Design and Implementation of a Network Monitoring System Based on Sniffing Technology
Abstract
With the development of communication technology and networks, the network has become an indispensable tool in daily life. While it brings convenience to users, it also makes maintaining network security more difficult. To protect enterprises' confidential information from leaking and to block harmful information on the network, network monitoring systems play an increasingly important role in network security.
The thesis first introduces the two packet capture and filtering models used in network sniffing, BPF and NPF, and describes the architecture of the corresponding capture libraries, Libpcap and WinPcap; it also studies protocol analysis technology. On this basis, the three main functional modules of the system (network sniffer, protocol analysis engine, monitoring console) are designed and implemented in detail.
Second, the thesis describes several classical protocol analysis techniques. Building on these, the pattern matching algorithm is improved. The improved algorithm makes full use of the information from each matching comparison to skip as many characters as possible before the next comparison, which raises the efficiency of the network monitoring system. Its shortcomings are also pointed out.
Finally, the thesis tests the main functional modules of the system and the improved pattern matching algorithm. The strengths and weaknesses are summarised from an analysis of the test results.
With the development of communication technology and networks, the network has become an indispensable tool in everyday life, but it also makes maintaining network security more difficult. To prevent an enterprise's confidential information from being leaked and to block harmful information on the Internet, the network monitoring system plays an increasingly important role in network security.
First, this thesis introduces two packet capture and filtering models, BPF and NPF, and describes the architecture of Libpcap and WinPcap, the capture libraries corresponding to BPF and NPF respectively, together with protocol analysis technology. Based on these, the thesis carries out the detailed design and implementation of the three major functional modules (network sniffer, protocol analysis engine, control and monitoring console).
Second, this thesis expounds several classical pattern matching algorithms and analyses their advantages and disadvantages. On this basis, it improves the pattern matching algorithm: the improved algorithm makes full use of the information from every matching comparison to skip more characters before the next comparison, which improves the efficiency of the network monitoring system. Its defects are also pointed out.
Finally, this thesis conducts a number of tests on an Ethernet network to test the main functional modules and the improved pattern matching algorithm. After analysing the test results, the merits and limitations of the network monitoring system are summarised.
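The abstract describes the improved matcher only in outline: use what each comparison reveals to skip as many payload bytes as possible before the next alignment. The thesis's own algorithm is not given on this page, so the following is an added example, not the thesis's code, showing the classic skip-table (Horspool) form of that idea next to the naive matcher it is measured against, as a content-monitoring engine would run it over captured payloads. The payloads, keyword patterns and the `scan_payloads` helper are constructed for illustration.

```python
from typing import Dict, List, Tuple

def build_skip_table(pattern: bytes) -> Dict[int, int]:
    """For each byte that occurs in the pattern (except its last position),
    record how far the window may shift when that byte is seen under the
    pattern's last position. Bytes absent from the pattern allow a full
    shift of len(pattern), handled by the caller's default."""
    m = len(pattern)
    return {b: m - 1 - i for i, b in enumerate(pattern[:-1])}

def horspool_search(text: bytes, pattern: bytes) -> Tuple[List[int], int]:
    """Skip-based search. Returns (match offsets, byte comparisons made).
    Comparison runs right to left; whatever the outcome, the shift is
    decided by the text byte aligned with the pattern's last position."""
    m, n = len(pattern), len(text)
    if m == 0 or m > n:
        return [], 0
    skip = build_skip_table(pattern)
    matches: List[int] = []
    comparisons = 0
    i = 0
    while i <= n - m:
        j = m - 1
        while j >= 0:
            comparisons += 1
            if text[i + j] != pattern[j]:
                break
            j -= 1
        if j < 0:
            matches.append(i)
        i += skip.get(text[i + m - 1], m)  # shift is always >= 1
    return matches, comparisons

def naive_search(text: bytes, pattern: bytes) -> Tuple[List[int], int]:
    """Reference matcher: try every alignment, compare left to right."""
    m, n = len(pattern), len(text)
    matches: List[int] = []
    comparisons = 0
    for i in range(n - m + 1):
        j = 0
        while j < m:
            comparisons += 1
            if text[i + j] != pattern[j]:
                break
            j += 1
        if j == m:
            matches.append(i)
    return matches, comparisons

# Constructed sample payloads, standing in for reassembled TCP data that a
# protocol analysis engine would hand to the content matcher.
SAMPLE_PAYLOADS = [
    b"GET /index.html HTTP/1.1\r\nHost: intranet.example\r\n\r\n",
    b"POST /upload HTTP/1.1\r\n\r\nproject-plan CONFIDENTIAL do not forward",
    b"random binary \x00\x01\x02 noise CONFIDENTIALITY notice",
]
# Constructed keyword list (hypothetical policy, not the thesis's rule set).
PATTERNS = [b"CONFIDENTIAL", b"password="]

def scan_payloads(payloads, patterns):
    """Run the skip matcher over each payload; report (payload index,
    pattern, offset) for every hit so the console can raise an alert."""
    hits = []
    for idx, payload in enumerate(payloads):
        for pat in patterns:
            for off in horspool_search(payload, pat)[0]:
                hits.append((idx, pat, off))
    return hits

def compare_cost(text: bytes, pattern: bytes) -> Tuple[int, int]:
    """Comparison counts (skip matcher, naive matcher) for the same input."""
    return horspool_search(text, pattern)[1], naive_search(text, pattern)[1]

if __name__ == "__main__":
    for hit in scan_payloads(SAMPLE_PAYLOADS, PATTERNS):
        print("payload %d: %r at offset %d" % hit)
    filler = b"x" * 200 + b"CONFIDENTIAL"
    print("comparisons (skip, naive):", compare_cost(filler, b"CONFIDENTIAL"))
```

The third payload shows the usual caveat of byte-level keyword matching in a monitor: `CONFIDENTIAL` also fires on `CONFIDENTIALITY`, so a deployment needs word-boundary or protocol-aware rules on top of the raw matcher. The skip table also has a known weak case: on highly repetitive text such as long runs of one byte that also ends the pattern, the shift collapses to 1 and the cost approaches the naive matcher, which is the kind of defect the abstract says the thesis points out.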
NGLC 2004-2010.National Geological Library of China All Rights Reserved.