PC信息安全防护体系的研究与构造
|
摘要
网络安全状况的恶化威胁着网上PC的安全。针对PC面临的安全问题,如何开发出具有全面功能和良好性能的防护体系已成为安全领域一个新的研究热点。这一安全体系有望解决PC的安全问题,因此有着广阔的应用前景和市场。
在本文中,作者分析了网络安全问题产生的原因、特点及其在PC上的具体表现,并着重对一些网络安全防护体系进行实现原理、优缺点和应用方面的研究。作者的主要工作包括:结合安全问题和PC系统的特点,提出PC信息安全防护体系的整体构建方案,对体系中的功能模块进行功能设计和性能优化,同时利用模块之间的通信实现系统的动态化。最后还在windows2000环境中利用C++等编程语言对方案中的部分功能进行了编程实现。
The labefaction of network's security status threatens the security of PC on net. In allusion to security problems PC faces, how to develop defending system with full function and good performance becomes a new research hotspot. This security system is deemed to resolve security problems of PC and has broad applied future and market.
In this thesis, we analyze the causes, characteristics of network security problems and it's idiographic representation on PC, and especially study the realizing principles, virtues, defects and applications of some network security system. The work we have done includes: Considering the characteristics of security problems and PC system, put forward a holistic construction scheme of PC information security defending system. We also design function and optimize performance for function modules in the system and make the system dynamic in use of communication between various modules. In the end, we also program to realize part function of the scheme by use of C梤 in windows2000.
在本文中,作者分析了网络安全问题产生的原因、特点及其在PC上的具体表现,并着重对一些网络安全防护体系进行实现原理、优缺点和应用方面的研究。作者的主要工作包括:结合安全问题和PC系统的特点,提出PC信息安全防护体系的整体构建方案,对体系中的功能模块进行功能设计和性能优化,同时利用模块之间的通信实现系统的动态化。最后还在windows2000环境中利用C++等编程语言对方案中的部分功能进行了编程实现。
The labefaction of network's security status threatens the security of PC on net. In allusion to security problems PC faces, how to develop defending system with full function and good performance becomes a new research hotspot. This security system is deemed to resolve security problems of PC and has broad applied future and market.
In this thesis, we analyze the causes, characteristics of network security problems and it's idiographic representation on PC, and especially study the realizing principles, virtues, defects and applications of some network security system. The work we have done includes: Considering the characteristics of security problems and PC system, put forward a holistic construction scheme of PC information security defending system. We also design function and optimize performance for function modules in the system and make the system dynamic in use of communication between various modules. In the end, we also program to realize part function of the scheme by use of C梤 in windows2000.
引文
[1] Heady, R., Luger,G., Maccabe, A., et al. The architecture of a network level intrusion detection system. Technical Report, Department of Computer Science, University of New Mexico, 1990.
[2] http://www.cs.ucsb.edu/-kemrn/NetSTAT/docurnents.html.
[3] Kumar, G. Classification and detection of computer intrusions[ph.D. Thesis]. Purdue University, 1995,pp.26-49.
[4] Winn Schwartau. Time-Based Security Explained: Provabole Security Models and Formulas for the Practitioner and Vendor. Computers & Security. 1998, Vol. 17, No.8. pp.693-714.
[5] Mike Frantzen, Florian Kerschbaum, E. Eugene Schultz and Sonia Fahmy. A Framework for Understanding Vulnerabilities in Firewalls Using a Dataflow Model of Firewall Internals. Computers & Security. 2001, Vol.20, No.3. pp.263-270.
[6] Ziemba, G., Reed D. and Traina p, "Security Considerations for IP fragment Filtering." RFC 1858. 1995 October.
[7] Robert Graham. NIDS-Pattern Search vs. Protocol Decode. Computers & Security. 2001, Vol. 20, No. 1. pp. 37-41.
[8] Atkinson R.Security Architecture for the Internet Protocol. RFC1825, 1995, August.
[9] Denning, D.E. An intrusion-detection model. IEEE Transactions on Software Engineering. 1987, vol. 13, No. 2. pp.222-232.
[10] Dr. David Robb. Developing Firewall Technology: Hardwall-White Paper. Computers & Security. 1999, Vol. 18, No. 6. pp. 471-478.
[11] Donald L. Brinkley and Roger R. Schell. Concepts and Terminology for computer Security. Information Security. IEEE Computer Society Press, Los Alamitos, Calif., 1995.
[12] Frame, L. SCOMP: A Solution to the Multilevel Security Problem. Computer. July 1983, Vol. 16, No. 7. pp.26-34.
[13] Thompson, M. G. Introduction to the Gemini Trusted Network Processor. 13th Nat'l Computer Security Conf., 1990. pp.211-217.
[14] Carla, T. L., Brodley, E. Temporal sequence learning and data reduction for anomaly detection. Proceedings of the 5th Conference on Computer and Communications Security. New York: ACM Press.1998. pp.150-158.
[15] Dr Roger R. Schell and Michael F. Thompson. Platform Security: What is Lacking? Information Security Technical Report. 2000, Vol.5, No.1. pp.26-41.
