Research on Performance Optimization of Lightweight Intrusion Detection Systems
Published: 2019-01-29 00:42
【Abstract】: An intrusion detection system (IDS) is a security device that detects intrusions into a system and plays an important role in information security. Raising the detection speed of an IDS and lowering its false positive and false negative rates are research priorities in the field. Snort, a lightweight open-source IDS, is widely used and studied. Building on an in-depth analysis of its architecture, this thesis optimizes Snort's performance along two axes, time and space. The main work is as follows. 1. Improving Snort's detection performance in the time dimension: the Snort rule set is optimized by removing rules that do not affect matching results and modifying others, so that relatively fewer rules match more features; this reduces the computation needed per packet and raises detection speed. 2. Improving Snort's detection performance in the space dimension: to reduce the memory footprint of the running IDS, the structure of Snort's fast detection engine is optimized. By changing how the rule nodes of the source-port and destination-port sets are linked to the rule nodes of the generic rule set, a new fast detection engine structure is formed that lowers memory usage without affecting detection performance. 3. Designing a method for detecting the protocol features of HTTP packets. When this method checks a packet's protocol features it inspects only the IP protocol identifier, the TCP protocol identifier and the HTTP protocol identifier, so compared with the original Snort it needs fewer operations and Snort can process more packets in the same time. During detection, the data portion of each packet in an HTTP session is extracted and the pieces are combined into one virtual packet, which the detection engine then inspects; detecting in this way lowers Snort's false positive and false negative rates. Packets captured in a real network environment were used as test data to measure the performance of Snort before and after the code changes. The experimental results show that by modifying the fast detection engine structure, optimizing the rule set and designing the HTTP protocol feature detection method, Snort's detection speed is increased and its false positive and false negative rates are significantly reduced.
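The third contribution, joining the data portion of every packet of an HTTP session into one virtual packet before the detection engine runs, is the easiest to show in code. The Python block below is an added example written for this page; it is neither the thesis author's code nor Snort's. It models a handful of content rules and compares matching each TCP segment on its own with matching the reassembled session. The rule ids, patterns, addresses, ports, sequence numbers and payloads are all constructed, and the reassembly handles the two edge cases a practitioner would hit first: segments arriving out of order and retransmitted segments.

```python
"""Per-segment vs. reassembled-session content matching (constructed example)."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Packet:
    """One TCP segment of an HTTP session (constructed sample, not captured traffic)."""
    src: str
    sport: int
    dst: str
    dport: int
    seq: int        # TCP sequence number of the first payload byte
    payload: bytes


SessionKey = Tuple[str, int, str, int]

# Hypothetical content rules in the spirit of Snort "content:" options.
# The ids and patterns are made up for this example.
RULES: Dict[int, bytes] = {
    1000001: b"/cgi-bin/../../",   # path traversal attempt inside a CGI request
    1000002: b"UNION SELECT",      # SQL keywords in a request line
}


def match_rules(data: bytes) -> List[int]:
    """Return the ids of all rules whose content pattern occurs in data."""
    return sorted(rid for rid, pattern in RULES.items() if pattern in data)


def detect_per_packet(packets: List[Packet]) -> List[int]:
    """Baseline behaviour: inspect every segment payload on its own."""
    hits = set()
    for p in packets:
        hits.update(match_rules(p.payload))
    return sorted(hits)


def session_key(p: Packet) -> SessionKey:
    return (p.src, p.sport, p.dst, p.dport)


def build_virtual_packets(packets: List[Packet]) -> Dict[SessionKey, bytes]:
    """Group segments by session and join their payloads in sequence order.

    Out-of-order segments are sorted by seq, and bytes that were already
    appended (exact retransmissions or overlapping segments) are dropped, so
    every stream byte enters the virtual packet exactly once.  Gaps caused by
    missing segments are simply not filled.
    """
    sessions: Dict[SessionKey, List[Packet]] = {}
    for p in packets:
        sessions.setdefault(session_key(p), []).append(p)

    virtual: Dict[SessionKey, bytes] = {}
    for key, segs in sessions.items():
        segs.sort(key=lambda s: s.seq)
        buf = b""
        expected = segs[0].seq
        for s in segs:
            end = s.seq + len(s.payload)
            if end <= expected:
                continue                       # nothing new in this segment
            buf += s.payload[max(0, expected - s.seq):]
            expected = end
        virtual[key] = buf
    return virtual


def detect_on_sessions(packets: List[Packet]) -> List[int]:
    """Run the content rules over each session's virtual packet instead of per segment."""
    hits = set()
    for buf in build_virtual_packets(packets).values():
        hits.update(match_rules(buf))
    return sorted(hits)


# Constructed sample: one request whose suspicious path is split across two
# segments that arrive out of order, with a retransmission of the first, and
# one benign request in a second session.
SAMPLE: List[Packet] = [
    Packet("10.0.0.5", 40001, "10.0.0.9", 80, 113, b"../../etc/passwd HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    Packet("10.0.0.5", 40001, "10.0.0.9", 80, 100, b"GET /cgi-bin/"),
    Packet("10.0.0.5", 40001, "10.0.0.9", 80, 100, b"GET /cgi-bin/"),   # retransmission
    Packet("10.0.0.6", 40002, "10.0.0.9", 80, 500, b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"),
]

if __name__ == "__main__":
    print("per-segment hits:", detect_per_packet(SAMPLE))    # []
    print("per-session hits:", detect_on_sessions(SAMPLE))   # [1000001]
```

Per-segment matching reports nothing for the first session because neither half of the request contains the whole pattern, which is exactly the false negative the thesis attributes to inspecting packets individually; the virtual packet restores the full request line and the rule fires once, while the benign session stays clean. Snort itself performs TCP reassembly in its stream preprocessor; this block is only a standalone model of the virtual-packet idea.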
【Degree-granting institution】: National University of Defense Technology
【Degree level】: Master's
【Year degree awarded】: 2014
【Classification number】: TP393.08
Article number: 2417470
Article link: https://www.wllwen.com/guanlilunwen/ydhl/2417470.html