Research on Snort Rule Grouping and Matching Algorithms
Published: 2018-11-28 15:51
[Abstract]: With the rapid development of Internet technology, the Internet plays an increasingly important role in people's daily work and life, so network security has become a focus of attention. The network intrusion detection system (NIDS) holds an important position in network security; it is a second security gate behind the firewall. At present, Snort is a typical and widely used intrusion detection system. By analysing and summarising intrusion behaviour it derives a set of Snort rules; whenever a packet is captured, the packet's contents are matched against all Snort rules, and if one or more rules match, the packet exhibits intrusion behaviour and is a dangerous packet; otherwise it is a normal, safe packet. This thesis combines Snort rules with DFAs and uses DFAs to decide whether the information in a packet exhibits intrusion behaviour, which raises the following problems: (1) how to lower the DFA hit rate when a packet is matched; (2) how to reduce redundant matching when a packet is matched against DFAs; (3) how to reduce the storage space occupied by the DFAs. Addressing these three problems, the main work of this thesis is as follows: (1) A new grouping algorithm based on protocol classification is proposed: all DFAs are divided into HTTP-protocol DFAs and non-HTTP-protocol DFAs; DFA groups are first merged within each protocol class and then merged between protocol classes, which reduces the number of DFAs and, at the same time, the DFA hit rate. (2) An improved matching algorithm. i) By distinguishing different rule options and adding a start-position marker, the number of redundant matches for some DFAs is reduced. ii) A matching method combining DFA and NFA is adopted: when merging DFAs causes state explosion, the DFAs are merged into a new NFA instead, which reduces the storage space occupied; during matching, a new state-transition method avoids state backtracking. Experimental results show that both the proposed grouping algorithm and the proposed matching algorithm are correct and effective.
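The abstract describes three ideas: route each packet only to the automata of its protocol class, merge a class's rules into one matcher, and fall back from a merged DFA to an NFA when subset construction explodes, simulating the NFA without backtracking. The following Python sketch is an added illustration of those ideas and is not code from the thesis. It assumes a tiny pattern language (literal bytes plus a one-byte wildcard `ANY`, every pattern searched anywhere in the payload), a constructed rule set, a constructed protocol classifier that looks at the request method, and a constructed DFA state budget; all of these are assumptions made for the example.

```python
"""Protocol-grouped signature matching with a DFA/NFA hybrid (added example, not the thesis's code)."""
from collections import defaultdict

ANY = None                       # one-byte wildcard token (assumption for this example)
def lit(s):                      # bytes -> list of literal byte tokens
    return list(s)

# Constructed rules: (rule id, protocol class, token list). Not from the thesis.
RULES = [
    (1, "http",  lit(b"GET /cgi-bin/")),
    (2, "http",  lit(b"../../")),
    (3, "http",  lit(b"<script")),
    (4, "other", lit(b"USER anonymous")),
    (5, "other", lit(b"a") + [ANY] * 6 + lit(b"b")),   # wildcard gap: its DFA blows up
]

class NFA:
    """Merged NFA for one group: state 0 self-loops on any byte (scan from every
    offset); each pattern is a chain from state 0 whose last state accepts."""
    def __init__(self):
        self.trans = defaultdict(list)    # state -> [(byte or None, next_state)]
        self.accept = {}                  # state -> rule id
        self.trans[0].append((ANY, 0))
        self.n = 1
    def add(self, rid, tokens):
        cur = 0
        for tok in tokens:
            nxt, self.n = self.n, self.n + 1
            self.trans[cur].append((tok, nxt))
            cur = nxt
        self.accept[cur] = rid
    def step(self, states, b):
        return frozenset(t for s in states for tok, t in self.trans[s]
                         if tok is None or tok == b)
    def scan(self, payload):
        """Breadth-first simulation: one active set per input byte, no backtracking."""
        active, hits = frozenset({0}), set()
        for b in payload:
            active = self.step(active, b)
            hits.update(self.accept[s] for s in active if s in self.accept)
        return hits

class DFA:
    """Subset construction over the merged NFA; gives up (None) once the state
    count would exceed the budget, which is the state-explosion case."""
    @staticmethod
    def build(nfa, budget):
        start = frozenset({0})
        ids, work, trans, accept = {start: 0}, [start], {}, {}
        while work:
            S = work.pop()
            sid = ids[S]
            accept[sid] = {nfa.accept[s] for s in S if s in nfa.accept}
            for b in range(256):
                T = nfa.step(S, b)
                if T not in ids:
                    if len(ids) >= budget:
                        return None
                    ids[T] = len(ids)
                    work.append(T)
                trans[(sid, b)] = ids[T]
        d = DFA()
        d.trans, d.accept, d.size = trans, accept, len(ids)
        return d
    def scan(self, payload):
        s, hits = 0, set()
        for b in payload:
            s = self.trans[(s, b)]
            hits |= self.accept[s]
        return hits

class Engine:
    def __init__(self, rules, dfa_budget):
        self.nfas = defaultdict(NFA)
        for rid, proto, tokens in rules:
            self.nfas[proto].add(rid, tokens)      # merge within the protocol class
        # Per class: keep the DFA if it fits the budget, otherwise the NFA.
        self.matchers = {p: (DFA.build(n, dfa_budget) or n) for p, n in self.nfas.items()}
    @staticmethod
    def classify(payload):
        # Constructed classifier: HTTP if the payload starts with a request method.
        return "http" if payload.startswith((b"GET ", b"POST ", b"HEAD ")) else "other"
    def inspect(self, payload):
        """Only the matcher of the packet's protocol class is consulted."""
        return self.matchers[self.classify(payload)].scan(payload)

if __name__ == "__main__":
    eng = Engine(RULES, dfa_budget=64)
    for p, m in eng.matchers.items():
        print(p, type(m).__name__, getattr(m, "size", m.n), "states")
    print(eng.inspect(b"GET /cgi-bin/../../etc HTTP/1.0"))
```

With the constructed budget of 64 states the literal-only HTTP group compiles to a DFA, while the group containing the wildcard gap exceeds the budget and is kept as an NFA whose simulation tracks a set of active states and therefore never backtracks; both matchers report the same rule ids for a given payload.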
[Degree-granting institution]: Xidian University (西安電子科技大學)
[Degree level]: Master's
[Year degree conferred]: 2014
[Classification number]: TP393.08
Article ID: 2363365
Article link: http://sikaile.net/guanlilunwen/ydhl/2363365.html