
Research on Snort Rule Modeling and Algorithms for the Conversion and Merging of Finite Automata

Published: 2018-07-04 17:49

  Topic: Snort + rule modeling; Source: Xidian University, 2014 master's thesis


[Abstract]: With the rapid development of computer and network technology, network security problems are becoming increasingly prominent. Because a firewall is only a passive, defensive network security tool, it cannot meet today's complex and changing network security needs. As a supplement to the firewall, the intrusion detection system therefore plays an increasingly important role in network security. Snort is currently the most typical lightweight network intrusion detection system. It matches captured packets against the rules in its rule base in order to filter out harmful packets and thereby improve network security.

When Snort is combined with finite automata theory for network intrusion detection, several key problems need to be solved: 1) how to convert Snort rule options into PCRE so that they can be further converted into finite automata; 2) how to represent Snort rules in a uniform specification so as to reduce the complexity of processing them; 3) how to reduce repeated computation when converting a nondeterministic finite automaton (NFA) into a deterministic finite automaton (DFA), so as to improve the efficiency of the NFA-to-DFA conversion; 4) how to efficiently merge multiple DFAs into one DFA so as to speed up packet filtering.

To address these four problems, the main work of this thesis is as follows. (1) Based on the order in which Snort rule options are matched against a packet, an option chain model is established; by converting the rule options into PCRE, the option chain model is then normalized into a PCRE chain model. (2) A new efficient algorithm for converting an NFA into a DFA is proposed to improve the speed of matching packets against Snort rules. The algorithm first uses a hash algorithm to group the characters of the NFA's character set, and then converts the NFA into a DFA using an improved subset construction. (3) A new efficient algorithm for merging multiple DFAs is proposed. The algorithm merges multiple DFAs into one DFA without either combining the DFAs into an NFA or computing the ε-closure.

Experimental results show that both the finite automaton conversion algorithm and the finite automaton merging algorithm proposed in this thesis are correct and efficient. The conversion algorithm effectively avoids the repeated computation of the subset construction and improves conversion efficiency, and the storage space of the state transition matrix of the resulting DFA is also considerably compressed compared with the traditional method.
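As an added illustration of point (3), not the thesis's own algorithm (which this page does not describe), the textbook product construction below merges several DFAs directly into one, with no intermediate NFA and no ε-closure. The helper names, the alphabet and the three content patterns are constructed for this example.

```python
from collections import deque

def contains_dfa(word, alphabet):
    """DFA (start, accepting, delta) accepting any string that contains `word`."""
    n, delta = len(word), {}
    for q in range(n + 1):
        delta[q] = {}
        for c in alphabet:
            if q == n:                      # match already seen: absorbing state
                delta[q][c] = n
                continue
            s, k = word[:q] + c, q + 1      # longest prefix of word that ends s
            while k and not s.endswith(word[:k]):
                k -= 1
            delta[q][c] = k
    return 0, {n}, delta

def merge_dfas(dfas, alphabet):
    """Merge DFAs by exploring reachable tuples of component states (BFS)."""
    start = tuple(d[0] for d in dfas)
    ids, queue = {start: 0}, deque([start])
    delta, matches = [], []                 # indexed by merged state id
    while queue:
        combo = queue.popleft()
        # a merged state remembers which rules' DFAs are accepting in it
        matches.append(frozenset(
            i for i, (q, d) in enumerate(zip(combo, dfas)) if q in d[1]))
        row = {}
        for c in alphabet:
            nxt = tuple(d[2][q][c] for q, d in zip(combo, dfas))
            if nxt not in ids:              # new merged state discovered
                ids[nxt] = len(ids)
                queue.append(nxt)
            row[c] = ids[nxt]
        delta.append(row)
    return delta, matches

def scan(merged, data):
    """Single pass over the payload; returns indices of all rules that matched."""
    delta, matches = merged
    state, hits = 0, set()
    for c in data:
        state = delta[state][c]
        hits |= matches[state]
    return hits

ALPHABET = "acdemt/."                       # constructed toy alphabet
RULES = ["cmd", "etc", "/etc"]              # constructed content patterns
MERGED = merge_dfas([contains_dfa(w, ALPHABET) for w in RULES], ALPHABET)
```

Only reachable state tuples are materialized, so the merged table is usually far smaller than the full product of the component state counts, although that product remains the worst case.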
[Degree-granting institution]: Xidian University
[Degree level]: Master's
[Year degree conferred]: 2014
[Classification number]: TP393.08




Article ID: 2096867


Article link: http://sikaile.net/guanlilunwen/ydhl/2096867.html

