
Intrusion Detection System Based on Pattern Matching

【Author】 Li Pan (李攀)

【Supervisor】 Wu Weishan (武维善)

【Author information】 Xi'an University of Architecture and Technology, Computer Applications, 2001, Master's thesis

【Abstract (Chinese)】 In view of the current state of computer network security, this thesis studies and designs a network-based (as distinct from host-based) intrusion detection system that can be used in a distributed intrusion detection system and holds a simple expert knowledge base: the signature pattern-matching intrusion detection system.

The thesis introduces the classes of intrusion detection systems and compares the two commonly used detection techniques, anomaly detection and pattern (misuse) detection, in both their detection approach and their detection results, leading to an attack-signature pattern-matching intrusion detection system combined with an expert knowledge system. Following the Common Intrusion Detection Framework (CIDF) general model, the system is divided into four functional modules, event generators, event analyzers, response units and event databases, each of which is described separately. A distributed architecture for the system is also proposed, embodying the idea of distributed monitoring with centralized management.

The expert knowledge base of attack signature patterns is the core of the signature pattern-matching intrusion detection system. The thesis establishes the principle for specifying attack signature patterns: a trade-off between matching precision and matching speed. The extraction of attack signature patterns for the HTTP and FTP protocols is illustrated with concrete examples, and a number of attack signature patterns are listed. The author also defines an attack signature pattern description language that expresses each extracted pattern as a rule in the expert knowledge base.

The thesis systematically presents a detailed design for a signature pattern-matching intrusion detection system, offering an approach and a scheme for the design of similar systems. Several key modules are described in some detail: the protocol processing module, the attack signature pattern-matching module, the logging module and the intrusion response module. The matching algorithm of the pattern-matching module is discussed, and a fast attack signature pattern-matching algorithm based on a finite state machine is proposed, with good results.

【Abstract】 In view of the current security problems of computer networks, this dissertation explores a network-based intrusion detection system, called the Signature-based Pattern-matching Intrusion Detection System, which can work within a distributed intrusion detection system and has a simple expert knowledge database of attack signature patterns, and studies its design in the domain of intrusion detection on computer networks.

The dissertation introduces the classes of intrusion detection systems and studies the different ways in which anomaly detection and pattern detection detect intrusions. Subsequently, the Signature-based Pattern-matching Intrusion Detection System, which is combined with an expert knowledge system, is proposed. Following the CIDF (Common Intrusion Detection Framework) standard model, the author divides the pattern-matching intrusion detection system into four functional modules, event generators, event analyzers, response units and event databases, and explains each of them. The dissertation also provides a distributed intrusion detection system framework to realize distributed detection with centralized management.

The expert knowledge database of attack signature patterns is the core of the Signature-based Pattern-matching Intrusion Detection System. The dissertation establishes the principle for specifying attack signature patterns, the balance between matching precision and matching speed, and presents examples of distilling attack signature patterns for the HTTP and FTP protocols. It also introduces a description language for describing the attack signature patterns that make up the expert knowledge database.

The dissertation systematically puts forward a detailed design scheme for the Signature-based Pattern-matching Intrusion Detection System, which may serve as a guide for similar systems. Great emphasis is placed on key modules such as the protocol processing module, the pattern-matching module, the log module and the intrusion response module. In addition, the author discusses the matching algorithm of the pattern-matching module and presents one based on finite automata, which is applied in some products.
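To make the finite-automaton matching idea concrete, here is an added illustration (not code from the thesis): a small Aho-Corasick automaton that compiles a constructed, protocol-tagged rule set of HTTP and FTP signature patterns and scans each event's payload in a single pass, reporting only rules whose protocol matches the event's. The rule names, patterns and sample events are assumptions constructed for this example.

```python
from collections import deque

# Constructed rule set in the spirit of the thesis's attack-signature knowledge base
# (protocol, rule name, byte pattern). Names and patterns are illustrative only.
RULES = [
    ("HTTP", "phf-cgi-probe", b"/cgi-bin/phf"),
    ("HTTP", "dir-traversal", b"../.."),
    ("HTTP", "cmd-exe-request", b"cmd.exe"),
    ("FTP", "site-exec", b"SITE EXEC"),
]

# Constructed sample events (protocol, payload) standing in for decoded requests.
SAMPLE_EVENTS = [
    ("HTTP", b"GET /cgi-bin/phf?Qalias=x HTTP/1.0"),
    ("HTTP", b"GET /../../etc/passwd HTTP/1.0"),
    ("HTTP", b"GET /scripts/cmd.exe HTTP/1.0"),
    ("FTP", b"SITE EXEC ls"),
    ("HTTP", b"GET /index.html HTTP/1.0"),
]

class SignatureAutomaton:
    """Aho-Corasick finite state machine: all patterns matched in one pass."""
    def __init__(self, rules):
        self.goto, self.out, self.fail = [{}], [[]], [0]   # indexed by state
        for proto, name, pat in rules:                     # build the trie
            s = 0
            for b in pat:
                if b not in self.goto[s]:
                    self.goto.append({}); self.out.append([]); self.fail.append(0)
                    self.goto[s][b] = len(self.goto) - 1
                s = self.goto[s][b]
            self.out[s].append((proto, name))
        q = deque(self.goto[0].values())                   # BFS for failure links
        while q:
            r = q.popleft()
            for b, s in self.goto[r].items():
                q.append(s)
                f = self.fail[r]
                while f and b not in self.goto[f]:
                    f = self.fail[f]
                self.fail[s] = self.goto[f].get(b, 0)
                self.out[s] += self.out[self.fail[s]]      # inherit shorter matches

    def scan(self, proto, payload):
        """Yield (rule name, end offset) for every rule of this protocol that fires."""
        s, hits = 0, []
        for i, b in enumerate(payload):
            while s and b not in self.goto[s]:
                s = self.fail[s]
            s = self.goto[s].get(b, 0)
            hits += [(name, i) for p, name in self.out[s] if p == proto]
        return hits

def detect(events, rules=RULES):
    """Map event index -> sorted rule names, for events that triggered any rule."""
    ac = SignatureAutomaton(rules)
    return {i: sorted({n for n, _ in ac.scan(p, d)})
            for i, (p, d) in enumerate(events) if ac.scan(p, d)}
```

The failure links are what make this a single-pass matcher: on a mismatch the automaton falls back to the longest proper suffix that is still a pattern prefix instead of restarting at the next byte, so cost stays linear in payload length regardless of how many rules the knowledge base holds.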

  • 【Classification number】 TP393.08
  • 【Cited by】 3
  • 【Downloads】 253