Research And Implementation Of Protocol Identification Based On Regular Expression

Posted on: 2008-12-06
Degree: Master
Type: Thesis
Country: China
Candidate: H P Fan
GTID: 2178360242999285
Subject: Computer Science and Technology

Abstract/Summary:
Security technologies for high-speed networks, such as content auditing and intrusion detection, increasingly require protocol identification through analysis of application-layer traffic content. Traditional port-based identification cannot guarantee correct results because more and more new protocols are deployed on the network. To improve accuracy, methods based on packet payload inspection and on statistics and models have been adopted; they are more accurate than the port-based method, but they cannot meet the speed requirements of a backbone network. To achieve both accuracy and high speed, this thesis studies protocol identification based on regular expressions and implements a system that combines software and hardware.

The main results and contributions of this thesis are as follows:

1. To improve the accuracy of protocol identification, this thesis modifies the regular expressions for Edonkey, BT and QQ, based on L7-filter and on analysis of real traffic, so that they better meet practical requirements.
2. A DFA is used for regular expression matching, which improves matching speed. After the regular expression is compiled to an NFA with the classical Thompson algorithm, the ε-compressed NFA (ECNFA) construction algorithm compresses the ε edges of the NFA, and the NFA is then compiled to a DFA by the classical subset construction algorithm. The experimental results show that these methods improve both the compilation speed of regular expressions and the identification speed of protocols.
3. The One-Pass scanning algorithm is used to scan the DFA. Compared with L7-filter, it improves the speed of protocol matching.
4. A matching algorithm for a hardware matching engine is designed, which converts the DFA into a state transfer table stored in SRAM. A single-packet matching mode for regular-expression protocol identification is presented, and simulation tests show that the algorithm accelerates protocol identification matching.

The methods in this thesis make the correctness and performance of protocol identification better than those of L7-filter. The work has been applied in an actual project, which has passed its mid-term check; in testing, the correctness and performance of protocol identification satisfy the project's guidelines.
Keywords/Search Tags:network security, protocol identification, Nondeterministic Finite Automaton (NFA), Deterministic Finite Automaton (DFA), regular expression, state transfer table
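The pipeline the abstract describes (Thompson-style NFA, subset construction to a DFA, a transition table scanned in one pass) can be sketched as follows; this is an added example, not code from the thesis or from L7-filter. Assumptions: fragments are built with the hypothetical combinators `lit`, `cat` and `alt` instead of a regex parser, plain ε-closure stands in for the ECNFA step (which the abstract does not specify), matching is anchored at the start of the payload, and the two signatures are constructed and simplified.

```python
from itertools import count

_ids, EPS = count(), None  # NFA state ids; EPS marks an epsilon edge

def lit(byte_set):  # Thompson fragment: (start, accept, edges)
    s, t = next(_ids), next(_ids)
    return s, t, [(s, frozenset(byte_set), t)]

def cat(*fs):  # concatenation: epsilon-link each accept to the next start
    links = [(a[1], EPS, b[0]) for a, b in zip(fs, fs[1:])]
    return fs[0][0], fs[-1][1], sum((f[2] for f in fs), links)

def alt(a, b):  # alternation: new start/accept joined by epsilon edges
    s, t = next(_ids), next(_ids)
    return s, t, a[2] + b[2] + [(s, EPS, a[0]), (s, EPS, b[0]), (a[1], EPS, t), (b[1], EPS, t)]

def build_dfa(patterns):  # subset construction over every signature at once
    start, edges, accept = next(_ids), [], {}
    for name, (s, t, e) in patterns.items():
        edges += e + [(start, EPS, s)]
        accept[t] = name
    def closure(states):  # epsilon-closure of a set of NFA states
        todo = list(states)
        for q in todo:  # todo grows while it is being walked
            todo += [b for a, lab, b in edges if a == q and lab is EPS and b not in todo]
        return frozenset(todo)
    order, table, labels = [closure({start})], [], []
    for subset in order:  # order grows as new DFA states are discovered
        moves = {x: closure({b for a, lab, b in edges
                             if a in subset and lab is not EPS and x in lab})
                 for x in range(256)}
        order += [m for m in set(moves.values()) if m and m not in order]
        table.append({x: order.index(m) for x, m in moves.items() if m})
        labels.append(next((accept[q] for q in subset if q in accept), None))
    return table, labels

def identify(table, labels, payload):
    state = 0
    for byte in payload:  # one pass: a single table lookup per payload byte
        state = table[state].get(byte)
        if state is None or labels[state]:
            break  # dead state (nothing can match) or a signature matched
    return None if state is None else labels[state]

SIGNATURES = {  # constructed, simplified signatures for illustration only
    "bittorrent": cat(*(lit({b}) for b in b"\x13BitTorrent protocol")),
    "edonkey": cat(alt(lit({0xE3}), lit({0xC5})), *(lit(range(256)) for _ in range(4)), lit({0x01})),
}
TABLE, LABELS = build_dfa(SIGNATURES)
```

Because every signature is folded into one table, the cost per packet is one lookup per payload byte regardless of how many protocols are loaded, and a missing transition ends the scan early.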