Intrusion detection based on NDIS intermediate drivers

To implement intrusion detection based on NDIS, all raw data packets are captured at the data link layer, following the basic principle of the NDIS intermediate driver and using the driver development kit provided by Microsoft. Because the NDIS intermediate driver is located inside the Windows kernel and is closely tied to the hardware, it cannot be separated from, or made independent of, the protocol layer, so the analysis of each protocol type must be self-defined. The detailed implementation code is described. According to the detection principle, the various intrusion behaviors, their characteristics and the raw data packets are analyzed in depth and, combined with the NDIS intermediate driver, the attacks and stealth port scans that may occur are revealed, achieving the goal of intrusion detection.
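
The self-defined protocol analysis described above can be illustrated with a short C example that parses one raw Ethernet frame down to its TCP flags and classifies the flag pattern. This is an added example, not code from the paper. It runs in user mode on a byte buffer rather than inside an NDIS driver, and the FIN, NULL and Xmas flag signatures, the verdict names and the sample frame are assumptions made here, since the abstract does not list them.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Verdict names are hypothetical, chosen for this example. */
enum verdict { V_NOT_TCP, V_MALFORMED, V_NORMAL, V_SYN_PROBE, V_FIN_SCAN, V_NULL_SCAN, V_XMAS_SCAN };

/* Classify one raw Ethernet II frame by its TCP flag pattern. */
enum verdict classify_frame(const uint8_t *f, size_t len)
{
    if (len < 14) return V_MALFORMED;                        /* Ethernet header */
    if (((f[12] << 8) | f[13]) != 0x0800) return V_NOT_TCP;  /* EtherType must be IPv4 */
    const uint8_t *ip = f + 14;
    size_t ip_len = len - 14;
    if (ip_len < 20 || (ip[0] >> 4) != 4) return V_MALFORMED;
    size_t ihl = (size_t)(ip[0] & 0x0F) * 4;                 /* IP header length in bytes */
    if (ihl < 20 || ihl > ip_len) return V_MALFORMED;
    if (ip[9] != 6) return V_NOT_TCP;                        /* protocol 6 = TCP */
    if (((ip[6] & 0x1F) << 8) | ip[7]) return V_NOT_TCP;     /* later fragment: no TCP header */
    if (ip_len - ihl < 20) return V_MALFORMED;               /* TCP header must be complete */
    switch (ip[ihl + 13] & 0x3F) {                           /* URG ACK PSH RST SYN FIN */
    case 0x00: return V_NULL_SCAN;   /* no flags set */
    case 0x01: return V_FIN_SCAN;    /* FIN without ACK */
    case 0x29: return V_XMAS_SCAN;   /* FIN + PSH + URG */
    case 0x02: return V_SYN_PROBE;   /* bare SYN: count per source to spot half-open scans */
    default:   return V_NORMAL;
    }
}

/* Constructed sample: 54-byte frame, 192.0.2.10 -> 192.0.2.20, TCP port 40000 -> 22. */
static const uint8_t SAMPLE[54] = {
    0x02,0,0,0,0,0x02, 0x02,0,0,0,0,0x01, 0x08,0x00,               /* Ethernet */
    0x45,0,0,40, 0,1,0,0, 64,6,0,0, 192,0,2,10, 192,0,2,20,        /* IPv4, checksum left 0 */
    0x9C,0x40,0,22, 0,0,0,1, 0,0,0,0, 0x50,0x02,0x04,0, 0,0,0,0    /* TCP, flags at byte 13 */
};

/* Copy the sample, overwrite the TCP flag byte, and classify the result. */
enum verdict classify_sample_with_flags(uint8_t flags)
{
    uint8_t frame[sizeof SAMPLE];
    memcpy(frame, SAMPLE, sizeof frame);
    frame[14 + 20 + 13] = flags;
    return classify_frame(frame, sizeof frame);
}

int main(void)
{
    printf("FIN=%d NULL=%d\n", (int)classify_sample_with_flags(0x01), (int)classify_sample_with_flags(0x00));
    return 0;
}
```

A bare SYN is also how an ordinary connection starts, so `V_SYN_PROBE` only becomes a scan indicator when counted per source address across many destination ports.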