Research on Several Key Technologies of High-Speed Network Intrusion Detection Systems

Published: 2018-03-26 07:18

  Topic: high-speed networks. Focus: intrusion detection systems. Source: Yanbian University, master's thesis, 2014


[Abstract]: Network applications are developing rapidly, and the wide variety of network attacks places higher demands on network intrusion detection systems (NIDS). A single-host intrusion detection system can no longer meet the requirements of high-speed network intrusion detection, and hierarchical, distributed intrusion detection systems have become the focus of research.

In studying the problems facing high-speed NIDS, this thesis first proposes a processing model for high-speed NIDS, then studies the key technologies in that model: fast data capture, application protocol identification, and adaptive load distribution. The model is implemented on an embedded computing platform based on the ATCA (Advanced Telecom Computing Architecture) standard. The research results have been applied in a "major project" of the Chinese Academy of Sciences.

Based on an analysis of NIDS, the thesis proposes an extensible distributed parallel processing model (EDPPM) suited to high-speed network intrusion detection systems. The model is hierarchical: the front end performs simple processing on the data, and the back end performs the time-consuming intrusion detection. EDPPM scales well and has high throughput, meeting the requirements of high-speed network intrusion detection systems.

To address protocol identification in intrusion detection systems, the thesis proposes a fast application protocol identification method. The method uses a port-based identification algorithm to divide network sessions into long-buffer sessions and short-buffer sessions. Long-buffer sessions buffer more bytes and are used to identify complex protocols; short-buffer sessions buffer relatively few bytes and are used to identify simple protocol types. This removes the drawbacks of the cumulative matching approach. After analyzing pattern matching algorithms, the AC multi-pattern matching algorithm was adopted for pattern matching. Experimental analysis shows that the method effectively improves the throughput of protocol identification and that its identification accuracy is noticeably better than that of L7-filter.

To meet the load-balancing needs of the hierarchical EDPPM model, the thesis proposes a minimum weighted entropy first dynamic load-balancing algorithm based on protocol classification. The algorithm's input is the data flows already classified by application protocol. It combines static allocation (hash modulo operation) with dynamic allocation of TCP sessions based on probe load, balancing the load across the detectors while preserving session integrity, to suit intrusion detection in high-speed network environments.
[Degree-granting institution]: Yanbian University
[Degree level]: Master's
[Year degree granted]: 2014
[Classification number]: TP393.08
