
Research on Several Key Technologies of High-Speed Network Intrusion Detection Systems

Published: 2018-03-26 07:18

Topic: high-speed networks. Focus: intrusion detection systems. Source: Yanbian University, 2014 master's thesis


[Abstract]: Network applications are developing rapidly, and the wide variety of network attacks places higher demands on network intrusion detection systems (NIDS). An intrusion detection system running on a single host can no longer meet the requirements of high-speed networks, so hierarchical, distributed intrusion detection systems have become the focus of research. In studying the problems faced by high-speed NIDS, this thesis first proposes a processing model for high-speed NIDS and then studies the key technologies within that model: fast data capture, application protocol identification and adaptive load distribution. The model is implemented on an embedded computing platform based on the ATCA (Advanced Telecom Computing Architecture) standard, and the results have been applied in a "major project" of the Chinese Academy of Sciences.

Based on an analysis of NIDS, the thesis proposes an Extensible Distributed Parallel Processing Model (EDPPM) for high-speed network intrusion detection. The model has a hierarchical structure: the front end performs simple processing on the data, while the back end performs the time-consuming intrusion detection. EDPPM is highly scalable, offers high throughput and meets the requirements of high-speed NIDS.

For the protocol identification problem in intrusion detection systems, the thesis proposes a fast application protocol identification method. Using a port-based identification algorithm, network sessions are divided into long-cache sessions and short-cache sessions. Long-cache sessions buffer more bytes and are used to identify complex protocols; short-cache sessions buffer relatively few bytes and are used to identify simple protocol types. This removes the drawbacks of the cumulative matching approach. After analysing pattern matching algorithms, the AC (Aho-Corasick) multi-pattern matching algorithm is adopted for pattern matching. Experiments show that the method effectively improves protocol identification throughput and is noticeably more accurate than L7-filter.

To meet the load balancing needs of the hierarchical EDPPM model, the thesis proposes a minimum weighted entropy first dynamic load balancing algorithm based on protocol classification. The algorithm's input is the set of data flows after application protocol classification. It combines static allocation (hash modulo) with probe-load-based dynamic allocation of TCP sessions, balancing the load across the detectors while preserving session integrity, so as to suit intrusion detection in high-speed network environments.
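The port-based long-cache/short-cache scheme and AC multi-pattern matching described in the abstract, as an added Python illustration (not code from the thesis): the signature table, the set of long-cache ports and the byte caps are constructed assumptions, and each session is buffered only up to its cap before a decision is forced, which is what bounds the memory the cumulative approach would otherwise consume.

```python
from collections import deque
# Constructed sample signatures (byte pattern -> protocol label); illustrative, not from the thesis.
SIGNATURES = {b"GET ": "http", b"HTTP/1.": "http", b"SSH-2.0": "ssh", b"USER ": "ftp"}
LONG_CACHE_PORTS, LONG_CAP, SHORT_CAP = {80, 8080}, 1024, 64   # assumed port split and byte caps

class AhoCorasick:   # multi-pattern matcher: byte trie plus BFS-built failure links, one pass over input
    def __init__(self, patterns):
        self.goto, self.fail, self.out = [{}], [0], [[]]   # per-state tables, state 0 = root
        for pat, label in patterns.items():
            s = 0
            for b in pat:
                if b not in self.goto[s]:
                    self.goto[s][b] = len(self.goto)
                    self.goto.append({}); self.fail.append(0); self.out.append([])
                s = self.goto[s][b]
            self.out[s].append(label)
        queue = deque(self.goto[0].values())   # depth-1 states keep fail = root
        while queue:
            r = queue.popleft()
            for b, s in self.goto[r].items():
                queue.append(s)
                f = self.fail[r]
                while f and b not in self.goto[f]:
                    f = self.fail[f]
                self.fail[s] = self.goto[f].get(b, 0)
                self.out[s] += self.out[self.fail[s]]   # inherit matches of the suffix state
    def first_match(self, data):
        s = 0                                  # label of the first signature hit, or None
        for b in data:
            while s and b not in self.goto[s]:
                s = self.fail[s]
            s = self.goto[s].get(b, 0)
            if self.out[s]:
                return self.out[s][0]
        return None

class SessionClassifier:   # buffer each session up to its port-dependent cap, decide once
    def __init__(self, matcher):
        self.matcher, self.buf, self.result = matcher, {}, {}
    def feed(self, session, dst_port, payload):
        if session in self.result: return self.result[session]   # decided: no further buffering
        cap = LONG_CAP if dst_port in LONG_CACHE_PORTS else SHORT_CAP
        data = (self.buf.get(session, b"") + payload)[:cap]
        label = self.matcher.first_match(data)
        if label is None and len(data) < cap:
            self.buf[session] = data           # undecided and under the cap: keep buffering
            return None
        self.result[session] = label or "unknown"   # cap reached without a hit -> unknown
        self.buf.pop(session, None)            # bounded memory: the buffer is freed once decided
        return self.result[session]
```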
[Degree-granting institution]: Yanbian University
[Degree level]: Master's
[Year awarded]: 2014
[Classification number]: TP393.08





Link to this page: https://www.wllwen.com/guanlilunwen/ydhl/1666891.html

