Similar documents
 Found 19 similar documents; search took 109 ms
1.
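Building on the Snort software package, this work studies the implementation of an intrusion detection system for the next-generation Internet, proposes a solution for an IPv6-based intrusion detection system, and describes the design and implementation of the protocol parsing module, the fragment reassembly module, the rule detection module, and the alert output module.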

2.
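Based on an analysis of the strengths and weaknesses of Snort, and taking advantage of its open-source nature and plug-in support, this work addresses Snort's inability to detect newly emerging intrusions, its high false-negative rate, and its low detection speed. By combining Snort with data mining techniques for intrusion detection, it proposes a hybrid intrusion detection system model based on Snort. The model extends the original Snort system model with a normal-behavior profile construction module, an anomaly detection module, a classifier module, a dynamic rule generation module, and other extension modules. The improved hybrid intrusion detection system can update its detection rule base in real time and thus detect new intrusion attacks; it also provides both misuse detection and anomaly detection, which improves detection efficiency.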

3.
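The efficiency of the Snort intrusion detection system depends directly on the quality of the rule set used for detection. Creating an ideal rule set is the key to improving Snort's detection speed. This paper describes the specific process of Snort rule optimization, the problems encountered during optimization, and their solutions.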

4.
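Building an Intrusion Detection System Based on Snort   Total citations: 10, self-citations: 0, citations by others: 10
Wu Yu (吴玉), Microelectronics & Computer (《微电子学与计算机》), 2005, 22(7): 165-167, 170
An intrusion detection system (IDS) is an important component of a computer security architecture, providing real-time detection. This paper presents a solution for building an intrusion detection system using Snort, a PostgreSQL database, Apache, PHP, ACID, and Razorback, and concludes with an evaluation of Snort.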

5.
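Xiang Quanqing (向全青), Information Technology (《信息技术》), 2013, (5): 137-139, 143
This paper proposes integrating honeypot technology into an intrusion detection system and applying it in a distributed network environment. The main goal is to compare, using attacks on unicast IP addresses and attacks on multicast IP addresses, the attack detection effectiveness of a standalone intrusion detection system with that of an intrusion detection system integrated with honeypot technology. The hybrid honeypot network consists of Snort and Honeyd: Snort performs intrusion detection, while Honeyd forms the honeypot system. Honeyd is installed on a Linux system, and the system's sensors check whether Snort and Honeyd send data to the main database. NESSUS is used to analyze the experimental data. The approach offers administrators a more effective way to manage the network.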

6.
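With the continuing development of network technology, network security problems have become increasingly prominent, and intrusion detection has become a core technology in network security. Because it is open source, Snort has substantial advantages of its own. This paper introduces network intrusion detection technology, examines in detail how Snort works and its intrusion detection workflow, and finally reports a series of experiments on the system together with the resulting experimental data and logs.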

7.
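A network intrusion detection system monitors network traffic and raises alerts when an intrusion occurs. Snort allows administrators to respond to security events in real time by quickly modifying its configuration. This paper describes in detail Snort's architecture, its intrusion detection mechanism, and the definition, composition, and updating of rules, and briefly introduces Snort's built-in applications. Because Snort is open source, lightweight yet powerful, highly portable, uses simple but effective detection rules, and lets users fully customize their own rules, it has good application prospects.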

8.
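To protect the network security of the postal integrated network, a Snort intrusion detection system is deployed in that environment; this technology helps protect postal business application systems and the normal operation of postal production. On this basis, the paper studies how to optimize the performance of the intrusion detection system. Starting from the rule base, the system's core component, and following the principle of refinement, it applies protocol analysis techniques to propose an optimization scheme for the rule base, and shows experimentally that the scheme significantly improves the performance of the Snort intrusion detection system.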

9.
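The diversity of operating systems and device models poses many problems for the development of antivirus software for handheld devices. Given the limits on operating system size and memory capacity of handheld devices, this paper proposes applying Snort technology to handheld device security. Because Snort is a lightweight intrusion detection system based on Libpcap, the system model studied here for strengthening handheld device information security is named the lightweight handheld device intrusion detection system. Given the particularities of handheld device platforms, the system model is designed on the basis of combining an optimized pattern matching algorithm with matching rules.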

10.
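To address the security flaws exposed by IPv6 itself, this research builds on the open-source Snort platform. Based on the characteristics of IPv6 and using IPv6 analysis techniques, it targets the problem that the current open-source intrusion detection system Snort cannot detect Neighbor Discovery Protocol attacks in IPv6 networks, and studies and designs the HDU_IPv6_IDS intrusion detection system, which can detect attacks on the Neighbor Discovery Protocol in IPv6.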

11.
In transport control protocol (TCP) over optical burst switching (OBS) networks, TCP window size and OBS parameters, including assembly period and burst dropping probability, will impact the network performance. In this paper, a parameter, window data dropping probability (WDDP), is defined to analyze the impact of the assembly and the burst loss on the network performance in terms of the round trip time and the throughput. To reduce the WDDP without introducing the extra assembly delay penalty, we propose a novel TCP window based flow-oriented assembly algorithm, dynamic assembly period (DAP). In the traditional OBS assembly algorithms, the packets with the same destination and class of service (CoS) are assembled into the same burst, i.e., the packets from different sources will be assembled into one burst. In that case, one burst loss will influence multiple TCP sources. In DAP, the packets from one TCP connection are assembled into bursts, which can avoid the above situation. Through comparing the two consecutive burst lengths, DAP can track the variation of TCP window dynamically and update the assembly period for the next assembly. In addition, the ingress node architecture for the flow-oriented assembly is designed. The performance of DAP is evaluated and compared with that of fixed assembly period (FAP) over a single TCP connection and multiple TCP connections. The results show that DAP performs better than FAP over almost the whole range of burst dropping probability.

12.
Burst assembly is one of the key factors affecting the TCP performance in optical burst switching (OBS) networks. When the TCP congestion window is small, the fixed-delay burst assembler waits unnecessarily long, which increases the end-to-end delay and thus decreases the TCP goodput. On the other hand, when the TCP congestion window becomes larger, the fixed-delay burst assembler may unnecessarily generate a large number of small-sized bursts, which increases the overhead and decreases the correlation gain, resulting in a reduction in the TCP goodput. In this paper, we propose adaptive burst assembly algorithms that use the congestion window sizes of TCP flows. Using simulations, we show that the usage of the congestion window size in the burst assembly algorithm significantly improves the TCP goodput (by up to 38.4% on the average and by up to 173.89% for individual flows) compared with the timer-based assembly, even when the timer-based assembler uses the optimum assembly period. It is shown through simulations that even when estimated values of the congestion window size, that are obtained via passive measurements, are used, TCP goodput improvements are still close to the results obtained by using exact values of the congestion window.

13.
Transmission Control Protocol (TCP) performance over Optical Burst Switching (OBS) is experimentally investigated on an OBS network testbed, concluding that burst losses will lead to a significant drop in the available TCP bandwidth. Two mechanisms are introduced to improve TCP performance. One concerns burst assembly optimization, and the other is based on a novel assembly and scheduling mechanism to reduce the burst losses.

14.
Optical packet assembly is a key function to support inter-working between TCP/IP networks and optical packet-switched networks. It is characterized by the assembly delay and by the segment aggregation needed to form an optical packet. These counter-balancing aspects depend on several environment variables, such as the TCP parameters, the access link speed, and the optical packet size, whose effects are studied in this paper. Performance evaluations are obtained by extensive simulations in terms of send rate of TCP flows, fairness, efficiency, and assembly delay. Some guidelines in the design of optical packets that take into account the results presented are given.

15.
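Hou Zhongxiang (侯忠响), Mobile Information (《移动信息》), 2023, 45(10): 144-145, 157
This paper improves Snort IDS using an artificial neural network (ANN). A sample set is trained with an artificial neural network tool, and the successfully trained ANN is integrated into Snort's preprocessor, optimizing Snort's attack detection. Experiments verify that the improved Snort IDS can detect attacks outside the rule base and effectively detects multiple kinds of intrusions.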

16.
This article studies the transmission control protocol (TCP) synchronization effect in optical burst switched networks. Synchronization of TCP flows appears when optical bursts with segments from different flows inside are dropped in the network, causing flow congestion windows to decrease simultaneously. In this article, this imminent effect is studied with different assembly schemes and network scenarios. Different metrics are applied to quantitatively assess synchronization with classical assembly schemes. A new burst assembly scheme is proposed that statically or dynamically allocates flows to multiple assembly queues to control flow aggregation within the assembly cycle. The effectiveness of the scheme has been evaluated, showing a good improvement in optical link utilization.

17.
Burst assembly mechanism is one of the fundamental factors that determine the performance of an optical burst switching (OBS) network. In this paper, we investigate the influence of the number of burstifiers on TCP performance for an OBS network. The goodput of TCP flows between an ingress node and an egress node traveling through an optical network is studied as the number of assembly buffers per destination varies. First, the burst-length independent losses resulting from the contention in the core OBS network using a non-void-filling burst scheduling algorithm, e.g., Horizon, are studied. Then, burst-length dependent losses arising as a result of void-filling scheduling algorithms, e.g., LAUC-VF, are studied for two different TCP flow models: FTP-type long-lived flows and variable size short-lived flows. Simulation results show that for both types of scheduling algorithms, both types of TCP flow models, and different TCP versions (Reno, Newreno and Sack), TCP goodput increases as the number of burst assemblers per egress node is increased for an OBS network employing timer-based assembly algorithm. The improvement from one burstifier to moderate number of burst assemblers is significant (15–50% depending on the burst loss probability, per-hop processing delay, and the TCP version), but the goodput difference between moderate number of buffers and per-flow aggregation is relatively small, implying that an OBS edge switch should use moderate number of assembly buffers per destination for enhanced TCP performance without substantially increasing the hardware complexity.
Ezhan Karasan (Corresponding author)

18.
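An effective, low-cost implementation of a TCP/IP protocol stack for embedded systems is proposed. The basic principles of implementing the TCP/IP protocol on the TMS320F2407A are described. By trimming the TCP/IP protocol and using programming entirely in assembly language, a flexible message control mechanism, and buffer management, the TCP/IP protocol stack is implemented within a limited code space.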

19.
This work proposes a stochastic model to characterize the transmission control protocol (TCP) over optical burst switching (OBS) networks which helps to understand the interaction between the congestion control mechanism of TCP and the characteristic bursty losses in the OBS network. We derive the steady-state throughput of a TCP NewReno source by modeling it as a Markov chain and the OBS network as an open queueing network with rejection blocking. We model all the phases in the evolution of TCP congestion window and evaluate the number of packets sent and time spent in different states of TCP. We model the mixed assembly process, burst assembler and disassembler modules, and the core network using queueing theory and compute the burst loss probability and end-to-end delay in the network. We derive an expression for the throughput of a TCP source by solving the models developed for the source and the network with a set of fixed-point equations. To evaluate the impact of a burst loss on each TCP flow accurately, we define the burst as a composition of per-flow-bursts (which is a burst of packets from a single source). Analytical and simulation results validate the model and highlight the importance of accounting for individual phases in the evolution of TCP congestion window.
