
面向网络预警的并行模式匹配方法研究

Research on Parallel Pattern Matching for Applications in Network Early Warning

[Author] 吴诚堃

[Supervisor] 殷建平

[Author information] National University of Defense Technology, Computer Science and Technology, 2009, Master's thesis

[Abstract (Chinese)] Network early warning systems are an important tool for the active defence of network security. A network early warning system is based on network security situation awareness information, of which intrusion detection systems are a major source, but the performance of existing intrusion detection systems falls short of real-world requirements. Pattern matching is the performance bottleneck of intrusion detection systems. To speed up pattern matching in intrusion detection, a great deal of research has been carried out from different angles, yet many problems remain unsolved. Taking both performance and cost into account, this thesis studies the pattern matching problem in intrusion detection systems in depth. The main contents and contributions of the work are:

1. Four basic approaches currently used to accelerate pattern matching in intrusion detection systems are studied, and their advantages, disadvantages and scope of applicability are evaluated and compared.

2. Starting from the background of the project, a performance-bottleneck analysis of Snort is carried out. The tool gprof is first used to obtain the time consumed by each function while Snort runs and the call relationships between functions; at the same time, an auxiliary profiling tool that adapts to the structure of the source code and a tool that graphically displays the call relationships of a given function are designed and implemented. The analysis confirms that in Snort, pattern matching consumes more than half of the total processing time and is the system's performance bottleneck.

3. A GPU-based parallel pattern matching method is proposed. The method combines pattern-set partitioning with text partitioning, adopts more effective data access and data management, and also examines the load-balancing problem, in order to achieve fast pattern matching. Experiments show that the method is a considerable improvement over the CPU implementation, with a speedup of about 7. Compared with Gnort, another GPU implementation, it also has an advantage when the pattern set is larger.

4. A pre-filtering method based on a reduced pattern set is proposed. Following the conclusions of a statistical analysis, pattern substrings of length 2 bytes are used as the candidate set of filtering patterns. The problem of reducing the candidate set is then formulated as a 0-1 integer linear program, which is solved with the LINGO software. Experiments on Snort's pattern set show that the optimization greatly reduces the filtering pattern set while raising the filter ratio.

5. Starting from the needs of network early warning systems, a platform for collecting network security situation information is built. The overall architecture of the platform is first discussed and the current state of the prototype system is given. The implementation of the platform's intrusion detection pre-processing module and of its IDS-based situation information collection module are then described.

[Abstract] Network Early Warning System (NEWS) is an important tool for active defence of network security. NEWS is based on Network Security Situation Awareness (NSSA), and Intrusion Detection System (IDS) is the most important source of NSSA information. However, the performance of current IDSs is not as good as required. The bottleneck lies in pattern matching. A lot of work has been done on the problem of pattern matching for intrusion detection, yet there is still a lot of space left for improvement. In this paper, we focus on the problem of pattern matching for IDSs. The main achievements can be listed as follows:

1. Four different ways to accelerate pattern matching are surveyed, and their advantages and disadvantages are analyzed and compared in detail.

2. An analysis of Snort's performance bottleneck is carried out. The tool gprof was used to profile the running time of each function and to record the relationships of function calls discovered at run time. Meanwhile, an assistant tool for performance profiling was designed and implemented, and a graphical description tool for the relationships of function calls was put forward. The experiment results show that in Snort, more than half of the processing time was consumed by pattern matching, which is the performance bottleneck.

3. A GPU-based method for parallel pattern matching is proposed. This method combines pattern set partition and text partition, and employs a more effective way of data access and data management. At the same time, the issue of load balancing is discussed too. The experiment results indicate a 7 times acceleration compared to the CPU implementation. Under the condition of a large pattern set, our method is better than another GPU-based method, Gnort.

4. A pre-filtering mechanism based on the reduction of the filtering pattern set is proposed. According to our statistical analysis, 2-byte sub-patterns are used as pre-filter keyword candidates. Then the Binary Integer Linear Programming formulation of the keyword reduction problem is given. The optimization leads to a decreased size of the filtering pattern set, and the filter ratio is increased.

5. The platform of information collection for Network Security Situation Awareness is designed according to the requirements of NEWSs. The architecture of the platform is presented first, then some details about the prototype system are revealed. The pre-processing module for intrusion detection and the IDS-based collection module for situation awareness information are demonstrated too.
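As an added illustration of item 4 (example code written for this page, not code from the thesis), the following Python models the 2-byte keyword pre-filter: every 2-byte substring of a pattern is a candidate, the reduction problem is solved exactly as a minimum set cover (one natural form of the 0-1 integer program; the thesis's exact objective and the LINGO solver are not reproduced, and brute-force enumeration only scales to small, constructed pattern sets like the one here), and the resulting keyword set decides which packets need the full matcher. The patterns and packets are constructed samples, not Snort's rule set or real traffic.

```python
from itertools import combinations

# Constructed sample pattern set (not Snort's): byte strings an IDS might search for.
PATTERNS = [b"/bin/sh", b"cgi-bin", b"cmd.exe", b"..\\..", b"/etc/passwd"]

# Constructed traffic sample: three benign requests and one request that
# contains a pattern, used to measure the filter ratio.
PACKETS = [
    b"HEAD / HTTP/1.1\r\n",
    b"GET /cgi-bin/test.cgi HTTP/1.0\r\n",
    b"OPTIONS * HTTP/1.1\r\n",
    b"HEAD /faq HTTP/1.1\r\n",
]


def candidate_keywords(patterns):
    """Every 2-byte substring of every pattern is a candidate filtering keyword."""
    return sorted({p[i:i + 2] for p in patterns for i in range(len(p) - 1)})


def reduce_keywords(patterns):
    """Exact 0-1 program by enumeration: pick the fewest keywords such that
    every pattern contains at least one of them (minimum set cover)."""
    cands = candidate_keywords(patterns)
    for size in range(1, len(cands) + 1):
        for chosen in combinations(cands, size):
            if all(any(k in p for k in chosen) for p in patterns):
                return list(chosen)
    return cands  # not reached: the full candidate set always covers


def prefilter(packet, keywords):
    """True if the packet may contain a pattern and must go to the full matcher."""
    return any(k in packet for k in keywords)


def full_match(packet, patterns):
    """The exact (expensive) matcher, run only on packets that pass the pre-filter."""
    return [p for p in patterns if p in packet]


def filter_ratio(packets, keywords):
    """Fraction of packets the pre-filter rejects without full matching."""
    rejected = sum(1 for pkt in packets if not prefilter(pkt, keywords))
    return rejected / len(packets)


if __name__ == "__main__":
    kws = reduce_keywords(PATTERNS)
    print(len(candidate_keywords(PATTERNS)), "candidates reduced to", kws)
    for pkt in PACKETS:
        if prefilter(pkt, kws):
            print("full match on", pkt, "->", full_match(pkt, PATTERNS))
    print("filter ratio:", filter_ratio(PACKETS, kws))
```

The 29 candidates reduce to 4 keywords here because /bin/sh and cgi-bin share a 2-byte substring while the other three patterns share none with anything; a reduced set must cover every pattern, otherwise the pre-filter would silently drop packets the full matcher would have caught.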
