Journal of Computer Applications ›› 2016, Vol. 36 ›› Issue (8): 2241-2245.DOI: 10.11772/j.issn.1001-9081.2016.08.2241

Previous Articles     Next Articles

Audit scheme for intranet behavior based on improved regular expression rule grouping

YU Yihan, FU Yu, WU Xiaoping   

  1. Department of Information Security, Naval University of Engineering, Wuhan Hubei 430033, China
  • Received:2016-01-29 Revised:2016-03-14 Online:2016-08-10 Published:2016-08-10
  • Supported by:
    This work is partially supported by the National Natural Science Foundation of China (61402526).


俞艺涵, 付钰, 吴晓平   

  1. 海军工程大学 信息安全系, 武汉 430033
  • 通讯作者: 俞艺涵
  • 作者简介:俞艺涵(1992-),男,浙江金华人,硕士研究生,主要研究方向:信息系统安全;付钰(1982-),女,湖北武汉人,副教授,博士,主要研究方向:信息安全风险评估;吴晓平(1961-),男,山西新绛人,教授,博士,主要研究方向:系统分析与决策。
  • 基金资助:

Abstract: In view of the insufficient ability of application layer protocol audit, an intranet behavior audit scheme based on improved Regular Expression (RE) rule grouping was proposed. First, the protocol needed to be audited was described by regular expression, and the relevant parameters were set, so that the states of high frequency protocols and the relative importance protocols of the audit in the intranet had the high priority in the RE set. Then, under the premise of the small interaction value of the regular expression, the high priority protocol state expression was built into the same automaton group to generate the audit engine as much as possible. At last, according to the audit requirements, the relevant parameters were changed to achieve security audit of the intranet behavior. Experimental results showed that, compared with the classic Nondeterministic Finite Automaton (NFA) algorithm named Thompson, the state number of the transformation of the proposed automata construction algorithm was reduced to 10% to 20%, and the throughput became 8 to 12 times as much as the throughput of the traditional automata grouping engine in detection. The proposed audit scheme can satisfy the demand of the application layer protocol in safety audit with high accuracy and efficiency.

Key words: regular expression, protocol state, security audit, automaton grouping, demand choice

摘要: 针对网络安全审计中对应用层协议审计能力不足的问题,提出一种基于改进正则表达式(RE)规则分组的内网行为审计方案。首先,通过正则表达式对需审计的协议进行描述,并设置相关参数,使内网中出现频率高和审计中相对重要的协议状态在正则表达式描述集中取得高优先级;然后,在正则表达式交互值小的前提下,尽可能地将高优先级协议状态表达式构建到相同自动机分组中以生成审计引擎;最后,根据审计需求,改变相关参数,实现对内网行为的安全审计。实验结果显示,所提出的自动机构建算法在转化时的状态数缩减为经典非确定有限状态自动机(NFA)转化算法Thompson的10%~20%,检测时的吞吐量约为传统自动机分组引擎的8到12倍;所提审计方案能够满足对应用层协议进行安全审计的需求,具有较高的准确性和效率。

关键词: 正则表达式, 协议状态, 安全审计, 自动机分组, 需求选择

CLC Number: