Research on Performance Optimization of Lightweight Intrusion Detection Systems
Published: 2019-01-29 00:42
[Abstract]: An intrusion detection system (IDS) is a security device that detects intrusions into a system and plays an important role in information security. Raising the detection speed of an IDS while lowering its false positive and false negative rates is a research focus in the field. Snort, a lightweight open-source IDS, is widely deployed and studied. Building on an in-depth analysis of its architecture, this thesis optimizes Snort's performance in two dimensions, space and time. The main work is: 1. Improving Snort's detection performance in time: the Snort rule set is optimized by deleting rules that do not affect matching results and modifying others, so that relatively fewer rules match more signatures and less computation is needed per inspected packet, which raises detection speed. 2. Improving Snort's detection performance in space: to reduce the memory footprint of the running IDS, the structure of Snort's fast detection engine is optimized. By changing how the rule nodes of the source-port and destination-port sets are linked to the rule nodes of the generic rule set, a new fast-detection-engine structure is formed that cuts memory usage without affecting detection performance. 3. Designing a method for detecting the features of HTTP packets. When checking a packet's protocol features, this method examines only the IP protocol identifier, the TCP protocol identifier and the HTTP identifier; compared with the original Snort, it needs less computation, so Snort can process more packets in the same time. During detection, the data portion of every packet in an HTTP session is extracted and merged into a single virtual packet, which the detection engine then inspects; detecting in this way lowers Snort's false positive and false negative rates. Packets captured in a real network environment were used as test data to measure Snort's performance before and after the code changes. The experimental results show that modifying the fast detection engine structure, optimizing the rule set and designing the HTTP feature detection method raise Snort's detection speed and markedly lower its false negative and false positive rates.
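The virtual-packet idea from point 3 of the abstract, as an added Python example that is not code from the thesis or from Snort: a signature split across TCP segment boundaries is missed when each segment is matched on its own but is found once the session payload is merged and inspected as one buffer. The signatures, packet fields and sample capture are constructed for illustration and are not Snort rule syntax.

```python
import re

# Constructed illustrative signatures (not Snort rule syntax).
SIGNATURES = {
    "path-traversal": re.compile(rb"\.\./\.\./"),
    "sqli-union": re.compile(rb"union(?:\s|%20)+select", re.IGNORECASE),
}

def is_http_candidate(pkt) -> bool:
    """Cheap protocol pre-filter in the spirit of the abstract: only the IP
    protocol field and the TCP port are looked at, no content matching yet."""
    return pkt["proto"] == "TCP" and 80 in (pkt["sport"], pkt["dport"])

def match_signatures(data: bytes) -> set:
    """Run every signature over one buffer and return the names that hit."""
    return {name for name, pat in SIGNATURES.items() if pat.search(data)}

def detect_per_packet(packets) -> set:
    """Baseline: each TCP segment is inspected alone, so a pattern that
    straddles a segment boundary is never seen in full (a false negative)."""
    hits = set()
    for pkt in filter(is_http_candidate, packets):
        hits |= match_signatures(pkt["payload"])
    return hits

def build_virtual_packet(packets) -> bytes:
    """Virtual-packet method: collect the payload of every segment of the HTTP
    session, order by TCP sequence number and merge into one buffer."""
    ordered = sorted(filter(is_http_candidate, packets), key=lambda p: p["seq"])
    return b"".join(p["payload"] for p in ordered)

def detect_virtual_packet(packets) -> set:
    """Inspect the merged session buffer once instead of segment by segment."""
    return match_signatures(build_virtual_packet(packets))

# Constructed sample capture: one HTTP request whose request line is split
# across three segments (arriving out of order) plus an unrelated DNS packet.
CAPTURE = [
    {"proto": "TCP", "sport": 40000, "dport": 80, "seq": 19,
     "payload": b"/../etc/passwd?id=1%20UNION"},
    {"proto": "UDP", "sport": 5353, "dport": 53, "seq": 0,
     "payload": b"\x12\x34\x01\x00"},
    {"proto": "TCP", "sport": 40000, "dport": 80, "seq": 1,
     "payload": b"GET /cgi-bin/../.."},
    {"proto": "TCP", "sport": 40000, "dport": 80, "seq": 46,
     "payload": b"%20SELECT%201 HTTP/1.1\r\nHost: h.test\r\n\r\n"},
]
```

Per-segment matching reports nothing for this capture, while the merged virtual packet triggers both signatures.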
Degree-granting institution: National University of Defense Technology
Degree level: Master's
Year of degree conferral: 2014
Classification number: TP393.08
Article number: 2417470
Link to this article: http://sikaile.net/guanlilunwen/ydhl/2417470.html