Multi-pattern matching algorithms and their application in intrusion detection systems
Published: 2018-05-12 21:26
Topics: intrusion detection + multi-pattern matching; Source: Zhejiang University of Technology, 2014 master's thesis
【Abstract】: Every industry depends more and more on networks, and network security problems are becoming increasingly serious. Intrusion detection is a dynamic protective measure: it actively identifies the characteristics of intrusive behaviour in the network and makes up for the shortcomings of traditional network security. It provides technical support for network security and is an important component of a network security assurance system.
This thesis introduces the technologies related to intrusion detection systems, analyses the typical network intrusion detection system Snort in detail, and describes Snort's structure, working modes and rules. It briefly introduces the application of multi-pattern matching algorithms in intrusion detection, and gives a detailed explanation and comparison of two classic multi-pattern matching algorithms, the AC algorithm and the WM algorithm. However, with the development of network technology and the growing complexity of intrusion detection rule sets, advanced regular expression engines have gradually replaced these traditional string matching engines. Regular expression matching is performed either with a DFA (deterministic finite automaton) or with an NFA (nondeterministic finite automaton); because the DFA is better suited to network applications, research generally concentrates on DFA-based multi-pattern regular expression matching. Although a DFA is faster than an NFA, a large rule set and the excessive memory consumed during matching degrade its performance severely.
To address these weaknesses of the DFA, a preprocessing step is added: the rules to be compiled are analysed and similar rules are placed in the same group, which reduces the total number of DFAs generated and the time needed to construct them. By analysing the rules, the total number of DFA states for the system's rule set is kept as small as possible, so that the memory occupied by the system is minimised, DFA construction is as fast as possible, and the system's rule matching speed and memory usage are considerably improved.
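As an added illustration (not code from the thesis or from Snort), the AC (Aho-Corasick) algorithm the abstract names, compiled into the dense DFA form whose per-state transition rows are the memory cost the abstract discusses; the signature list and the HTTP payload are constructed for this example.

```python
from collections import deque
ALPHABET = 256  # one dense row per state, one entry per byte: this is the DFA's memory cost
class AhoCorasick:
    """Multi-pattern matcher: keyword trie + failure links, flattened into a full DFA."""
    def __init__(self, patterns):
        self.patterns = list(patterns)
        self.goto, self.out = [{}], [set()]   # trie edges; pattern indices ending per state
        for idx, pat in enumerate(self.patterns):
            s = 0
            for b in pat:
                if b not in self.goto[s]:
                    self.goto[s][b] = len(self.goto)
                    self.goto.append({}); self.out.append(set())
                s = self.goto[s][b]
            self.out[s].add(idx)
        n = len(self.goto)
        fail = [0] * n
        self.delta = [[0] * ALPHABET for _ in range(n)]
        queue = deque()
        for b in range(ALPHABET):            # root: bytes with no edge loop back to the root
            self.delta[0][b] = s = self.goto[0].get(b, 0)
            if s:
                queue.append(s)              # depth-1 states keep fail = root
        while queue:                         # BFS order: delta[fail[r]] is complete before r
            r = queue.popleft()
            for b in range(ALPHABET):
                s = self.goto[r].get(b)
                if s is None:
                    self.delta[r][b] = self.delta[fail[r]][b]
                else:
                    fail[s] = self.delta[fail[r]][b]
                    self.out[s] |= self.out[fail[s]]   # a suffix pattern fires here too
                    self.delta[r][b] = s
                    queue.append(s)

    def search(self, data):
        """One pass over the bytes; returns sorted (offset, pattern) hits."""
        hits, s = [], 0
        for i, b in enumerate(data):
            s = self.delta[s][b]
            for idx in self.out[s]:
                hits.append((i - len(self.patterns[idx]) + 1, self.patterns[idx]))
        return sorted(hits)
# Constructed sample signatures and payload (not from the thesis); "passwd" is a suffix of
# "/etc/passwd", so both fire at the same end position and exercise the output merge.
SIGNATURES = [b"/etc/passwd", b"passwd", b"cmd.exe"]
PAYLOAD = b"GET /files?name=/etc/passwd HTTP/1.1"
if __name__ == "__main__":
    m = AhoCorasick(SIGNATURES)
    print(m.search(PAYLOAD), "states:", len(m.delta), "table entries:", len(m.delta) * ALPHABET)
```

With three non-overlapping prefixes the automaton has 25 states, so the dense table already holds 25 × 256 entries; this is the per-state cost that grows with the rule set and that the thesis's rule grouping aims to contain.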
【Degree-granting institution】: Zhejiang University of Technology
【Degree level】: Master's
【Year granted】: 2014
【Classification number】: TP393.08
Article ID: 1880221
Link: https://www.wllwen.com/guanlilunwen/ydhl/1880221.html