应用层并行重组在NIDS中的设计与实现

针对目前网络入侵检测系统在IP分片重组和TCP流重组中的不足, 提出应用层协议并行重组的新方法ALPPR及其原型系统. 根据报文重组的特点, 采用基于LogP模型的并行处理思想和主从模式实现并行任务的分配和处理. 在并行重组过程中, 采用二维链表保存(例如会话列表、 相应状态和任务分配结果等)关键信息. 同时,该方法采用动态分配策略实现并行重组中的负载平衡. 实验结果证明了ALPPR方法的可行性和有效性.

Design and Implementation of Application Layer Parallel Reassembling in NIDS

A new parallel reassembly approachALPPR and its prototype are presented in the light of the weakness of present Network Intrusion Detection Systems(NIDS),especially the procedure of IP fragments and TCP flows reassembling.We adopted an idea based on LogP model and master-slave mode to complete parallel task allocation and implementation.Some key information such as sessions and their corresponding states,operation results were saved by using a two-dimensional linked list in parallel reassembly process.Meanwhile,a dynamic allocation strategy was used to keep load balancing.Experimental results show that (ALPPR) has good effectiveness and high performance.