[16]Ivan Philips, MSc BSc. Windows 2000 Security: A balanced View. Information Security Technical Report. 2000, Vol.5, No. 1. pp.64-82.
[17]Winn Schwartau. Surviving Denial of Service. Computer & Security. 1999, Vol. 18, No.2. pp.124-133.
[18]Stephen Hinde. The Weakest Link. Computer & Security. 2001. Vol.20, No.4. pp.295-301.
[19]Jonathan Tregear. Risk Assesment. Information Security Technical Report. 2001. Vol.6, No.3. pp.19-27.
[20]Nevil Dunbar. IPSec Networking Standards-An Overview. Information Security Technical Report. 2001. Vol.6, No. 1. pp35-48.
[21]Samantha Donovan, Peter Draubwell etc. Information Security Technical Report. 2000. Vol.6, No. 1. pp49-64.
[22]Mike Frantzan, Florian Kerschbaum etc. A Framework for Understanding Vulnerabilities in Firewalls Using a Dataflow Model of Firewall Internals. 2001. Vol.20, No.3. pp.263-270.
[23]Mariana Gerber, Rossouw Von Solms. From Risk Analusis to Security Requirements. 2001. Vol.20, No.7, pp.577-584.
[24]Dr. Denis Zenkin. Fighting Against the invisible Enemy, Methods for detecting an unknown Virus. 2001. vol.20, No.4. pp316-325.
[25]黄锦,李家滨。基于防火墙日志信息的入侵检测研究。计算机工程。2001/9,Vol.27,No.9.pp.115-117.
[26]王作芬,王芙蓉,黄本雄。虚拟专用网中IPSec隧道技术的研究与实现。计算机工程。2001/6,Vol.27,No.6.pp.118-119.
[27]蒋建春,马恒太,任党恩等。网络安全入侵检测:研究综述。软件学报。2000,Vol.11,No.11。pp.1460-1466。
[28]徐国爱,李中献,杨义先。PC防火墙的设计和实现。计算机工程与应用。2000,No.4。pp.116-118。
[29]龚俭,董庆,陆晟。面向入侵检测的网络安全检测实现模型。小型微型计算机系统。2001,2,vol.22,No.2。pp.145-148.
[30]王晓程,刘恩德,谢小权。网络入侵检测系统的研究。计算机工程与科学。2000,4,Vol.22,No.4.pp.30-36.
[31]干国华,陈昕鑫,杨培根。基于Windows Sockets 2的应用层透明防火墙设计与实现。2000,10,Vol.26,No.10。pp.157-159.
[32]邹勇等。增强型包过滤防火墙规则的形式化及推理机的设计与实现。计算机研究与发展。2000,No.12.pp.1472-1476.
[33]朱承,张骏等。TCP/IP网络中的若干安全问题。计算机工程。1999,12,Vol.25,No.12.pp.88-91.
[34]孙静,曾红卫。网络安全检测与预警。计算机工程。2001/7,Vol.27,No.7.pp.109-110.
[35]陈捷,熊云凤,杨宇航。TCP/IP协议中的一种形式化的分组过滤模型。计算机工程。2001/9,Vol.27,No.10.pp.136-137.
[36]王育民,刘建伟。通信网的安全—理论与技术。西安电子科技大学出版社,1999。Pp.389-417.
作者在攻读硕士期间发表的论文
1.寇芸,宋鹏鹏,王育民。“动态PC防火墙系统结构的研究”,《通信技术》。2001年,第6期,pp.13-15。
2.寇芸,王育民。“DDOS攻击的原理及其防范”,《网络安全技术与应用》。2001年,第8期,pp.32-34。
3.宋鹏鹏,寇芸,王育民。“第三代移动通信系统安全体制浅析”,《网络安全技术与应用》。2001年,第8期,pp.16-19。
4.寇芸,宋鹏鹏,王育民。“入侵检测系统与PC安全的研究”,《计算机工程》。已被录用,并将于2002年刊登。
[2] http://www.cs.ucsb.edu/-kemrn/NetSTAT/docurnents.html.
[3] Kumar, G. Classification and detection of computer intrusions[ph.D. Thesis]. Purdue University, 1995,pp.26-49.
[4] Winn Schwartau. Time-Based Security Explained: Provabole Security Models and Formulas for the Practitioner and Vendor. Computers & Security. 1998, Vol. 17, No.8. pp.693-714.
[5] Mike Frantzen, Florian Kerschbaum, E. Eugene Schultz and Sonia Fahmy. A Framework for Understanding Vulnerabilities in Firewalls Using a Dataflow Model of Firewall Internals. Computers & Security. 2001, Vol.20, No.3. pp.263-270.
[6] Ziemba, G., Reed D. and Traina p, "Security Considerations for IP fragment Filtering." RFC 1858. 1995 October.
[7] Robert Graham. NIDS-Pattern Search vs. Protocol Decode. Computers & Security. 2001, Vol. 20, No. 1. pp. 37-41.
