Research on an Intrusion Detection System with Active Defense Capability
Published: 2019-01-02 09:05
[Abstract]: An intrusion detection system usually consists of four parts: an event generator, an event analyzer, a response unit and an event database. Of these, the event analyzer is the key component of intrusion detection technology. In the event analyzer of a network intrusion detection system, every packet captured from the network has to be analyzed and matched against the signature set, which consumes a great deal of time and system resources. Most existing network intrusion detection systems reach detection speeds of only tens of megabits per second; with the widespread deployment of 100-megabit and even gigabit networks, detection speed has fallen far behind network speed. To address this detection-speed bottleneck, we improve the AC-BM algorithm. Besides the intrusion detection system, a computer may also run other classes of security equipment, such as firewalls and vulnerability scanners; how these security components exchange information and cooperate to discover, respond to and block attacks bears on the security of the whole system. The detection of spyware and adware is another troublesome problem. To address these issues, we build an active defense module, with active defense capability, on top of the improved AC-BM algorithm.
The thesis first introduces the concept and model of a general intrusion detection system and the classification of intrusion detection techniques. It then describes the CIDF model of network intrusion detection systems and the weaknesses and limitations of intrusion detection, which lead to the significance, current state and background of our research. Next, the principle of data acquisition is explained: because packet capture was implemented on the Linux operating system with the Libpcap library, the relevant Libpcap functions and data structures are introduced, the packet capture program is described in detail, and its experimental results are presented. The thesis then briefly covers the four-layer TCP/IP model, the datagram encapsulation process, and the formats and data structures of protocols such as IP and TCP; these matter because they are prerequisites for datagram protocol analysis and payload analysis. The emphasis, however, is on the principle of data analysis, module design and program implementation, with experimental data given at the end. We then present our own improvement to the AC-BM algorithm: how it is improved, how it works, and its implementation, test results and result analysis in detail. An active defense module is built to provide multi-layered defense in depth and interaction with other security devices, and the functions of scan detection, anti-spyware and anti-adware are explored. Finally, conclusions are drawn and the work that remains to be improved in the future is outlined.
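The abstract's bottleneck is the per-packet signature match in the event analyzer. As an added illustration that is not code from the thesis, the Python below implements the Aho-Corasick automaton that the "AC" half of AC-BM builds on: all signatures are compiled into one automaton and each packet payload is scanned in a single pass, so matching cost does not grow with the number of signatures (the Boyer-Moore skip heuristics and the thesis's own improvements are not reproduced). The signature list and HTTP payload are constructed samples.

```python
from collections import deque

# Constructed sample signatures and packet payload (not from the thesis).
SIGNATURES = [b"../", b"/etc/passwd", b"cmd.exe", b"<script>"]
PAYLOAD = b"GET /cgi-bin/test.cgi?file=../../etc/passwd HTTP/1.0\r\n"

def build_automaton(patterns):
    """Build the Aho-Corasick automaton: goto trie, failure links, outputs."""
    goto = [{}]           # goto[state][byte] -> next state
    out = [set()]         # out[state] -> signatures that end in this state
    for pat in patterns:
        s = 0
        for b in pat:
            if b not in goto[s]:
                goto.append({})
                out.append(set())
                goto[s][b] = len(goto) - 1
            s = goto[s][b]
        out[s].add(pat)
    # Failure links by breadth-first traversal; depth-1 states fall back to root.
    fail = [0] * len(goto)
    queue = deque(goto[0].values())
    while queue:
        r = queue.popleft()
        for b, s in goto[r].items():
            queue.append(s)
            f = fail[r]
            while f and b not in goto[f]:
                f = fail[f]
            fail[s] = goto[f].get(b, 0)
            out[s] |= out[fail[s]]   # a proper suffix of this state may be a signature
    return goto, fail, out

def scan_payload(automaton, payload):
    """One pass over the payload; returns (offset, signature) for every hit."""
    goto, fail, out = automaton
    s, hits = 0, []
    for i, b in enumerate(payload):
        while s and b not in goto[s]:
            s = fail[s]
        s = goto[s].get(b, 0)
        for pat in out[s]:
            hits.append((i - len(pat) + 1, pat))
    return sorted(hits)

if __name__ == "__main__":
    for off, sig in scan_payload(build_automaton(SIGNATURES), PAYLOAD):
        print(f"offset {off}: {sig!r}")
```

Overlapping hits (the second `../` and `/etc/passwd` share a byte) are all reported, which a per-signature scan that advances past each match would miss.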
[Degree-granting institution]: Jiangnan University (江南大學(xué))
[Degree level]: Master's
[Year of degree award]: 2006
[Classification number]: TP393.08
Document number: 2398300
[Cited by]
Related master's theses (1 listed)
1 Zheng Guanzhen (鄭冠貞); A Network Intrusion Detection System Based on Linux [D]; China University of Petroleum; 2010
Document link: http://sikaile.net/wenyilunwen/guanggaoshejilunwen/2398300.html