Design and Implementation of a Trojan Detection System Based on Network Communication Content
Abstract
The information age brought network security threats along with Internet applications. According to the statistics cited in this thesis, Trojans are the leading cause of information destruction and information theft, so effective Trojan detection and prevention has become a focus of attention.
Most current Trojan detection and prevention methods are host-based: they cannot provide effective monitoring at the network level and are of little use to network supervision authorities. Network-based detection built on intrusion detection systems mostly looks at communication ports rather than communication content, and so cannot identify Trojans reliably. Monitoring Trojan threats in a network more effectively calls for a dedicated network Trojan detection system. This thesis therefore, as part of a network supervision project, designs and implements a Trojan detection system based on network communication content.
The thesis studies the basic principles and communication mechanisms of network Trojans and analyses existing Trojan detection techniques and products. It compares packet capture technologies (traditional libpcap on the Berkeley Packet Filter, NAPI interrupt mitigation, memory-mapped capture, the PF_RING socket type and real-time interrupts) and pattern matching algorithms (naive matching, Knuth-Morris-Pratt, Boyer-Moore and Boyer-Moore-Horspool), and proposes a content-based Trojan detection method whose capture path combines PF_RING, NAPI and real-time interrupts and whose matcher is Boyer-Moore-Horspool (BMH).
The system is then designed in detail. It uses a distributed client/server architecture with four layers: packet capture, protocol analysis, Trojan detection and response. Its functions include high-speed packet capture on a 1000 Mbit/s network, real-time protocol analysis that extracts the key fields, high-speed Trojan detection together with TCP connection checking, real-time output of detection results to a database, and forced blocking of specified TCP connections.
After the detailed design of the system's structure and functions, the thesis implements the system and gives the implementation flow, key data structures and module interfaces of the server, the client, and the packet capture, protocol analysis, Trojan detection and response modules.
The key modules, the pattern matching algorithm and the TCP blocking function are tested individually, followed by a whole-system test. All functions work correctly and the system runs stably. In an 800-900 Mbit/s traffic environment it captures packets at close to wire speed and accurately detects the ZXShell Trojan sample.
Finally, the thesis summarises the work and outlines directions for future work. The system is intended to support network security supervision in China.
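As an added example that is not code from the thesis, the C program below pushes one frame through the four-layer design the abstract describes: the capture layer is replaced by a frame constructed in the program, the protocol analysis layer extracts the 5-tuple and TCP payload with strict length checks, the detection layer runs Boyer-Moore-Horspool over the payload, and the response layer is reduced to a printed alert. The addresses, ports and the "ZXS-BEACON" marker are all constructed for illustration; the marker is not a real ZXShell signature.

```c
/* Added example, not code from the thesis. One frame through the four-layer
 * design: constructed frame -> protocol analysis -> BMH detection -> alert.
 * The signature below is a made-up marker, not a real ZXShell pattern. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* ---- Detection layer: Boyer-Moore-Horspool ---- */
typedef struct {
    const uint8_t *pat;
    size_t len;
    size_t skip[256];   /* bad-character shift table, indexed by byte value */
} bmh_t;

void bmh_init(bmh_t *b, const uint8_t *pat, size_t len) {
    b->pat = pat;
    b->len = len;
    for (size_t c = 0; c < 256; c++) b->skip[c] = len;
    /* the pattern's last byte is deliberately left out of the table */
    for (size_t i = 0; i + 1 < len; i++) b->skip[pat[i]] = len - 1 - i;
}

/* Offset of the first occurrence of the pattern in text, or -1. */
long bmh_search(const bmh_t *b, const uint8_t *text, size_t n) {
    size_t m = b->len;
    if (m == 0 || n < m) return -1;
    for (size_t i = 0; i <= n - m; ) {
        size_t j = m;                       /* compare right to left */
        while (j > 0 && text[i + j - 1] == b->pat[j - 1]) j--;
        if (j == 0) return (long)i;
        i += b->skip[text[i + m - 1]];      /* shift on the window's last byte */
    }
    return -1;
}

/* ---- Protocol analysis layer: Ethernet -> IPv4 -> TCP -> payload ---- */
typedef struct {
    uint32_t src_ip, dst_ip;
    uint16_t src_port, dst_port;
    const uint8_t *payload;
    size_t payload_len;
} tcp_flow_t;

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t rd32(const uint8_t *p) { return ((uint32_t)rd16(p) << 16) | rd16(p + 2); }

/* 0 on success; -1 for non-IPv4/TCP frames or any length inconsistency, so a
 * truncated or malformed packet never makes the matcher read past 'len'. */
int parse_tcp_frame(const uint8_t *frame, size_t len, tcp_flow_t *f) {
    if (len < 14 || rd16(frame + 12) != 0x0800) return -1;   /* EtherType IPv4 */
    const uint8_t *ip = frame + 14;
    size_t iplen = len - 14;
    if (iplen < 20 || (ip[0] >> 4) != 4) return -1;
    size_t ihl = (size_t)(ip[0] & 0x0f) * 4, tot = rd16(ip + 2);
    if (ihl < 20 || tot < ihl || tot > iplen || ip[9] != 6) return -1;   /* 6 = TCP */
    const uint8_t *tcp = ip + ihl;
    size_t tcplen = tot - ihl;
    if (tcplen < 20) return -1;
    size_t doff = (size_t)(tcp[12] >> 4) * 4;
    if (doff < 20 || tcplen < doff) return -1;
    f->src_ip = rd32(ip + 12);  f->dst_ip = rd32(ip + 16);
    f->src_port = rd16(tcp);    f->dst_port = rd16(tcp + 2);
    f->payload = tcp + doff;    f->payload_len = tcplen - doff;
    return 0;
}

/* Payload offset of the signature in one frame, or -1 (no match or not TCP). */
long detect_frame(const uint8_t *frame, size_t len, const bmh_t *sig, tcp_flow_t *flow) {
    if (parse_tcp_frame(frame, len, flow) != 0) return -1;
    return bmh_search(sig, flow->payload, flow->payload_len);
}

/* ---- Constructed sample input, standing in for the capture layer ----
 * Minimal Ethernet/IPv4/TCP frame around 'payload' (192.168.1.10:50000 ->
 * 203.0.113.5:8080); checksums stay zero since nothing here verifies them. */
size_t build_sample_frame(uint8_t *buf, size_t cap, const char *payload) {
    size_t plen = strlen(payload), total = 14 + 20 + 20 + plen;
    if (total > cap || total - 14 > 0xffff) return 0;
    memset(buf, 0, total);
    buf[12] = 0x08; buf[13] = 0x00;                /* EtherType IPv4 */
    uint8_t *ip = buf + 14, *tcp = ip + 20;
    const uint8_t src[4] = {192, 168, 1, 10}, dst[4] = {203, 0, 113, 5};
    ip[0] = 0x45;                                   /* version 4, IHL 5 */
    ip[2] = (uint8_t)((total - 14) >> 8); ip[3] = (uint8_t)(total - 14);
    ip[8] = 64; ip[9] = 6;                          /* TTL, protocol TCP */
    memcpy(ip + 12, src, 4); memcpy(ip + 16, dst, 4);
    tcp[0] = 0xc3; tcp[1] = 0x50; tcp[2] = 0x1f; tcp[3] = 0x90;   /* 50000 -> 8080 */
    tcp[12] = 0x50; tcp[13] = 0x18;                 /* data offset 5, PSH|ACK */
    memcpy(tcp + 20, payload, plen);
    return total;
}

int main(void) {
    const uint8_t sig[] = "ZXS-BEACON";             /* made-up marker */
    bmh_t b; bmh_init(&b, sig, sizeof sig - 1);
    uint8_t frame[256]; tcp_flow_t f;
    size_t n = build_sample_frame(frame, sizeof frame, "hello ZXS-BEACON id=7");
    long off = detect_frame(frame, n, &b, &f);
    if (off >= 0)   /* response layer: the thesis writes to a DB or resets the TCP connection */
        printf("ALERT port %u -> %u, signature at payload offset %ld\n",
               (unsigned)f.src_port, (unsigned)f.dst_port, off);
    return 0;
}
```

Two caveats a practitioner would add to the abstract's numbers: BMH's shift table is what makes per-byte work small enough for near-wire-speed scanning, but a per-packet match like this misses a signature split across two TCP segments, which is one reason a detector also tracks TCP connection state and reassembles the stream before matching; and content signatures only work while the Trojan's traffic is unencrypted.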