CASIA OpenIR > Graduates > Master's theses
Alternative Title: The Design and Prototype Implementation of Rule-based Network Intrusion Detection System
Thesis Advisor: 田捷
Degree Grantor: Graduate University of Chinese Academy of Sciences (中国科学院研究生院)
Place of Conferral: Institute of Automation, Chinese Academy of Sciences (中国科学院自动化研究所)
Degree Discipline: Pattern Recognition and Intelligent Systems
Keywords: Network Intrusion Detection; Rule; Automaton; Anomaly Detection; Misuse Detection
Abstract: A network intrusion detection system is a necessary complement to the firewall. It monitors system or network resources in real time, discovers intruders promptly, and can also guard against mis-operation of resources by legitimate users. In China, as more and more critical departments and critical business go online, there is an urgent need for intrusion detection products with independent copyright. Intrusion detection technology, however, is not yet mature; it is still in a development stage and requires further research.

Network intrusion detection techniques fall into two main classes: behavior-based anomaly detection and rule-based misuse detection. In practical use, rule-based detection systems have high alert accuracy and are easy to update and manage, which is why the vast majority of mature commercial products adopt this approach. The central problems of a rule-based network intrusion detection system are how to express the signatures of known attacks as rules, and how to organize the rules effectively.

This thesis first surveys the development of existing network intrusion detection systems and discusses the role of protocol analysis in network intrusion detection. Based on an analysis of existing network intrusion detection models, it proposes a model framework for a rule-based network intrusion detection system. The main contributions of this system are:
1. A method for organizing rules with automata. Known attacks are described in the Snort rule format, the rules are organized with an automaton model, and the properties of automata are used to merge multiple rules into one automaton and simplify it.
2. A method for effectively detecting attacks such as port scans and denial of service: state-based anomaly detection that statistically tracks TCP connections.
The methods above have been integrated into the FPDigital network intrusion detection prototype system, and I took part in the development of that system.
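The first contribution, organizing Snort-format rules into one automaton in which rules share sub-automata, can be illustrated with the following Python. It is example code written for this page, not code from the thesis or from the FPDigital prototype, whose automaton construction is not described here. The four rules, their SIDs, messages and the scanned payloads are constructed; only the rule header and the msg/content/sid options are parsed (no hex escapes, offsets or other modifiers), and the merged automaton is an Aho-Corasick trie with failure links, which is one concrete way of sharing prefix sub-automata between rules and testing every rule in a single pass over the payload.

```python
import re
from collections import deque

# Constructed rules in Snort syntax (hypothetical SIDs and messages).
RULES = r'''
alert tcp any any -> any 80 (msg:"WEB traversal"; content:"../"; sid:1000001;)
alert tcp any any -> any 80 (msg:"WEB cgi-bin"; content:"/cgi-bin/"; sid:1000002;)
alert tcp any any -> any 80 (msg:"WEB cgi-bin phf"; content:"/cgi-bin/phf"; sid:1000003;)
alert tcp any any -> any 21 (msg:"FTP SITE EXEC"; content:"SITE EXEC"; sid:1000004;)
'''

HEADER_RE = re.compile(
    r'^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s*->\s*'
    r'(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$')
OPTION_RE = re.compile(r'(\w+)\s*:\s*"?([^";]*)"?\s*;')


def parse_rules(text):
    """Return one dict per rule: sid, msg, proto, dport and the content bytes.
    Only plain-string content is handled; |hex| escapes and modifiers are not."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        m = HEADER_RE.match(line)
        if m is None:
            raise ValueError('unparsable rule: ' + line)
        opts = dict(OPTION_RE.findall(m.group('opts')))
        rules.append({'sid': int(opts['sid']), 'msg': opts.get('msg', ''),
                      'proto': m.group('proto'), 'dport': m.group('dport'),
                      'content': opts['content'].encode('latin-1')})
    return rules


class RuleAutomaton:
    """All content patterns compiled into a single Aho-Corasick automaton.
    Patterns with a common prefix share the trie states for that prefix, so
    adding "/cgi-bin/phf" beside "/cgi-bin/" costs three new states, not
    twelve; failure links let one pass over the payload test every rule."""

    def __init__(self, rules):
        self.rules = {r['sid']: r for r in rules}
        self.goto = [{}]      # state -> {byte: next state}
        self.fail = [0]       # state -> state to fall back to on a mismatch
        self.output = [[]]    # state -> sids whose content ends in this state
        for r in rules:
            self._insert(r['content'], r['sid'])
        self._link_failures()

    def _insert(self, pattern, sid):
        state = 0
        for b in pattern:
            nxt = self.goto[state].get(b)
            if nxt is None:   # new state only where no earlier rule shares the prefix
                nxt = len(self.goto)
                self.goto.append({})
                self.fail.append(0)
                self.output.append([])
                self.goto[state][b] = nxt
            state = nxt
        self.output[state].append(sid)

    def _link_failures(self):
        queue = deque(self.goto[0].values())   # depth-1 states fail to the root
        while queue:
            s = queue.popleft()
            for b, t in self.goto[s].items():
                f = self.fail[s]
                while f and b not in self.goto[f]:
                    f = self.fail[f]
                self.fail[t] = self.goto[f].get(b, 0)
                # a rule ending at the fallback state also ends here (suffix match)
                self.output[t] = self.output[t] + self.output[self.fail[t]]
                queue.append(t)

    def scan(self, proto, dport, payload):
        """One pass over payload; returns (sid, msg, offset) for every rule whose
        header matches the packet and whose content occurs in the payload."""
        hits, state = [], 0
        for i, b in enumerate(payload):
            while state and b not in self.goto[state]:
                state = self.fail[state]
            state = self.goto[state].get(b, 0)
            for sid in self.output[state]:
                r = self.rules[sid]
                if r['proto'] == proto and r['dport'] in ('any', str(dport)):
                    hits.append((sid, r['msg'], i + 1 - len(r['content'])))
        return hits


RULESET = parse_rules(RULES)
AUTOMATON = RuleAutomaton(RULESET)


def detect(proto, dport, payload):
    return AUTOMATON.scan(proto, dport, payload)


if __name__ == '__main__':
    unshared = sum(len(r['content']) for r in RULESET) + 1
    print('states:', len(AUTOMATON.goto), 'versus', unshared, 'without sharing')
    for hit in detect('tcp', 80, b'GET /cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd HTTP/1.0\r\n'):
        print(hit)
```

Building one automaton for the four rules yields 25 states where four separate pattern matchers would need 34, and a request for /cgi-bin/phf fires both the generic and the specific cgi-bin rule in the same pass. In a production engine the header check (protocol, ports) would select a rule group before the payload scan rather than filtering hits afterwards, and content options such as nocase, offset and depth would need to be honoured.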
Other Abstract: The Network Intrusion Detection System (NIDS) is a new security technology, distinct from traditional security protection technologies such as firewalls and data encryption, which watches computer and network traffic for intrusive and suspicious activities. In China, there is an urgent need for NIDS products with independent intellectual property rights. The technology of NIDS is far from fully developed, and more effort needs to be devoted to this research area. There are two key detection methods in network intrusion detection: rule-based misuse detection and behavior-based anomaly detection. Because of its high alert accuracy, rule-based NIDS is the main product in the market. The main difficulty of a rule-based NIDS is how to define the attack signatures and how to organize the rules efficiently. In this thesis, we survey network intrusion detection technology and NIDS systems, and discuss protocol analysis in network intrusion detection. Based on an analysis of existing NIDSs, we present a rule-based NIDS. The main contributions of this system are:
1. A rule-organizing method based on an automaton model. We describe attack signatures with the rule specification of SNORT and use an automaton model to organize the rule sets. We introduce the method to construct the automaton of multiple rules, and optimize it through sub-automaton sharing.
2. A method to detect port scan attacks and denial-of-service attacks, based on stateful anomaly detection.
We implemented these methods in the prototype NIDS, FPDigital.
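The second contribution, stateful anomaly detection that tracks TCP connections statistically to catch port scans and denial of service, can be illustrated with the following Python. It is example code written for this page, not code from the thesis or from FPDigital, whose state machine and thresholds are not given here. The packet trace (one legitimate handshake, a scan of ports 21 to 35 answered with RSTs, and 25 spoofed SYNs that never complete) is constructed, and the thresholds SCAN_PORTS, SCAN_WINDOW, FLOOD_HALFOPEN and HALFOPEN_TIMEOUT are assumed values chosen for that trace. Each segment is applied to a connection table keyed by the client-oriented 4-tuple, and the two anomaly rules are evaluated on statistics derived from that table: distinct destination ports per source within a window, and half-open connections pending per destination.

```python
from collections import defaultdict, deque

SCAN_PORTS = 10          # distinct destination ports from one source ...
SCAN_WINDOW = 5.0        # ... within this many seconds (assumed values)
FLOOD_HALFOPEN = 20      # half-open connections pending on one (dst, dport)
HALFOPEN_TIMEOUT = 30.0  # idle seconds before a half-open entry is dropped

HALF_OPEN = ('SYN_SENT', 'SYN_RECV')


class TcpTracker:
    """Connection table plus the statistics the anomaly rules are evaluated on."""

    def __init__(self):
        self.conns = {}                       # (src, sport, dst, dport) -> state
        self.last_seen = {}                   # 4-tuple -> timestamp of last segment
        self.half_open = defaultdict(int)     # (dst, dport) -> pending handshakes
        self.ports_seen = defaultdict(deque)  # src -> deque of (ts, dport)
        self.alerts = []
        self._scan_alerted = set()
        self._flood_alerted = set()

    def _set_state(self, key, new, ts):
        old = self.conns.get(key)
        target = (key[2], key[3])
        if old in HALF_OPEN:
            self.half_open[target] -= 1
        if new in HALF_OPEN:
            self.half_open[target] += 1
        if new is None:
            self.conns.pop(key, None)
            self.last_seen.pop(key, None)
        else:
            self.conns[key] = new
            self.last_seen[key] = ts

    def observe(self, ts, src, sport, dst, dport, flags):
        """Apply one TCP segment; flags is 'S', 'SA', 'A', 'R' or 'F'."""
        key = (src, sport, dst, dport)    # segment sent by the client side
        rkey = (dst, dport, src, sport)   # segment sent by the server side
        if flags == 'S':
            self._set_state(key, 'SYN_SENT', ts)
            self._check_scan(ts, src, dport)
            self._check_flood(ts, dst, dport)
        elif flags == 'SA':
            if self.conns.get(rkey) == 'SYN_SENT':
                self._set_state(rkey, 'SYN_RECV', ts)
        elif flags == 'A':
            if self.conns.get(key) == 'SYN_RECV':
                self._set_state(key, 'ESTABLISHED', ts)
        elif flags in ('R', 'F'):
            for k in (key, rkey):
                if k in self.conns:
                    self._set_state(k, None, ts)

    def _check_scan(self, ts, src, dport):
        dq = self.ports_seen[src]
        dq.append((ts, dport))
        while dq and ts - dq[0][0] > SCAN_WINDOW:   # slide the window
            dq.popleft()
        distinct = len({p for _, p in dq})
        if distinct >= SCAN_PORTS and src not in self._scan_alerted:
            self._scan_alerted.add(src)
            self.alerts.append(('PORT_SCAN', ts, src, distinct))

    def _check_flood(self, ts, dst, dport):
        pending = self.half_open[(dst, dport)]
        if pending >= FLOOD_HALFOPEN and (dst, dport) not in self._flood_alerted:
            self._flood_alerted.add((dst, dport))
            self.alerts.append(('SYN_FLOOD', ts, (dst, dport), pending))

    def expire(self, now):
        """Drop half-open entries idle longer than HALFOPEN_TIMEOUT, so the
        tracker's own table cannot be exhausted by a flood of spoofed SYNs."""
        stale = [k for k, st in self.conns.items()
                 if st in HALF_OPEN and now - self.last_seen[k] > HALFOPEN_TIMEOUT]
        for k in stale:
            self._set_state(k, None, now)
        return len(stale)


def build_trace():
    """Constructed segments: (ts, src, sport, dst, dport, flags)."""
    t = [(0.00, '10.0.0.5', 40000, '10.0.0.1', 80, 'S'),    # legitimate handshake
         (0.01, '10.0.0.1', 80, '10.0.0.5', 40000, 'SA'),
         (0.02, '10.0.0.5', 40000, '10.0.0.1', 80, 'A')]
    for i, port in enumerate(range(21, 36)):                 # scan; closed ports reply RST
        ts = 1.0 + 0.1 * i
        t += [(ts, '10.0.0.9', 50000 + i, '10.0.0.1', port, 'S'),
              (ts + 0.01, '10.0.0.1', port, '10.0.0.9', 50000 + i, 'R')]
    for i in range(25):                                      # spoofed SYNs, never completed
        t.append((10.0 + 0.001 * i, f'192.0.2.{i + 1}', 1024 + i, '10.0.0.1', 80, 'S'))
    return t


def run_trace(trace):
    tracker = TcpTracker()
    for segment in trace:
        tracker.observe(*segment)
    return tracker


if __name__ == '__main__':
    tracker = run_trace(build_trace())
    for alert in tracker.alerts:
        print(alert)
    print('half-open on 10.0.0.1:80 =', tracker.half_open[('10.0.0.1', 80)])
    print('expired at t=70 s:', tracker.expire(70.0))
```

The scanner is flagged on its tenth distinct port and the flood on the twentieth pending handshake, while the completed handshake leaves no half-open count behind. The expire method is the caveat a practitioner would want: without timing out stale half-open entries, the state table that detects the SYN flood is itself a resource the flood can exhaust.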
Other Identifier: 710
Document Type: Degree thesis
Recommended Citation
GB/T 7714:
常琤. 基于规则的网络入侵检测系统设计与原型实现 (The Design and Prototype Implementation of Rule-based Network Intrusion Detection System) [D]. Institute of Automation, Chinese Academy of Sciences (中国科学院自动化研究所). Graduate University of Chinese Academy of Sciences (中国科学院研究生院), 2003.
Files in This Item:
There are no files associated with this item.