Research on Snort Rule Grouping and Mapping Algorithms
[Abstract]: With the rapid development of the Internet, network security problems are becoming more and more serious. Intrusion detection is a new generation of active-defense security technology that follows traditional security protection measures. Snort is an intrusion detection system based on rule matching. First, the characteristics of each intrusion behavior are analyzed and extracted, and these features are written as rules according to a defined specification to form the Snort rule database. The intrusion detection process is then completed by matching network packets against the rules in the rule database. In the Snort system, the efficiency of rule matching is the key to Snort's performance. Research shows that rule matching efficiency can be improved by preprocessing the rules in the Snort rule database. Following the preprocessing process of Snort rules, this paper studies how to transform Snort rules into non-deterministic finite state machines, how to group and merge state machines, and how to map state machines into hash tables. On this basis: (1) a method of constructing non-deterministic finite state machines based on the pcre library is proposed to handle some special syntax of the pcre option, which is widely used in Snort rules; (2) a state machine grouping algorithm is designed, which merges state machines according to their characteristics to reduce the number of state machines, thereby indirectly reducing the number of state machines that need exact matching and further improving the efficiency of rule matching; (3) a low-collision-rate hash mapping algorithm is designed, which can quickly locate the state machines with given characteristics while keeping the collision rate of the hash table as low as possible. Experimental results show that the algorithm is effective.
[Degree-granting institution]: Xidian University
[Degree level]: Master's
[Year degree granted]: 2014
[Classification number]: TP393.08
Article number: 2300435
Article link: http://sikaile.net/guanlilunwen/ydhl/2300435.html