本文選題：Snort + 規(guī)則建模　； 參考：《西安電子科技大學》2014年碩士論文

【摘要】：隨著計算機和網絡技術的快速發(fā)展，，網絡安全問題日益突出。由于防火墻只是一種被動防御性的網絡安全工具，不能滿足如今復雜多變的網絡安全需求。因此作為防火墻的補充，入侵檢測系統(tǒng)在網絡安全領域發(fā)揮著越來越重要的作用。Snort是目前最為典型的輕量級網絡入侵檢測系統(tǒng)，該系統(tǒng)通過將捕獲到的數據包與規(guī)則庫中的規(guī)則進行匹配以過濾有危害的數據包，從而達到提高網絡安全的目的。 在將Snort與有窮自動機理論結合起來進行網絡入侵檢測的過程中，有以下幾個關鍵問題需要解決：1）如何將Snort規(guī)則選項轉化成PCRE，以便進一步轉化成有窮自動機；2）如何將Snort規(guī)則使用統(tǒng)一的規(guī)范進行表示以便減小Snort規(guī)則處理的復雜度；3）如何減少將非確定有窮自動機（Nondeterministic Finite Automaton,NFA）轉化為確定有窮自動機（Deterministic Finite Automaton, DFA）過程中的重復計算，以便提高NFA到DFA的轉化效率；4）如何高效地將多個DFA合并成一個DFA以便加快數據包的過濾速度。 針對以上四個問題，本文的主要工作如下：（1）根據Snort規(guī)則選項對于數據包的匹配順序，建立了選項鏈模型，并進一步 通過將規(guī)則選項轉化成PCRE從而將選項鏈模型歸一化為PCRE鏈模型。（2）提出了將NFA轉化為DFA的一種新的高效算法以提高數據包與Snort規(guī)則 的匹配速度。該算法首先使用哈希算法將NFA字符集上的字符進行分組，再 使用改進的子集構造法將NFA轉化成DFA。（3）提出了合并多個DFA的一種新的高效算法。該算法既不用將多個DFA構造 成一個NFA也不用計算-closure就能將多個DFA合并成了一個DFA。 實驗結果表明，本文提出的有窮自動機轉化算法和有窮自動機合并算法都是正確和高效的。其中有窮自動機轉化算法可以有效避免子集構造法的重復計算，提高了轉化效率，且得到的DFA的狀態(tài)轉換矩陣的存儲空間比起傳統(tǒng)方法也有較大壓縮。
[Abstract]:With the rapid development of computer and network technology, the problem of network security is becoming more and more prominent. Since firewall is only a passive defensive network security tool, it can not meet the needs of complex and changeable network security. Therefore, as a supplement of firewall, intrusion detection system (IDS) plays a more and more important role in the field of network security. Snort is the most typical lightweight network intrusion detection system. By matching the captured data packets with the rules in the rule base, the system filters the harmful data packets, so as to improve the network security. In the process of network intrusion detection based on snort and finite automata theory, there are several key problems that need to be solved: 1) how to convert snort rule options into PCREs in order to further transform snort rules into finite automata; 2) how to express snort rules using uniform specification to reduce the complexity of snort rule processing. How to reduce the double computation in the process of converting nondeterministic finite automata (NFA) into deterministic finite automaton (DFA). In order to improve the conversion efficiency of NFA to DFA 4) how to efficiently combine multiple DFAs into one DFA to speed up packet filtering. For the above four problems, the main work of this paper is as follows: (1) based on the snort rule options for the matching order of packets, a necklace-selecting model is established. Furthermore, by transforming the rule options to PCRE, the necklace-selection model is normalized to PCRE chain model. (2) A new efficient algorithm for converting NFA to DFA is proposed to improve the matching speed between packets and snort rules. The algorithm first uses hash algorithm to group characters on NFA character set, then transforms NFA into DFAs by using improved subset construction method. (3) A new efficient algorithm for merging multiple DFAs is proposed. The algorithm can combine multiple DFAs into a single DFA without either constructing multiple DFAs into one NFA or calculating a closure. The experimental results show that both the finite automata transform algorithm and the finite automata merging algorithm proposed in this paper are correct and efficient. The finite automata transform algorithm can effectively avoid the repeated computation of the subset construction method and improve the conversion efficiency. The storage space of the state conversion matrix of the obtained DFA is also larger than that of the traditional method.
【學位授予單位】：西安電子科技大學
【學位級別】：碩士
【學位授予年份】：2014
【分類號】：TP393.08

【參考文獻】

相關期刊論文 前8條

1 敬茂華;李國瑞;史聞博;才書訓;;一種改進的從NFA到DFA的轉換算法[J];東北大學學報(自然科學版);2012年04期

2 戴方虎;周煒;段鯤;吳時霖;;Internet的移動訪問技術研究[J];計算機科學;2001年03期

3 訾小超;姚立紅;李斕;;一種基于有限狀態(tài)機的隱含信息流分析方法[J];計算機學報;2006年08期

4 李偉男;鄂躍鵬;葛敬國;錢華林;;多模式匹配算法及硬件實現[J];軟件學報;2006年12期

5 徐乾;鄂躍鵬;葛敬國;錢華林;;深度包檢測中一種高效的正則表達式壓縮算法[J];軟件學報;2009年08期

6 任平紅;陳矗;曹寶香;禹繼國;;基于子集構造法的優(yōu)化的NFA確定化算法[J];計算機技術與發(fā)展;2011年01期

7 安立新;藍向陽;;有窮自動機計算中數據結構的設計[J];中國計量學院學報;2007年02期

8 程元斌;;一類NFA到DFA的直接轉化方法[J];計算機系統(tǒng)應用;2012年10期

本文編號：2096867