#### **2.4.2 Key zones prevention deployment**

External security threats, such as worms, computer viruses and spyware, may be introduced into the intranet by unwitting users. To minimize internal network security risks, the intrusion prevention module may sit at the entrance to the office zone and the key server zone, block malicious traffic in real time, filter worms, computer viruses and spyware coming from the office zone, and protect the key network servers, as shown in Fig. 8.

#### **2.4.3 Hybrid prevention deployment**

To minimize external and internal network security risks simultaneously, the intrusion prevention module may sit at the entrance to the key network link, block malicious traffic in real time, and protect the key network resources.

Meanwhile, the intrusion prevention module may also sit at the entrance to the key network link in bypass mode, in which it can be treated as an intrusion detection system and performs analysis and detection on the intranet, as shown in Fig. 9.

#### **2.5 Related work**

There is a variety of research and commercial work on the design and implementation of IPS. Tan and Weinsberg attempt to improve string-matching algorithms for intrusion detection and prevention on large-scale high-speed network traffic; Drinic (Drinic & Kirovski, 2004) and Weaver (Weaver et al., 2007) present hardware implementations of IPS based on field programmable gate arrays; Green uses a generic and reliable model to anticipate future attack scenarios; Uppuluri provides a practical approach to detect and prevent race condition attacks (Uppuluri et al., 2005). What's more, there are many commercial IPS products available, such as TippingPoint IPS, ISS IPS, Cisco IPS and NetKeeper IPS. These representative products are online, network-based solutions designed to accurately identify, classify, and stop malicious traffic, including worms, spyware/adware, network viruses, and application abuse.

Fig. 7. Border prevention deployment

Fig. 8. Key zone prevention deployment

Fig. 9. Hybrid prevention deployment

(Figures 7 to 9 are deployment diagrams not reproduced here; the labels used in them are: Internet, Attacker, IPS, Firewall, User, Office zone, Server zone, Security control zone.)

Intrusion Detection and Prevention in High Speed Network 65

Furthermore, the sampling is asymptotically unbiased even if the act of sampling affects the network's state. Such sampling is referred to as Poisson sampling. The sample size during an interval $T$ obeys a Poisson distribution with rate $\lambda$, the rate at which the singleton measurements will on average be made, that is

$$P_k(T) = \frac{(\lambda T)^k e^{-\lambda T}}{k!} .$$

To generate Poisson sampling intervals, one first determines the rate $\lambda$ at which the singleton measurements will on average be made (e.g., for an average sampling interval of 30 seconds, we have $\lambda = 1/30$, if the units of time are seconds). One then generates a series of exponentially distributed (pseudo) random numbers $E_1, E_2, \ldots, E_n$. The first measurement is made at time $E_1$, the next at time $E_1 + E_2$, and so on.

#### **3.1.3 Stratified sampling**

Before sampling, the whole population is first divided into mutually exclusive subgroups, called strata. Let $N$ be the number of population units, $L$ be the number of strata and $N_1, N_2, \ldots, N_L$ represent the size of each stratum, then

$$N = \sum_{h=1}^{L} N_h .$$

If the sample is taken randomly from each stratum, the procedure is known as stratified random sampling.

For stratified sampling, there are some factors to be determined, such as the stratification characteristic, the number of strata, the stratum borders, the sample size allocation and the variance within strata. The concrete discussions of these factors are as follows:

Stratification characteristics are the basis of stratified sampling. Network packets may be stratified by protocol type, TTL or the total length field of the IP header. The selection of the stratification characteristic relates to the type of intrusion. Take an ICMP sweep attack as an example: the characteristic of this attack is the sudden generation of lots of ping packets with light payload, so the proportion of ICMP packets rises and the average packet length decreases. If the packet length is selected for stratification, sound detection results are achieved.

From [12], the gain of stratified sampling increases with the number of strata; when the number of strata increases from 2 to 3, the gain does not improve much; the gain appears to decrease as the number of strata increases further; when the number of strata is beyond 4, the gain of stratified sampling tends to be stable.

The determination of stratum borders is based on the stratification strategy. Samples with similar characteristics may be classified into a certain stratum in stratified sampling, which leads to less variance within that stratum. The simplest way to determine stratum borders is based on the type of packet, such as TCP, UDP and ICMP; the stratum border is then naturally determined by the protocol type field of the IP header of the packet. If a packet is classified into a certain stratum according to the total length field, the stratum border is determined by the variable interval of the actual value $L_i$ ($L_{\min} < L_i < L_{\max}$). If every stratum is based on a single value of $L_i$, it is obvious that this is impractical: in this paper, there are hundreds of kinds of packets with respect to the total length field, so if every stratum is based on one total length value, the efficiency of this implementation is too poor. So we make use of the optimum stratification method based on the cumulative square root of the stratification variable distribution [13], shown in Table 1.
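The Poisson sampling procedure described above (exponential gaps $E_1, E_2, \ldots$, first measurement at $E_1$, next at $E_1 + E_2$, count in an interval $T$ distributed as $P_k(T)$) is worked through below as an added example; it is not code from the chapter. The ICMP trace it samples is constructed inline (a 10 s ping burst at the start of every 60 s period) so that the aliasing a fixed-interval sampler suffers when it is in phase with periodic traffic can be contrasted with Poisson sampling at the same average rate; the function names and the 1-second measurement window are this example's own choices.

```python
import bisect
import math
import random


def poisson_sampling_schedule(lam, horizon, rng):
    """Measurement instants for Poisson sampling at average rate `lam`
    (measurements per time unit): the gaps E1, E2, ... are i.i.d. exponential
    random numbers, so the first measurement is at E1, the next at E1 + E2,
    and so on, until the instants pass `horizon`."""
    times, t = [], rng.expovariate(lam)
    while t <= horizon:
        times.append(t)
        t += rng.expovariate(lam)
    return times


def poisson_pmf(k, lam, T):
    """P_k(T) = (lam*T)^k * exp(-lam*T) / k!, the probability that exactly k
    measurements fall inside an interval of length T. Evaluated in log space
    so large k does not overflow the factorial."""
    mu = lam * T
    if mu == 0:
        return 1.0 if k == 0 else 0.0
    return math.exp(k * math.log(mu) - mu - math.lgamma(k + 1))


def count_statistics(lam, T, trials, seed=42):
    """Empirical mean and variance of the number of measurements in [0, T];
    for a Poisson process both equal lam*T."""
    rng = random.Random(seed)
    counts = [len(poisson_sampling_schedule(lam, T, rng)) for _ in range(trials)]
    mean = sum(counts) / trials
    var = sum((c - mean) ** 2 for c in counts) / trials
    return mean, var


def build_icmp_trace(horizon, period=60, burst_len=10, per_sec=4):
    """Constructed ICMP timestamps (not captured traffic): in every `period`
    seconds the first `burst_len` seconds carry `per_sec` ping packets each,
    spaced 0.1 s apart. Returned sorted ascending."""
    stamps = []
    for sec in range(horizon):
        if sec % period < burst_len:
            stamps.extend(sec + 0.1 * i for i in range(1, per_sec + 1))
    return stamps


def icmp_rate_in_window(stamps, t, width=1.0):
    """Singleton measurement: ICMP packets per second seen in [t, t + width)."""
    lo = bisect.bisect_left(stamps, t)
    hi = bisect.bisect_left(stamps, t + width)
    return (hi - lo) / width


def estimate_icmp_rate(stamps, instants):
    """Average of the singleton measurements taken at the given instants."""
    return sum(icmp_rate_in_window(stamps, t) for t in instants) / len(instants)


def compare_samplers(horizon=36000, lam=1 / 30, seed=7):
    """Periodic sampling every 1/lam seconds, in phase with the bursts, versus
    Poisson sampling at the same average rate. The true long-run ICMP rate of
    the constructed trace is per_sec * burst_len / period = 40/60 pkt/s."""
    stamps = build_icmp_trace(horizon)
    periodic = list(range(0, horizon, int(round(1 / lam))))
    poisson = poisson_sampling_schedule(lam, horizon, random.Random(seed))
    return {
        "true_rate": 4 * 10 / 60,
        "periodic_estimate": estimate_icmp_rate(stamps, periodic),
        "poisson_estimate": estimate_icmp_rate(stamps, poisson),
    }


if __name__ == "__main__":
    mean, var = count_statistics(1 / 30, 900, 2000)
    print(f"measurements in T=900 s: mean={mean:.2f} var={var:.2f} (lam*T=30)")
    print(compare_samplers())
```

The periodic sampler lands on a burst second every other sample and reports an ICMP rate of 2 pkt/s, three times the true 0.67 pkt/s, while the Poisson schedule at the same average rate stays close to the truth; this is the practical meaning of the unbiasedness claim for a detector that samples a link with periodic traffic.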
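The stratified sampling material above (strata of sizes $N_h$ with $N = \sum_h N_h$, stratification by the IP total length field, and stratum borders from the cumulative square root of the stratification variable's distribution) is implemented below as an added example that is not part of the chapter. The border rule is the Dalenius-Hodges cumulative square root of frequency method, assumed here to be the method the text cites as [13]; the packet population is constructed inline (small ICMP echoes, mid-size and bulk TCP segments), and the comparison estimates the mean packet length under stratified random sampling with proportional allocation versus simple random sampling, so the gain of stratification mentioned in the text can be read off as a variance ratio.

```python
import bisect
import math
import random


def build_packet_population(rng, n_icmp=300, n_mid=400, n_bulk=300):
    """Constructed packet trace (not captured data): (protocol, total_length)
    tuples for small ICMP echo packets, mid-size TCP segments and bulk TCP
    segments, shuffled into one population."""
    pop = [("ICMP", rng.randint(64, 84)) for _ in range(n_icmp)]
    pop += [("TCP", rng.randint(536, 600)) for _ in range(n_mid)]
    pop += [("TCP", rng.randint(1440, 1500)) for _ in range(n_bulk)]
    rng.shuffle(pop)
    return pop


def cum_sqrt_f_boundaries(values, n_strata, n_bins=20):
    """Stratum borders by the cumulative square root of frequency rule
    (Dalenius-Hodges): histogram the stratification variable, cumulate the
    square roots of the bin counts, and cut at the bin edge whose cumulated
    value is nearest to h*Q/L for h = 1..L-1 (Q = total cumulated value).
    Assumed to be the "cumulative square root" method the text refers to."""
    lo, hi = min(values), max(values)
    width = (hi - lo) / n_bins or 1.0
    freq = [0] * n_bins
    for v in values:
        freq[min(int((v - lo) / width), n_bins - 1)] += 1
    cum, total = [], 0.0
    for f in freq:
        total += math.sqrt(f)
        cum.append(total)
    boundaries = []
    for h in range(1, n_strata):
        target = h * total / n_strata
        # candidate edges exclude the last bin so every border is below max(values)
        i = min(range(n_bins - 1), key=lambda j: abs(cum[j] - target))
        edge = lo + (i + 1) * width
        if not boundaries or edge > boundaries[-1]:
            boundaries.append(edge)
    return boundaries


def stratify(values, boundaries):
    """Assign each value to stratum h = number of borders it is greater than or equal to."""
    strata = [[] for _ in range(len(boundaries) + 1)]
    for v in values:
        strata[bisect.bisect_right(boundaries, v)].append(v)
    return strata


def stratified_mean(strata, n, rng):
    """Stratified random sampling with proportional allocation n_h = n*N_h/N;
    the estimate is the (N_h/N)-weighted mean of the per-stratum sample means."""
    N = sum(len(s) for s in strata)
    est = 0.0
    for s in strata:
        if not s:
            continue
        n_h = min(len(s), max(1, round(n * len(s) / N)))
        sample = rng.sample(s, n_h)
        est += len(s) / N * (sum(sample) / n_h)
    return est


def srs_mean(values, n, rng):
    """Simple random sampling of n units, for comparison."""
    return sum(rng.sample(values, n)) / n


def variance(xs):
    m = sum(xs) / len(xs)
    return sum((x - m) ** 2 for x in xs) / len(xs)


def compare_designs(lengths, n_strata=3, n=60, trials=300, seed=7):
    """Repeat both designs and compare the spread of the estimated mean packet
    length; var_srs / var_stratified is the gain of stratification."""
    rng = random.Random(seed)
    boundaries = cum_sqrt_f_boundaries(lengths, n_strata)
    strata = stratify(lengths, boundaries)
    strat_est = [stratified_mean(strata, n, rng) for _ in range(trials)]
    srs_est = [srs_mean(lengths, n, rng) for _ in range(trials)]
    return {
        "boundaries": boundaries,
        "stratum_sizes": [len(s) for s in strata],
        "true_mean": sum(lengths) / len(lengths),
        "var_stratified": variance(strat_est),
        "var_srs": variance(srs_est),
    }


if __name__ == "__main__":
    population = build_packet_population(random.Random(1))
    result = compare_designs([length for _, length in population])
    for key, value in result.items():
        print(f"{key}: {value}")
```

With three well-separated length clusters the cumulative square root rule places the two borders between the clusters, the within-stratum variance is tiny, and the stratified estimate of the mean length varies far less across repetitions than the simple random sample; the same machinery applies when the ICMP share rather than the mean length is the quantity a detector tracks, by estimating a stratum-wise proportion instead of a mean.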
