Journal of Frontiers of Computer Science and Technology, 2013, Vol. 7, Issue 4: 289-303. DOI: 10.3778/j.issn.1673-9418.1212017


High Performance Parallel Intrusion Detection Algorithms and Framework

CAI Zhiping+, LIU Shuhao, WANG Han, CAO Jienan, XU Ming

  1. School of Computer, National University of Defense Technology, Changsha 410073, China
  • Online: 2013-04-01   Published: 2013-04-02

High Performance Parallel Intrusion Detection Algorithms and Framework

蔡志平+, 刘书昊, 王晗, 曹介南, 徐明

  1. School of Computer, National University of Defense Technology, Changsha 410073

Abstract: The performance of a single-engine network intrusion detection system (NIDS) has traditionally been improved with custom hardware or modified detection algorithms, but this no longer meets the requirement of link speeds up to 10 Gb/s. Parallel detection using multiple detection sensors is the main way to achieve high performance intrusion detection. A parallel detection system coordinates multiple detection sensors to detect intrusions in parallel, which gives it high performance and scalability. This paper summarizes the challenges of preserving the proof needed to detect attacks and of balancing the load among sensors, and discusses various solutions to them. Drawing on the advantages of existing parallel detection technologies, it proposes a uniformed parallel detection architecture (UPDA) that supports parallel detection with multiple detection sensors. Based on the NetMagic platform and UPDA, the paper designs and implements a parallel intrusion detection prototype system and evaluates its performance in a network environment.

Key words: high performance, intrusion detection, parallel detection, proof keeping, load balancing

Abstract: Single-engine network intrusion detection systems (NIDS) rely on auxiliary hardware and improved detection algorithms to raise processing performance, but they can no longer meet the line-rate processing requirement for traffic of 10 Gb/s and above. Parallel processing with multiple detection engines is an important technical means of achieving high performance intrusion detection; a parallel detection system performs coordinated parallel detection with multiple detection engines and has the advantages of high performance and scalability. This paper summarizes the two challenges encountered when partitioning traffic, preserving the evidence needed to detect attacks and balancing the load, together with their solution strategies. Combining the advantages of existing parallel intrusion detection frameworks, it proposes a uniformed parallel detection architecture (UPDA) that supports parallel detection by multiple detection engines. Using the NetMagic platform and the UPDA framework, a high performance parallel intrusion detection prototype system is designed and implemented, and experiments verify its high performance and effectiveness.

Key words: high performance, intrusion detection, parallel detection, proof keeping (evidence preservation), load balancing
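The trade-off both abstracts describe, partitioning traffic so that all evidence of an attack reaches one sensor while load is spread across sensors, as an added illustration that is not the paper's algorithm or the NetMagic prototype's code: a symmetric flow-hash dispatcher with checks for evidence preservation and load skew. The packet list, the sensor count and the use of BLAKE2b as the partitioning hash are constructed assumptions.

```python
"""Flow-aware traffic partitioning for a multi-sensor NIDS (constructed example)."""
import hashlib
from collections import Counter

# Constructed packets: (src_ip, dst_ip, src_port, dst_port, proto).
# Each connection appears in both directions, as a real capture would show it.
PACKETS = [
    ("10.0.0.5", "192.0.2.10", 40001, 80, "tcp"),   # client request
    ("192.0.2.10", "10.0.0.5", 80, 40001, "tcp"),   # server reply
    ("10.0.0.6", "192.0.2.10", 40002, 80, "tcp"),
    ("192.0.2.10", "10.0.0.6", 80, 40002, "tcp"),
    ("10.0.0.7", "192.0.2.11", 53001, 53, "udp"),
    ("192.0.2.11", "10.0.0.7", 53, 53001, "udp"),
]

def canonical_flow_key(pkt):
    """Order the two endpoints so both directions of a connection yield one key.
    This keeps a request and its reply (the detection evidence) on one sensor
    instead of splitting them across engines."""
    src_ip, dst_ip, sport, dport, proto = pkt
    a, b = (src_ip, sport), (dst_ip, dport)
    lo, hi = (a, b) if a <= b else (b, a)
    return f"{proto}|{lo[0]}:{lo[1]}|{hi[0]}:{hi[1]}"

def assign_sensor(pkt, n_sensors):
    """Map a packet to a sensor index by hashing its canonical flow key;
    the hash spreads flows roughly uniformly over the sensors."""
    digest = hashlib.blake2b(canonical_flow_key(pkt).encode(), digest_size=8).digest()
    return int.from_bytes(digest, "big") % n_sensors

def partition(packets, n_sensors):
    """Return (sensor index per packet, packet count per sensor)."""
    assignment = [assign_sensor(p, n_sensors) for p in packets]
    return assignment, Counter(assignment)

def evidence_preserved(packets, assignment):
    """Check that every flow landed on exactly one sensor."""
    seen = {}
    for pkt, sensor in zip(packets, assignment):
        if seen.setdefault(canonical_flow_key(pkt), sensor) != sensor:
            return False
    return True

def load_imbalance(counts, n_sensors):
    """Busiest sensor's load divided by the mean load (1.0 = perfect balance)."""
    mean = sum(counts.values()) / n_sensors
    return max(counts.get(i, 0) for i in range(n_sensors)) / mean
```

Flow-level hashing guarantees the evidence property but only statistical balance; a skewed flow mix (one elephant flow) still overloads one sensor, which is the load-balancing half of the challenge.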