
Key Feature Extraction of Snort Rules

Published: 2018-11-22 09:26
[Abstract]: With the rapid growth of the Internet, network security problems are becoming increasingly serious. Intrusion detection is a new, proactive defensive security technology, and Snort is an intrusion detection system based on rule matching. Snort first extracts the features of each kind of intrusion, then writes those features as rules in a defined format to form the Snort rule database, and finally decides whether an intrusion has occurred by checking whether network packets match the rules in that database. In a Snort intrusion detection system, rule-matching efficiency is the key factor in detection efficiency. Matching every Snort rule one by one is very time-consuming and impractical. Instead, rules that share common, patterned content can be grouped by "key features", and each group compiled into one composite deterministic finite automaton (DFA). Pre-matching on the key features then locates a small number of composite DFAs, and exact matching is run only on those, which avoids matching all Snort rules one by one and improves matching efficiency. However, the composite DFAs do not meet the storage requirements of the hardware, so they must be compressed. Based on the above, the main work of this thesis is as follows.

First, the thesis defines "key feature" and proposes a new, effective algorithm for extracting key features from Snort rules. The method extracts all the key features in a regular expression, and grouping by these key features works well. Second, so that packets can be matched against rules exactly, a final-state marking algorithm for composite DFAs is proposed; it determines which of the DFAs that existed before merging a packet has matched. Third, because composite DFAs occupy a large amount of storage and cannot meet the storage requirements of the hardware, a DFA row compression algorithm based on density clustering is proposed, which greatly reduces the storage space of the composite DFAs. A matching algorithm for the row-compressed DFA is proposed as well. Finally, experiments on these algorithms show that grouping by the key features extracted from Snort rules reduces the number of groups from 2076 to 1583, and that the row compression algorithm reduces the storage space of the composite DFAs by 80%, which meets the hardware requirement while keeping the matching speed of the compressed DFA close to that of the uncompressed DFA.
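The pipeline the abstract describes (composite DFA, final-state marking, row compression, matching on the compressed table), as an added sketch that is not code from the thesis. It assumes literal content strings instead of regular expressions and uses a greedy Hamming-distance clustering as a stand-in for the thesis's density clustering, whose details the abstract does not give; all function names and the sample patterns are hypothetical.

```python
# Constructed sample content strings; the list index is the hypothetical rule id.
PATTERNS = [b"cmd.exe", b"/etc/passwd", b"SELECT", b"select "]

def build_dfa(patterns):
    """Composite DFA over all patterns. States are pattern prefixes (state 0 is
    the empty one); marks[s] is the set of rule ids accepted in state s."""
    prefixes = sorted({p[:i] for p in patterns for i in range(len(p) + 1)},
                      key=lambda p: (len(p), p))
    index = {p: i for i, p in enumerate(prefixes)}
    def longest(s):  # longest suffix of s that is still a prefix of a pattern
        return next(index[s[k:]] for k in range(len(s) + 1) if s[k:] in index)
    table = [[longest(p + bytes([b])) for b in range(256)] for p in prefixes]
    marks = [{i for i, pat in enumerate(patterns) if p.endswith(pat)}
             for p in prefixes]
    return table, marks

def compress(table, eps):
    """Greedy stand-in for density clustering: a row joins the first
    representative within Hamming distance eps, stored as (rep, diffs)."""
    reps, rows = [], []
    for row in table:
        for i, rep in enumerate(reps):
            diff = {b: t for b, (t, r) in enumerate(zip(row, rep)) if t != r}
            if len(diff) <= eps:
                break
        else:  # no representative is close enough: this row starts a cluster
            reps.append(row)
            i, diff = len(reps) - 1, {}
        rows.append((i, diff))
    return reps, rows

def step(reps, rows, state, byte):
    """One transition on the compressed table: exception first, then the rep."""
    i, diff = rows[state]
    return diff.get(byte, reps[i][byte])

def scan(reps, rows, marks, data):
    """Run payload bytes through the compressed DFA; return matched rule ids."""
    state, hits = 0, set()
    for byte in data:
        state = step(reps, rows, state, byte)
        hits |= marks[state]
    return hits

def stored_entries(reps, rows):
    return 256 * len(reps) + sum(len(diff) for _, diff in rows)
```

Because every row keeps its exact differences from its representative, the compressed table is lossless: `step` returns the same next state as the uncompressed table for every state and byte.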
[Degree-granting institution]: Xidian University
[Degree level]: Master's
[Year degree granted]: 2014
[Classification number]: TP393.08




Article ID: 2348855


Article link: http://sikaile.net/guanlilunwen/ydhl/2348855.html

