
Research on Snort Rule Grouping and Matching Algorithms

Published: 2018-11-28 15:51
[Abstract]: With the rapid development of Internet technology, it plays an increasingly important role in people's daily work and life, so network security has become a focus of attention. Network intrusion detection systems occupy an important place in network security: they are a second security gate after the firewall. Snort is currently a typical and widely used intrusion detection system. By analysing and summarising intrusion behaviour, it derives a set of Snort rules; whenever a packet is captured, the packet's contents are matched against all Snort rules. If one or more rules match, the packet is considered to carry intrusion behaviour and is a dangerous packet; otherwise it is a normal, safe packet. This thesis combines Snort rules with DFAs and uses DFAs to decide whether the information in a packet exhibits intrusion behaviour, but the following problems arise: (1) how to reduce the DFA hit rate during packet matching; (2) how to reduce redundant matching when packets are matched against DFAs; (3) how to reduce the storage space occupied by DFAs. To address these three problems, the main work of this thesis is as follows: (1) A new grouping algorithm based on protocol classification is proposed: all DFAs are divided into HTTP-protocol DFAs and non-HTTP-protocol DFAs; DFAs are first merged within each protocol class and then merged across protocol classes, which reduces the number of DFAs and at the same time reduces the DFA hit rate. (2) An improved matching algorithm. i) By distinguishing different rule options and adding a start-position marker, the number of redundant matches for some DFAs is reduced. ii) A combined DFA/NFA matching method is adopted: when merging DFAs causes state explosion, the DFAs are merged into a new NFA instead, reducing the storage space occupied. During matching, a new state-transition method avoids state backtracking. Experimental results show that the proposed grouping algorithm and matching algorithm are both correct and effective.
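To make the grouping idea from the abstract concrete, here is an added example (constructed for this page, not the thesis's own code or Snort's) that builds one multi-pattern DFA per protocol class from literal `content` options, routes each packet to the DFA of its own class only, and reports state counts. The per-class DFA is an Aho-Corasick automaton with fully precomputed transitions, so matching costs one table lookup per payload byte and never backtracks. The rule set, the `http`/`other` class names and the port-based `protocol_class` heuristic are all assumptions made for the illustration.

```python
"""Protocol-grouped multi-pattern DFA matching for Snort-style content rules.

Constructed illustration (not the thesis's own code): each protocol class gets
one DFA built from all of that class's literal 'content' options, and a packet
is only run through the DFA of its own class.
"""
from collections import deque

# Constructed sample rule set: (rule id, protocol class, literal content option).
RULES = [
    (1, "http", b"/etc/passwd"),
    (2, "http", b"<script>"),
    (3, "http", b"UNION SELECT"),
    (4, "other", b"\x90\x90\x90\x90"),
    (5, "other", b"USER anonymous"),
]


class MultiPatternDFA:
    """One DFA recognising every pattern of a group (Aho-Corasick construction)."""

    def __init__(self, patterns):
        # goto[s] maps an input byte to the next state; out[s] holds the ids of
        # rules whose pattern ends at state s.
        self.goto = [{}]
        self.out = [set()]
        for rid, pat in patterns:          # 1. trie of all patterns
            s = 0
            for b in pat:
                if b not in self.goto[s]:
                    self.goto.append({})
                    self.out.append(set())
                    self.goto[s][b] = len(self.goto) - 1
                s = self.goto[s][b]
            self.out[s].add(rid)
        fail = [0] * len(self.goto)        # 2. failure links, breadth first
        order, queue = [0], deque(self.goto[0].values())
        while queue:
            s = queue.popleft()
            order.append(s)
            for b, t in self.goto[s].items():
                queue.append(t)
                f = fail[s]
                while f and b not in self.goto[f]:
                    f = fail[f]
                fail[t] = self.goto[f].get(b, 0)
                self.out[t] |= self.out[fail[t]]   # patterns ending as a suffix here
        for s in order:                    # 3. close every state over all 256 bytes
            for b in range(256):
                if b not in self.goto[s]:
                    self.goto[s][b] = self.goto[fail[s]][b] if s else 0

    def state_count(self):
        return len(self.goto)

    def match(self, payload):
        """Return the set of rule ids whose content occurs anywhere in payload."""
        s, hits = 0, set()
        for b in payload:
            s = self.goto[s][b]            # exactly one transition per byte
            hits |= self.out[s]
        return hits


def build_groups(rules):
    """One DFA per protocol class: the within-class merge step of the abstract."""
    by_proto = {}
    for rid, proto, pat in rules:
        by_proto.setdefault(proto, []).append((rid, pat))
    return {proto: MultiPatternDFA(pats) for proto, pats in by_proto.items()}


def protocol_class(dst_port):
    """Assumed classifier: a port heuristic standing in for the rule header fields."""
    return "http" if dst_port in (80, 8080) else "other"


def inspect(groups, dst_port, payload):
    """Run a packet through the DFA of its own class only, so the HTTP DFA is
    never 'hit' by non-HTTP traffic and vice versa."""
    return sorted(groups[protocol_class(dst_port)].match(payload))


def state_counts(rules):
    """Footprint of the grouped DFAs versus one DFA merged from every rule."""
    grouped = {p: d.state_count() for p, d in build_groups(rules).items()}
    merged = MultiPatternDFA([(r, pat) for r, _, pat in rules]).state_count()
    return grouped, merged


if __name__ == "__main__":
    groups = build_groups(RULES)
    print(inspect(groups, 80, b"GET /etc/passwd HTTP/1.1"))   # [1]
    print(inspect(groups, 21, b"USER anonymous\r\n"))         # [5]
    print(state_counts(RULES))   # ({'http': 32, 'other': 19}, 49)
```

Two caveats a practitioner should keep in mind. First, grouping only lowers the hit rate without losing detections if the classifier assigns every packet to the right class; a port heuristic like the one assumed here will miss HTTP carried on other ports, which is why the class should come from the rule header and the decoder, not from the port alone. Second, with literal content patterns the merged trie shares prefixes, so here the fully merged automaton (49 states) is actually smaller than the two grouped ones (32 + 19); the state explosion the abstract addresses arises when DFAs built from regular-expression options are merged, which this literal-pattern example does not model.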
[Degree-granting institution]: Xidian University
[Degree level]: Master
[Year of degree]: 2014
[Classification number]: TP393.08






Link to this page: https://www.wllwen.com/guanlilunwen/ydhl/2363365.html


