Node Literature

基于智能Agent的分布式入侵检测系统设计

Design of Distributed Intrusion Detection System Based on Intelligent Agent

【Author】 张宜凯

【Supervisor】 李军民

【Author information】 Xi'an University of Science and Technology, Computer Application Technology, 2008, Master's thesis

【Abstract (Chinese, translated)】 This thesis was carried out against the background of the research and development of the embedded network security project at the Xi'an Network Center of the Chinese Academy of Sciences. It analyses the problems of the current system: detection is too slow, detection technology has not kept pace with the rapid growth in network speed, and distribution, flexibility and efficiency leave much to be desired. We therefore began looking for new techniques to improve the overall performance of the intrusion detection system. This thesis attempts to introduce intelligent Agent technology into the intrusion detection system in order to improve its real-time performance, scalability, flexibility and fault tolerance, giving the system better performance and flexibility. Agent technology is a distributed computing technique derived from intelligent agents. Compared with traditional distributed systems, Agents reduce network traffic, run autonomously and asynchronously, and adapt dynamically to changes in the network. Applying multi-Agent system technology to a distributed intrusion detection system makes global intrusion detection possible, with low consumption of network and host resources, a reduced chance of bottlenecks, and easy distribution of services. The thesis introduces intrusion detection systems in detail, analyses several commonly used detection methods, presents the advantages of Agent technology and its platform Aglet in an IDS, compares several pattern matching algorithms used by the detection engine, and adopts a method that combines protocol analysis with pattern matching. Experiments show that this method has clear advantages: protocol analysis exploits the highly regular structure of network protocols to inspect only the content of specific protocol fields, which reduces the search space and the amount of computation and avoids the false positives and false negatives produced by simple pattern matching over raw content. The thesis studies in depth the network card driver and the memory management mechanism under Linux, bypasses the operating system's protocol stack processing of packets, reduces the number of packet copies, achieves zero copy, improves the system's packet capture capacity and significantly improves system performance.

【Abstract】 This thesis is based on the embedded project at the Network Center of the Chinese Academy of Sciences in Xi'an. Currently the key problem is how to improve the performance of intrusion detection systems: the development of detection technology cannot keep up with the speed of network technology, and traditional intrusion detection systems have shortcomings in certain aspects, such as flexibility and interoperability. Therefore, people have begun to seek new technologies to improve the performance of intrusion detection systems. In this thesis we try to introduce mobile Agent technology into intrusion detection systems to improve their flexibility, interoperability and extensibility as well as their real-time performance. Agents have been proposed for distributed network management. Compared with traditional technology they have obvious advantages, such as greatly reducing network traffic, running independently and asynchronously, and adapting to changes in the network through dynamic configuration. They use less network traffic and fewer host resources, reducing the possibility of bottlenecks, and they make it easy to deploy the service. This dissertation introduces intrusion detection systems in detail and analyses the usual methods used by intrusion detection systems. It also describes the advantages and disadvantages of present systems. It points out the strong points of Agents and their platform Aglet for use in intrusion detection systems, analyses some string matching algorithms used by the detection engine of an intrusion detection system and, based on this research, adopts a method combining protocol analysis with string pattern matching.
Protocol analysis technology uses the high regularity of network protocols and matches only specific fields in data packets, so it decreases the search space and computational complexity and avoids the false reports produced by simple pattern matching. We improved the traditional packet capture procedure based on zero-copy technology, thoroughly researched driver programming and the memory management mechanism under the Linux system, reduced the number of data copies, achieved zero copy and improved system performance remarkably.
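The abstract's central detection-engine point is that protocol analysis narrows where a pattern is searched: a rule is scanned only against the protocol field it is written for, rather than against the whole packet. The following Python sketch is an added illustration of that idea and is not code from the thesis or from its IDS; the minimal HTTP request parser, the rule set, the sample requests and the byte-count accounting are all constructed here for the example. It contrasts a naive matcher that runs every pattern over the full payload with a protocol-aware matcher that parses first and then scans only the named field, and shows both the smaller search space and the false positive that scoping avoids.

```python
"""Protocol-aware signature matching versus naive whole-payload matching.

Added example, not the thesis's own engine. The parser, rules and sample
requests below are constructed for illustration.
"""
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Signature:
    sid: int
    protocol: str        # parser whose output this rule applies to
    field: str           # parsed field the pattern is scanned against
    pattern: "re.Pattern[bytes]"
    msg: str


def parse_http_request(payload: bytes) -> Optional[Dict[str, bytes]]:
    """Minimal HTTP/1.x request parser (hypothetical, illustration only).

    Returns bytes-valued fields (method, uri, version, headers, body) or
    None when the payload is not a well-formed request.
    """
    head, sep, body = payload.partition(b"\r\n\r\n")
    if not sep:
        return None
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/"):
        return None
    return {
        "method": parts[0],
        "uri": parts[1],
        "version": parts[2],
        "headers": b"\r\n".join(lines[1:]),
        "body": body,
    }


# Protocol name -> parser. A real engine would dispatch on port/heuristics.
PARSERS: Dict[str, Callable[[bytes], Optional[Dict[str, bytes]]]] = {
    "http": parse_http_request,
}

# Constructed rule set: a single traversal rule scoped to the request URI.
SIGNATURES: List[Signature] = [
    Signature(1000001, "http", "uri", re.compile(rb"\.\./"),
              "HTTP request URI contains ../"),
]


def match_naive(payload: bytes, sigs: List[Signature] = SIGNATURES) -> Tuple[List[int], int]:
    """Simple pattern matching: every rule over the entire payload.

    Returns (matching rule ids, bytes scanned).
    """
    hits = [s.sid for s in sigs if s.pattern.search(payload)]
    return hits, len(payload) * len(sigs)


def match_protocol_aware(payload: bytes, protocol: str,
                         sigs: List[Signature] = SIGNATURES) -> Tuple[List[int], int]:
    """Protocol analysis first, then each rule only over the field it names.

    Returns (matching rule ids, bytes scanned). Payloads that do not parse as
    the expected protocol are not scanned at all.
    """
    parser = PARSERS.get(protocol)
    fields = parser(payload) if parser else None
    if fields is None:
        return [], 0
    hits: List[int] = []
    scanned = 0
    for s in sigs:
        if s.protocol != protocol or s.field not in fields:
            continue
        value = fields[s.field]
        scanned += len(value)
        if s.pattern.search(value):
            hits.append(s.sid)
    return hits, scanned


# Constructed samples. The benign request merely mentions "../" in its body.
BENIGN_REQUEST = (
    b"POST /blog/comment HTTP/1.1\r\nHost: example.test\r\nContent-Length: 40\r\n\r\n"
    b"relative links like ../images/a.png work"
)
SUSPECT_REQUEST = (
    b"GET /static/../../etc/passwd HTTP/1.1\r\nHost: example.test\r\n\r\n"
)

if __name__ == "__main__":
    for name, req in (("benign", BENIGN_REQUEST), ("suspect", SUSPECT_REQUEST)):
        print(name, "naive:", match_naive(req),
              "protocol-aware:", match_protocol_aware(req, "http"))
```

Running the block shows the naive matcher firing on the benign request because the traversal string appears in the body, while the protocol-aware matcher scans only the 13-byte URI and stays silent; on the suspect request both fire, but the scoped matcher inspects 24 bytes instead of the whole payload. The same dispatch structure extends to further protocols by adding a parser to `PARSERS` and rules naming its fields.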
