
Research on Intrusion Detection Technology Based on Protocol Analysis

【Author】 戴宏伟

【Supervisor】 费洪晓

【Author information】 Central South University (中南大学), Communication and Information Systems, 2007, Master's thesis

【Abstract (Chinese original, translated)】 As an active security-defence mechanism, intrusion detection provides dynamic protection for hosts and networks. It not only detects intrusions coming from outside but also monitors unauthorized activity from inside. By exploiting the highly regular structure of network protocols, protocol analysis combined with a good pattern matching algorithm can largely resolve the conflict between accuracy and real-time performance in current intrusion detection systems. This thesis improves the BM pattern matching algorithm so that it better handles the frequent repeated suffixes found in intrusion detection rules. Starting from the basic framework of a protocol-analysis-based intrusion detection system, it then examines the packet capture, packet filtering and protocol analysis mechanisms in depth, with emphasis on the design of the protocol analysis preprocessing stages: IP reassembly, TCP stream reassembly and HTTP decoding. Using the BPF filtering mechanism of the Winpcap library, data capture and filtering on the network interface device is implemented; on the basis of the layered structure of the TCP/IP protocol suite, analysis of its important protocols, such as IP, TCP, UDP and HTTP, is implemented, which effectively improves the detection precision and speed of the system. Test results show that the improved BM algorithm handles cases with many repeated suffixes well. The packet capture, packet filtering and protocol analysis modules decode TCP/IP packets in considerable detail, and the system detects some typical network attacks well.

【Abstract】 As a new active security-defensive mechanism, an Intrusion Detection System can provide dynamic protection for the host and the network. It not only detects intrusions from external attackers but also monitors intranet users. Next-generation IDSs mostly adopt a strategy that combines protocol analysis, which makes use of protocol specifications, with an outstanding pattern matching algorithm, to resolve the contradiction between accuracy and timeliness. On the basis of a detailed exposition of the BM algorithm, this paper proposes an improved pattern matching algorithm that is more suitable for rule sets containing many repeated suffixes. It then probes in depth into the packet capture module, packet filter module and protocol analysis module of an IDS, following a network IDS framework based on protocol analysis, and describes with emphasis the design of the protocol analysis pretreatment process, which includes IP reassembly, TCP stream reassembly and HTTP decoding. For the first two modules, it implements a program on the basis of the Winpcap library and its BPF mechanism to capture and filter data on the network interface card. For the third module, it implements a routine that analyzes the important protocols in the TCP/IP protocol stack, such as IP, TCP, UDP and HTTP, which improves the precision and speed of intrusion detection. The test results show that the improved pattern matching algorithm is more efficient when the rules contain many repeated suffixes, while the protocol analysis, network packet capture and packet filter modules implemented in this paper can decode TCP/IP datagrams perfectly. The whole intrusion detection system is capable of detecting some typical attacks.

  • 【Online publication contributor】 Central South University (中南大学)
  • 【Online publication year/issue】 2007, Issue 05
  • 【Classification number】 TP393.08
  • 【Citation count】 17
  • 【Download count】 517