基于改进正则表达式规则分组的内网行为审计方案

doi:10.11772/j.issn.1001-9081.2016.08.2241

计算机应用 ›› 2016, Vol. 36 ›› Issue (8): 2241-2245.DOI: 10.11772/j.issn.1001-9081.2016.08.2241

基于改进正则表达式规则分组的内网行为审计方案

俞艺涵, 付钰, 吴晓平

海军工程大学信息安全系, 武汉 430033

收稿日期:2016-01-29 修回日期:2016-03-14 出版日期:2016-08-10 发布日期:2016-08-10
通讯作者: 俞艺涵
作者简介:俞艺涵(1992-),男,浙江金华人,硕士研究生,主要研究方向:信息系统安全;付钰(1982-),女,湖北武汉人,副教授,博士,主要研究方向:信息安全风险评估;吴晓平(1961-),男,山西新绛人,教授,博士,主要研究方向:系统分析与决策。
基金资助:
国家自然科学基金资助项目（61100042）；湖北省自然科学基金资助项目（2015CFC867）；信息保障技术国防重点实验室基金资助项目（KJ-13-111）。

Audit scheme for intranet behavior based on improved regular expression rule grouping

YU Yihan, FU Yu, WU Xiaoping

Department of Information Security, Naval University of Engineering, Wuhan Hubei 430033, China

Received:2016-01-29 Revised:2016-03-14 Online:2016-08-10 Published:2016-08-10
Supported by:
This work is partially supported by the National Natural Science Foundation of China (61402526).

摘要/Abstract

摘要： 针对网络安全审计中对应用层协议审计能力不足的问题，提出一种基于改进正则表达式（RE）规则分组的内网行为审计方案。首先，通过正则表达式对需审计的协议进行描述，并设置相关参数，使内网中出现频率高和审计中相对重要的协议状态在正则表达式描述集中取得高优先级；然后，在正则表达式交互值小的前提下，尽可能地将高优先级协议状态表达式构建到相同自动机分组中以生成审计引擎；最后，根据审计需求，改变相关参数，实现对内网行为的安全审计。实验结果显示，所提出的自动机构建算法在转化时的状态数缩减为经典非确定有限状态自动机（NFA）转化算法Thompson的10%~20%，检测时的吞吐量约为传统自动机分组引擎的8到12倍；所提审计方案能够满足对应用层协议进行安全审计的需求，具有较高的准确性和效率。

关键词: 正则表达式, 协议状态, 安全审计, 自动机分组, 需求选择

Abstract: In view of the insufficient ability of application layer protocol audit, an intranet behavior audit scheme based on improved Regular Expression (RE) rule grouping was proposed. First, the protocol needed to be audited was described by regular expression, and the relevant parameters were set, so that the states of high frequency protocols and the relative importance protocols of the audit in the intranet had the high priority in the RE set. Then, under the premise of the small interaction value of the regular expression, the high priority protocol state expression was built into the same automaton group to generate the audit engine as much as possible. At last, according to the audit requirements, the relevant parameters were changed to achieve security audit of the intranet behavior. Experimental results showed that, compared with the classic Nondeterministic Finite Automaton (NFA) algorithm named Thompson, the state number of the transformation of the proposed automata construction algorithm was reduced to 10% to 20%, and the throughput became 8 to 12 times as much as the throughput of the traditional automata grouping engine in detection. The proposed audit scheme can satisfy the demand of the application layer protocol in safety audit with high accuracy and efficiency.

Key words: regular expression, protocol state, security audit, automaton grouping, demand choice

中图分类号:

TP309.7

俞艺涵, 付钰, 吴晓平. 基于改进正则表达式规则分组的内网行为审计方案[J]. 计算机应用, 2016, 36(8): 2241-2245.

YU Yihan, FU Yu, WU Xiaoping. Audit scheme for intranet behavior based on improved regular expression rule grouping[J]. Journal of Computer Applications, 2016, 36(8): 2241-2245.

