
Key Feature Extraction from Snort Rules

Published: 2018-11-22 09:26
[Abstract]: With the rapid development of the Internet, network security problems are becoming increasingly serious. Intrusion detection is a proactive defence technology, and Snort is an intrusion detection system based on rule matching. Snort first extracts the characteristic of each intrusion behaviour, then writes these characteristics as rules in a fixed syntax to form the Snort rule set, and finally decides whether a packet is an intrusion by checking whether it matches any rule in the rule set. In a Snort-based intrusion detection system, rule matching efficiency is the key factor in overall detection efficiency, and matching every Snort rule one by one against each packet is very time-consuming and impractical. Therefore, rules that share a common, patterned structure can be grouped by a "key feature", and each group compiled into a single composite deterministic finite automaton (DFA). The key features are then used for pre-matching, which locates a small number of composite DFAs; only those composite DFAs are matched exactly, so matching all Snort rules one by one is avoided and matching efficiency is improved. However, a composite DFA does not fit within the storage constraints of hardware, so it must be compressed.

Based on the above, the main work of this thesis is as follows. First, a definition of "key feature" is given and a new, effective algorithm for extracting key features from Snort rules is proposed; it extracts all the key features of a regular expression, and grouping by these key features gives good results. Second, so that a packet can be matched exactly against the rules, a final-state marking algorithm for the composite DFA is proposed, which determines which of the original (pre-merge) DFAs a packet matched. Third, since a composite DFA occupies a large amount of memory and cannot satisfy the storage requirements of hardware, a DFA row-compression algorithm based on density clustering is proposed, which greatly reduces the storage of the composite DFA, together with a matching algorithm that runs over the row-compressed DFA. Finally, these algorithms are evaluated experimentally. The results show that grouping by the key features extracted from Snort rules reduces the number of groups from 2076 to 1583, and that the row-compression algorithm reduces the storage of the composite DFA by 80%, satisfying the hardware requirement while keeping the matching speed of the compressed DFA close to that of the uncompressed one.
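The two-stage scheme the abstract describes (key-feature pre-match to locate a few candidate groups, then an exact match that identifies the rule) as an added Python example; this is not code from the thesis and simplifies its definitions: a key feature is taken to be a literal run that every match of a rule's pcre must contain, each rule joins the group of its longest key feature, and stage 2 runs the group's regexes with Python's `re` instead of a composite DFA, with the rule sid playing the role of the final-state mark. The sids, patterns and payloads are constructed for illustration and are not real Snort signatures; real payloads are bytes, which `re` also supports.

```python
"""Added example (not the thesis's code): key-feature grouping and two-stage
matching of Snort-style pcre rules."""
import re
from collections import defaultdict

QUANT = re.compile(r"(?:[*+?]|\{\d*,?\d*\})[?+]?")   # PCRE quantifier (+ lazy/possessive)
CLASS_ESCAPES = set("sSdDwWbBhv")                   # escapes that are classes/assertions
CTRL_ESCAPES = {"r": "\r", "n": "\n", "t": "\t"}


def split_pcre(option):
    """Split a Snort 'pcre' argument '/pattern/flags' into (pattern, flags)."""
    last = option.rindex("/")
    return option[1:last], option[last + 1:]


def key_features(pattern, flags="", min_len=3):
    """Literal runs that every string matching `pattern` must contain.

    A run is broken by anything optional or variable: classes, '.', anchors,
    groups, alternation and quantified atoms ('+' keeps one copy of its atom,
    then breaks).  Text inside a group is ignored and a top-level alternation
    yields no required literal at all.  Conservative simplification of the
    thesis's definition; lower-cased when the rule is case-insensitive."""
    runs, cur, depth, top_alt, i = [], "", 0, False, 0

    def flush():
        nonlocal cur
        if depth == 0 and len(cur) >= min_len:
            runs.append(cur)
        cur = ""

    while i < len(pattern):
        c, literal = pattern[i], None
        if c == "\\":
            nxt = pattern[i + 1]
            if nxt in CLASS_ESCAPES:
                flush(); i += 2
            elif nxt == "x":                       # \xHH -> one literal byte
                literal, i = chr(int(pattern[i + 2:i + 4], 16)), i + 4
            else:                                  # \/ \. \r ... -> literal
                literal, i = CTRL_ESCAPES.get(nxt, nxt), i + 2
        elif c == "[":                             # skip the whole class
            flush()
            j = i + 1 + (pattern[i + 1] == "^")
            j += pattern[j] == "]"                 # leading ']' is literal
            while pattern[j] != "]":
                j += 2 if pattern[j] == "\\" else 1
            i = j + 1
        elif c == "(":
            flush(); depth += 1; i += 1
        elif c == ")":
            flush(); depth -= 1; i += 1
        elif c == "|":
            flush(); top_alt |= depth == 0; i += 1
        elif c in ".^$":
            flush(); i += 1
        else:
            literal, i = c, i + 1
        q = QUANT.match(pattern, i)
        if literal is not None:
            cur += literal
            if q and not q.group().startswith("+"):
                cur = cur[:-1]                     # '?', '*', '{m,n}': atom not guaranteed
        if q:
            flush(); i = q.end()
    flush()
    if top_alt:
        return []
    return [r.lower() if "i" in flags else r for r in runs]


# Constructed rules (sid, pcre); not real Snort sids or signatures.
SAMPLE_RULES = [
    (1000001, r"/^GET\s+\/cgi-bin\/[a-z]+\.cgi\?c=/i"),
    (1000002, r"/\/cgi-bin\/[a-z_]+\.pl\?[^\r\n]*\|/i"),
    (1000003, r"/User-Agent\x3a sqlmap\/[0-9]/i"),
    (1000004, r"/^POST\s+\/wp-login\.php\s+HTTP\/1\.[01]/i"),
    (1000005, r"/\/wp-login\.php[^\r\n]*registration/i"),
]


def build_groups(rules):
    """Group rules by their longest key feature (as Snort's own fast-pattern
    selection prefers the longest content).  {(feature, ci): [(sid, regex)]}"""
    groups = defaultdict(list)
    for sid, option in rules:
        pattern, flags = split_pcre(option)
        feats = key_features(pattern, flags)
        if not feats:
            raise ValueError(f"sid {sid}: no key feature, cannot be pre-filtered")
        py_flags = (re.I if "i" in flags else 0) | (re.M if "m" in flags else 0)
        groups[(max(feats, key=len), "i" in flags)].append((sid, re.compile(pattern, py_flags)))
    return dict(groups)


def inspect(payload, groups):
    """Stage 1: keep only groups whose key feature occurs in the payload.
    Stage 2: run those groups' regexes; the sid identifies the matched rule.
    Returns (sorted matching sids, number of regexes evaluated)."""
    lowered, hits, evaluated = payload.lower(), [], 0
    for (feature, ci), members in groups.items():
        if feature not in (lowered if ci else payload):
            continue
        for sid, rx in members:
            evaluated += 1
            if rx.search(payload):
                hits.append(sid)
    return sorted(hits), evaluated


GROUPS = build_groups(SAMPLE_RULES)
PAYLOADS = {                                       # constructed HTTP fragments
    "cgi": "GET /cgi-bin/test.cgi?c=id HTTP/1.1\r\nHost: example\r\n\r\n",
    "wp": "POST /wp-login.php HTTP/1.1\r\nUser-Agent: sqlmap/1.7\r\n\r\n",
    "clean": "GET /index.html HTTP/1.1\r\nHost: example\r\n\r\n",
}

if __name__ == "__main__":
    print(f"{len(SAMPLE_RULES)} rules -> {len(GROUPS)} groups:", sorted(k for k, _ in GROUPS))
    for name, payload in PAYLOADS.items():
        print(name, inspect(payload, GROUPS))
```

Five rules collapse into three groups, and the clean payload runs no regex at all, which is the saving the abstract attributes to pre-matching. The extractor deliberately under-approximates (a required literal inside a non-optional group is discarded), so a weak or missing key feature is reported rather than silently producing a group that can be bypassed.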
[Degree-granting institution]: Xidian University
[Degree level]: Master's
[Year awarded]: 2014
[Classification number]: TP393.08
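The composite DFA with marked final states and the row compression, as an added example that is not the thesis's code (the abstract does not spell out its algorithms): a set of key features is compiled into one Aho-Corasick automaton, whose accepting states carry the index of the pattern they complete (the final-state marking that says which original automaton matched), and the full transition table is then compressed by storing each row as a representative row plus sparse differences, with a matcher that runs directly over the compressed rows. The greedy nearest-representative clustering used here stands in for the thesis's density clustering; the patterns and the scanned buffer are constructed.

```python
"""Added example (not the thesis's code): composite DFA with tagged accepting
states, row compression of its transition table, and matching over it."""
from collections import deque

ALPHABET = 256   # one column per byte value


def build_composite_dfa(patterns):
    """Aho-Corasick automaton as a full DFA table.  Returns (table, accept):
    table[s][byte] is the next state; accept[s] is the set of pattern indices
    ending in state s, which identifies the original pattern after merging."""
    table, accept = [[-1] * ALPHABET], [set()]
    for idx, pat in enumerate(patterns):
        s = 0
        for b in pat:
            if table[s][b] == -1:
                table.append([-1] * ALPHABET); accept.append(set())
                table[s][b] = len(table) - 1
            s = table[s][b]
        accept[s].add(idx)
    fail, queue = [0] * len(table), deque()
    for b in range(ALPHABET):                 # root: missing edges loop to root
        if table[0][b] == -1:
            table[0][b] = 0
        else:
            queue.append(table[0][b])         # depth-1 states fail to root
    while queue:                              # BFS: fail[s] is always finished first
        s = queue.popleft()
        for b in range(ALPHABET):
            t = table[s][b]
            if t == -1:
                table[s][b] = table[fail[s]][b]
            else:
                fail[t] = table[fail[s]][b]
                accept[t] |= accept[fail[t]]  # inherit marks of matching suffixes
                queue.append(t)
    return table, accept


def compress_rows(table, max_diff):
    """Greedy row clustering: a row joins the closest representative within
    `max_diff` differing cells and is stored as (rep, {byte: next}); otherwise
    it becomes a new representative.  Simplified stand-in for the thesis's
    density-clustering step."""
    reps, rows = [], []
    for row in table:
        best = None
        for r, rep in enumerate(reps):
            diff = {b: v for b, v in enumerate(row) if v != rep[b]}
            if len(diff) <= max_diff and (best is None or len(diff) < len(best[1])):
                best = (r, diff)
        if best is None:
            reps.append(list(row)); best = (len(reps) - 1, {})
        rows.append(best)
    return reps, rows


def compressed_size(reps, rows):
    """Cells stored: full representative rows plus (byte, next) pairs of diffs."""
    return len(reps) * ALPHABET + sum(2 * len(d) for _, d in rows)


def full_step(table):
    return lambda s, b: table[s][b]


def compressed_step(reps, rows):
    def step(s, b):                           # diff lookup falls back to the representative
        rep, diff = rows[s]
        return diff.get(b, reps[rep][b])
    return step


def scan(data, next_state, accept):
    """Run the DFA over `data`; return [(end_offset, pattern_index)] hits."""
    s, hits = 0, []
    for pos, b in enumerate(data):
        s = next_state(s, b)
        hits += [(pos + 1, idx) for idx in sorted(accept[s])]
    return hits


KEY_FEATURES = [b"/cgi-bin/", b"/wp-login.php", b"sqlmap/"]        # constructed
TABLE, ACCEPT = build_composite_dfa(KEY_FEATURES)
REPS, ROWS = compress_rows(TABLE, max_diff=8)
DATA = b"GET /cgi-bin/x.cgi HTTP/1.1\r\nUser-Agent: sqlmap/1.7\r\n"  # constructed


def storage_report():
    """(uncompressed cells, compressed cells, fraction saved)."""
    full, comp = len(TABLE) * ALPHABET, compressed_size(REPS, ROWS)
    return full, comp, 1 - comp / full


if __name__ == "__main__":
    print("states:", len(TABLE), "storage:", storage_report())
    print("full      :", scan(DATA, full_step(TABLE), ACCEPT))
    print("compressed:", scan(DATA, compressed_step(REPS, ROWS), ACCEPT))
```

Every non-root row of this automaton differs from the root row in only a few cells (its own outgoing edges, plus the edges of its failure state), so a single representative absorbs all 29 rows and the table shrinks from 29 × 256 cells to 256 + 60. The matcher pays one dictionary probe per byte for that saving, which is the speed trade-off the abstract reports as "close to" the uncompressed DFA.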




Article ID: 2348855


Link: https://www.wllwen.com/guanlilunwen/ydhl/2348855.html

