
Research on Performance Optimization of a Snort-Based Intrusion Prevention System

Published: 2018-08-19 18:22
[Abstract]: The steady advance of information technology, and of Internet technology in particular, has brought great convenience to everyday life. As network applications spread, however, they also give attackers more opportunities: network intrusions have risen year on year, and the losses they cause are hard to quantify. Intrusion prevention is a technique dedicated to defending against network attacks. It combines the strengths of firewalls and intrusion detection, inspecting packets deeply for attacks while also being able to block them promptly. The main problem facing intrusion prevention systems (IPS) today is the performance bottleneck created by network latency and packet loss. Because an IPS sits inline on the backbone network, any significant latency or packet loss directly degrades users' normal network access, so raising IPS performance, cutting latency and increasing throughput is a pressing problem.

This thesis analyses the open-source intrusion detection system Snort in depth and designs and implements a prototype intrusion prevention system based on it; the prototype's misuse-detection module ports Snort's core detection engine. Unit testing and analysis of that module located the system's performance bottlenecks, and the following improvements and optimizations were made:

1) For Snort's detection engine, an "activity-based dynamic priority adjustment scheme for rule chains" is proposed and implemented. Comparative experiments show that in a network environment with large numbers of sustained attacks, the scheme effectively improves the system's detection performance.

2) The BM and AC pattern-matching algorithms used in the current Snort release, together with existing improvements to them, are analysed. On that basis an improved multi-pattern matching algorithm is proposed and applied in the system; comparative experiments show that it outperforms the original version in actual detection.

3) For multi-core platforms, a "concurrent detection engine model for multi-core platforms" is proposed, changing the misuse-detection module from a single-threaded model to a multi-process concurrent model so that every core of a multi-core CPU is put to use. Tests on an 8-core hardware platform show that the model effectively raises network throughput and improves overall detection performance.

Finally, the three improvements are applied to the intrusion prevention system and tested together with its other functional modules; the results show a substantial improvement in overall system performance.
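The following is an added example, not code from the thesis or from Snort itself, showing two of the mechanisms the abstract describes in simplified form: an Aho-Corasick multi-pattern matcher of the kind Snort's fast-pattern engine is built on, which scans a payload once for every rule content string, and an activity-based reordering of a rule chain, in which rules that fired during the last window are moved to the front so that a sustained attack is matched after fewer rule evaluations. The class names `AhoCorasick`, `Rule` and `RuleChain`, the first-match cost model (each rule evaluated counts as one unit of work), the window size, the hit-count halving and the constructed traffic are all assumptions of this example, not the thesis's design.

```python
"""Added example (not from the thesis or Snort): Aho-Corasick multi-pattern
matching plus activity-based reordering of a rule chain."""
from collections import deque


class AhoCorasick:
    """Classic Aho-Corasick automaton (goto / fail / output) over byte strings."""

    def __init__(self, patterns):
        self.goto = [{}]       # state -> {byte: next state}
        self.fail = [0]        # state -> state of the longest proper suffix
        self.out = [set()]     # state -> patterns that end in this state
        for pat in patterns:
            state = 0
            for byte in pat:
                if byte not in self.goto[state]:
                    self.goto.append({})
                    self.fail.append(0)
                    self.out.append(set())
                    self.goto[state][byte] = len(self.goto) - 1
                state = self.goto[state][byte]
            self.out[state].add(pat)
        # Breadth-first pass computes fail links; depth-1 states fail to the root.
        queue = deque(self.goto[0].values())
        while queue:
            r = queue.popleft()
            for byte, s in self.goto[r].items():
                queue.append(s)
                f = self.fail[r]
                while f and byte not in self.goto[f]:
                    f = self.fail[f]
                self.fail[s] = self.goto[f].get(byte, 0)
                self.out[s] |= self.out[self.fail[s]]

    def search(self, data):
        """Return the set of patterns that occur anywhere in data, in one pass."""
        state, found = 0, set()
        for byte in data:
            while state and byte not in self.goto[state]:
                state = self.fail[state]
            state = self.goto[state].get(byte, 0)
            if self.out[state]:
                found |= self.out[state]
        return found


class Rule:
    """A rule with a single content string and an activity (hit) counter."""

    def __init__(self, sid, content):
        self.sid, self.content, self.hits = sid, content, 0


class RuleChain:
    """Ordered rule list evaluated first-match, with optional activity reordering.

    window == 0 keeps the chain static (the baseline order); otherwise every
    `window` packets the chain is re-sorted by hit count.
    """

    def __init__(self, rules, window=0):
        self.rules = list(rules)
        self.window = window
        self.seen = 0
        self.evaluations = 0   # total rule evaluations: the cost being measured

    def inspect(self, payload):
        """Return the sid of the first rule whose content is in payload, or None."""
        matched = None
        for rule in self.rules:
            self.evaluations += 1
            if rule.content in payload:
                rule.hits += 1
                matched = rule.sid
                break
        self.seen += 1
        if self.window and self.seen % self.window == 0:
            # Promote active rules; the stable sort keeps the original relative
            # order among equally active rules. Halving the counters lets a
            # burst that has ended drift back instead of staying pinned in front.
            self.rules.sort(key=lambda r: r.hits, reverse=True)
            for rule in self.rules:
                rule.hits //= 2
        return matched


def simulate(window):
    """Run constructed traffic through a 50-rule chain; return (alerts, evaluations)."""
    rules = [Rule(1000 + i, b"pattern%02d" % i) for i in range(50)]
    # Constructed traffic: a sustained burst that only the last rule in the
    # chain matches, with one benign request in every ten packets.
    traffic = [b"GET /index.html" if i % 10 == 0 else b"...pattern49..."
               for i in range(1000)]
    chain = RuleChain(rules, window)
    alerts = sum(1 for p in traffic if chain.inspect(p) is not None)
    return alerts, chain.evaluations


if __name__ == "__main__":
    ac = AhoCorasick([b"he", b"she", b"his", b"hers"])
    print(sorted(ac.search(b"ushers")))
    for w in (0, 100):
        print("window=%d alerts=%d evaluations=%d" % ((w,) + simulate(w)))
```

With the constructed burst, the static chain evaluates all 50 rules for every packet (50000 evaluations), while the chain reordered every 100 packets reaches the firing rule on the first evaluation after the first window (10310 evaluations) and raises exactly the same 900 alerts, which is the effect the abstract's first improvement targets under sustained attack traffic.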
[Degree-granting institution]: University of Electronic Science and Technology of China
[Degree level]: Master
[Year degree granted]: 2014
[Classification number]: TP393.08





Source: https://www.wllwen.com/guanlilunwen/ydhl/2192455.html