参考文献

[1] 付钰,李洪成,吴晓平,等.基于大数据分析的APT攻击检测研究综述[J].通信学报,2015,36(11):1-14.(FU Y,LI H C,WU X P,et al.Detecting APT attacks:a survey from the perspective of big data analysis[J].Journal on Communications,2015,36(11):1-14.)
[2] CHEN P,DESMET L,HUYGENS C.A study on advanced persistent threats[C]//CMS 2014:Proceedings of the 15th IFIP TC 6/TC 11 International Conference on Communications and Multimedia Security,LNCS 8735.Berlin:Springer-Verlag,2014:63-72.
[3] VIRVILIS N,GRITZALIS D A.The big four-what we did wrong in advanced persistent threat detection?[C]//ARES'13:Proceedings of the 2013 International Conference on Availability,Reliability and Security.Washington,DC:IEEE Computer Society,2013:248-254.
[4] YANG G,TIAN Z,DUAN W.The prevent of advanced persistent threat[J].Journal of Chemical and Pharmaceutical Research,2014,6(7):572-576.
[5] XIA Q.Log-based network security audit system research and design[J].Advanced Materials Research,2010,129-131:1426-1431.
[6] LV T,LIU P.Multi-Agent network security audit system based on information entropy[C]//SWS 2010:Proceedings of the 2010 IEEE 2nd Symposium on Web Society.Piscataway:IEEE,2010:367-371
[7] HUANG X,HUENG X,QUAN P.Research on firewall system for confidential network[J].Advanced Materials Research,2012,434-440:4279-4283.
[8] 张树壮,罗浩,方滨兴.面向网络安全的正则表达式匹配技术[J].软件学报,2011,22(8):1838-1854.(ZHANG S Z,LUO H,FANG B X.Regular expressions matching for network security[J].Journal of Software,2011,22(8):1838-1854.)
[9] 邵妍.正则表达式匹配算法并行化技术研究[D].北京:北京邮电大学,2013:15-18.(SHAO Y.Parallelization technology of regular expression matching algorithms[D].Beijing:Beijing University of Posts and Telecommunications,2013:15-18.)
[10] YU F,CHEN Z F,DIAO Y L,et al.Fast and memory-efficient regular expression matching for deep packet inspection[C]//ANCS'06:Proceedings of the 2006 IEEE/ACM Symposium on Architectures for Networking and Communications Systems.New York:ACM,2006:93-102.
[11] 蔡良伟,程璐,李军,等.基于遗传算法的正则表达式规则分组优化[J].深圳大学学报(理工版),2015,32(3):281-289.(CAI L W,CHENG L,LI J,et al.Regular expression grouping optimization based on genetic algorithm[J].Journal of Shenzhen University (Science and Engineering),2015,32(3):281-289.)
[12] 张运明.协议行为审计关键技术研究与实现[D].长沙:国防科学技术大学,2010:11-13.(ZHANG Y M.The research and implementation of the key technology of protocol behavior audit[D].Changsha:National University of Defense Technology,2010:11-13.)
[13] 陈曙晖,苏金树.基于内容分析的协议识别研究[J].国防科技大学学报,2008,30(4):82-87.(CHEN S H,SU J S.Protocol identification research based on content analysis[J].Journal of National University of Defense Technology,2008,30(4):82-87.)

[1]	常征, 吕勇. 基于正则表达式的海量数据清洗系统[J]. 计算机应用, 2019, 39(10): 2942-2947.
[2]	麦涛涛, 潘晓中, 王亚奇, 苏阳. 基于预定义类的紧凑型正则表达式匹配算法[J]. 计算机应用, 2017, 37(2): 397-401.
[3]	徐开勇, 龚雪容, 成茂才. 基于改进Apriori算法的审计日志关联规则挖掘[J]. 计算机应用, 2016, 36(7): 1847-1851.
[4]	卓艳男, 刘强, 姜磊, 戴琼. 基于FPGA改进电路的高性能正则表达式匹配算法[J]. 计算机应用, 2016, 36(4): 927-930.
[5]	黄笑言陈性元祝宁唐慧林. 基于状态标注的协议状态机逆向方法[J]. 计算机应用, 2013, 33(12): 3486-3489.
[6]	贺炜郭云飞莫涵扈红超. 基于多字符DFA的高速正则表达式匹配算法[J]. 计算机应用, 2013, 33(08): 2370-2374.
[7]	李娟. 形式语言在网页制作操作题自动阅卷中的应用[J]. 计算机应用, 2013, 33(03): 882-885.
[8]	唐球姜磊谭建龙刘金刚. 基于FPGA的正则表达式匹配算法综述[J]. 计算机应用, 2011, 31(11): 2943-2946.
[9]	姚远刘鹏王辉笱程成. 基于稀疏矩阵存储的状态表压缩算法[J]. 计算机应用, 2010, 30(8): 2157-2160.
[10]	姚远刘鹏单征田双鹏. 面向存储的正则表达式匹配算法综述[J]. 计算机应用, 2009, 29(12): 3171-3173.
[11]	丁晶陈晓岚吴萍. 基于正则表达式的深度包检测算法[J]. 计算机应用, 2007, 27(9): 2184-2186.
[12]	张毅坤刘伟. 基于自动机模型的构件集成软件测试要素的提取[J]. 计算机应用, 2007, 27(4): 857-859.
[13]	王新昌杨艳刘育楠. 一种基于局域网络监控日志的安全审计系统[J]. 计算机应用, 2007, 27(2): 292-294.
[14]	江伟陈龙王国胤 . 用户行为异常检测在安全审计系统中的应用[J]. 计算机应用, 2006, 26(7): 1637-1639.

基于改进正则表达式规则分组的内网行为审计方案

Audit scheme for intranet behavior based on improved regular expression rule grouping

PDF

可视化

摘要/Abstract

引用本文

使用本文

参考文献

相关文章 14

编辑推荐

Metrics