基于Snort入侵检测系统在校园网中的应用研究
摘要
近年来,网络安全作为一个严肃的问题呈现在人们面前。入侵检测技术是一种与防火墙不同的动态防御技术,是继防火墙技术之后的最重要的网络安全保障技术。因此研究入侵检测具有十分重要的理论意义和应用价值。
本文分析了入侵检测的方法及统一CIDF的模型,分析了著名的开源网络入侵检测系统Snort的工作原理和模式匹配算法。研究了的规则链表和快速规则匹配引擎所依赖的快速规则链表。
Snort是一个强大的轻量级网络入侵检测系统,它具有实时数据流量分析和日志IP网络数据包能力,能够进行协议分析,对内容进行搜素/匹配;它能够检测各种不同的攻击方式,对攻击进行实时报警;因此,Snort具有很好的扩展性和可移植性,可以满足广泛的网络应用环境。本文在讨论Snort的工作原理的基础上,提出了改进Snort入侵检测系统存在的不足。采用规则优化技术创建高效的规则集以提高规则匹配的速度;改进模式匹配算法,减少模式匹配所花费的时间。
本文最后设计了一个基于开放源代码-Snort的校园网入侵检测系统。该系统在实际的应用中达到预期的效果和目的。
In recent years, we have to face with network security as a serious issue in front of people. Intrusion detection technology is a dynamic defense technology different from firewall technology following the most important network security technology. Therefore research on intrusion detection is great theoretical significance and application value.
Firstly this paper analyzes the intrusion detection method and a unified model CIDF. The rules list and the fast rules list which fast rule matching engine fast rules on were studied. The working principle and pattern-matching algorithms of the well-known open source Snort network intrusion detection system was analyzed. Finally this paper studied the rules list and fast rules matching engine to rely on the list rules.
As a powerful lightweight network IDS, Snort has very good expansibility and portability. It has powerful features and flexibility to adapt a wide range of application environments. By discussing the working of Snort principle, safety deficiencies of IDS were discussed. This paper uses optimization rules technology to create efficient rules in order to improve the speed of matching rules. Improve the pattern matching algorithm to reduce the time it takes.
In this paper, an Intrusion Detection System over Campus Network is designed based on open source—Snort. By using the model of optimization rules technology, the improved detect matching engine is faster than the original one. The system achieves the desired objective by the final tests.
本文分析了入侵检测的方法及统一CIDF的模型,分析了著名的开源网络入侵检测系统Snort的工作原理和模式匹配算法。研究了的规则链表和快速规则匹配引擎所依赖的快速规则链表。
Snort是一个强大的轻量级网络入侵检测系统,它具有实时数据流量分析和日志IP网络数据包能力,能够进行协议分析,对内容进行搜素/匹配;它能够检测各种不同的攻击方式,对攻击进行实时报警;因此,Snort具有很好的扩展性和可移植性,可以满足广泛的网络应用环境。本文在讨论Snort的工作原理的基础上,提出了改进Snort入侵检测系统存在的不足。采用规则优化技术创建高效的规则集以提高规则匹配的速度;改进模式匹配算法,减少模式匹配所花费的时间。
本文最后设计了一个基于开放源代码-Snort的校园网入侵检测系统。该系统在实际的应用中达到预期的效果和目的。
In recent years, we have to face with network security as a serious issue in front of people. Intrusion detection technology is a dynamic defense technology different from firewall technology following the most important network security technology. Therefore research on intrusion detection is great theoretical significance and application value.
Firstly this paper analyzes the intrusion detection method and a unified model CIDF. The rules list and the fast rules list which fast rule matching engine fast rules on were studied. The working principle and pattern-matching algorithms of the well-known open source Snort network intrusion detection system was analyzed. Finally this paper studied the rules list and fast rules matching engine to rely on the list rules.
As a powerful lightweight network IDS, Snort has very good expansibility and portability. It has powerful features and flexibility to adapt a wide range of application environments. By discussing the working of Snort principle, safety deficiencies of IDS were discussed. This paper uses optimization rules technology to create efficient rules in order to improve the speed of matching rules. Improve the pattern matching algorithm to reduce the time it takes.
