Research and Implementation of an Intrusion Detection System in the Campus Network Environment
【Author】 Fang Xianjin;
【Supervisor】 Zheng Cheng;
【Author information】 Anhui University, Computer Application Technology, 2005, Master's
【Abstract (Chinese)】 With the rapid development of computer networks and their applications, especially the rise of electronic banking and electronic commerce, network security has become an increasingly prominent problem. Likewise, campus network security is a major problem currently facing universities, and research on it has important theoretical significance and broad application prospects. The thesis analyses the security architecture adopted by most campus networks, namely a firewall architecture built on Iptables packet filtering and Squid+socks proxy servers, and notes that few campus networks deploy and implement an intrusion detection system (IDS). As a very important network security technology, an IDS is an important complement to the firewall: its basic functions are to monitor internal network traffic, raise alerts on recognized attack signatures or anomalous behaviour, and watch for attacks from the internal network against the firewall and other hosts; an IDS cannot, however, replace the firewall. The thesis proposes a campus network security strategy of firewall plus intrusion detection system for campus networks built on open-source software, and implements it with the well-known network intrusion detection system Snort NIDS. Snort can analyse traffic in real time and log network packets, perform protocol analysis, search and match on content, detect many different kinds of attacks and raise real-time alerts on them. The Snort network intrusion detection system is a very particular application built on string matching, and a high-speed network such as a campus network places heavy demands on its real-time pattern matching. If the IDS cannot inspect packets as fast as the network delivers them, the detection system will miss some of the packets, which degrades its accuracy and effectiveness and can even amount to a DoS attack on the network system; the performance of the pattern matching algorithm therefore has a severe influence on the performance of the IDS. The main aim of the thesis is to improve the pattern matching algorithm in the Snort intrusion detection system, raising Snort's detection speed, reducing its consumption of system resources, and improving its security and accuracy. Pattern matching algorithms have been studied extensively. The Snort intrusion detection system uses the Aho-Corasick multi-pattern matching algorithm, which is based on a deterministic finite automaton (DFA). Its characteristic is that storing the state transition matrix takes a large amount of memory, but the algorithm runs fast, matches many patterns at once, and its performance is unaffected by the lengths of the pattern strings in the pattern set; its worst-case and average-case performance are the same, which makes it very robust for an IDS. To optimize the Aho-Corasick algorithm, the thesis studies several storage formats for sparse matrices and sparse vectors, and proposes using
【Abstract】 With the rapid development of computer networks and their applications, especially the extensive use of electronic banking and electronic commerce, network security is becoming a more and more important issue. At the same time, the security of the campus network is an increasingly prominent problem confronting most universities, and research on campus network security has theoretical significance and broad application prospects.

The thesis analyses the general network security architecture of the campus network, which is a firewall architecture made up of an iptables-based packet filter and a squid- and socks-based proxy server. In general, a campus network is rarely equipped with an Intrusion Detection System (IDS). As a significant network security technique, an IDS is an important complement to the firewall, although it cannot take the firewall's place. The fundamental functions of an IDS include monitoring the traffic of the interior network, raising an alarm for recognized attack signatures or anomalies, and protecting the firewall and other hosts from attacks coming from the interior network.

The thesis presents a network security strategy for campus networks based on open source software, founded on a firewall and an IDS. The strategy is implemented with the support of Snort NIDS, a well-known network intrusion detection system. Besides its abilities to analyse network traffic and to log network packets, Snort can also perform protocol analysis. Moreover, since it can search and match on content, Snort is able to detect different types of attack and raise real-time alarms.

Snort NIDS belongs to a class of special applications based on string matching, which requires excellent real-time pattern matching performance, especially in the context of a campus network. If the inspection speed of the IDS cannot keep up with the speed of data transmission, some packets are dropped, which affects the correctness and efficiency of the system and can even amount to a DoS attack. As a consequence, the performance of the IDS is largely determined by that of the pattern matching algorithm. The thesis mainly aims at improving the performance of the pattern matching algorithm used in the IDS: speeding up Snort's inspection, improving safety and correctness, and reducing the cost in system resources.

Pattern matching algorithms have been extensively studied. Snort IDS relies heavily on the Aho-Corasick algorithm, a multi-pattern search algorithm based on Deterministic Finite Automata (DFA); its characteristic is a large memory requirement for storing the state transition table, but it offers a significant speedup and matches multiple patterns in a single pass. The worst-case and average-case performance of the Aho-Corasick algorithm are the same, since its performance is unaffected by the length of the pattern strings in the pattern group, so it is a very robust algorithm for an IDS. In order to optimize the Aho-Corasick algorithm, the thesis studies some basic sparse matrix and vector storage formats, and the Banded-Row format is exploited to optimize the Aho-Corasick state table; an improved algorithm that reduces memory requirements and further improves performance on large pattern groups is thus presented. Finally, a comparison of performance, storage requirement and speed is listed for the standard AC algorithm, the optimized AC algorithm using full matrix storage, and the improved AC algorithm using Banded-Row storage, each executed in the context of a Snort test.

The main work of the thesis includes:
1. A network security strategy for campus networks, based on a firewall and an IDS, is presented and implemented with open source software.
2. Intrusion detection systems are researched together with pattern matching algorithms.
3. Some basic storage formats for sparse matrices and vectors are analysed.
4. A sparse storage format is proposed to optimize the Aho-Corasick pattern matching algorithm used in Snort IDS, and simulated results are compared when different sparse storage formats are exploited to implement the Aho-Corasick algorithm in Snort IDS.
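Both abstracts describe the same trade-off: the Aho-Corasick DFA is fast because every state has a transition for every byte, but a full state-transition matrix costs one row of 256 entries per state, and a banded row keeps only the span between the first and last "non-zero" entry. The following is an added example, not code from the thesis or from Snort: it builds the DFA once, stores it both as a full matrix and as banded rows, and checks that the two storage formats produce identical matches while reporting their memory footprint. It assumes (as this example's own simplification, not necessarily the thesis's exact format) that a transition back to the root state 0 is the "zero" entry a band may omit; the pattern set and the scanned strings are constructed for the demonstration and come from no Snort rule set.

```c
/* Added teaching example (not Snort's acsmx2.c): Aho-Corasick DFA built once, then stored
   both as a full state-transition matrix and as banded rows, so the two can be compared. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define ALPHA 256        /* one column per byte value */
#define MAX_STATES 64    /* plenty for the constructed pattern set below */

static int full[MAX_STATES][ALPHA];  /* full-matrix DFA: full[state][byte] -> next state */
static int fail_link[MAX_STATES];
static unsigned out[MAX_STATES];     /* bitmask of pattern ids accepted at a state */
static int nstates;

/* Banded row: only columns lo .. lo+width-1 are kept. Assumption of this example: a
   transition back to the root state 0 is the "zero" entry, so anything outside the band
   is an implicit transition to 0 and need not be stored. */
typedef struct { int lo, width; int *trans; } BandedRow;
static BandedRow band[MAX_STATES];

static void ac_free(void) {
    for (int s = 0; s < nstates; s++) { free(band[s].trans); band[s].trans = NULL; }
}

static void ac_build(const char *const *pats, int npats) {
    int queue[MAX_STATES], head = 0, tail = 0;
    ac_free();
    memset(full, -1, sizeof full); memset(out, 0, sizeof out); nstates = 1;
    for (int i = 0; i < npats; i++) {              /* 1. insert patterns into a trie */
        int s = 0;
        for (const unsigned char *p = (const unsigned char *)pats[i]; *p; p++) {
            if (full[s][*p] < 0) {
                if (nstates >= MAX_STATES) { fputs("too many states\n", stderr); exit(1); }
                full[s][*p] = nstates++;
            }
            s = full[s][*p];
        }
        out[s] |= 1u << i;
    }
    for (int c = 0; c < ALPHA; c++) {              /* 2. root: missing edges loop to root */
        if (full[0][c] < 0) full[0][c] = 0;
        else { fail_link[full[0][c]] = 0; queue[tail++] = full[0][c]; }
    }
    while (head < tail) {                          /* 3. BFS: failure links, complete DFA */
        int s = queue[head++];
        for (int c = 0; c < ALPHA; c++) {
            int t = full[s][c];
            if (t < 0) { full[s][c] = full[fail_link[s]][c]; continue; }
            fail_link[t] = full[fail_link[s]][c];
            out[t] |= out[fail_link[t]];           /* inherit matches of the longest proper suffix */
            queue[tail++] = t;
        }
    }
    for (int s = 0; s < nstates; s++) {            /* 4. derive banded rows from full rows */
        int lo = -1, hi = -1;
        for (int c = 0; c < ALPHA; c++)
            if (full[s][c] != 0) { if (lo < 0) lo = c; hi = c; }
        band[s].lo = lo < 0 ? 0 : lo;
        band[s].width = lo < 0 ? 0 : hi - lo + 1;
        band[s].trans = band[s].width ? malloc((size_t)band[s].width * sizeof(int)) : NULL;
        for (int k = 0; k < band[s].width; k++) band[s].trans[k] = full[s][lo + k];
    }
}

static int banded_next(int s, unsigned char c) {
    int off = (int)c - band[s].lo;
    return (off < 0 || off >= band[s].width) ? 0 : band[s].trans[off];
}

/* Scan text with either storage format. Returns the bitmask of pattern ids seen and, via
   *hits (may be NULL), the number of individual (position, pattern) matches. */
static unsigned ac_search(const char *text, int use_banded, int *hits) {
    unsigned seen = 0; int s = 0, n = 0;
    for (const unsigned char *p = (const unsigned char *)text; *p; p++) {
        s = use_banded ? banded_next(s, *p) : full[s][*p];
        for (unsigned m = out[s]; m; m &= m - 1) n++;   /* popcount of matches at this byte */
        seen |= out[s];
    }
    if (hits) *hits = n;
    return seen;
}
static int ac_hits(const char *text, int use_banded) { int n; ac_search(text, use_banded, &n); return n; }

static size_t full_bytes(void) { return (size_t)nstates * ALPHA * sizeof(int); }
static size_t banded_bytes(void) {                 /* lo + width per row, plus the band itself */
    size_t b = (size_t)nstates * 2 * sizeof(int);
    for (int s = 0; s < nstates; s++) b += (size_t)band[s].width * sizeof(int);
    return b;
}

/* Constructed sample pattern set (not from any Snort rule set); returns the state count. */
static int demo_build(void) {
    static const char *const pats[] = { "he", "she", "his", "hers" };
    ac_build(pats, 4);
    return nstates;
}

int main(void) {
    int hits;
    demo_build();
    unsigned m = ac_search("ushers", 1, &hits);
    printf("states=%d full=%zu bytes banded=%zu bytes\n", nstates, full_bytes(), banded_bytes());
    printf("\"ushers\": pattern bitmask=0x%x, %d hits (full matrix agrees: 0x%x)\n",
           m, hits, ac_search("ushers", 0, NULL));
    ac_free();
    return 0;
}
```

Compile with `cc -std=c99 ac_banded.c`. For the four constructed patterns the DFA has 10 states, so the full matrix holds 2560 ints while the banded rows hold 126 transition ints plus two ints of band bookkeeping per row; scanning `"ushers"` with either format reports patterns 0, 1 and 3 (`he`, `she`, `hers`) at three match positions. The in-band lookup costs one subtraction and one bounds check more than the full-matrix lookup, which is the speed-for-memory trade-off the thesis evaluates on real rule sets.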
【Key words】 Network security; Intrusion Detection; Pattern Match; Banded-Row storage; Aho-Corasick Algorithm;
- 【Online publication contributor】 Anhui University 【Online publication issue】 2006, No. 02
- 【Classification number】 TP393.08
- 【Citations】 12
- 【Downloads】 524