Design And Implementation Of WinPcap-based Network Intrusion Detection System

Posted on: 2016-10-21
Degree: Master
Type: Thesis
Country: China
Candidate: L L Liu
Full Text: PDF
GTID: 2308330464458762
Subject: Computer technology

Abstract/Summary:
Today, with the rapid development of networks, network applications have spread to all aspects of life. Billions of people around the world surf the network at different times every day. Our lives are closely linked to the network, and network security is becoming a critical problem that receives more and more attention. Network security technology, including firewall technology, virus protection technology and so on, protects people's computers against viruses and network attacks. However, these techniques provide relatively passive protection, and that protection cannot meet security requirements. Therefore, it is necessary to re-examine existing network security technology and develop real-time data protection to prevent virus intrusion.

This thesis designs and implements a WinPcap-based network intrusion detection system, based on a requirements analysis of network security. The system works at both the network layer and the transport layer to capture packets, and detects packets that carry information indicating network intrusion.

The main functions of the system are information query, network monitoring and virus record management, which include capturing the data passing through the local network card, checking the data for viruses, extracting the key data and storing it in the record database, filtering data packets, gathering statistics on network data flow, managing records, managing virus code signatures, and so on. With the API that WinPcap provides for accessing the underlying network, we can open the adapter, capture packets and filter packets by protocol. When the system captures network packets and detects intrusions, it uses the KMP algorithm and multi-threaded processing to match virus signatures efficiently.

For the storage of virus signatures and intrusion information, the system uses a SQL Server database for intrusion information and a self-defined file for virus signatures. Given its function and environment, and considering demands such as 24-hour uninterrupted operation, reducing misuse and improving accuracy, small space occupation, and updating the virus database, the design process requires optimizing stability, system coordination, resource utilization, accuracy and scalability in order to produce a reasonable and efficient monitoring system.
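The KMP signature matching described in the abstract, sketched as an added example; it is not code from the thesis. The signatures, payloads, the MAX_SIG bound and the function names are assumptions constructed for illustration, and packet capture and threading are left out so that the matcher runs offline.

```c
#include <stddef.h>
#include <stdio.h>
#define MAX_SIG 64 /* assumed upper bound on signature length */
struct signature { const char *name; const unsigned char *bytes; size_t len; };
/* Constructed sample signatures, not real malware patterns. */
static const unsigned char SIG_A[] = {0xDE, 0xAD, 0x00, 0xBE, 0xEF};
static const unsigned char SIG_B[] = {'a', 'b', 'a', 'b', 'a', 'c'};
static const struct signature SIGS[] = {{"sample-a", SIG_A, 5}, {"sample-b", SIG_B, 6}};
/* Constructed payloads: one carries both signatures, one carries neither. */
static const unsigned char HIT[] = {'G', 'E', 'T', 0x00, 'a', 'b', 'a', 'b', 'a',
    'b', 'a', 'c', 0xDE, 0xAD, 0x00, 0xBE, 0xEF};
static const unsigned char CLEAN[] = {'a','b','a','b','a','b',0xDE,0xAD,0x00,0xBE};

/* Offset of the first occurrence of sig in buf, or -1. Lengths are explicit,
   so NUL bytes inside binary payloads do not end the search early. */
long kmp_find(const unsigned char *buf, size_t n, const unsigned char *sig, size_t m) {
    size_t fail[MAX_SIG], k = 0;
    if (m == 0 || m > MAX_SIG || n < m) return -1;
    fail[0] = 0; /* fail[i]: longest proper prefix of sig[0..i] that is also its suffix */
    for (size_t i = 1; i < m; i++) {
        while (k > 0 && sig[i] != sig[k]) k = fail[k - 1];
        if (sig[i] == sig[k]) k++;
        fail[i] = k;
    }
    k = 0;
    for (size_t i = 0; i < n; i++) {
        while (k > 0 && buf[i] != sig[k]) k = fail[k - 1]; /* reuse matched prefix */
        if (buf[i] == sig[k]) k++;
        if (k == m) return (long)(i + 1 - m);
    }
    return -1;
}

/* Index of the first listed signature present in the payload, or -1. */
int scan_payload(const unsigned char *p, size_t n, const struct signature *sigs,
                 size_t count, long *offset) {
    for (size_t s = 0; s < count; s++) {
        long at = kmp_find(p, n, sigs[s].bytes, sigs[s].len);
        if (at >= 0) { if (offset) *offset = at; return (int)s; }
    }
    return -1;
}

int main(void) {
    long off = -1;
    int hit = scan_payload(HIT, sizeof HIT, SIGS, 2, &off);
    printf("%s at offset %ld\n", hit >= 0 ? SIGS[hit].name : "clean", off);
    return 0;
}
```

Each signature costs time linear in the payload length because the failure table lets the scan resume from the longest already-matched prefix instead of backing up in the packet data.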
Keywords/Search Tags:Packet Capture, Intrusion Detection, Multi-threading Technology