Research And Implemention On Detection Engine For WWW Server Protection System

With the widely application of web technology and the degradation of network security environment, security problems of website have become increasingly prominent, and WWW server protection technology is of growing importance. Intrusion Detection Technology, a proactive security protection technology, provides real-time protection to internal and external attacks and misuse. It could respond to intercept before the invasion works. Thus Intrusion Detection Technology is widely used in the protection of the WWW servers. Construction of WWW server protection system based on intrusion detection technology has become one of the most important technologies to keep WWW server work normaly, and detection module is one of the key technologies in the protection system.This thesis researches and implements a detection engine of WWW server protection system base on open-source Intrusion Detection System (IDS)—Snort. First, this paper outlines the web security issues and status of common WWW server defense technologies, presents the significance of WWW server protection system research. Then, analyzes the structure and principles of open source system Snort and intrusion detection technologies, describes the wide use of intrusion detection technology in web server protection and inadequates of Snort system.Then, according to the fact that most of intrusion dection systems used in web server protection are based on misuse detection technology of which the efficiency of matching algorithm has a critical impact on the the engine's efficiency, string matching algorithms are researched. Improved BM and KR algorithms are introduced, implemented and tested. And then, the design and implementation of the detection engine are presented, rules analysis, the protocol analysis and the rules matching are described in detail. According to the fact that the intrution datas received by www server in a certain time have some common characteristics, dynamic index adjustment technology is applied here to accelerate rules matching. Following, against SQL injection attacks have serious threat on the WWW server, SQL attack technology is analysed, and rules are defined accordingly. Finally, the test of the detection engine for WWW server protection system is done, and the testing conclusions are given.