基于特征检测入侵检测系统的研究与改进

【作者】 张勇；

【导师】 王能；

【作者基本信息】 华东师范大学 ， 系统分析与集成， 2002， 硕士

【摘要】 TCP／IP协议的开放性使得Internet迅速成为世界上规模最大的计算机网络，然而，也正是由于它的开放性带来的诸多安全问题越来越引起大家的关注。并且随着Internet的日益普及以及商务应用的逐渐丰富，网络的安全性已经直接影响着Internet发展的前景。 人们纷纷开发各种安全措施，象信息加密、访问控制、防火墙等，这些技术针对不同侧面加强了网络安全。入侵检测是加强网络安全的又一重要手段，基于特征检测的入侵检测系统是目前入侵检测系统的主流。 本文从研究传统计算机安全模型和通用入侵检测模型入手，分析总结了当前主要的入侵检测技术以及技术上的优缺点，并重点分析了基于特征检测的有关技术。文章在如何提高特征检测的效率和准确性方面主要做了下面的工作： 1．在分析了Boyer-Moore算法和Aho-Corasick算法的基础上，提出了将二者结合的提高样式匹配效率的改进算法。对改进算法进行了理论上的分析，对算法实现后进行了实际的性能比较分析。 2．为了提高入侵检测的准确性，分析了入侵检测系统面对的网络“嵌入”攻击、“逃避”攻击、扩展编码等问题，提出了提高入侵检测系统自身适应性的扩充方法和网络流量正常化方法。更多还原

【Abstract】 The opening of TCP/IP protocol makes the Internet become the largest computer network all over the world. However, the opening brings more and more serious problems in security. As the Internet becomes widely used in our daily life, especially in business area, the security problem will effect the future development of the Internet directly.Many network security technologies, such as firewalls, access control and data encryption, have been developed and adopted. Intrusion Detection is another important network security technology, and Signature-based Intrusion Detection System is the most popular one now.This paper studies the traditional computer security model and the Common Intrusion Detection Model first, then analyzes and summarizes the main intrusion detection methods and their features. The Signature-based Intrusion Detection is analyzed with emphasis, and the goal of the paper is to discuss how to improve efficiency and accuracy of the Signature-Based Intrusion Detection. Following are the main points of the paper:1. Signature-based Intrusion Detection System takes advantages of advanced pattern-match algorithms. Through description of existent algorithms (the Bayer-Moore algorithm and the Aho-Corasick algorithm), the paper describes a newly developed algorithm for matching sets of strings, which integrates the useful concepts from the two algorithms. The modified algorithm is realized and made experimental comparison with the standard Bayer-Moore algorithm.2. The skilled attacker can evade detection by exploiting ambiguities in the traffic stream as seen by the Network Intrusion Detecting System. This paper proposes a new method to improve NIDS’ ability of "knowing" more detailed knowledge of the end-systems. We can add a "normalizer" to eliminate potential ambiguities before the traffic is seen by the IDS.更多还原