Study of High-Speed Processing for Network Intrusion Detection System

With the flouring development of network-application, the importance of network security and its information security has become a greater concern for the computer users. This paper focuses on the study of the speed of detection, which is so far the most challenging problems in network intrusion detection. In practice, double-array hashing space method is applied in order to solve the problem of the big hashing space; according to features of data-package and those of attack-string, hashing -function is selected because of its high speed and efficiency; and the speed of detection is improve through the decrdasd of the times of detection to network package by applying various characteristic-string of the sane length with their corresponding pattern. There are many methods to achieve network security, and intrusion detection technology is a very effective mechanism [1]. It is a technology that could detect the current attack or attack happening inside computer system. At present, there are several different pattern match algorithms that are used for the attack detection of effective load for packet. No matter what optimization is made, they all could not get rid of a weakness: must match item by item for each mode that indicates attack characteristics [2-5]. So the packet to be detected shall be scanned for many times, and the scanning time is equal to the quality of mode; meanwhile, detection system also establish and manage heuristic function for each attack mode, and adjust detection order of attack mode, so system has rather big burden, and has difficulty to promote the detection efficiency. This is the fundamental problem causing low detection efficiency of effective load of packet [6]. Is it possible to design a detection algorithm which could build heuristic function from the perspective of whole attack model base and could detect all the attack models at the same time? This article uses hashing-method to discuss this problem, and finds that the attack probably existing could be found by several scanning for packet. In addition, network intrusion detection rule base is network IDS detection engine using model matching detection method, which is the standard for checking the captured packet. Snort is intrusion detection system based on network. This description method is simple, easy to achieve, and could describe most of the intrusion activities. Therefore, this article adopts the intrusion activity description method of Snort intrusion detection system, and introduces the rule base of Snort intrusion detection system as the rule base of this article for the foundation of design and demonstration of hashing detection scheme.