
The Research And Implementation Of The Key Technology Of Protocol Behavior Audit

Posted on: 2011-01-19
Degree: Master
Type: Thesis
Country: China
Candidate: Y M Zhang
GTID: 2178360308485605
Subject: Computer technology

Abstract/Summary:
With the advance of global informatization, network applications in the political, economic, military, cultural and other fields are steadily expanding and deepening, and network security faces serious challenges. Researchers have studied many techniques to enhance network security from a variety of perspectives, including firewalls, antivirus, intrusion detection, network isolation and security audit. Network behavior audit detects abnormal network traffic and activity and raises timely alarms on incidents, and it plays an important role in internal network security. Protocol behavior audit is an important part of network behavior audit. Taking internal network security audit as its starting point and working from the network protocols themselves, it analyzes the contents of network packets in depth and on-line to recover application protocol behavior, with the ultimate aim of auditing user activity.

Because new application protocols emerge continually, protocol behavior audit must be flexibly extensible. This paper proposes key technology for protocol behavior audit based on regular expressions, comprising the basic flow of extensible protocol behavior audit, a method for parsing protocols based on regular expressions, and extension mechanisms for auditing new protocols. Application protocol behavior analysis based on regular expressions is the core of protocol behavior audit: application protocols are first described with regular expressions to build a protocol description database, and protocol behavior is then parsed, which requires knowledge of the protocol's interaction process and uses a regular expression matching engine. Auditing a new protocol requires adding its regular expression description to the protocol description database, together with a modular design of the regular-expression-based protocol behavior analysis component.

According to the requirements of internal network security audit and based on the proposed key technology, this paper chooses three protocols as audit targets: HTTP for web browsing, SMB for sharing network files and resources, and TNS for remote access to Oracle databases. After analysis and study of the features of the three protocols, a protocol behavior audit system for them is designed and implemented using the key technology of protocol behavior audit. The system has been tested using rigorous methods; the tests show that it meets the design requirements and the basic conditions for practical application, and they verify the feasibility of the key technology of protocol behavior audit based on regular expressions.
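The protocol description database and its extension mechanism can be sketched as follows. This is an added example, not code from the thesis: the regular expressions, the record fields, the function names and the FTP extension are all assumptions, and the payloads are constructed samples.

```python
import re

# Protocol description database: protocol name -> [(behavior, compiled regex)].
# Every pattern below is an illustrative assumption, not the thesis's description.
PROTOCOL_DB = {}

def register_protocol(name, descriptions):
    """Extension mechanism: a new protocol is added as regex descriptions only."""
    PROTOCOL_DB[name] = [(behavior, re.compile(pattern))
                         for behavior, pattern in descriptions]

register_protocol("HTTP", [
    ("request",
     rb"^(?P<method>GET|POST|HEAD|PUT|DELETE|OPTIONS) (?P<uri>\S+) HTTP/1\.[01]\r\n"
     rb"(?:[^\r\n]+\r\n)*?Host: (?P<host>[^\r\n]+)\r\n"),
    ("response", rb"^HTTP/1\.[01] (?P<status>\d{3}) "),
])

def audit(payload, src, dst):
    """Match one reassembled payload against every description in the database.

    Returns an audit record (dict) for the first matching behavior, or None
    when no description in the database recognizes the payload.
    """
    for proto, descriptions in PROTOCOL_DB.items():
        for behavior, regex in descriptions:
            m = regex.search(payload)
            if m:
                fields = {k: v.decode("latin-1") for k, v in m.groupdict().items()}
                return {"src": src, "dst": dst, "protocol": proto,
                        "behavior": behavior, **fields}
    return None

def demo():
    """Audit a constructed FTP command before and after extending the database."""
    ftp = b"RETR payroll.xls\r\n"                      # constructed sample payload
    before = audit(ftp, "10.0.0.5", "10.0.0.21")       # FTP not yet described
    register_protocol("FTP", [                         # hypothetical new protocol
        ("login", rb"^USER (?P<user>[^\r\n]+)\r\n"),
        ("download", rb"^RETR (?P<file>[^\r\n]+)\r\n"),
    ])
    after = audit(ftp, "10.0.0.5", "10.0.0.21")
    return before, after

if __name__ == "__main__":
    http = b"GET /index.html HTTP/1.1\r\nUser-Agent: t\r\nHost: intranet.example\r\n\r\n"
    print(audit(http, "10.0.0.5", "10.0.0.80"))        # constructed sample payload
    print(demo())
```

The matching loop in `audit` never changes when a protocol is added; only the database grows, which is the property the extension mechanism depends on.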
Keywords/Search Tags: protocol behavior audit, regular expressions, network behavior audit, protocol analysis