Research and Implementation of a Regular-Expression-Based DDoS Defense Algorithm in the Linux Environment

Research on Regular-expression-based Defense Algorithm Against DDoS in Linux

【Author】 张乾 (Zhang Qian)

【Advisor】 桑军 (Sang Jun)

【Author information】 Chongqing University, Computer Software and Theory, 2009, Master's

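【Chinese abstract】 With the development of the Internet, network security problems have become increasingly prominent. Distributed Denial of Service (DDoS) attacks are one of the main threats facing the Internet today; more seriously, there are as yet no fully satisfactory means of protection or attack detection, so designing effective means of protection and attack detection is an important current goal in maintaining network security. DDoS is a high-intensity, seriously damaging form of attack. It uses legitimate requests to occupy excessive server resources, overloading the server so that it cannot respond to other requests. Because such attacks are generally carried out by attack processes distributed across different computers, and also employ IP spoofing and flooding, detecting and defending against them is very difficult. Compared with traditional pattern matching, regular expressions are flexible and efficient. As DDoS defense and detection technology has developed, the pattern sets traditionally used to filter packet content (containing the match strings of the patterns) are gradually being replaced by sets of regular expressions. For example, L7-filter (Linux Application Protocol Classifier) identifies application-layer packets through a regular-expression-based pattern set. At present, how to improve the efficiency of regular-expression-based deep packet inspection is a focus of DDoS defense and detection work. This thesis proposes a new regular-expression-based matching algorithm. Building on an in-depth analysis of how the number of DFA (Deterministic Finite Automaton) states affects algorithm performance, it further proposes an algorithm for constructing the optimal number of DFA states, which guarantees that the algorithm has optimized time complexity under any finite system resources. The algorithm was implemented in the Linux environment, and extensive comparative experiments were carried out on network packets using the L7-filter pattern set. The experimental data show that, compared with existing algorithms, this algorithm has optimized time complexity.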

【Abstract】 With the rapid development of the Internet, network security is becoming more and more critical. DDoS (Distributed Denial of Service) attacks are one of the primary threats on today's Internet; furthermore, there are as yet no completely satisfactory means of protection or attack detection, so designing more effective security solutions and attack detection modules is a very important goal in the network security field. Defense against DDoS attacks is one of the hardest security problems on the Internet. Attackers usually send so many service requests that they exhaust the server's resources, and the overloaded server cannot serve real requests. This kind of attack typically controls many computers distributed across the Internet to attack the server. IP spoofing and flooding are also used in the attack, so it is very hard to detect and defend against DDoS attacks. Traditional string-set-based defense technology is being replaced by regular-expression-set-based technology. For example, in the Linux Application Protocol Classifier (L7-filter), all protocol identifiers are expressed as regular expressions. Similarly, the Snort and Bro intrusion detection systems also use regular expressions as their pattern language. After analyzing the merits and demerits of the classical pattern matching algorithms, this thesis proposes a new pattern matching algorithm based on regular expressions. Based on an analysis of the impact of the number of DFA states on algorithm performance, the algorithm is further improved by introducing a DFA state number optimization algorithm. The proposed algorithm has been implemented in a Linux environment and many experiments have been carried out. Experimental results show that the performance of the proposed algorithm is much better than that of others.

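【Chinese keywords】 DDoS; network security; regular expression; DFA
【Key words】 DDoS; Web security; Regular expression; DFA
  • 【Online publication contributor】 Chongqing University
  • 【Online publication year and issue】 2011, Issue S2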