Design and Implementation of an NDIS-Based Intrusion Detection System
Cite this article: Zhu Yifeng. Design and Implementation of an NDIS-Based Intrusion Detection System [J]. Journal of Shenyang Normal University (Natural Science Edition), 2012, 30(3): 378-381.
Author: Zhu Yifeng
Affiliation: Dean's Office, Chaoyang Teachers College, Chaoyang, Liaoning 122000, China
Funding: Liaoning Higher Education Society "Twelfth Five-Year" Higher Education Research Project (GHYB110216)
Abstract: This work addresses two aspects of intrusion detection: raising detection speed and reducing false positives and false negatives. Building on an NDIS intermediate driver and introducing protocol analysis as a preprocessing module for intrusion analysis, the paper proposes an intrusion detection model and implements its data capture module and its protocol analysis module. The data capture module implements a packet capture mechanism based on a Windows NDIS intermediate driver; it runs in Windows kernel mode, directly adjacent to the physical NIC driver, which keeps the redundant copying that occurs during packet capture to a minimum. The protocol analysis module is split into a kernel-mode part and a user-mode part, which communicate through the Windows event mechanism and file-mapping (shared memory) mechanism. The kernel-mode protocol analysis module is implemented inside the intermediate driver and is finally used to detect several common attacks.

Keywords: intrusion detection; NDIS intermediate driver; protocol analysis

Design and Implementation of an NDIS-Based Intrusion Detection System
ZHU Yi-feng. Design and Implementation of an NDIS-Based Intrusion Detection System [J]. Journal of Shenyang Normal University: Nat Sci Ed, 2012, 30(3): 378-381.
Authors:ZHU Yi-feng
Institution:ZHU Yi-feng(Dean’s Office,Chaoyang Teachers College,Chaoyang 122000,China)
Abstract: This paper reports work aimed at raising the intrusion detection rate and reducing false positives and false negatives. Based on an NDIS intermediate driver combined with protocol analysis, it proposes a new IDS model and implements its data collection (packet capture) module and its protocol analysis module. For data collection, a packet capture module based on a Windows NDIS intermediate driver is designed and implemented; it runs in Windows kernel mode, adjacent to the NIC driver, so the number of packet copies is kept to a minimum. Within the IDS, protocol analysis is introduced as a preprocessing module that exploits the strict structure of network protocols to improve the detection rate and reduce false positives and false negatives. The protocol analysis module is split into a kernel-mode part and a user-mode part, each implemented separately; the two communicate through the event and file-mapping mechanisms provided by Windows. The kernel-mode part is implemented on top of the intermediate driver, and the model is finally exercised against several common attacks using the kernel-mode protocol analysis module.
Keywords: intrusion detection; NDIS intermediate driver; protocol analysis
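The abstract describes a kernel-mode protocol analysis module that pre-filters captured frames by checking them against the rules of the protocol before any signature matching, and that is used to detect "several common attacks" without naming them. The following C code is an added illustration of that preprocessing step and is not the paper's code: it parses a raw Ethernet/IPv4/TCP frame, rejects frames whose header fields are inconsistent with the bytes actually delivered, and flags two header-level anomalies chosen here as assumptions (a LAND-style frame whose source and destination address and port coincide, and TCP flag combinations no legitimate stack emits, such as SYN+FIN). The NDIS receive path, the event and file-mapping channel to user mode, and checksum verification are deliberately left out so the logic compiles and runs on any host; the sample frames are constructed inline by `build_tcp_frame`, also an assumption of this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Verdicts of the protocol-analysis pre-filter (names are this example's own). */
enum verdict {
    PA_OK = 0,          /* headers well formed: hand on to signature matching */
    PA_IGNORED,         /* not IPv4/TCP: outside this filter's scope */
    PA_TRUNCATED,       /* frame shorter than its headers claim */
    PA_BAD_IP_HEADER,   /* IP version / IHL / total length inconsistent */
    PA_BAD_TCP_HEADER,  /* TCP data offset inconsistent with segment length */
    PA_LAND,            /* src == dst address and port (LAND attack pattern) */
    PA_BAD_TCP_FLAGS    /* flag combination no legitimate stack sends */
};

#define TH_FIN 0x01
#define TH_SYN 0x02
#define TH_RST 0x04
#define TH_ACK 0x10

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}
static void put16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }
static void put32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16); p[2] = (uint8_t)(v >> 8); p[3] = (uint8_t)v;
}

/* Validate the Ethernet/IPv4/TCP headers of one raw frame and classify it.
 * Every length field is checked against the bytes actually present before it
 * is used as an offset, so a crafted header cannot drive a read past `len`. */
int analyze_frame(const uint8_t *frame, size_t len)
{
    if (len < 14) return PA_TRUNCATED;
    if (be16(frame + 12) != 0x0800) return PA_IGNORED;      /* EtherType: IPv4 only */

    const uint8_t *ip = frame + 14;
    size_t avail = len - 14;
    if (avail < 20) return PA_TRUNCATED;
    if ((ip[0] >> 4) != 4) return PA_BAD_IP_HEADER;
    size_t ihl = (size_t)(ip[0] & 0x0f) * 4;
    uint16_t total = be16(ip + 2);
    if (ihl < 20 || total < ihl) return PA_BAD_IP_HEADER;
    if (total > avail) return PA_TRUNCATED;                  /* claims more than delivered */
    if (ip[9] != 6) return PA_IGNORED;                       /* protocol: TCP only */

    const uint8_t *tcp = ip + ihl;
    size_t tcp_len = total - ihl;
    if (tcp_len < 20) return PA_TRUNCATED;
    size_t doff = (size_t)(tcp[12] >> 4) * 4;
    if (doff < 20 || doff > tcp_len) return PA_BAD_TCP_HEADER;

    uint32_t src = be32(ip + 12), dst = be32(ip + 16);
    uint16_t sport = be16(tcp), dport = be16(tcp + 2);
    uint8_t flags = tcp[13];

    if (src == dst && sport == dport) return PA_LAND;
    if ((flags & (TH_SYN | TH_FIN)) == (TH_SYN | TH_FIN)) return PA_BAD_TCP_FLAGS;
    if ((flags & (TH_SYN | TH_RST)) == (TH_SYN | TH_RST)) return PA_BAD_TCP_FLAGS;
    if ((flags & 0x3f) == 0) return PA_BAD_TCP_FLAGS;        /* "null" probe */
    return PA_OK;
}

/* Constructed sample input: a minimal 54-byte Ethernet+IPv4+TCP frame with no
 * options or payload. Checksums are left zero because this filter ignores them. */
size_t build_tcp_frame(uint8_t *buf, uint32_t src, uint32_t dst,
                       uint16_t sport, uint16_t dport, uint8_t flags)
{
    memset(buf, 0, 54);
    buf[12] = 0x08; buf[13] = 0x00;   /* EtherType IPv4 */
    uint8_t *ip = buf + 14;
    ip[0] = 0x45;                     /* version 4, IHL 5 words */
    put16(ip + 2, 40);                /* total length: 20 IP + 20 TCP */
    ip[8] = 64;                       /* TTL */
    ip[9] = 6;                        /* protocol TCP */
    put32(ip + 12, src);
    put32(ip + 16, dst);
    uint8_t *tcp = ip + 20;
    put16(tcp, sport);
    put16(tcp + 2, dport);
    tcp[12] = 0x50;                   /* data offset 5 words */
    tcp[13] = flags;
    return 54;
}

/* Build a constructed frame and classify it. */
int classify_synthetic(uint32_t src, uint32_t dst, uint16_t sport, uint16_t dport, uint8_t flags)
{
    uint8_t f[64];
    return analyze_frame(f, build_tcp_frame(f, src, dst, sport, dport, flags));
}

/* Deliver only the first `keep` bytes of an otherwise valid SYN frame. */
int classify_truncated(size_t keep)
{
    uint8_t f[64];
    size_t n = build_tcp_frame(f, 0x0a000001u, 0x0a000002u, 40000, 80, TH_SYN);
    return analyze_frame(f, keep < n ? keep : n);
}

int main(void)
{
    static const char *names[] = { "OK", "IGNORED", "TRUNCATED", "BAD_IP_HEADER",
                                   "BAD_TCP_HEADER", "LAND", "BAD_TCP_FLAGS" };
    printf("normal SYN : %s\n", names[classify_synthetic(0x0a000001u, 0x0a000002u, 40000, 80, TH_SYN)]);
    printf("SYN+FIN    : %s\n", names[classify_synthetic(0x0a000001u, 0x0a000002u, 40000, 80, TH_SYN | TH_FIN)]);
    printf("LAND       : %s\n", names[classify_synthetic(0x0a000001u, 0x0a000001u, 80, 80, TH_SYN)]);
    printf("truncated  : %s\n", names[classify_truncated(40)]);
    return 0;
}
```

In the architecture the abstract describes, a function like `analyze_frame` would run on the NDIS intermediate driver's receive path, so that frames returning anything other than `PA_OK` are dropped or reported before they reach the user-mode analysis, and only well-formed traffic is copied into the shared file mapping; the length checks matter as much as the attack checks, since the filter itself parses attacker-controlled bytes in kernel mode.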
This article is indexed in CNKI, Wanfang Data and other databases.