Sun Meifeng, Gong Jian. Detecting and resolving conflict for network intrusion rule[J]. Journal of Southeast University (Natural Science Edition), 2006, 36(4): 522-525. doi:10.3969/j.issn.1001-0505.2006.04.006

Detecting and resolving conflict for network intrusion rule

Journal of Southeast University (Natural Science Edition) [ISSN: 1001-0505 / CN: 32-1178/N]

Volume:
36
Issue:
2006, No. 4
Pages:
522-525
Section:
Computer Science and Engineering
Publication date:
2006-07-20

Article Info

Title:
Detecting and resolving conflict for network intrusion rule
Authors:
Sun Meifeng 1,2; Gong Jian 2
1 School of Computer Science and Engineering, Southeast University, Nanjing 210096, China
2 College of Information Engineering, Yangzhou University, Yangzhou 225000, China
Keywords:
conflict detection; conflict resolution; rule; intrusion detection system
CLC number:
TP393
DOI:
10.3969/j.issn.1001-0505.2006.04.006
Abstract:
When an input event in an intrusion detection system (IDS) matches more than one rule in the intrusion rule base at the same time (a detection conflict), the resulting alarm is ambiguous, which leads to both false positives and false negatives. To address this, the paper uses a formal method to define the types of conflict and a set of criteria for deciding the relationship between two intrusion rules, and then gives algorithms for detecting and resolving conflicts. Analysis of the Snort rule base shows that the proposed criteria are correct and effective, that conflicts do exist in the rule base, and that cross conflicts (partial overlaps) predominate. A rule base built from expert experience therefore inevitably contains semantic contradictions, and detecting and resolving conflicts in the rule base automatically helps improve the effectiveness of the IDS.

References:

[1] Hari A, Suri S, Parulkar G. Detecting and resolving packet filter conflicts[C]//Proceedings of IEEE INFOCOM 2000. Tel Aviv, Israel, 2000: 1203-1212.
[2] Baboescu F, Varghese G. Fast and scalable conflict detection for packet classifiers[J]. Computer Networks: The International Journal of Computer and Telecommunications Networking, 2003, 42(6): 717-735.
[3] Al-Shaer E, Hamed H. Modeling and management of firewall policies[J/OL]. IEEE eTransactions on Network and Service Management, 2004 [2005-01-01]. http://www.mnlab.cs.depaul.edu/projects/FPA/files/tnsm04.pdf.
[4] Lu Shen, Gong Jian. A multi-dimension packet classification algorithm: nonintersection tree[J]. Chinese Journal of Computers, 2003, 26(11): 1502-1509. (in Chinese)
[5] The Snort Project. Snort users manual 2.2.0[EB/OL]. (2004-08) [2005-02-01]. http://www.snort.org/docs/snort_manual.

Memo:
Funding: National Basic Research Program of China (973 Program) (2003CB314804); Jiangsu Provincial Key Laboratory of Network and Information Security (BM2003201).
About the authors: Sun Meifeng (born 1970), female, PhD candidate; Gong Jian (corresponding author), male, PhD, professor, doctoral supervisor, jgong@njnet.edu.cn.
Last update: 2006-07-20