Abstract
To address the insufficient ability of network security audits to audit application-layer protocols, an intranet behavior audit scheme based on improved Regular Expression (RE) rule grouping was proposed. First, the protocols to be audited were described with regular expressions, and the relevant parameters were set so that protocol states that occur frequently in the intranet or are relatively important to the audit received high priority in the RE set. Then, provided that the interaction value between regular expressions remained small, high-priority protocol state expressions were built into the same automaton group as far as possible to generate the audit engine. Finally, the relevant parameters were changed according to the audit requirements to achieve security audit of intranet behavior. Experimental results showed that the number of states produced by the proposed automaton construction algorithm during conversion was reduced to 10% to 20% of that of Thompson, the classic Nondeterministic Finite Automaton (NFA) conversion algorithm, and that detection throughput was about 8 to 12 times that of a traditional automaton grouping engine. The proposed audit scheme can meet the demand for security audit of application-layer protocols with high accuracy and efficiency.
Source
Journal of Computer Applications (《计算机应用》)
CSCD
Peking University Core Journal
2016, No. 8, pp. 2241-2245 (5 pages)
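Funding
National Natural Science Foundation of China (61100042)
Natural Science Foundation of Hubei Province (2015CFC867)
Fund of the National Defense Key Laboratory of Information Assurance Technology (KJ-13-111)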
Keywords
regular expression
protocol state
security audit
automaton grouping
demand choice