基于Snort平台的入侵检测算法研究

发布时间：2018-03-30 18:36

本文选题：网络安全　切入点：入侵检测　出处：《华北电力大学》2017年硕士论文

【摘要】：随着互联网的不断发展和广泛深入应用,网络安全问题日益严重,传统静态安全技术不足以应对各种网络安全问题,因此需要积极主动的防御机制,实时保护系统,在网络系统遭受破坏之前发现并响应入侵。入侵检测就是一种主动防御入侵行为的安全机制,能够自动检测系统内部不合法操作和外部入侵活动,是网络安全防护的重要组成部分。在研究入侵检测系统的原理及模型发展的基础上,说明了基于Snort入侵检测系统研究入侵检测算法的原因,研究了Snort入侵检测系统各模块主要工作和Snort的工作流程。Snort是基于规则匹配的策略,模式匹配过程是其最主要的过程,是影响系统性能的最主要因素。对Snort中的多种模式匹配算法思想进行深入研究,包括BM算法、AC算法、WM算法等。随后发现,Snort中的经典多模式匹配算法AC算法,虽然比一般单模式匹配算法高效,但是对文本串搜索逐字符匹配,存在多余比较,降低了入侵检测的效率。为进一步提高入侵检测系统的性能和效率,提出了一种有限状态自动机与后缀自动机相互合作的算法。该算法使用双自动机,后缀自动机反向扫描文本串,查找模式串最大子串,然后在已匹配子串的基础上用原AC自动机正向扫描文本串匹配,且利用后缀自动机获得最大跳跃距离。将该算法应用于Snort入侵检测系统中,通过实验比较了几个算法的时空性能。实验结果表明,与AC算法、AC-SPLIT算法及WMW算法相比较,该算法大幅度提高了检测效率,且规则数量增大时,算法时间平稳增长。最后本文分析了搭建网络入侵检测系统需要的体系结构,设计、安装、配置及实现了基于Win7系统的可提供图形化管理界面的Snort入侵检测系统。
[Abstract]:With the continuous development and extensive application of the Internet, the problem of network security is becoming more and more serious. Traditional static security technology is not enough to deal with all kinds of network security problems. Therefore, it needs proactive defense mechanism and real-time protection system.Discover and respond to an intrusion before the network system is compromised.Intrusion detection is a kind of active intrusion prevention security mechanism. It can automatically detect illegal operation inside the system and external intrusion activities. It is an important part of network security protection.On the basis of studying the principle and model development of intrusion detection system (IDS), the reason of studying intrusion detection algorithm based on Snort intrusion detection system is explained.The main work of each module of Snort intrusion detection system and the work flow of Snort. Snort is a rule-based strategy. Pattern matching is the most important process and the most important factor affecting the performance of the system.This paper makes a deep research on various pattern matching algorithms in Snort, including BM algorithm and AC algorithm and WM algorithm.Then it is found that the classical multi-pattern matching algorithm AC algorithm in snort is more efficient than the single pattern matching algorithm, but there are redundant comparisons for text string search by character matching, which reduces the efficiency of intrusion detection.In order to improve the performance and efficiency of intrusion detection system, an algorithm of cooperation between finite state automata and suffix automata is proposed.The algorithm uses double automata, suffix automata to reverse scan text string, finds the largest substring of pattern string, and then uses the original AC automaton to forward scan text string matching on the basis of matched substring.The maximum jump distance is obtained by using suffix automata.The algorithm is applied to Snort intrusion detection system, and the space-time performance of several algorithms is compared by experiments.The experimental results show that compared with AC algorithm, AC-SPLIT algorithm and WMW algorithm, the algorithm greatly improves the detection efficiency, and when the number of rules increases, the time of the algorithm grows steadily.Finally, this paper analyzes the architecture, design, installation, configuration and implementation of Snort intrusion detection system which can provide graphical management interface based on Win7 system.
【学位授予单位】：华北电力大学
【学位级别】：硕士
【学位授予年份】：2017
【分类号】：TP393.08

【参考文献】