In this paper, an Intrusion Detection System over Campus Network is designed based on open source—Snort. By using the model of optimization rules technology, the improved detect matching engine is faster than the original one. The system achieves the desired objective by the final tests.
引文
[1].赵宏宇,网络入侵检测技术研究[J].四川大学学报,2003
[2].韩东海,王超,李群.入侵检测系统实例剖析[M].清华大学出版社,2002:1-30
[3].韩运宝.基于Snort的入侵检测系统的研究与改进[D].硕士论文.北京交通大学,2007:15-17
[4].Denning,D.E.An intrusion-detection model[J]Softwecare Engineering,IEEE Transactions on,1987
[5].朱伟.Snort系统规则优化[J].信息技术,2008 8
[6].胡大辉,刘乃琦.高效的Snort规则匹配机制[J].微计算机信息,2006,22(06):10-11
[7].严蔚敏,吴伟民.数据结构(第二版)[M].清华大学出版社,1998.
[8].周建国,曹庆国.计算机网络入侵检测系统的研究[J].计算机工程,2003.29(2):78-79
[9].韩东海,王超,李群.入侵检测系统实例剖析.清华大学出版社.2002
[10].杨武,方滨兴,云晓春等.入侵检测系统中高效模式匹配算法的研究[J].计算机工程,2004.30(13):92-94.
[11].Alfred V.Aho,Margaret J.Corasick.Efficient String Matching:An Aid to Bibliographic Search[J],Communications of the ACM,1975,18(6):333-340.
[12].Alfred V.Aho,JefFrey D.Ullman.Optimal Partial-Match Retrieval When Fields Are Independently Specified[J],TODS,1979,4(2):168-179.
[13].现代校园网安全问题与缺陷分析及相应对策[EB/OL].2009[2009-5-6]http://www.edu.cn/li_lun_yj_1652/20090506/t20090506_376619.shtml
[14].宋劲松 等译Brian Caswell Jay Beale著.Snort2.O入侵检测[M].北京国防工业出版社,2004.
[15].罗守山.入侵检测[M].北京邮电大学出版社,2004
[16].彭新光吴新新等.入侵检测技术综述[J].微型电脑应用,2005:56-58
[17].膨新光吴新新等.计算机网络安全技术应用[M].科学出版社2006:161-165
[18].胡昌振.网络入侵检测原理与技术[M].北京理工大学出版社2006:10-12
[19].宁海滨.基于校园网的入侵检测系统设计与实现[D].硕士论文.北京:北京大学2008:
[22].陈瑾,罗敏,张焕国.入侵检测技术概述[J].计算机工程与应用,2004(2)
[24].Jack Koziol.Intrusion Detection with Snort[M].Pearson ducation,2003.
[25].A.Goscinski A synchronization algorithm for processes with dynamic priorities in computer networks with node failures[J].Information Processing Letters,1989,32(3):129-136.
[26].高平利等.基于Snort入侵检测系统的分析与实现[J].计算机应用与软件2006,23(8):134-138
[27].张小强.几类高效入侵检测技术研究[D].博士论文.成都西南交通大学,2006:6-11
[28].W.Richard Stevens.UNIX网络编程第一卷[M].清华大学出版社,1999
[29].谢希仁.计算机网络教程[M].人民邮电出版社,2004:171
[30].韩东海,王超,李群.入侵检测系统实例剖析[M].清华大学出版社,2002
[31].中国互联网发展状况统计报告[EB/OL].2009[2009-2-13]http://www.cnnic.net.cn/uploadfiles/pdf/2009/1/13/92458.pdf
[32].CNCERT/CC 2008年上半年 中国互联网网络报告[EB/OL].2009[2009-2-13]http://www.cert.org.cn/UserFiles/File/CISR2008fh.pdf
[33].魏宇欣.网络入侵检测系统关键技术研[D].博士论文.北京:北京邮电大学,2008:1-2
[34].高校校园网解决方案[EB/OL].2006[2009-2-13]http://www.studa.net/network/060227/16404458.html
[35].张庆平.一种基于Snort的入侵检测系统的实现与应用[D].硕士论文.吉林大学,2008:29-31
[36].楼亮.基于Snort入侵检测系统的分析和改进[D].硕士论文.上海交通大学,2006:19-20
[2].韩东海,王超,李群.入侵检测系统实例剖析[M].清华大学出版社,2002:1-30
[3].韩运宝.基于Snort的入侵检测系统的研究与改进[D].硕士论文.北京交通大学,2007:15-17
[4].Denning,D.E.An intrusion-detection model[J]Softwecare Engineering,IEEE Transactions on,1987
[5].朱伟.Snort系统规则优化[J].信息技术,2008 8
[6].胡大辉,刘乃琦.高效的Snort规则匹配机制[J].微计算机信息,2006,22(06):10-11
[7].严蔚敏,吴伟民.数据结构(第二版)[M].清华大学出版社,1998.
