Research on Snort Rule Grouping and Mapping Algorithms
Published: 2018-10-30 15:46
[Abstract]: With the rapid development of the Internet, network security problems are becoming increasingly serious. Intrusion detection is a new generation of proactive defense technology that emerged after traditional protective measures, and Snort is a rule-matching intrusion detection system. Snort first analyzes and extracts the signature of each intrusion behavior, then encodes these signatures as rules according to a fixed syntax to form the Snort rule database, and finally completes intrusion detection by matching network packets against the rules in that database. In Snort, the efficiency of rule matching is the key factor in its performance, and research has shown that preprocessing the rules in the Snort rule database can improve matching efficiency. Focusing on the Snort rule preprocessing pipeline, this thesis studies three key problems: how to convert Snort rules into non-deterministic finite state machines (NFAs), how to group and merge those state machines, and how to map them into a hash table. On this basis it: (1) proposes a method of constructing NFAs with the pcre library, in order to handle some special syntax in the pcre option that Snort rules use extensively; (2) designs a state-machine grouping algorithm that groups and merges state machines according to their features, reducing the number of state machines and thereby indirectly reducing the number that require exact matching, which further improves rule-matching efficiency; (3) designs a low-collision-rate hash mapping algorithm that can quickly locate the state machines having a given feature while keeping the collision rate of the hash table as low as possible. Experimental results show that the algorithms are effective.
[Degree-granting institution]: Xidian University
[Degree level]: Master's
[Year awarded]: 2014
[CLC number]: TP393.08
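The preprocessing pipeline the abstract describes (rules parsed, each pcre option compiled into an automaton, automata grouped by a shared feature, groups located through a hash table), as an added illustration in Python that is not the thesis's own code. It assumes Python's re module in place of the pcre-built NFA, the pair (protocol, destination port) as the grouping feature, CRC32 as the hash function, and a handful of constructed rules and payloads.

```python
import re
import zlib
from collections import defaultdict
# Constructed sample rules in Snort syntax (illustrative only, not taken from the thesis).
SAMPLE_RULES = [
    'alert tcp any any -> any 80 (msg:"dir traversal"; content:"GET "; pcre:"/\\.\\.\\//"; sid:1000001;)',
    'alert tcp any any -> any 80 (msg:"cmd.exe"; content:"GET "; pcre:"/cmd\\.exe/i"; sid:1000002;)',
    'alert tcp any any -> any 21 (msg:"ftp root"; content:"USER "; pcre:"/^USER\\s+root/m"; sid:1000003;)',
    'alert tcp any any -> any 25 (msg:"smtp mail"; content:"MAIL FROM"; sid:1000004;)',
]
OPT_RE = re.compile(r'(\w+):"((?:[^"\\]|\\.)*)"')   # quoted rule options such as content/pcre
FLAGS = {"i": re.I, "m": re.M, "s": re.S}           # pcre modifiers we translate; others ignored
def parse_rule(text):
    # Returns (proto, dport, content, sid, regex-or-None) for one rule.
    head, _, opts = text.partition("(")
    words, o = head.split(), dict(OPT_RE.findall(opts))
    sid = int(re.search(r"sid:(\d+)", opts).group(1))
    rx = None
    if "pcre" in o:                                  # "/pattern/modifiers"
        body, _, mods = o["pcre"][1:].rpartition("/")
        rx = re.compile(body.encode(), sum(FLAGS.get(m, 0) for m in mods))  # stands in for the NFA
    return words[1], int(words[6]), o["content"].encode(), sid, rx
class GroupTable:
    # Feature (proto, dport) is hashed to a bucket; inside, rules sharing a content string are merged.
    def __init__(self, rules, nbuckets=16):
        self.buckets = [[] for _ in range(nbuckets)]
        merged = defaultdict(lambda: defaultdict(list))
        for r in rules:
            proto, dport, content, sid, rx = parse_rule(r)
            merged[(proto, dport)][content].append((sid, rx))
        for key, groups in merged.items():
            self.buckets[self.slot(key)].append((key, groups))
        self.collisions = sum(len(b) - 1 for b in self.buckets if len(b) > 1)
    def slot(self, key):
        return zlib.crc32(f"{key[0]}/{key[1]}".encode()) % len(self.buckets)

    def match(self, proto, dport, payload: bytes):
        # Hash straight to the feature's bucket, then run exact matching only on its groups.
        hits, exact_checks = [], 0
        for key, groups in self.buckets[self.slot((proto, dport))]:
            if key != (proto, dport):                # a different key colliding in this slot
                continue
            for content, members in groups.items():
                if content in payload:               # one content test covers the whole group
                    for sid, rx in members:
                        exact_checks += 1
                        if rx is None or rx.search(payload):
                            hits.append(sid)
        return sorted(hits), exact_checks
```

`match` returns the matching sids together with how many exact (regex) evaluations were needed, which makes the effect of the grouping visible: a payload whose feature hashes to an empty bucket, or whose group's content string is absent, triggers no regex work at all.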
Article ID: 2300435
Link: https://www.wllwen.com/guanlilunwen/ydhl/2300435.html