Study Of The Technology Of Monitoring HTTP Packets And Keyword Filtration

Posted on: 2008-06-28
Degree: Master
Type: Thesis
Country: China
Candidate: Y L Deng
GTID: 2178360215958953
Subject: Communication and Information System
Abstract/Summary:
With the development of information technology and Internet applications, network attacks and intrusions are increasing rapidly, and the importance of information system security, and of computer network security in particular, is becoming increasingly prominent. Strengthening the study and practice of network security has become more important, and monitoring, information system auditing and forensics technology is an important means of ensuring the safe and reliable operation of information systems. During the design and implementation of a network security monitoring and auditing system, the technology of capturing and reassembling data packets and the Berkeley Packet Filter mechanism in Linux are discussed, and the characteristics of data acquisition in gateway mode and in sniffer mode, as well as the principle of data reassembly, are analyzed. The design of the network monitoring system is divided mainly into a network probe, which is independent of application protocols, and an HTTP packet reassembling module, which depends on the application protocol. The programmer responsible for a protocol module therefore only needs to focus on what relates to the application protocol, which greatly reduces the complexity of the protocol analysis module, simplifies the module design, and indirectly enhances the robustness of the software. The network probe consists of a data send/receive module, an XML file parsing module, a log module, a packet capture module, a packet cache module and a TCP session reassembling module. The technology of reassembling HTTP data from raw packets is studied, including decompressing data compressed with gzip and decoding chunked encoding.
The HTTP text data is filtered as it is reassembled, and the matched data is transferred to the data center for later forensics. The filtration technology for HTTP data is more important to a network monitoring system. In my paper, I proposed a method that matches the text against the keywords reversely, to overcome the shortcoming of methods based on traditional pattern-matching algorithms, which are unacceptably slow. In my method, a keyword list is stored in a hash table and in a trie tree separately, and the keyword list is compared with the text reversely, which greatly reduces the filtration time. The network monitoring system designed in my paper can raise an alarm in time when sensitive HTTP pages are accessed. In a network monitoring system, the keyword filter technology seriously affects performance, and I use the technique of reversely matching text against keywords stored in a trie tree, which significantly improved the keyword matching speed.
Keywords/Search Tags: network monitor, network probe, HTTP data reassembling, keywords filtration
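The reassembly and filtering steps the abstract describes (decode chunked encoding, decompress gzip, match against a keyword trie), as an added example that is not code from the thesis. It assumes that matching the text against the keywords "reversely" means walking the text once and descending the keyword trie from each offset, instead of searching the text once per keyword; all function names and the sample response are constructed for illustration.

```python
import gzip

def dechunk(body: bytes) -> bytes:
    """Decode an HTTP/1.1 chunked body; chunk extensions and trailers are ignored."""
    out, pos = bytearray(), 0
    while True:
        eol = body.index(b"\r\n", pos)  # ValueError if the size line is truncated
        size = int(body[pos:eol].split(b";", 1)[0].strip(), 16)
        if size == 0:
            return bytes(out)
        chunk = body[eol + 2:eol + 2 + size]
        if len(chunk) < size:
            raise ValueError("truncated chunk data")
        out += chunk
        pos = eol + 2 + size + 2  # skip the CRLF that ends the chunk data

def build_trie(keywords):
    root = {}
    for kw in keywords:
        node = root
        for ch in kw.lower():
            node = node.setdefault(ch, {})
        node[None] = kw  # None marks the end of a keyword
    return root

def scan(text, trie):
    """From each text offset, descend the trie while characters keep matching."""
    low, hits = text.lower(), []
    for i in range(len(low)):
        node, j = trie, i
        while j < len(low) and low[j] in node:
            node = node[low[j]]
            j += 1
            if None in node:
                hits.append((i, node[None]))
    return hits  # offsets index the lower-cased text

def filter_body(raw, headers, trie):  # header names assumed already lower-cased
    if headers.get("transfer-encoding", "").lower() == "chunked":
        raw = dechunk(raw)
    if headers.get("content-encoding", "").lower() == "gzip":
        raw = gzip.decompress(raw)
    return scan(raw.decode("utf-8", errors="replace"), trie)

def sample_response():  # constructed sample: gzip page split across two chunks
    gz = gzip.compress(b"<html><body>Quarterly report: Project Falcon budget</body></html>")
    parts = [gz[:len(gz) // 2], gz[len(gz) // 2:]]
    body = b"".join(b"%x\r\n%s\r\n" % (len(p), p) for p in parts) + b"0\r\n\r\n"
    return body, {"transfer-encoding": "chunked", "content-encoding": "gzip"}
```

The cost of `scan` is bounded by text length times the longest keyword, independent of how many keywords the list holds, which is the property that makes the trie attractive for a large keyword list.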