
Research on Performance Optimization for Lightweight Intrusion Detection Systems

Published: 2019-01-29 00:42
[Abstract]: As security appliances that detect intrusions into systems, intrusion detection systems (IDS) play an important role in information security. Raising the detection speed of an IDS while lowering its false positive and false negative rates is a research focus in the field. Snort, a lightweight open-source IDS, is widely deployed and studied. Building on a detailed analysis of its architecture, this thesis optimizes Snort's performance in both time and space. The main work is as follows:

1. Improving Snort's detection performance in time: the Snort rule set is optimized by deleting rules that do not affect the matching result and modifying others, so that relatively few rules match more features. This reduces the computation needed to inspect each packet and thereby raises the system's detection speed.

2. Improving Snort's detection performance in space: to reduce the memory the IDS occupies at run time, the structure of Snort's fast detection engine is optimized. Changing how the rule nodes of the source-port and destination-port sets are linked to the rule nodes of the generic rule set yields a new fast detection engine structure that lowers memory use without affecting detection performance.

3. Designing a method for detecting the protocol features of HTTP packets. When identifying a packet's protocol, this method inspects only the IP protocol field, the TCP protocol field and the HTTP protocol marker; compared with the original Snort, it reduces the amount of computation, so Snort can process more packets in the same time. During detection, the data portion of every packet in an HTTP session is extracted and merged into a single virtual packet, which the detection engine then inspects. Detecting in this way lowers Snort's false positive and false negative rates.

Packets captured in a real network environment were used as test data to measure Snort's performance before and after the code changes. The experimental results show that modifying the structure of the fast detection engine, optimizing the rule set and designing the HTTP protocol feature detection method raise Snort's detection speed and markedly lower its false negative and false positive rates.
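The session handling described in point 3 of the abstract, as an added example that is not part of the thesis or of Snort's own code: a cheap protocol pre-filter on the IP protocol number and TCP port, reassembly of one HTTP session's payloads into a single "virtual packet", and a comparison against naive per-segment matching to show why a signature that straddles a segment boundary is missed (a false negative) when each segment is inspected alone. The `Segment` type, the request bytes, the sequence numbers and the `X-Probe: demo-signature` pattern are all constructed for this example; the pre-filter is a simplification and does not reproduce Snort's actual port-group logic.

```python
"""Added example (not from the thesis or from Snort): HTTP session reassembly
into a virtual packet before signature matching, beside a per-segment matcher.
All segments, sequence numbers and the signature below are constructed."""
from __future__ import annotations
from dataclasses import dataclass

IPPROTO_TCP = 6
HTTP_PORT = 80
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ")


@dataclass(frozen=True)
class Segment:
    """One captured TCP segment of a session (a hypothetical, minimal record)."""
    proto: int      # IP protocol number; 6 = TCP
    dport: int      # TCP destination port
    seq: int        # TCP sequence number of the first payload byte
    payload: bytes


def is_http_candidate(seg: Segment) -> bool:
    """Cheap pre-filter in the spirit of the thesis: look only at the IP protocol
    field and the TCP port; content inspection is deferred to the session level."""
    return seg.proto == IPPROTO_TCP and seg.dport == HTTP_PORT


def reassemble(segments: list[Segment]) -> bytes:
    """Build the virtual packet: order segments by sequence number and write each
    byte into place only once, so retransmitted or overlapping segments do not
    duplicate data. Bytes of segments that never arrived stay zero."""
    if not segments:
        return b""
    base = min(s.seq for s in segments)
    end = max(s.seq + len(s.payload) for s in segments)
    buf = bytearray(end - base)
    filled = bytearray(end - base)          # 1 where a byte is already written
    for seg in sorted(segments, key=lambda s: s.seq):
        for i, byte in enumerate(seg.payload):
            off = seg.seq - base + i
            if not filled[off]:
                buf[off] = byte
                filled[off] = 1
    return bytes(buf)


def looks_like_http_request(stream: bytes) -> bool:
    """HTTP marker check on the reassembled stream: a known request method."""
    return stream.startswith(HTTP_METHODS)


def match_per_segment(segments: list[Segment], pattern: bytes) -> bool:
    """Naive matching: test each segment's payload in isolation."""
    return any(pattern in s.payload for s in segments if is_http_candidate(s))


def match_virtual_packet(segments: list[Segment], pattern: bytes) -> bool:
    """Session matching: pre-filter, reassemble, then test the whole stream."""
    stream = reassemble([s for s in segments if is_http_candidate(s)])
    return looks_like_http_request(stream) and pattern in stream


# Constructed HTTP request carrying a constructed signature in a header.
REQUEST = (b"GET /index.html HTTP/1.1\r\n"
           b"Host: www.example.test\r\n"
           b"X-Probe: demo-signature\r\n"
           b"\r\n")
PATTERN = b"X-Probe: demo-signature"

# Split points chosen so the signature straddles two segments.
CUT1 = REQUEST.index(b"Host:")
CUT2 = REQUEST.index(b"demo-sig") + len(b"demo-sig")
BASE_SEQ = 1000
SESSION = [
    Segment(IPPROTO_TCP, HTTP_PORT, BASE_SEQ + CUT2, REQUEST[CUT2:]),   # out of order
    Segment(IPPROTO_TCP, HTTP_PORT, BASE_SEQ, REQUEST[:CUT1]),
    Segment(IPPROTO_TCP, HTTP_PORT, BASE_SEQ + CUT1, REQUEST[CUT1:CUT2]),
    Segment(IPPROTO_TCP, HTTP_PORT, BASE_SEQ + CUT1, REQUEST[CUT1:CUT2]),  # retransmit
    Segment(17, 53, 0, b"udp noise, dropped by the pre-filter"),
]


def demo() -> dict:
    """Return both verdicts so the false negative of per-segment matching is visible."""
    return {
        "per_segment": match_per_segment(SESSION, PATTERN),
        "virtual_packet": match_virtual_packet(SESSION, PATTERN),
    }


if __name__ == "__main__":
    print(demo())
```

Running it shows `per_segment` as `False` and `virtual_packet` as `True`: the same rule and the same bytes, but only the reassembled stream exposes the header that was split across the segment boundary. The pre-filter also drops the non-TCP record before any content work is done, which is the computational saving the abstract's third point describes.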
[Degree-granting institution]: National University of Defense Technology (國防科學技術大學)
[Degree level]: Master's
[Year awarded]: 2014
[Classification number]: TP393.08

【參考文獻(xiàn)】

相關(guān)期刊論文 前6條

1 張杰;李永忠;;基于半監(jiān)督聚類云模型動(dòng)態(tài)加權(quán)的入侵檢測(cè)方法[J];計(jì)算機(jī)應(yīng)用與軟件;2014年03期

2 張正光;李國(guó)寧;陳璐;;CIPS中基于改進(jìn)GANN的入侵檢測(cè)模型[J];計(jì)算機(jī)工程;2013年04期

3 王良民;茅冬梅;梁軍;;基于RFID系統(tǒng)的隱私保護(hù)技術(shù)[J];江蘇大學(xué)學(xué)報(bào)(自然科學(xué)版);2012年06期

4 劉平;曹云;;入侵檢測(cè)在網(wǎng)絡(luò)安全中的地位與作用[J];湘南學(xué)院學(xué)報(bào);2010年02期

5 徐嘉銘;;SQL注入攻擊原理及在數(shù)據(jù)庫(kù)安全中的應(yīng)用[J];電腦編程技巧與維護(hù);2009年18期

6 吳耀斌;王科;龍?jiān)兰t;;基于跨站腳本的網(wǎng)絡(luò)漏洞攻擊與防范[J];計(jì)算機(jī)系統(tǒng)應(yīng)用;2008年01期

,

Article ID: 2417470


Link to this article: http://sikaile.net/guanlilunwen/ydhl/2417470.html

