Design and Implementation of a LAN Security Detection System Based on Port and Traffic Analysis

【Author】 Li Zhongyuan (李中原)

【Advisors】 Zhang Yu (张昱); Jin Xinyu (金心宇)

【Author information】 Zhejiang University, Circuits and Systems, 2007, Master's thesis

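【Summary】 With the steady advance of information technology and the rapid growth of computer networks, the security problems facing networked information systems have become one of the key issues in network applications. Traditional network security detection systems have done a great deal of work in this area and achieve certain functions, but they also suffer from a high false-alarm rate, low detection efficiency, and excessive load on the detection system. The main causes are that the data analyzed comes from a relatively single source, the structure is relatively simple, and the matching rules are not sufficiently discriminating. To address these shortcomings, this thesis proposes and implements a network security detection system model based on port scan detection, protocol analysis, and traffic analysis. The system uses port scan detection and traffic anomaly detection as pre-detection stages and performs intrusion rule matching only after pre-detection reports an anomaly; while maintaining a high detection rate, this markedly reduces the false-alarm rate and lowers the system load. In implementing the port scan detection module, the thesis makes several useful improvements to, and implements, the port-distribution-based theory of port scan detection, and uses D-S data fusion theory to combine the port-distribution-based detection theory with the sequential-hypothesis-based detection theory, which markedly improves port scan detection and plays a key role in raising overall detection performance. Basic tests of the port scan theory and of the intrusion detection system provide a preliminary validation of the system design.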

【Abstract】 As information technology and computer networks develop rapidly, the security of network information systems has become one of the key problems. Traditional network intrusion detection systems have done a lot of work and achieve certain functions, but they also have some defects: a high rate of misjudgments, ordinary detection efficiency, heavy load on the detection system, and other problems. The main reasons are that the source of the data for analysis is single, the structure is relatively simple, and the matching rules are not distinctive enough. To address these shortcomings, we propose a network intrusion detection system based on port scan detection, protocol analysis and traffic analysis. The detection system uses port scan detection and network traffic analysis as pre-testing before rule matching. This detection structure guarantees a high detection rate with a significantly lower false alarm rate and lower system load. In the implementation of the port scan detection module, we made some improvements to the port scan detection theory based on port distribution. We use data fusion theory to combine two theories to improve the performance of the system. After that, we did some testing of the system and then provide the results.

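  • 【Online publication contributor】 Zhejiang University
  • 【Online publication year/issue】 2007, Issue 02
  • 【Classification number】 TP393.08
  • 【Times cited】 1
  • 【Downloads】 242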