Research on the Application of a Snort-Based Hybrid Intrusion Detection Model in a Cyber Range
Published: 2018-01-25 04:01
Keywords: cyber range; intrusion detection system; improved Snort model; data mining. Source: Chongqing University of Technology, 2015 master's thesis. Thesis type: degree thesis
[Abstract]: A cyber range is a simulated virtual training ground for network security, attack and defense exercises and personnel training; its purpose is to improve trainees' network attack and defense skills. Exercises on the range generate attack and defense traffic, and the detection and recording of that traffic is generally performed by an intrusion detection system (IDS). Real-time detection and logging are the two core functions of an IDS: real-time inspection of network packets captures the intrusion behaviour produced during attack and defense drills, acting like a flight recorder that reflects how the exercise unfolds, while the log data produced by the logging function provides a sound basis for presenting and evaluating the training. The range tracking system, which accurately detects and displays the state of an exercise in real time, relies mainly on these two core functions, so the IDS is an important component of the range tracking system. Weighing cost against technical factors, the well-known IDS Snort was chosen for the training range tracking system because it is open source and free. In practical use Snort has shown many defects and problems, but because it is open and flexible it leaves great room for improvement and is well worth studying. This thesis studies how to improve Snort's performance as applied in the range tracking system. First, it analyses in depth the development of intrusion detection and the current state of Snort's use, and identifies Snort's inherent shortcomings. Second, it analyses in detail the architecture of the existing Snort system, its main function modules and its detection mechanism, and studies the data mining techniques that have been applied to intrusion detection. To address the problem that, when many attack and defense exercises run on the range, Snort's detection efficiency drops and the logs it produces cannot be delivered to the tracking system in time for display to the assessors, an anomaly detection module is designed for Snort to filter out the large volume of normal network traffic and so raise detection efficiency. To address the fact that trainees keep trying new attacks in the range environment, a new-rule generation module is designed to give Snort the ability to detect new intrusion behaviour; together these yield a data-mining-based Snort hybrid model. Building on the new model, the K-means clustering algorithm and the Apriori algorithm used in the added modules are analysed in depth and improved, the improved algorithms are incorporated into the new function modules and added to Snort as plug-ins, and experiments demonstrate the feasibility and effectiveness of the improved Snort hybrid detection model in cyber range applications.
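The abstract does not reproduce the thesis's own rule-generation code, so the following is an added illustration (not the author's implementation) of what such a module does: run Apriori over the attribute sets of flows the anomaly stage has already flagged and turn each frequent (proto, dport, content) combination into a Snort rule. The flow records, the attribute encoding and the starting sid are all constructed assumptions.

```python
from itertools import combinations
from collections import Counter

# Constructed sample (not real range traffic): attribute sets of flows the anomaly stage flagged.
FLAGGED_FLOWS = [
    {"proto=tcp", "dport=80", "content=/etc/passwd"},
    {"proto=tcp", "dport=80", "content=/etc/passwd"},
    {"proto=tcp", "dport=80", "content=/etc/passwd"},
    {"proto=tcp", "dport=22", "content=/etc/passwd"},
    {"proto=udp", "dport=53", "content=version.bind"},
    {"proto=udp", "dport=53", "content=version.bind"},
]

def apriori(transactions, min_support):
    """Classic Apriori: return {frozenset(items): support} for every frequent itemset."""
    n = len(transactions)
    counts = Counter(item for t in transactions for item in t)
    frequent = {frozenset([i]): c / n for i, c in counts.items() if c / n >= min_support}
    level, k = list(frequent), 2
    while level:
        # join step: merge (k-1)-itemsets into k-itemsets
        candidates = {a | b for a, b in combinations(level, 2) if len(a | b) == k}
        # prune step: every (k-1)-subset of a candidate must itself be frequent
        candidates = {c for c in candidates
                      if all(frozenset(s) in frequent for s in combinations(c, k - 1))}
        level = []
        for c in candidates:
            support = sum(1 for t in transactions if c <= t) / n
            if support >= min_support:
                frequent[c] = support
                level.append(c)
        k += 1
    return frequent

def escape_content(s):
    """Escape characters that Snort's content keyword treats specially."""
    return s.replace("\\", "\\\\").replace('"', '\\"').replace(";", "\\;").replace("|", "|7C|")

def generate_rules(transactions, min_support=0.3, base_sid=1000001):
    """One Snort rule per frequent (proto, dport, content) combination; base_sid is a placeholder."""
    rules = []
    ranked = sorted(apriori(transactions, min_support).items(),
                    key=lambda kv: (-kv[1], sorted(kv[0])))  # strongest pattern first
    for items, support in ranked:
        attrs = dict(item.split("=", 1) for item in items)
        if not {"proto", "dport", "content"} <= set(attrs):
            continue  # a partial pattern is not specific enough to become a rule
        rules.append(f'alert {attrs["proto"]} any any -> any {attrs["dport"]} '
                     f'(msg:"mined pattern support={support:.2f}"; '
                     f'content:"{escape_content(attrs["content"])}"; sid:{base_sid + len(rules)}; rev:1;)')
    return rules
```

Mined rules are candidates for analyst review before they are loaded, since a frequent pattern in flagged traffic is not necessarily a malicious one.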
[Degree-granting institution]: Chongqing University of Technology
[Degree level]: Master's
[Year degree conferred]: 2015
[Classification number]: TP393.08
Record ID: 1461922
Link: https://www.wllwen.com/guanlilunwen/ydhl/1461922.html