Research on Intrusion Detection Based on the EFSA Model and a Dynamic Rule Set
Published: 2018-06-05 10:25
Topic: EFSA model + six-tuple; Source: Jiangxi Normal University, master's thesis, 2015
[Abstract]: As technology advances, network security problems have become increasingly prominent and seriously harm the interests of Internet users. Intrusion detection, an active means of defence and detection, gives hosts and computer networks real-time, dynamic protection. With the ever-growing volume of network data and the complexity and variety of attack techniques, network security faces unprecedented challenges. To address the shortcomings of traditional pattern matching and protocol analysis in detecting attacks, this thesis proposes an intrusion detection model based on stateful protocol analysis and an extended finite-state automaton (EFSA). The model describes the state transitions of an attack with an EFSA, and the detection model is expressed as a six-tuple M = (P, Q, Σ, W, q0, F). Building this six-tuple serves two purposes. First, received packets are mapped to protocol state transitions, from which a finite-state automaton is constructed, and the presence of an attack is decided by whether the data under inspection is accepted by the automaton. Second, the data to be inspected is demultiplexed by protocol, which raises detection precision, reduces the rule-matching workload and improves detection efficiency. The EFSA detection mechanism and algorithm are given when the model is constructed, and classified matching of rule sets is applied when the model is used for intrusion detection, which helps to improve detection accuracy. To describe the automaton better, a state transition tree represents the course of a session, and a session linked list is created for each session node to store session information, establishing a bidirectional association between session state and session linked list. Finally, experiments on the KDD CUP 99 data set show that intrusion detection based on the EFSA model is more efficient than detection based on pattern matching or on stateful protocol analysis alone, and that the false positive rate is lower. In addition, to shorten rule-matching time and improve real-time performance, a three-step dynamic adjustment algorithm adjusts the rule set at run time: rule priorities are adjusted whenever an event matches, so that frequently matched rules are given higher priority and the system's matching efficiency rises. Experiments show that intrusion detection with dynamically adjusted rules cuts detection time by nearly 10% compared with a static rule set, improving detection efficiency and real-time performance.
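The following is an added example written for this page, not code from the thesis, showing the shape of the approach the abstract describes: packets are demultiplexed by protocol, each session is tracked by an extended finite-state automaton written as the six-tuple M = (P, Q, Σ, W, q0, F), an attack is reported when a session enters an accepting state, and a rule set is reordered so that frequently matched rules are tried first. Everything specific is assumed for illustration: the reading of the six components (P as the protocol, Q as states, Σ as decoded events, W as guarded transitions, q0 as the start state, F as attack states), the two toy protocol models (a TCP handshake with an "ACK without SYN" probe and an FTP login with a failure counter), the threshold of three failures, the sample packets, and the re-sorting-by-hit-count policy, which stands in for the thesis's three-step algorithm since that algorithm is not described on this page.

```python
# Added example (not from the thesis): toy EFSA detector plus a frequency-ordered rule set.
# All protocol models, thresholds and the reordering policy are illustrative assumptions.
from collections import Counter
from dataclasses import dataclass, field
from typing import Callable, Dict, FrozenSet, List, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str    # protocol label used to demultiplex traffic
    session: str  # flow key (constructed), e.g. "10.0.0.5:5555->10.0.0.9:21"
    event: str    # decoded protocol event, e.g. "SYN" or "PASS_FAIL"


@dataclass
class Session:
    state: str
    vars: Counter = field(default_factory=Counter)    # EFSA variables (the "extended" part)
    history: List[str] = field(default_factory=list)  # per-session record, like the session list


@dataclass
class EFSA:
    P: str                 # protocol this automaton handles
    Q: FrozenSet[str]      # states
    Sigma: FrozenSet[str]  # input events
    W: Dict[Tuple[str, str], Callable[[Session], str]]  # (state, event) -> guard giving next state
    q0: str                # start state
    F: FrozenSet[str]      # accepting states; acceptance means "attack"


def ftp_pass_fail(sess: Session) -> str:
    """Guard using a variable: the third failed PASS in one session is accepted as brute force."""
    sess.vars["fails"] += 1
    return "BRUTE_FORCE" if sess.vars["fails"] >= 3 else "IDLE"


TCP = EFSA("tcp", frozenset({"CLOSED", "SYN_RCVD", "ESTABLISHED", "ACK_SCAN"}),
           frozenset({"SYN", "ACK"}),
           {("CLOSED", "SYN"): lambda s: "SYN_RCVD",
            ("SYN_RCVD", "ACK"): lambda s: "ESTABLISHED",
            ("CLOSED", "ACK"): lambda s: "ACK_SCAN"},  # ACK with no prior SYN in this session
           "CLOSED", frozenset({"ACK_SCAN"}))

FTP = EFSA("ftp", frozenset({"IDLE", "USER_SENT", "LOGGED_IN", "BRUTE_FORCE"}),
           frozenset({"USER", "PASS_OK", "PASS_FAIL"}),
           {("IDLE", "USER"): lambda s: "USER_SENT",
            ("USER_SENT", "PASS_OK"): lambda s: "LOGGED_IN",
            ("USER_SENT", "PASS_FAIL"): ftp_pass_fail},
           "IDLE", frozenset({"BRUTE_FORCE"}))


class Detector:
    """Routes each packet to the automaton for its protocol and advances that session."""

    def __init__(self, automata: List[EFSA]):
        self.by_proto = {a.P: a for a in automata}
        self.sessions: Dict[Tuple[str, str], Session] = {}
        self.alerts: List[Tuple[str, str, str]] = []

    def feed(self, pkt: Packet) -> bool:
        efsa = self.by_proto.get(pkt.proto)
        if efsa is None or pkt.event not in efsa.Sigma:
            return False  # not modelled: skipped without touching any state
        sess = self.sessions.setdefault((pkt.proto, pkt.session), Session(efsa.q0))
        sess.history.append(pkt.event)
        prev = sess.state
        guard = efsa.W.get((sess.state, pkt.event))
        if guard is not None:
            sess.state = guard(sess)  # undefined (state, event) pairs leave the state unchanged
        entered_f = sess.state in efsa.F and prev not in efsa.F
        if entered_f:
            self.alerts.append((pkt.proto, pkt.session, sess.state))
        return entered_f


class DynamicRuleSet:
    """Rules are tried in list order; with reorder=True each hit re-sorts by hit count so
    frequently matched rules move to the front (a stand-in for priority adjustment)."""

    def __init__(self, rules: List[Tuple[str, Callable[[Packet], bool]]], reorder: bool):
        self.rules, self.reorder = list(rules), reorder
        self.hits: Counter = Counter()
        self.comparisons = 0  # cost metric: predicates evaluated

    def match(self, pkt: Packet):
        for name, pred in self.rules:
            self.comparisons += 1
            if pred(pkt):
                self.hits[name] += 1
                if self.reorder:  # stable sort keeps ties in their current order
                    self.rules.sort(key=lambda r: -self.hits[r[0]])
                return name
        return None


# Constructed traffic: a clean handshake, an ACK-scan probe, an FTP brute force, a good login.
SAMPLE = [Packet("tcp", "a", "SYN"), Packet("tcp", "a", "ACK"), Packet("tcp", "b", "ACK"),
          Packet("ftp", "c", "USER"), Packet("ftp", "c", "PASS_FAIL"),
          Packet("ftp", "c", "USER"), Packet("ftp", "c", "PASS_FAIL"),
          Packet("ftp", "c", "USER"), Packet("ftp", "c", "PASS_FAIL"),
          Packet("ftp", "d", "USER"), Packet("ftp", "d", "PASS_OK")]
RULES = [("tcp_syn", lambda p: p.event == "SYN"),
         ("ftp_user", lambda p: p.event == "USER"),
         ("ftp_pass_fail", lambda p: p.event == "PASS_FAIL")]


def run_demo(packets=SAMPLE):
    det = Detector([TCP, FTP])
    dynamic, static = DynamicRuleSet(RULES, True), DynamicRuleSet(RULES, False)
    for pkt in packets:
        det.feed(pkt)
        dynamic.match(pkt)
        static.match(pkt)
    return {"alerts": det.alerts, "rule_order": [n for n, _ in dynamic.rules],
            "dynamic_comparisons": dynamic.comparisons, "static_comparisons": static.comparisons}


if __name__ == "__main__":
    print(run_demo())
```

Running the module prints the two alerts (the ACK-scan session and the brute-forced FTP session), the final rule order, and the number of predicates evaluated with and without reordering; on this sample the reordered set evaluates fewer predicates than the static one. Two points worth noting when taking the idea further: acceptance is reported only on entry to an F state, so a session that stays in an attack state is not re-alerted on every packet, and because first match wins, promoting a rule also changes which of two overlapping rules reports, so a production reorder has to preserve intended precedence rather than sort on hit count alone.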
[Degree-granting institution]: Jiangxi Normal University
[Degree level]: Master
[Year of degree]: 2015
[Classification number]: TP393.08
Article number: 1981654
Link: http://sikaile.net/guanlilunwen/ydhl/1981654.html