
Research on Snort Rule Grouping and Matching Algorithms

Published: 2018-11-28 15:51
[Abstract]: With the rapid development of Internet technology, the Internet plays an increasingly important role in people's daily work and life, and network security has therefore become a focus of attention. Network intrusion detection systems occupy an important position in network security: they are a further security gate behind the firewall. Snort is a typical, widely used intrusion detection system. By analyzing and summarizing intrusion behavior it derives a set of Snort rules; whenever a packet is captured, the packet's content is matched against all of the Snort rules. If one or more rules match, the packet exhibits intrusion behavior and is a dangerous packet; otherwise it is a normal, safe packet. This thesis combines Snort rules with DFAs and uses DFAs to decide whether the information in a packet exhibits intrusion behavior, which raises the following problems: (1) how to reduce the DFA hit rate during packet matching; (2) how to reduce redundant matching when a packet is matched against the DFAs; (3) how to reduce the storage space occupied by the DFAs. To address these three problems, the main work of this thesis is as follows. (1) A new grouping algorithm based on protocol classification is proposed. All DFAs are divided into HTTP protocol DFAs and non-HTTP protocol DFAs; DFAs are first grouped and merged within each protocol class and then grouped and merged across protocol classes, which reduces the number of DFAs and at the same time reduces the DFA hit rate. (2) An improved matching algorithm. (i) By distinguishing between different rule options and adding a start-position marker, the number of redundant matches is reduced for some DFAs. (ii) A matching method that combines DFAs and NFAs is adopted: when merging DFAs causes state explosion, the DFAs are merged into a new NFA instead, which reduces the storage space occupied. During matching, a new state transition method is used that avoids state backtracking. Experimental results show that the proposed grouping algorithm and matching algorithm are both correct and effective.
[Degree-granting institution]: Xidian University
[Degree level]: Master's
[Year degree granted]: 2014
[Classification number]: TP393.08

Article ID: 2363365


Article link: http://sikaile.net/guanlilunwen/ydhl/2363365.html

