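Research on Packet Classification Algorithms on the Windows Platform Based on the NDIS Intermediate Layer

【Author】 Pei Lin (裴林)

【Advisor】 Cao Bin (曹斌)

【Author information】 Guizhou University, Computer Application Technology, 2009, Master's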

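【Summary】 Network security technologies widely used on the Internet, such as firewalls, intrusion detection, network monitoring, security auditing, and virtual private networks, all rely on packet interception and packet classification as their foundation. The correctness, accuracy, and speed of packet classification directly affect the performance and efficiency of security products. Among existing packet classification algorithms, one-dimensional and two-dimensional algorithms are relatively mature and widely used, whereas research on multi-dimensional packet classification is still immature, with many problems in urgent need of solution. For example, classification speed cannot meet the demands of high-speed network applications, and packet loss is common; classification accuracy needs improvement, since protocol complexity often prevents packets from being identified correctly; as the rule base grows, the memory footprint becomes too large to meet low-cost requirements; and the rule base is difficult to update. Building on the fast-lookup and fast-positioning properties of hash functions, the author proposes a hash-based five-tuple one-dimensional packet classification algorithm. The algorithm classifies on the five-tuple of the packet header, but because it performs one comparison operation and one hash operation, the five-tuple is reduced to a single dimension, and in the end only the remote IP address is stored in the rule base. This increases lookup speed, reduces storage space, and improves the classification efficiency of network packets. A theoretical analysis of the algorithm's accuracy and speed is also given. The thesis analyzes in depth the various packet interception techniques on the Windows platform and gives the advantages and disadvantages of each. An NDIS intermediate driver is used to intercept packets, because an NDIS intermediate driver operates between the data link layer and the network layer and can thoroughly intercept all packets entering and leaving the host. Finally, a packet classification system is implemented that applies the proposed hash-based five-tuple one-dimensional packet classification algorithm to the intercepted packets; the experimental results are basically consistent with the theoretical analysis.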

【Abstract】 Network security technologies that are widely applied in the Internet environment, such as firewalls, intrusion detection, network monitoring, security auditing, and virtual private networks, are all built on packet interception and packet classification. The correctness, accuracy, and speed of packet classification directly affect the performance and efficiency of security products. At present, among existing packet classification algorithms, the one-dimensional and two-dimensional algorithms are mature and widely used, while multi-dimensional packet classification is still immature and has many urgent problems. For example, the speed of packet classification cannot meet the demands of high-speed network applications, and packet loss is widespread; classification accuracy needs to be improved, because the complexity of protocols often means that packets cannot be identified properly; as the rule base expands, the memory required grows too large to meet low-cost requirements; and the rule base is difficult to update. Based on the idea of quick search and quick positioning with a hash function, I propose a hash-function-based five-tuple one-dimensional packet classification algorithm. It classifies on the five-tuple of the packet header, but because it performs one comparison operation and one hash computation, the five dimensions are reduced to one, and ultimately only an IP address field is stored in the rule base. This not only improves lookup speed but also reduces storage space and raises the efficiency of network packet classification. A theoretical analysis of the algorithm's accuracy and speed is given. This thesis thoroughly analyzes the various packet interception technologies on the Windows platform and gives the advantages and disadvantages of each. An NDIS intermediate driver is used to intercept packets, because the NDIS intermediate driver sits between the data link layer and the network layer and can therefore intercept all packets entering and leaving the host. Finally, a packet classification system is implemented that uses my hash-function-based five-tuple one-dimensional packet classification algorithm to classify the intercepted packets; the experimental results are basically consistent with the theoretical analysis.

  • 【Online publication contributor】 Guizhou University
  • 【Online publication year and issue】 2011, Issue S1