Research and Design of a Distributed Protocol Identification and Restoration System
Abstract
Network technology is developing rapidly, networks keep growing in scale, and network security problems appear ever more frequently. Protocol identification and content restoration underpin network security monitoring techniques such as traffic statistics and sensitive-keyword detection; it is one of the main means of optimising network configuration and purifying the network environment, and it has been an active research topic in recent years.
     This thesis proposes a protocol identification method based on classification and regular expressions, designs and implements a distributed protocol identification and restoration system, and addresses the system's efficiency so that it meets the demands of practical applications. The work is as follows:
     First, for the identification and parsing of application-layer protocols, the commonly used application-layer protocols are introduced; three common protocol identification techniques are compared and their advantages and drawbacks analysed, to show that the proposed classification-plus-regular-expression method is feasible; and the principle of TCP flow reassembly during protocol parsing, together with its key problems, is studied. For the key technology underlying the whole system, the open-source library Libnids is studied, its shortcomings in this application are analysed and improved, and the efficiency problems of each module are resolved.
     Second, on this basis, a protocol identification method based on classification and an improved regular-expression scheme is designed, and the restoration function is extended to information carried as e-mail attachments. The distributed deployment, the packet capture module, the application-layer protocol identification module, the content parsing and restoration module and the management module are designed, and the protocol identification and restoration system is implemented.
     Finally, the functionality and performance of the system are tested and verified in a real network environment. The results show that the efficiency and accuracy of the classification-and-regular-expression-based protocol identification and restoration technique are satisfactory, and that the work has some theoretical and research value.
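The two-stage identification the abstract describes (coarse classification first, then regular-expression signatures applied to the reassembled TCP stream rather than to individual packets) is sketched below as an added example in Python. It is not the thesis's code, which is built on Libnids; the HTTP, SMTP and POP3 signatures, the port hints, the 2048-byte inspection budget and the sample flows are all assumptions constructed for this example. The sample HTTP flow has its request line split across two out-of-order segments, which is exactly the case where per-packet matching fails and reassembly is needed.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Only the first bytes of a client stream are inspected; the budget is an
# assumption chosen for the example, not a value from the thesis.
MAX_INSPECT = 2048

# Stage-2 signatures (assumed, written for this example): each regex is
# anchored at the start of the reassembled client-to-server byte stream.
SIGNATURES = [
    ("http", re.compile(rb"\A(?:GET|POST|HEAD|PUT|DELETE|OPTIONS) \S+ HTTP/1\.[01]\r\n")),
    ("smtp", re.compile(rb"\A(?:EHLO|HELO) \S+\r\n", re.IGNORECASE)),
    ("pop3", re.compile(rb"\AUSER \S+\r\n", re.IGNORECASE)),
]

# Stage-1 classification: a destination-port hint decides which signature is
# tried first. It is a hint only; the regex result always wins.
PORT_HINTS = {80: "http", 8080: "http", 25: "smtp", 587: "smtp", 110: "pop3"}


@dataclass
class Flow:
    """Client-to-server half of one TCP connection, keyed by sequence number."""
    dport: int
    isn: int                                      # seq number of the first payload byte
    segments: dict = field(default_factory=dict)  # seq -> payload bytes

    def add(self, seq: int, payload: bytes) -> None:
        # Retransmissions of an already-seen segment are ignored (first copy wins).
        # Partially overlapping segments are not handled here; Libnids does that
        # for real traffic.
        self.segments.setdefault(seq, payload)

    def reassembled(self) -> bytes:
        """Concatenate contiguous payload from the ISN upward, stopping at the
        first hole, so out-of-order arrival does not change the result."""
        out = bytearray()
        nxt = self.isn
        while nxt in self.segments and len(out) < MAX_INSPECT:
            seg = self.segments[nxt]
            out += seg
            nxt += len(seg)
        return bytes(out[:MAX_INSPECT])


def match_signature(data: bytes, hint: Optional[str] = None) -> Optional[str]:
    """Try the hinted protocol first, then every other signature, so a wrong
    port hint (non-standard port, tunnelled protocol) is corrected, not trusted."""
    ordered = sorted(SIGNATURES, key=lambda s: s[0] != hint)
    for proto, rx in ordered:
        if rx.search(data):
            return proto
    return None


def identify(flow: Flow) -> str:
    """Classification (port hint) + regex on the reassembled stream."""
    return match_signature(flow.reassembled(), PORT_HINTS.get(flow.dport)) or "unknown"


def identify_per_packet(flow: Flow) -> str:
    """Naive contrast: regexes run on each segment in isolation, without reassembly."""
    for payload in flow.segments.values():
        proto = match_signature(payload)
        if proto:
            return proto
    return "unknown"


def sample_flows() -> dict:
    """Constructed sample traffic for the example (not captured data)."""
    http = Flow(dport=80, isn=1000)
    # Request line split across two segments, which arrive out of order.
    http.add(1018, b"TP/1.1\r\nHost: www.example.com\r\n\r\n")
    http.add(1000, b"GET /index.html HT")
    http.add(1000, b"GET /index.html HT")  # retransmission, ignored

    smtp_on_80 = Flow(dport=80, isn=5000)    # SMTP carried on the HTTP port
    smtp_on_80.add(5000, b"EHLO mail.example.net\r\n")

    pop3 = Flow(dport=110, isn=1)
    pop3.add(1, b"USER alice\r\nPASS s3cret\r\n")

    tls = Flow(dport=443, isn=77)            # no signature in the table
    tls.add(77, b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03")
    return {"http_split": http, "smtp_on_80": smtp_on_80, "pop3": pop3, "tls": tls}


if __name__ == "__main__":
    for name, flow in sample_flows().items():
        print(f"{name:12s} reassembled={identify(flow):8s} per-packet={identify_per_packet(flow)}")
```

Running the block shows the split HTTP request identified as http only after reassembly (per-packet matching reports unknown), the EHLO on port 80 classified as smtp despite the http port hint, and the TLS ClientHello left as unknown because no signature covers it. Capping inspection at the first MAX_INSPECT bytes is the usual efficiency trade-off: application-layer signatures almost always sit at the start of a stream, so later data need not be matched.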