
Research on Snort Rule Grouping and Mapping Algorithms

Published: 2018-10-30 15:46
[Abstract]: With the rapid development of the Internet, network security problems are becoming increasingly serious. Intrusion detection is a new generation of proactive, active-defense security technology that emerged after traditional security protection measures, and Snort is an intrusion detection system based on rule matching. Snort first analyzes and extracts the characteristics of each kind of intrusion behavior, then writes these characteristics as rules according to a defined specification to form the Snort rule database, and finally completes the intrusion detection process by matching network packets against the rules in that database. In Snort, the efficiency of rule matching is the key factor affecting performance. Research shows that preprocessing the rules in the Snort rule database can improve rule matching efficiency. Following the preprocessing flow for Snort rules, this thesis studies three key problems: how to transform Snort rules into non-deterministic finite state machines, how to group and merge the state machines, and how to map the state machines into a hash table. On this basis it: (1) proposes a method for constructing non-deterministic finite state machines based on the pcre library, in order to handle some of the special syntax in the pcre option that is used heavily in Snort rules; (2) designs a state machine grouping algorithm that groups and merges state machines according to their characteristics to reduce the number of state machines, thereby indirectly reducing the number of state machines that require exact matching and further improving rule matching efficiency; (3) designs a low-collision-rate hash mapping algorithm that quickly locates state machines having a given characteristic while keeping the hash table's collision rate as low as possible. Experimental results show that the algorithms are effective.
[Degree-granting institution]: Xidian University
[Degree level]: Master's
[Year degree granted]: 2014
[Classification number]: TP393.08


Article ID: 2300435

