【摘要】：隨著互聯(lián)網的飛速發(fā)展,以及云技術和大數(shù)據(jù)在這幾年被越來越多的大公司所關注,人們開始享受這些新興技術帶來的便捷的同時也遭受著無孔不入的網絡入侵行為。網絡安全已經成為關乎你我彼此切身利益的重要課題。Snort憑借著其C語言特性,輕量級,開源等特性,被越來越多的人所使用。如何更好的組織Snort指紋規(guī)則庫,是開發(fā)者所關注的焦點。而如何更快的發(fā)現(xiàn)網絡入侵行為,則是用戶所關心的問題。尤其是應用于終端,其數(shù)據(jù)包的匹配速度決定了其性能優(yōu)劣,成為了其成敗的關鍵。由于本框架是基于硬件實現(xiàn)的,所以對匹配速率以及存儲空間提出了更高的要求,本文的工作重點為在不影響匹配速率以及命中率的情況下如何獲取更低的沖突率。針對該問題,本文的工作主要如下:本框架對沖突率以及哈希表的空間大小有著極其嚴格的要求,并且所需映射的數(shù)據(jù)集是動態(tài)的,加之考慮到原有哈希函數(shù)的不足,本文設計出一種新的哈希函數(shù)。針對不同的數(shù)據(jù)集,該函數(shù)會以數(shù)字統(tǒng)計法對數(shù)據(jù)進行預處理,同時該哈希函數(shù)映射后的空間也將保持在較小空間。從經典哈希函數(shù)獲得啟發(fā),該函數(shù)在設計的過程中充分考慮到穩(wěn)定性問題,是一個好的哈希函數(shù)。本框架原有的沖突處理是針對特定的數(shù)據(jù)集,雖然獲得了較低的沖突率,但卻是在犧牲數(shù)據(jù)包的命中率的前提下達成的,而且其方法本身采用的是一種試探性的方法,穩(wěn)定性較差。本文從沖突的本質出發(fā),考慮如何從根源上杜絕沖突的產生,從而設計出了一個新的沖突處理方法。同時該方法采用二級哈希的結構,降低了DFA與指紋特征之間的耦合度,從而進一步降低沖突率。最后實驗結果證明,在不影響命中率的情況下,新的哈希函數(shù)以及沖突處理方法可以將沖突率降低到1.72‰。
[Abstract]:With the rapid development of the Internet, cloud technology and big data have attracted more and more attention in recent years, people begin to enjoy the convenience brought by these new technologies, but also suffer from all-pervasive network intrusion behavior. Network security has become an important issue related to our mutual interests. Snort has been used by more and more people by virtue of its C language features, lightweight, open source and so on. How to better organize Snort fingerprint rule base is the focus of developers. However, how to find network intrusion more quickly is the concern of users. Especially in the terminal, the matching speed of its data packet determines its performance and becomes the key to its success or failure. Since the framework is based on hardware implementation, the matching rate and storage space are required to be higher. The focus of this paper is how to obtain lower collision rate without affecting the matching rate and hit rate. To solve this problem, the main work of this paper is as follows: this framework has very strict requirements for collision rate and space size of hash table, and the data set of the required mapping is dynamic, and considering the shortcomings of the original hash function, In this paper, a new hash function is designed. For different data sets, the function preprocesses the data by digital statistics, and the space mapped by the hash function will be kept in a smaller space. Inspired by the classical hash function, this function is a good hash function, which fully considers the stability problem in the design process. The original conflict treatment of this framework is aimed at a specific data set. Although it obtains a low collision rate, it is achieved at the expense of the hit rate of the packet, and the method itself adopts a tentative method. The stability is poor. Starting from the essence of conflict, this paper considers how to eliminate the conflict from its origin, and designs a new method to deal with the conflict. At the same time, the two-level hash structure is used to reduce the coupling degree between DFA and fingerprint features, thus further reducing the collision rate. The experimental results show that the collision rate can be reduced to 1.72 鈥，

本文編號：2185642