Research on Performance Optimization of a Snort-Based Intrusion Prevention System
Published: 2018-08-19 18:22
[Abstract]: The continual advance of information technology, and especially the rapid growth of the Internet, has brought great convenience to modern life. However, as network applications of every kind spread, they also give network attackers more opportunities. In recent years network intrusions have risen year on year, and the losses they cause are hard to estimate. Intrusion prevention is a technology dedicated to defending against all kinds of network attacks; it combines the respective strengths of firewalls and intrusion detection, so it can both inspect network packets deeply for attacks and block those attacks in time. At present, the largest problem facing intrusion prevention systems is the performance bottleneck caused by network latency and packet loss. Because an intrusion prevention system is connected inline on the backbone network, any significant latency or packet loss seriously disrupts users' normal network access, so improving the performance of the intrusion prevention system, reducing network latency and increasing system throughput is a problem that urgently needs to be solved. This thesis analyses the open-source intrusion detection system Snort in depth and designs and implements a prototype Snort-based intrusion prevention system whose misuse detection module ports Snort's core detection engine. On that basis, the misuse detection module was unit-tested and analysed to locate the system's performance bottlenecks, and the relevant stages were improved and optimised as follows: 1) For the Snort detection engine, a "rule-chain dynamic priority adjustment scheme based on activity degree" is proposed and implemented. Experimental comparison shows that in a network environment with "large volumes of sustained attacks" the scheme effectively improves the system's detection performance. 2) The BM and AC pattern-matching algorithms used in the current version of Snort are analysed, together with the existing improved variants; on this basis an improved multi-pattern matching algorithm is proposed and applied to the system. Experimental comparison shows that the improved algorithm outperforms the previous version in actual detection. 3) For multi-core platforms, a "concurrent detection engine model for multi-core platforms" is proposed, changing the architecture of the misuse detection module from the original single-threaded model to a multi-process concurrent model so that every core of a multi-core CPU is fully used; test results on an 8-core hardware platform show that the model effectively raises the system's network throughput and improves overall detection performance. Finally, the three improvements above are applied to the intrusion prevention system and tested together with its other functional modules; the test results show that the overall performance of the improved system is substantially better.
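The first improvement, re-prioritising the rule chain by activity, can be sketched in a few dozen lines. The block below is an added example written for this page, not code from the thesis or from Snort: it assumes a single first-match rule chain with a constructed rule set, uses a hit counter as the "activity degree", and counts pattern comparisons so the saving from reordering can be measured.

```c
/* Activity-based dynamic re-prioritisation of a rule chain, a simplified illustration
 * of the abstract's scheme (added example, not thesis or Snort code; all data constructed). */
#include <string.h>
#define MAX_RULES 8
typedef struct {
    int sid;             /* constructed signature id */
    const char *content; /* content keyword the rule looks for */
    unsigned hits;       /* activity degree since the last decay */
} rule_t;

typedef struct {             /* zero-initialise with: chain_t c = {0}; */
    rule_t rules[MAX_RULES]; /* array order is evaluation order */
    int n;
    unsigned probes;         /* cumulative pattern comparisons, for measurement */
} chain_t;

void chain_add(chain_t *c, int sid, const char *content) {
    rule_t r = { sid, content, 0 };
    if (c->n < MAX_RULES) c->rules[c->n++] = r;
}

/* Walk the chain in priority order with first-match semantics.
 * Returns the sid that fired, or 0 when no rule matches. */
int chain_inspect(chain_t *c, const char *payload) {
    for (int i = 0; i < c->n; i++) {
        c->probes++;
        if (strstr(payload, c->rules[i].content)) { c->rules[i].hits++; return c->rules[i].sid; }
    }
    return 0;
}

/* Inspect `count` packets carrying the same payload; return comparisons spent. */
unsigned chain_burst(chain_t *c, const char *payload, int count) {
    unsigned before = c->probes;
    for (int i = 0; i < count; i++) chain_inspect(c, payload);
    return c->probes - before;
}

/* Periodic step: stable insertion sort by hits (descending) so the most active
 * rules are evaluated first, then halve the counters so an old burst cannot
 * pin a rule at the front forever. The caller runs this every N packets. */
void chain_reprioritize(chain_t *c) {
    for (int i = 1; i < c->n; i++) {
        rule_t key = c->rules[i];
        int j = i - 1;
        for (; j >= 0 && c->rules[j].hits < key.hits; j--) c->rules[j + 1] = c->rules[j];
        c->rules[j + 1] = key;
    }
    for (int i = 0; i < c->n; i++) c->rules[i].hits /= 2;
}
```

With four rules and a sustained burst matching the last one, a re-prioritisation cuts the comparisons per packet from four to one, which is the effect the abstract reports for the "large volumes of sustained attacks" case.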
[Degree-granting institution]: University of Electronic Science and Technology of China
[Degree level]: Master
[Year awarded]: 2014
[Classification number]: TP393.08
Article ID: 2192455
Article link: http://sikaile.net/guanlilunwen/ydhl/2192455.html