网络处理器平台下基于角色的分片审计研究

提出了一种基于角色的分片审计模型，以解决因利用各个操作系统分片重组策略不同的特点进行网络渗透而导致安全审计系统识别能力降低的问题．其主要思想是：在处理畸形的分片数据包的同时，将采集终端主机的操作系统类型写入角色信息库，并根据角色信息进行分片重组转发，从而消除了分片语义歧义性．同时，提出了BSD-Linux、BSD-Right和First先行转发策略，以提高系统的性能．采用分阶段流水处理的微引擎设计模型，可使系统原型在网络处理器上得以实现．从实验结果中看出，该模型能有效提高安全审计系统的识别精度，消除分片语义歧义性．在处理大负载的情况下，先行转发策略的运用可使系统的识别精度维持在90％左右。

Research on the Role-Based Fragment Audit Based on Network Processor

A fragment audit model based on role was proposed to solve the problem that the network intrusion carried out by the policy of fragment reassembles according to the character is different in different OS leads to the decrease of the discernment of security audit systems. The main idea is as follows: while dealing with the malformed fragment, the collected OS classes of the terminate host are written into the role database. In order to eliminate the fragment semantic ambiguity, fragments were reassembled according to the role information and transmitted. To improve the performance, the BSD-Linux, the BSD-right and the first pre-forward policy were proposed. Applying the microengine design model of staged pipeline processing, the prototype was implemented well in a network processor. The experiments show that the fragment audit model could improve the discernment precision of security audit systems efficiently and eliminate the fragment semantic ambiguity. With the pre-forward policies, the discernment precision can be maintained about 90% in heavy processing load.