IDS规则匹配算法的改进与实现

论文字数:20602,页数:57  有开题报告，任务书

摘    要

 随着网络技术的飞速发展，计算机网络在社会、经济、文化及人们的日常生活中扮演着越来越重要的角色。人们在使用计算机网络的同时，也深深的感受到网络安全的重要性。入侵检测正是网络安全的一个重要的守卫士。对入侵检测根据其所采用的方法可以分为：误用检测，异常检测和基于规范的检测。
 Snort是一个开放源码的网络入侵检测系统（NIDS），它采用误用检测的方法，具有很强的告警能力，然而Snort在规则匹配方面仍存在缺陷，特别是在高速网络连接下，Snort的规则匹配算法匹配效率较低。因此本文对误用检测中的规则匹配算法进行了研究与改进，结合动态规则匹配技术，改进规则匹配算法，使得Snort的检测效率得到提高。
 本文对改进前后的算法做了对比实验。首先，采用Snort入侵检测模型和改进前的算法，构建一个入侵检测系统，进行实验并得到相应的实验结果；然后，使用改进后的算法，将Snort的规则库内容进行动态排序后，进行实验，并将实验结果与改进前进行比较。对比分析结果表明，改进后的算法提高了检测效率。
 
关键字:规则匹配；规则库；动态匹配
The Implementation　And Improvement
Of IDS Rule-matching Algorithm

ABSTRACT
 With the rapid development of Internet, computer network has become much more important in many areas, namely, society, economics, culture, and the people''s ordinary lives. People is also deeply feel the importance of network security when they use computer networks, Intrusion Detection Network security is an important guard . According to the detection methods of IDS, we can divide IDS into three types: misuse detection ,anomaly detection and standardized detection.
 Snort is an open source network intrusion detection system (NIDS),which use the misuse detection methods and has a strong warning capability, However Snort have some disadvantage in many respects, Especially in the case of the high-speed network link, the rules matching algorithm of Snort is less efficient. Therefore ,we use dynamic rule-matching technology and make some research in order to make some improvements in the detection efficiency.
 In this paper, we make two experiments, one experiment we use the Original algorithm, the other we use the improved algorithm. This paper use Snort Intrusion Detection model, built an intrusion detection system in order to do intrusion detection experiments. Then the rules will be adjusted dynamically by algorithm, continue to do experiments, the results will be compared with before, thus proving that the system improved the detection efficiency. Then, conclude the results of this experiment.
 
 Keywords: IDS; rules matching; rules lab; dynamic matching

目 录
1 绪论 1
1.1 入侵检测系统的起源 1
1.2 入侵检测系统的现状 1
1.2.1 国外IDS现状 2
1.3 入侵检测系统的分类 3
1.3.1 国内IDS产品 5
1.3.2 国外IDS产品介绍 6
1.4 IDS的体系结构 6
1.5 入侵检测系统的发展方向 7
1.6 本文所做的工作 8
2 Snort的研究 9
2.1 Snort的规则 9
2.2 Snort匹配算法解析 13
2.3 Snort 命令介绍 14
2.4 Snort的工作模式 16
3 规则匹配算法 19
3.1 BMH算法 19
3.2 KMP匹配算法 20
3.3 BM算法 22
4 Snort规则匹配算法的改进 24
4.1 引言 24
4.2 算法改进目的 24
4.3 算法改进思想 24
4.4 改进后的Snort规则机制 25
4.5 改进后的Snort模块图 26
5 Snort实验 28
5.1 实验一: Snort的调试实验 28
5.1.1 实验设备 28
5.1.2 实验目的 28
5.1.3 平台搭建 28
5.1.4 实验方案 40
5.1.5 Snort运行页面 40
5.1.6 实验结果 42
5.2 实验二: Snort的改进实验 42
5.2.1 实验设备 42
5.2.2 实验目的 43
5.2.3 实验方案 43
5.2.4 实验结果 43
5.3 结论 43
6 总结和展望 45
致谢 46
参考文献 47
附录 49