Abstract
Traditional network intrusion detection systems inspect only packet features at and below the transport layer, so they suffer from weaknesses that are hard to overcome: they are easy to evade, they produce many false positives, and their detection efficiency is low, which makes them ill-suited to high-speed networks. To address these problems, this paper applies application-protocol analysis to network intrusion detection, so that detection is performed at the application level, and presents an improved multi-pattern matching algorithm that further raises detection efficiency. For high-speed networks it also proposes a new NIDS architecture and model built on data-filtering-based compression and load balancing, and gives the design and implementation of the system. Lab tests show that the system performs effective real-time detection on gigabit Ethernet.
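As an added illustration of the two ideas the abstract combines, application-protocol analysis and single-pass multi-pattern matching, the following Python is example code written for this page, not code from the paper. The paper's improved matching algorithm is not described here, so a textbook Aho-Corasick automaton stands in for the matcher; the HTTP request, the three signatures and the parser's field handling are all constructed for the example. It runs the same signature set once over the raw TCP payload (the transport-layer approach the abstract criticises) and once over the decoded HTTP request path (the application-based approach it proposes).

```python
"""Added example, not from the paper: application-protocol-aware multi-pattern
matching for an NIDS, contrasted with raw byte matching on the packet payload.
The matcher is a plain Aho-Corasick automaton; it is not the paper's algorithm."""
from collections import deque
from urllib.parse import unquote_to_bytes


class AhoCorasick:
    """Multi-pattern matcher over bytes: build once, then O(len(data) + hits)."""

    def __init__(self, patterns):
        self.patterns = [bytes(p) for p in patterns]
        self.goto = [{}]   # goto[state][byte] -> next state (trie edges)
        self.fail = [0]    # fail[state]       -> longest proper-suffix state
        self.out = [[]]    # out[state]        -> indices of patterns ending here
        for idx, pat in enumerate(self.patterns):
            state = 0
            for b in pat:
                if b not in self.goto[state]:
                    self.goto.append({})
                    self.fail.append(0)
                    self.out.append([])
                    self.goto[state][b] = len(self.goto) - 1
                state = self.goto[state][b]
            self.out[state].append(idx)
        # Breadth-first pass: compute failure links and merge the outputs of each
        # state's suffix chain so overlapping patterns are all reported.
        queue = deque(self.goto[0].values())
        while queue:
            r = queue.popleft()
            for b, s in self.goto[r].items():
                queue.append(s)
                f = self.fail[r]
                while f and b not in self.goto[f]:
                    f = self.fail[f]
                self.fail[s] = self.goto[f][b] if b in self.goto[f] else 0
                self.out[s].extend(self.out[self.fail[s]])

    def search(self, data):
        """Return [(start_offset, pattern), ...] for every match in data."""
        hits, state = [], 0
        for i, b in enumerate(data):
            while state and b not in self.goto[state]:
                state = self.fail[state]
            state = self.goto[state].get(b, 0)
            for idx in self.out[state]:
                hits.append((i + 1 - len(self.patterns[idx]), self.patterns[idx]))
        return hits


# Signatures written against the HTTP request path (constructed for this example).
URI_SIGNATURES = [b"../", b"/etc/passwd", b"cmd.exe"]
MATCHER = AhoCorasick(URI_SIGNATURES)

# A TCP payload constructed for this example: directory traversal hidden behind
# percent-encoding, plus a harmless header that happens to contain "cmd.exe".
SAMPLE_PAYLOAD = (
    b"GET /cgi-bin/%2e%2e/%2e%2e/etc/passwd HTTP/1.0\r\n"
    b"Host: www.example.com\r\n"
    b"User-Agent: cmd.exe-docs-reader\r\n"
    b"\r\n"
)


def raw_payload_alerts(payload, matcher=MATCHER):
    """Transport-level approach: signatures matched anywhere in the raw payload.
    It misses the encoded "../" (evasion) and fires on the User-Agent header
    (false positive), the two weaknesses the abstract names."""
    return matcher.search(payload)


def parse_http_request(payload):
    """Minimal HTTP/1.x request parser: (method, normalised_path, headers) or None."""
    head, sep, _body = payload.partition(b"\r\n\r\n")
    if not sep:
        return None
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/"):
        return None
    method, target, _version = parts
    path = target.split(b"?", 1)[0]
    # Normalisation is what defeats the evasion: decode %XX and collapse repeated
    # slashes so the matcher sees the bytes the server will actually act on.
    path = unquote_to_bytes(path)
    while b"//" in path:
        path = path.replace(b"//", b"/")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers


def protocol_aware_alerts(payload, matcher=MATCHER):
    """Application-based approach: decode the protocol first, then run the path
    signatures only against the decoded request path, not the whole payload."""
    req = parse_http_request(payload)
    if req is None:
        return []          # not HTTP, so these signatures do not apply
    _method, path, _headers = req
    return matcher.search(path)


if __name__ == "__main__":
    print("raw payload:", raw_payload_alerts(SAMPLE_PAYLOAD))
    print("HTTP-aware :", protocol_aware_alerts(SAMPLE_PAYLOAD))
```

On the constructed request the raw scan reports `/etc/passwd` and a spurious `cmd.exe`, while the protocol-aware scan reports both `../` components and `/etc/passwd` at their offsets inside the decoded path. The caveat a practitioner should keep in mind is that the normalisation step must mirror what the protected server does (percent-decoding, slash handling, case folding, and so on); where the sensor and the server disagree, the difference is itself an evasion path.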
Source
Journal on Communications (《通信学报》), 2002, No. 9, pp. 1-7 (7 pages)
Indexed in EI, CSCD and the Peking University Core Journals list (北大核心)
Funding
National 863 High-Tech Program project (863-317-01-03-99)
Keywords
network intrusion detection
protocol analysis
pattern matching
load balancing
data filtering
agent