[8].周建国,曹庆国.计算机网络入侵检测系统的研究[J].计算机工程,2003.29(2):78-79
[9].韩东海,王超,李群.入侵检测系统实例剖析.清华大学出版社.2002
[10].杨武,方滨兴,云晓春等.入侵检测系统中高效模式匹配算法的研究[J].计算机工程,2004.30(13):92-94.
[11].Alfred V.Aho,Margaret J.Corasick.Efficient String Matching:An Aid to Bibliographic Search[J],Communications of the ACM,1975,18(6):333-340.
[12].Alfred V.Aho,JefFrey D.Ullman.Optimal Partial-Match Retrieval When Fields Are Independently Specified[J],TODS,1979,4(2):168-179.
[13].现代校园网安全问题与缺陷分析及相应对策[EB/OL].2009[2009-5-6]http://www.edu.cn/li_lun_yj_1652/20090506/t20090506_376619.shtml
[14].宋劲松 等译Brian Caswell Jay Beale著.Snort2.O入侵检测[M].北京国防工业出版社,2004.
[15].罗守山.入侵检测[M].北京邮电大学出版社,2004
[16].彭新光吴新新等.入侵检测技术综述[J].微型电脑应用,2005:56-58
[17].膨新光吴新新等.计算机网络安全技术应用[M].科学出版社2006:161-165
[18].胡昌振.网络入侵检测原理与技术[M].北京理工大学出版社2006:10-12
[19].宁海滨.基于校园网的入侵检测系统设计与实现[D].硕士论文.北京:北京大学2008:
[22].陈瑾,罗敏,张焕国.入侵检测技术概述[J].计算机工程与应用,2004(2)
[24].Jack Koziol.Intrusion Detection with Snort[M].Pearson ducation,2003.
[25].A.Goscinski A synchronization algorithm for processes with dynamic priorities in computer networks with node failures[J].Information Processing Letters,1989,32(3):129-136.
[26].高平利等.基于Snort入侵检测系统的分析与实现[J].计算机应用与软件2006,23(8):134-138
[27].张小强.几类高效入侵检测技术研究[D].博士论文.成都西南交通大学,2006:6-11
[28].W.Richard Stevens.UNIX网络编程第一卷[M].清华大学出版社,1999
[29].谢希仁.计算机网络教程[M].人民邮电出版社,2004:171
[30].韩东海,王超,李群.入侵检测系统实例剖析[M].清华大学出版社,2002
[31].中国互联网发展状况统计报告[EB/OL].2009[2009-2-13]http://www.cnnic.net.cn/uploadfiles/pdf/2009/1/13/92458.pdf
[32].CNCERT/CC 2008年上半年 中国互联网网络报告[EB/OL].2009[2009-2-13]http://www.cert.org.cn/UserFiles/File/CISR2008fh.pdf
[33].魏宇欣.网络入侵检测系统关键技术研[D].博士论文.北京:北京邮电大学,2008:1-2
[34].高校校园网解决方案[EB/OL].2006[2009-2-13]http://www.studa.net/network/060227/16404458.html
[35].张庆平.一种基于Snort的入侵检测系统的实现与应用[D].硕士论文.吉林大学,2008:29-31
[36].楼亮.基于Snort入侵检测系统的分析和改进[D].硕士论文.上海交通大学,2006:19-20