Attack analysis based on protocol information of Snort rules (original title: 从Snort规则的协议信息分析攻击; cited by: 4)


Authors: LENG Feng (冷峰), ZHANG Cuiling (张翠玲) [2], CHEN Wenyu (陈闻宇) [2], ZENG Yu (曾宇) (Computer Network Information Center, Chinese Academy of Sciences, Beijing 100190, China; China Internet Network Information Center, Beijing 100190, China; University of Chinese Academy of Sciences, Beijing 100049, China)

Affiliations: [1] Computer Network Information Center, Chinese Academy of Sciences, Beijing 100190; [2] China Internet Network Information Center, Beijing 100190; [3] University of Chinese Academy of Sciences, Beijing 100049

Source: Journal of Computer Applications (计算机应用), 2022, Issue S01, pp. 173-177 (5 pages)

Abstract: At present, although much research on intrusion detection systems (IDS) focuses on network traffic identification and log analysis, there is another way to approach the intrusion detection problem: analysing the rules at the core of the IDS. A signature-based IDS encapsulates the characteristics of the attacks it faces in its own rules, so analysis of those rules can reveal useful information about malicious traffic. The rules of Snort, a popular open-source intrusion detection system, were analysed statistically and clustered, with particular attention to the network protocol each rule uses. This reveals the types of malicious traffic that Snort concentrates on, reflects the intrusion methods and frequencies of malicious traffic as well as the current means of intrusion detection, and can serve as a reference for writing intrusion detection rules and improving detection accuracy. The experimental results show that the three protocols mainly used by Snort are the Transmission Control Protocol (TCP), the User Datagram Protocol (UDP) and the Internet Control Message Protocol (ICMP). The Snort rule set can reasonably be divided into three categories, in each of which TCP is absolutely dominant, and the three categories reflect different kinds, methods and frequencies of attack events. For the great majority of Snort rules, characteristics of an application-layer protocol carried over TCP or UDP can be extracted, that is, current rules tend to identify application-layer protocols; the protocols identified most often are the Hypertext Transfer Protocol (HTTP) and the Simple Mail Transfer Protocol (SMTP).
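The statistics the abstract describes start from one mechanical step: parsing each rule's header for its transport protocol and then deciding which application-layer protocol the rule actually targets (explicit `metadata:service`/`service` options, HTTP-specific buffers such as `http_uri`, or the port field). The script below is an added example written for this page, not the authors' code; the sample rules are constructed (local-range SIDs, not taken from any published ruleset), and the port-to-protocol and port-variable tables are an assumption covering common snort.conf defaults. Function names (`parse_rule`, `infer_app_protocol`, `protocol_stats`) are hypothetical.

```python
import re
from collections import Counter

# Constructed sample rules for the demo (not from any published Snort ruleset).
SAMPLE_RULES = """\
# constructed examples, sids in the local range
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"DEMO HTTP traversal"; flow:to_server,established; content:"../"; http_uri; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"DEMO SMTP long MAIL FROM"; flow:to_server,established; content:"MAIL FROM|3A|"; nocase; pcre:"/^MAIL FROM\\x3A[^\\n]{300}/mi"; metadata:service smtp; sid:1000002; rev:2;)
alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DEMO DNS oversized query"; dsize:>512; sid:1000003; rev:1;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"DEMO ICMP echo"; itype:8; sid:1000004; rev:1;)
alert tcp any any -> any any (msg:"DEMO generic TCP with service"; flow:established; metadata:service http, policy balanced-ips drop; content:"evil"; sid:1000005; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"DEMO TLS record"; content:"|16 03|"; depth:2; sid:1000006; rev:1;)
drop tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"DEMO ssh"; sid:1000007; rev:1;)
"""

# Snort rule header: action proto src sport dir dst dport (options)
HEADER_RE = re.compile(
    r'^(?P<action>alert|log|pass|drop|reject|sdrop|block)\s+'
    r'(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+'
    r'(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*'
    r'\((?P<opts>.*)\)\s*$')

# Assumed mappings: well-known ports and common snort.conf port variables.
PORT_APP = {80: 'http', 8080: 'http', 8000: 'http', 443: 'tls', 25: 'smtp',
            587: 'smtp', 53: 'dns', 22: 'ssh', 21: 'ftp', 110: 'pop3',
            143: 'imap', 445: 'smb', 139: 'smb'}
PORTVAR_APP = {'$HTTP_PORTS': 'http', '$FTP_PORTS': 'ftp', '$SSH_PORTS': 'ssh',
               '$SIP_PORTS': 'sip', '$ORACLE_PORTS': 'oracle'}
# Rule options that only make sense against decoded HTTP (Snort 2 modifiers / Snort 3 buffers).
HTTP_OPTIONS = {'http_uri', 'http_raw_uri', 'http_header', 'http_raw_header',
                'http_client_body', 'http_cookie', 'http_raw_cookie', 'http_method',
                'http_stat_code', 'http_stat_msg', 'http_encode', 'uricontent'}


def iter_rules(text):
    """Yield logical rule lines, skipping comments and joining backslash continuations."""
    buf = ''
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        if line.endswith('\\'):
            buf += line[:-1] + ' '
            continue
        yield buf + line
        buf = ''


def split_options(body):
    """Split the option body on ';' while respecting double quotes and backslash escapes."""
    opts, cur, in_quote, escaped = [], [], False, False
    for ch in body:
        if escaped:
            cur.append(ch); escaped = False; continue
        if ch == '\\':
            cur.append(ch); escaped = True; continue
        if ch == '"':
            in_quote = not in_quote
        if ch == ';' and not in_quote:
            tok = ''.join(cur).strip()
            if tok:
                opts.append(tok)
            cur = []
        else:
            cur.append(ch)
    tok = ''.join(cur).strip()
    if tok:
        opts.append(tok)
    out = []
    for tok in opts:                      # "name:value" or a bare flag such as "nocase"
        name, _, val = tok.partition(':')
        out.append((name.strip().lower(), val.strip()))
    return out


def parse_rule(line):
    """Return the header fields plus parsed options, or None if the line is not a rule."""
    m = HEADER_RE.match(line)
    if not m:
        return None
    rule = m.groupdict()
    rule['proto'] = rule['proto'].lower()
    rule['options'] = split_options(rule.pop('opts'))
    return rule


def app_from_port_field(field):
    """Map a port field ('80', '[$HTTP_PORTS,8000]', '!80', '1024:') to an app protocol or None."""
    field = field.strip()
    if field.startswith('!'):
        return None                       # a negated set only says what the port is not
    for part in field.strip('[]').split(','):
        part = part.strip()
        if part in PORTVAR_APP:
            return PORTVAR_APP[part]
        if part.isdigit() and int(part) in PORT_APP:
            return PORT_APP[int(part)]
    return None                           # ranges and unknown ports are left unresolved


def infer_app_protocol(rule):
    """Decide which application-layer protocol a rule targets; None for non-TCP/UDP rules."""
    if rule['proto'] not in ('tcp', 'udp'):
        return None
    opts = rule['options']
    for name, val in opts:
        if name == 'service':             # Snort 3 style: service:http;
            return val.split(',')[0].strip().lower()
        if name == 'metadata':            # Snort 2 style: metadata:service http, policy ...;
            for kv in val.split(','):
                key, _, value = kv.strip().partition(' ')
                if key == 'service':
                    return value.strip().lower()
    if any(name in HTTP_OPTIONS for name, _ in opts):
        return 'http'
    for field in (rule['dport'], rule['sport']):
        app = app_from_port_field(field)
        if app:
            return app
    return 'unknown'


def protocol_stats(text):
    """Count transport protocols and inferred application protocols over a rules file."""
    transport, app = Counter(), Counter()
    for line in iter_rules(text):
        rule = parse_rule(line)
        if rule is None:
            continue
        transport[rule['proto']] += 1
        layer7 = infer_app_protocol(rule)
        if layer7 is not None:
            app[layer7] += 1
    return transport, app


if __name__ == '__main__':
    t, a = protocol_stats(SAMPLE_RULES)
    print('transport:', dict(t.most_common()))
    print('application:', dict(a.most_common()))
```

Run against a real ruleset (e.g. `protocol_stats(open('snort.rules').read())`), the two counters give exactly the kind of distribution the paper reports: transport-protocol shares first, then how many TCP/UDP rules can be tied to HTTP, SMTP and other application protocols. The order of the checks matters: an explicit `service` declaration is the rule author's statement of intent and wins over HTTP buffers, which in turn win over a port guess, since port-based inference is the weakest signal (a rule on port 80 may be matching a non-HTTP backdoor).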

Keywords: intrusion detection system; Snort rules; clustering algorithm; network protocol; K-means clustering; hierarchical clustering

Classification code: TP393.4 [Automation and computer technology: computer application technology]
