Research on Performance Optimization of a Snort-based Intrusion Prevention System
[Abstract]: Nowadays the development of information technology, and in particular the rapid growth of the Internet, brings great convenience to people's lives. However, the popularity of all kinds of network applications also gives network attackers more opportunities. In recent years network intrusions have increased year by year, and the resulting losses are incalculable. The intrusion prevention system (IPS) is a dedicated technology for defending against all kinds of network attacks. It combines the advantages of a firewall with those of intrusion detection: it can both inspect network packets deeply and block attacks in time. At present the biggest problem of intrusion prevention systems is the bottleneck caused by network delay and packet loss. Because an IPS is connected in series with the backbone network, a large network delay or packet loss seriously affects users' normal network access, so improving the performance of the intrusion prevention system, reducing network delay and increasing system throughput is an urgent problem. In this paper the open source intrusion detection system Snort is analysed in depth, and a prototype intrusion prevention system based on Snort is designed and implemented; the misuse detection module of the system is a port of Snort's core detection engine. On this basis, unit testing and analysis of the misuse detection module locate the system's performance bottlenecks, and the following improvements and optimisations are made to the related links: 1) For the Snort detection engine, a dynamic priority adjustment scheme for the rule chain based on activity degree is proposed and implemented.
Experimental results show that the scheme effectively improves the detection performance of the system in a network environment with "a large number of continuous attacks". 2) The BM and AC pattern matching algorithms used by the current version of Snort, together with existing improved algorithms, are analysed; on this basis an improved multi-pattern matching algorithm is proposed and applied to the system. Experimental comparison shows that the improved algorithm performs better in actual detection than the original version. 3) For multi-core platforms, a "concurrent detection engine model under multi-core platforms" is proposed. The architecture of the misuse detection module is changed from the original single-thread model to a multi-process concurrent model so as to make full use of the computing power of every core of a multi-core CPU. Test results on an 8-core hardware platform show that the model effectively improves the throughput of the system and the detection performance of the whole system. Finally, the three improvement schemes above are applied to the intrusion prevention system and tested together with the system's other functional modules for overall performance. The test results show that the overall performance of the improved system is greatly improved.
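The abstract names two of the ideas behind the improvements without showing how they work: Snort's multi-pattern content matching (the AC algorithm) and reordering the rule chain by "activity degree" so that rules hit by a stream of continuous attacks are tried first. The block below is an added illustration written for this page; it is not code from the thesis or from Snort. It assumes a simplified model in which an inline IPS stops evaluating a packet at the first matching drop rule, defines activity degree as a hit counter halved at every reorder (the thesis's actual metric and decay are not given here), and uses constructed signature strings and traffic. Rule contents, packet payloads and the `PROBE-*` tokens are all made-up sample data.

```python
"""Toy Snort-style misuse detection: Aho-Corasick multi-pattern matching plus
activity-degree reordering of a rule chain.  Added example; the activity metric,
decay factor and sample rules/traffic are assumptions, not the thesis's design."""
from collections import deque


class AhoCorasick:
    """Classic AC automaton: one pass over the payload reports every pattern."""

    def __init__(self, patterns):
        self.goto = [{}]        # state -> {byte value: next state}
        self.fail = [0]         # state -> fallback state on mismatch
        self.out = [set()]      # state -> patterns ending here (incl. via fail links)
        for p in patterns:      # build the trie
            s = 0
            for ch in p:
                if ch not in self.goto[s]:
                    self.goto.append({}); self.fail.append(0); self.out.append(set())
                    self.goto[s][ch] = len(self.goto) - 1
                s = self.goto[s][ch]
            self.out[s].add(p)
        q = deque(self.goto[0].values())   # depth-1 states fail to the root
        while q:                            # BFS so fail[r] is known before r's children
            r = q.popleft()
            for ch, s in self.goto[r].items():
                q.append(s)
                f = self.fail[r]
                while f and ch not in self.goto[f]:
                    f = self.fail[f]
                self.fail[s] = self.goto[f].get(ch, 0)
                self.out[s] |= self.out[self.fail[s]]

    def search(self, data):
        """Return the set of patterns occurring anywhere in data."""
        s, found = 0, set()
        for ch in data:
            while s and ch not in self.goto[s]:
                s = self.fail[s]
            s = self.goto[s].get(ch, 0)
            found |= self.out[s]
        return found


class Rule:
    def __init__(self, sid, content, action="drop"):
        self.sid, self.content, self.action = sid, content, action
        self.activity = 0.0     # assumed metric: decayed hit count


class RuleChain:
    """Rules are tried in chain order; the first matching drop rule ends evaluation,
    as an inline IPS would.  Reordering by activity moves hot rules to the front."""
    DECAY = 0.5                 # assumption: old activity is halved at each reorder

    def __init__(self, rules):
        self.rules = list(rules)
        self.comparisons = 0    # total rule evaluations, the cost we want to cut

    def inspect(self, payload):
        for rule in self.rules:
            self.comparisons += 1
            if rule.content in payload:
                rule.activity += 1
                if rule.action == "drop":
                    return rule.sid
        return None

    def reorder(self):
        # stable sort: rules with equal activity keep their original order
        self.rules.sort(key=lambda r: r.activity, reverse=True)
        for r in self.rules:
            r.activity *= self.DECAY


def make_rules():
    """Five constructed signatures; the 'hot' one sits last in the static chain."""
    return [Rule(1000 + i, tok.encode()) for i, tok in
            enumerate(["PROBE-A", "PROBE-B", "PROBE-C", "PROBE-D", "PROBE-E"])]


# constructed traffic: 100 packets of one continuous attack hitting rule 1004
TRAFFIC = [b"GET /index.html?x=PROBE-E HTTP/1.1"] * 100


def simulate(rules, traffic, reorder_every=None):
    """Run traffic through the chain; return the number of rule evaluations."""
    chain = RuleChain(rules)
    for i, payload in enumerate(traffic, 1):
        chain.inspect(payload)
        if reorder_every and i % reorder_every == 0:
            chain.reorder()
    return chain.comparisons


if __name__ == "__main__":
    ac = AhoCorasick([r.content for r in make_rules()])
    print("patterns in first packet:", ac.search(TRAFFIC[0]))
    print("static chain   :", simulate(make_rules(), TRAFFIC), "rule evaluations")
    print("activity reorder:", simulate(make_rules(), TRAFFIC, 10), "rule evaluations")
```

With the static chain every packet walks all five rules (500 evaluations for the constructed stream); after the first reorder the hot rule is evaluated first and the remaining 90 packets cost one evaluation each (140 in total). The decay keeps a burst from pinning a rule at the head of the chain forever, which is the trade-off any activity-based scheme has to make; the AC automaton is shown separately because in Snort the fast multi-pattern pass selects candidate rules before the per-rule checks that the chain walk models here.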
【Degree-granting institution】: University of Electronic Science and Technology of China
【Degree level】: Master
【Year of degree】: 2014
【Classification number】: TP393.08
Article number: 2192455
Article link: http://sikaile.net/guanlilunwen/ydhl/2192455.html