Research on Performance Optimization of a Snort-Based Intrusion Prevention System
Published: 2018-08-19 18:22
[Abstract]: The continuing development of information technology, and of Internet technology in particular, has brought great convenience to people's lives. However, as network applications of every kind spread, attackers gain more opportunities as well. In recent years network intrusions have risen year after year, and the resulting losses are hard to estimate. Intrusion prevention is a technology dedicated to defending against all kinds of network attacks; it combines the strengths of firewalls and of intrusion detection, so that it can both inspect network packets deeply for attacks and block attacks in time. At present, the biggest problem facing intrusion prevention systems is the performance bottleneck caused by network latency and packet loss. Because an intrusion prevention system is connected inline in the backbone network, any large latency or packet loss severely affects users' normal network access, so improving IPS performance, reducing latency and raising throughput is a problem that urgently needs solving. This thesis analyzes the open-source intrusion detection system Snort in depth, and designs and implements a prototype Snort-based intrusion prevention system whose misuse-detection module ports Snort's core detection engine. On that basis, the misuse-detection module was unit-tested and analyzed to locate the system's performance bottlenecks, and the relevant stages were improved and optimized as follows: 1) For the Snort detection engine, an "activity-based dynamic priority adjustment scheme for rule chains" is proposed and implemented; comparative experiments show that it effectively improves detection performance in a network environment with large volumes of sustained attacks. 2) The BM and AC pattern-matching algorithms used in the current version of Snort, and the existing improvements to them, are analyzed; on that basis an improved multi-pattern matching algorithm is proposed and applied to the system, and comparative experiments show that the improved algorithm outperforms the original in actual detection. 3) For multi-core platforms, a "concurrent detection engine model for multi-core platforms" is proposed, changing the architecture of the misuse-detection module from a single-threaded model to a multi-process concurrent model so as to make full use of every core of a multi-core CPU; tests on an 8-core hardware platform show that the model effectively raises network throughput and improves overall detection performance. Finally, the three improvements are applied to the intrusion prevention system and tested for overall performance together with its other functional modules; the results show that the overall performance of the improved system is substantially better.
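The first of the three improvements, as the abstract describes it, keeps a chain of detection rules and dynamically raises the priority of rules that have fired often recently. The following is an added illustration written for this page, not code from the thesis or from Snort: a toy rule chain in which each rule is a single content pattern, evaluated in list order with first match wins, and re-sorted every `window` packets by a decayed hit counter. The rule set, the traffic mix (four payloads carrying the last rule's content for every benign one), and the `window` and `decay` values are all constructed here. Snort's real engine evaluates full rule options behind fast-pattern groups rather than plain substring checks, so only the ordering effect is modeled.

```python
"""Toy model of an activity-based dynamic rule-chain priority scheme.

Added illustration for this page; not the thesis's code. It models only the
first improvement the abstract lists: a chain of content rules evaluated in
order, with rules periodically re-sorted by how often they matched recently.
All rule ids, patterns, traffic and parameters below are constructed.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Rule:
    sid: int            # constructed rule id
    pattern: bytes      # content the rule looks for in the payload
    hits: int = 0       # recent activity counter, decayed on each reorder


class RuleChain:
    """Evaluates rules in list order; the first matching rule wins."""

    def __init__(self, rules: List[Rule], window: Optional[int] = None,
                 decay: float = 0.5):
        self.rules = list(rules)
        self.window = window      # packets between re-sorts; None = static chain
        self.decay = decay        # ages old hits so one burst cannot pin a rule forever
        self.packets = 0
        self.comparisons = 0      # total rule evaluations: the cost being reduced

    def inspect(self, payload: bytes) -> Optional[int]:
        self.packets += 1
        matched = None
        for rule in self.rules:
            self.comparisons += 1
            if rule.pattern in payload:
                rule.hits += 1
                matched = rule.sid
                break
        if self.window and self.packets % self.window == 0:
            self.reorder()
        return matched

    def reorder(self) -> None:
        # Stable sort: the most active rules move to the front; ties keep
        # their original order, so quiet rules are never shuffled at random.
        self.rules.sort(key=lambda r: r.hits, reverse=True)
        for rule in self.rules:
            rule.hits = int(rule.hits * self.decay)

    def cost_per_packet(self) -> float:
        return self.comparisons / self.packets


def make_rules() -> List[Rule]:
    # Constructed rule set: ten content rules; the one triggered by the
    # simulated burst sits at the very end of the chain.
    return [Rule(sid=1000 + i, pattern=f"sig-{i}".encode()) for i in range(10)]


def make_traffic(n: int = 1000) -> List[bytes]:
    # Constructed traffic: a sustained burst in which 4 of every 5 payloads
    # carry the content of the last rule and the fifth is benign.
    burst = b"GET /cgi-bin/x?q=sig-9 HTTP/1.1"
    benign = b"GET /index.html HTTP/1.1"
    return [burst if i % 5 else benign for i in range(n)]


def simulate(window: Optional[int]) -> dict:
    """Run the constructed traffic through a chain and report cost and alerts."""
    chain = RuleChain(make_rules(), window=window)
    alerts = 0
    for payload in make_traffic():
        if chain.inspect(payload) is not None:
            alerts += 1
    return {
        "alerts": alerts,
        "cost_per_packet": chain.cost_per_packet(),
        "front_rule": chain.rules[0].sid,
    }


if __name__ == "__main__":
    print("static chain :", simulate(window=None))
    print("dynamic chain:", simulate(window=100))
```

Running the module prints both simulations: the static chain evaluates all ten rules for every packet (10 comparisons per packet), while the reordered chain moves the active rule to the front after the first 100-packet window and averages 3.52 comparisons per packet over the 1000-packet run, raising the same 800 alerts. The decay step covers the failure mode implicit in the abstract's "sustained attack" scenario: once a burst stops, the rule's counter halves at each re-sort, so the chain drifts back toward serving the current traffic rather than the past burst, and benign packets still pay the full chain cost because nothing matches them.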
【學(xué)位授予單位】:電子科技大學(xué)
【學(xué)位級別】:碩士
【學(xué)位授予年份】:2014
【分類號】:TP393.08
本文編號:2192455
Link: http://www.sikaile.net/guanlilunwen/ydhl/2192455.html