
Research on the Application of a Snort-Based Hybrid Intrusion Detection Model in a Cyber Range

Published: 2018-01-25 04:01

  Keywords: cyber range; intrusion detection system; improved Snort model; data mining. Source: Chongqing University of Technology, 2015 master's thesis. Document type: degree thesis


[Abstract]: A cyber range is a simulated virtual training ground for network security, attack-and-defense exercises and personnel training, whose purpose is to improve trainees' network attack and defense skills. Simulated training in the range generates attack and defense traffic, and detecting and recording that traffic is generally done by an intrusion detection system (IDS). Real-time detection and logging are the two core functions of an IDS: real-time inspection of network packets captures the intrusion behavior produced during attack-and-defense exercises and so acts as a recorder of the exercise, while the log data provided by the logging function gives a sound basis for displaying and evaluating the training. The range tracking system can accurately detect and display exercises in real time mainly by relying on these two core functions, which is why the IDS is an important component of the range tracking system. Considering cost and technical factors together, the well-known IDS Snort was chosen for the network training range tracking system because it is open source and free. In practical use Snort showed many defects and problems, but because it is open and flexible it has great room for improvement and is well worth studying. This thesis studies how to improve Snort's performance in the range tracking system.

First, it analyzes in depth the development of intrusion detection and the current state of Snort's application, and identifies Snort's inherent shortcomings. Second, it analyzes in detail the architecture, main functional modules and detection mechanisms of the existing Snort system, and studies the data mining techniques applied to intrusion detection. To address the problem that, when many attack-and-defense exercises run in the range, Snort's detection efficiency is low and the logs produced by monitoring cannot be delivered to the tracking system in time for display to the assessors, an anomaly detection module is designed for Snort that filters out large volumes of normal network traffic to improve detection efficiency. To address the fact that trainees continually try new attacks in the range environment, a new-rule generation module is designed for Snort so that it can detect new intrusion behavior. Finally, a data-mining-based Snort hybrid model is proposed. Building on the new model, the K-means clustering algorithm and the Apriori algorithm used in the new modules are analyzed in depth and improved, the improved algorithms are introduced into the new functional modules, and the modules are added to Snort as plug-ins. Experiments demonstrate the feasibility and effectiveness of the improved Snort hybrid detection model in cyber range applications.
[Degree-granting institution]: Chongqing University of Technology
[Degree level]: Master's
[Year degree granted]: 2015
[Classification number]: TP393.08

