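Research and Implementation of Snort Rule Matching Algorithms
Published: 2018-03-19 17:05
Topic: intrusion detection  Focus: Snort  Source: Jiangxi University of Science and Technology, 2014 master's thesis  Document type: degree thesis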
[Abstract]: With the rapid development of computer networks, people's lives are changing profoundly, and computer networks have become a very important part of daily life. Network security, however, has always been a focus of research and attention; from the state down to the individual, everyone understands its importance.

As one of the representative network security technologies, the intrusion detection system (IDS) has long been a focus of study for experts and scholars. As a young branch of the discipline, its models, principles, functions and classification are all worth studying. Intrusion detection is emerging from among traditional network security technologies to become a mainstream one.

Snort is a lightweight, open-source intrusion detection system; analyzing its working principle, detection process and rule syntax is necessary for learning the Snort system. This thesis also analyzes the whole Snort pipeline, from packet capture, the packet decoder, the preprocessors, rule parsing and the detection engine, through to response and output.

The thesis focuses on the pattern matching algorithms used by the Snort detection engine. It analyzes the BM, BMH and BMHS algorithms, points out their strengths and weaknesses, and lays out the ideas behind BM and its improved variants. On this basis, considering three aspects and adopting a double-character sequence detection method, it proposes improved BM algorithm 1. It then extends the ideas of the BMH and BMHS algorithms to propose another, improved BM algorithm 2.

Building on the study and analysis of Snort, a Snort intrusion detection system for the Windows platform is designed that displays intrusion detection analysis results graphically. Finally, the improved algorithms are applied in Snort; experimental verification and comparative analysis show that they are more efficient than the BM algorithm and its improved variants. The improvement of the algorithms is successful and helpful to the future development of the Snort system.
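[Degree-granting institution]: Jiangxi University of Science and Technology
[Degree level]: Master's
[Year degree granted]: 2014
[Classification number]: TP393.08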
Article ID: 1635188
Article link: https://www.wllwen.com/guanlilunwen/ydhl/1635188.html