A Traffic-Analysis Oriented Stream Pattern Matching Technology

【Author】 Wang Yanping

【Advisor】 Li Hui

【Author information】 Xidian University, Communication and Information Systems, 2010, Master's thesis

【Abstract】 Network traffic recognition plays an important role in network security, network monitoring and load balancing, and has become the basis and precondition of network management. With the continued emergence of encrypted traffic and new applications, however, it faces enormous challenges. The currently available approaches (port-based, payload-based and statistical-feature-based classification) each have marked advantages and disadvantages, and none of them meets the needs of present-day data stream analysis. A simple, standardized mechanism is therefore needed that combines the advantages of the different methods and lets them work together to achieve efficient and accurate traffic recognition.

This thesis proposes a stream pattern matching technique. By defining a formal description specification, it lets a user unambiguously describe, following a defined syntax and semantics, a series of data streams that share certain features with a single "stream pattern". That representation is then parsed and processed, and a stream pattern matching engine based on nondeterministic finite automata (NFA) and bit-parallel algorithms is designed to accurately pick out the specified streams from captured network data in real time.

The main contributions of this thesis are as follows:

1. A definition and normalized design of the stream pattern. The pattern combines several existing traffic recognition algorithms and can be written and extended flexibly and conveniently.
2. A dedicated parse-tree builder suited to the stream pattern's own characteristics, which parses a user-specified stream pattern into a tree structure that is easy for a program to process.
3. A stream pattern matching engine based on NFA and bit-parallel search algorithms, built on top of the parse tree.
4. System testing and verification of the stream pattern matching engine, with theoretical analysis and functional tests. The test results verify that the engine can effectively perform traffic recognition.

【Key words】 Traffic Recognition; Stream Pattern; NFA; Bit-parallel