
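Design and Implementation of a Network Security Audit System Based on NDIS Deep Packet Inspection

Published: 2018-04-28 16:57

  Topics: network security audit + NDIS; Source: Central South University, 2014 master's thesis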


[Abstract]: Attacks against the Internet are increasingly common, and intrusions targeting the application layer in particular are now routine. Network security audit systems have shifted the functional focus of the firewall from the network layer to the application layer. Auditing at the application layer gave rise to deep packet inspection (DPI), which examines not only the packet header but also the payload and can find the features hidden in it. Compared with traditional network-layer auditing methods, it identifies different network behaviors at a finer granularity.

Regular expressions have a powerful and flexible expressive ability that plain strings lack, and they can express complex signatures precisely. For this reason DPI has gradually adopted regular expressions in place of traditional exact string matching algorithms such as KMP, AC and BM. Both DFA and NFA can implement regular expression matching, and DFA is better suited than NFA to network applications. The growth of rule signature libraries and the widespread use of the ".*" and "{}" operators cause DFAs to suffer from space explosion and severe performance degradation.

This thesis analyzes the causes of DFA space explosion in detail and, building on in-depth study and analysis of existing DFA optimization techniques, proposes the HCADFA grouping algorithm. DFA explosion was simulated using all of the latest L7-filter rules. Compared with mDFA, HCADFA produces fewer groups under the same memory limit, and with the same number of groups HCADFA has better storage performance. HCADFA improves the practicality of DFA in deep packet inspection. In addition, the thesis presents a signature-library memory model suited to the application layer; the model compresses the number of states stored in the DFA graph and reduces the storage space the graph requires.

Finally, using the HCADFA grouping algorithm as the matching strategy of the core module, the thesis designs and implements a network security audit system, ENAuditSys. Analysis of the run results shows that ENAuditSys achieves its intended purpose: with the impact on network performance kept within an acceptable range, it can audit the Internet usage and abnormal behavior of each machine on the internal network.
[Degree-granting institution]: Central South University
[Degree level]: Master's
[Year degree granted]: 2014
[Classification number]: TP393.08



