A Fast Algorithm for Network-Level Intrusion Detection Systems
Abstract
With the rapid growth of network applications, the security of networks and information has drawn increasing attention, and network security technology has become a research focus of computer networking. There are many ways to achieve network security; among them, intrusion detection is a very effective mechanism. It is a technique that can detect, inside a computer system, attacks that are in progress as well as attacks that have already taken place.
By level, intrusion detection can be divided into three levels: network-level intrusion detection, operating-system-level intrusion detection and application-level intrusion detection; each level has its own characteristics and functions.
By detection method, intrusion detection techniques can be divided mainly into behaviour-based intrusion detection and knowledge-based intrusion detection.
This thesis follows the latest trends in intrusion detection at home and abroad. After a preliminary discussion of intrusion detection in the field of network security, it studies the most difficult problem in network-level intrusion detection: detection speed.
1. Within this topic, packet content inspection, the factor that affects detection speed most, is selected for in-depth study and is abstracted as a fast multi-pattern matching problem.
2. To solve this fast multi-pattern matching problem, the hashing method, normally used to solve fast insertion and lookup problems, is introduced into multi-pattern matching.
3. In the concrete solution, a double-array hash space is used to solve the problem of an oversized hash space; fast and effective hash functions are chosen according to the characteristics of packets and of attack strings; and choosing characteristic strings of the same length for the different patterns greatly reduces the number of checks performed on each network packet, which speeds up detection.
4. The scheme also optimises the hash detection process using heuristic information provided by the patterns. Interval partitioning extracts the information of a pattern group in a coarse but effective way, takes full account of the characteristics of the packets themselves, and suits the case of a very large number of patterns. For multi-pattern detection, the BM algorithm, the fastest single-pattern matching algorithm, is improved in a novel way; the resulting fuzzy BM algorithm extracts pattern features in finer detail, greatly improves detection speed, and suits the case of a small number of patterns.
With the flourishing development of network applications, the importance of network security and information security has become a greater concern for computer users. The network security technology of intrusion detection, a technology that can detect attacks inside a computer system, either present or past, is one of the most effective means of protecting network security.
Based on three different levels, intrusion detection technology can be classified into network intrusion detection, OS intrusion detection and application intrusion detection, each having its particular characteristics and functions.
From the point of view of the detection method, intrusion detection technology can be categorized into behavior-based intrusion detection and knowledge-based intrusion detection.
Having carefully studied the latest trends in intrusion detection technology and initially investigated the problems in the field of network security, the author focuses on the study of detection speed, which is so far the most challenging problem in network intrusion detection.
1. In the thesis, the inspection of packet content, the element that affects detection speed most, is given an in-depth study and is abstracted into a fast multi-pattern matching problem.
2. The hashing method, usually applied to solve the problem of fast insertion and search, is introduced into the solution of fast multi-pattern matching.
3. In practice, the double-array hashing space method is applied in order to solve the problem of an oversized hashing space; according to the features of packets and of attack strings, a hash function is selected for its high speed and efficiency; and detection speed is improved through a decrease in the number of checks performed on each network packet, achieved by applying characteristic strings of the same length to the corresponding patterns.
4. Several improvements are achieved in the hash-checking process using heuristic information provided by the patterns: the method of partitioning the scan zone is introduced to pick up heuristic information about the pattern group simply yet effectively, and, in view of the features of packets, it is suited to the case of a large number of patterns; the BM algorithm, which has the best speed in single-pattern matching, is adapted in a novel way to carry out multi-pattern matching, and the resulting fuzzy BM algorithm picks up the characteristics of patterns more precisely and improves detection speed, thus being suitable for the case of a small number of patterns.
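The abstract's item 3, in both its Chinese and English versions, describes the core idea: give every pattern one characteristic (feature) string of a common length, index the patterns by a hash of that string, and compare a packet window against full patterns only when its hash hits an occupied bucket. The following Python sketch is an added illustration and not code from the thesis (whose implementation is not on this page). It assumes the feature string is the pattern's first FEATURE_LEN bytes, uses a polynomial rolling hash reduced into a fixed number of buckets, and keeps the buckets in an ordinary dict; the double-array compression of the hash space, the interval partitioning and the fuzzy BM algorithm are not reproduced. The rule set and payload are constructed for the example, and it counts full-pattern comparisons so the reduction in checks per packet relative to a naive scan can be seen directly.

```python
# Added illustration (not code from the thesis): hashed multi-pattern matching over a
# packet payload using one fixed-length feature string per pattern. The rule set and
# payload below are constructed for the example; all names are this example's own.
from collections import defaultdict
from typing import Dict, List, Tuple

FEATURE_LEN = 4        # every pattern contributes one feature string of exactly this length
HASH_BASE = 257        # base of the polynomial rolling hash (any value above 255 will do)
HASH_SLOTS = 1 << 12   # number of buckets; hashes are reduced modulo this value

Match = Tuple[int, bytes]   # (offset in payload, matched pattern)

# Constructed sample rule set: two patterns deliberately share the feature b"ATTA", so one
# bucket holds several candidate patterns, as it would in a large real signature set.
SAMPLE_PATTERNS = [b"ATTACK_SIG_A", b"SIG_B_BODY", b"ATTA_other"]
SAMPLE_PAYLOAD = b"HEADER: x\r\n\r\nATTACK_SIG_A payload SIG_B_BODY tail"


def feature_hash(data: bytes) -> int:
    """Polynomial hash of a FEATURE_LEN byte string, reduced into the bucket range."""
    h = 0
    for b in data:
        h = (h * HASH_BASE + b) % HASH_SLOTS
    return h


def build_table(patterns: List[bytes]) -> Dict[int, List[bytes]]:
    """Index every pattern under the hash of its feature string.

    The feature string is taken here as the first FEATURE_LEN bytes of the pattern (an
    assumption of this example; the thesis only requires that all features share one
    length). Patterns shorter than FEATURE_LEN cannot be represented and are rejected.
    """
    table: Dict[int, List[bytes]] = defaultdict(list)
    for p in patterns:
        if len(p) < FEATURE_LEN:
            raise ValueError(f"pattern shorter than FEATURE_LEN: {p!r}")
        table[feature_hash(p[:FEATURE_LEN])].append(p)
    return table


def scan_payload(payload: bytes, table: Dict[int, List[bytes]]) -> Tuple[List[Match], int]:
    """Slide a FEATURE_LEN window over the payload, rolling the hash one byte at a time.

    Only when the window's hash lands in an occupied bucket are the bucket's patterns
    compared byte-for-byte, so most positions cost one hash update and one table probe.
    Returns the matches and the number of full pattern comparisons that were needed.
    """
    matches: List[Match] = []
    comparisons = 0
    if len(payload) < FEATURE_LEN:
        return matches, comparisons
    high = pow(HASH_BASE, FEATURE_LEN - 1, HASH_SLOTS)  # weight of the byte leaving the window
    h = feature_hash(payload[:FEATURE_LEN])
    for i in range(len(payload) - FEATURE_LEN + 1):
        if i > 0:
            # Roll the hash: remove payload[i-1], shift, append payload[i+FEATURE_LEN-1].
            h = ((h - payload[i - 1] * high) * HASH_BASE + payload[i + FEATURE_LEN - 1]) % HASH_SLOTS
        for p in table.get(h, ()):
            comparisons += 1          # a hash hit (or a collision) costs one full comparison
            if payload.startswith(p, i):
                matches.append((i, p))
    return matches, comparisons


def naive_scan(payload: bytes, patterns: List[bytes]) -> Tuple[List[Match], int]:
    """Reference scan that tries every pattern at every offset: same result, far more work."""
    matches: List[Match] = []
    comparisons = 0
    for i in range(len(payload)):
        for p in patterns:
            comparisons += 1
            if payload.startswith(p, i):
                matches.append((i, p))
    return matches, comparisons


if __name__ == "__main__":
    hashed, n_hashed = scan_payload(SAMPLE_PAYLOAD, build_table(SAMPLE_PATTERNS))
    naive, n_naive = naive_scan(SAMPLE_PAYLOAD, SAMPLE_PATTERNS)
    print("hashed:", hashed, "comparisons:", n_hashed)
    print("naive: ", naive, "comparisons:", n_naive)
```

Because a bucket hit only nominates candidates, every reported match is confirmed by a full byte comparison, so hash collisions cost time but never produce false alerts; the number of full comparisons is what the equal-length feature strings keep small, and a larger table or a better-chosen feature substring (rather than the prefix used here) lowers it further.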