[8] Atkinson R.Security Architecture for the Internet Protocol. RFC1825, 1995, August.
[9] Denning, D.E. An intrusion-detection model. IEEE Transactions on Software Engineering. 1987, vol. 13, No. 2. pp.222-232.
[10] Dr. David Robb. Developing Firewall Technology: Hardwall-White Paper. Computers & Security. 1999, Vol. 18, No. 6. pp. 471-478.
[11] Donald L. Brinkley and Roger R. Schell. Concepts and Terminology for computer Security. Information Security. IEEE Computer Society Press, Los Alamitos, Calif., 1995.
[12] Frame, L. SCOMP: A Solution to the Multilevel Security Problem. Computer. July 1983, Vol. 16, No. 7. pp.26-34.
[13] Thompson, M. G. Introduction to the Gemini Trusted Network Processor. 13th Nat'l Computer Security Conf., 1990. pp.211-217.
[14] Carla, T. L., Brodley, E. Temporal sequence learning and data reduction for anomaly detection. Proceedings of the 5th Conference on Computer and Communications Security. New York: ACM Press.1998. pp.150-158.
[15] Dr Roger R. Schell and Michael F. Thompson. Platform Security: What is Lacking? Information Security Technical Report. 2000, Vol.5, No.1. pp.26-41.
[16]Ivan Philips, MSc BSc. Windows 2000 Security: A balanced View. Information Security Technical Report. 2000, Vol.5, No. 1. pp.64-82.
[17]Winn Schwartau. Surviving Denial of Service. Computer & Security. 1999, Vol. 18, No.2. pp.124-133.
[18]Stephen Hinde. The Weakest Link. Computer & Security. 2001. Vol.20, No.4. pp.295-301.
[19]Jonathan Tregear. Risk Assesment. Information Security Technical Report. 2001. Vol.6, No.3. pp.19-27.
[20]Nevil Dunbar. IPSec Networking Standards-An Overview. Information Security Technical Report. 2001. Vol.6, No. 1. pp35-48.
[21]Samantha Donovan, Peter Draubwell etc. Information Security Technical Report. 2000. Vol.6, No. 1. pp49-64.
[22]Mike Frantzan, Florian Kerschbaum etc. A Framework for Understanding Vulnerabilities in Firewalls Using a Dataflow Model of Firewall Internals. 2001. Vol.20, No.3. pp.263-270.
[23]Mariana Gerber, Rossouw Von Solms. From Risk Analusis to Security Requirements. 2001. Vol.20, No.7, pp.577-584.
[24]Dr. Denis Zenkin. Fighting Against the invisible Enemy, Methods for detecting an unknown Virus. 2001. vol.20, No.4. pp316-325.
[25]黄锦,李家滨。基于防火墙日志信息的入侵检测研究。计算机工程。2001/9,Vol.27,No.9.pp.115-117.
[26]王作芬,王芙蓉,黄本雄。虚拟专用网中IPSec隧道技术的研究与实现。计算机工程。2001/6,Vol.27,No.6.pp.118-119.
[27]蒋建春,马恒太,任党恩等。网络安全入侵检测:研究综述。软件学报。2000,Vol.11,No.11。pp.1460-1466。
[28]徐国爱,李中献,杨义先。PC防火墙的设计和实现。计算机工程与应用。2000,No.4。pp.116-118。
[29]龚俭,董庆,陆晟。面向入侵检测的网络安全检测实现模型。小型微型计算机系统。2001,2,vol.22,No.2。pp.145-148.
[30]王晓程,刘恩德,谢小权。网络入侵检测系统的研究。计算机工程与科学。2000,4,Vol.22,No.4.pp.30-36.
[31]干国华,陈昕鑫,杨培根。基于Windows Sockets 2的应用层透明防火墙设计与实现。2000,10,Vol.26,No.10。pp.157-159.
[32]邹勇等。增强型包过滤防火墙规则的形式化及推理机的设计与实现。计算机研究与发展。2000,No.12.pp.1472-1476.
[33]朱承,张骏等。TCP/IP网络中的若干安全问题。计算机工程。1999,12,Vol.25,No.12.pp.88-91.
[34]孙静,曾红卫。网络安全检测与预警。计算机工程。2001/7,Vol.27,No.7.pp.109-110.
[35]陈捷,熊云凤,杨宇航。TCP/IP协议中的一种形式化的分组过滤模型。计算机工程。2001/9,Vol.27,No.10.pp.136-137.
[36]王育民,刘建伟。通信网的安全—理论与技术。西安电子科技大学出版社,1999。Pp.389-417.
作者在攻读硕士期间发表的论文
1.寇芸,宋鹏鹏,王育民。“动态PC防火墙系统结构的研究”,《通信技术》。2001年,第6期,pp.13-15。
2.寇芸,王育民。“DDOS攻击的原理及其防范”,《网络安全技术与应用》。2001年,第8期,pp.32-34。
3.宋鹏鹏,寇芸,王育民。“第三代移动通信系统安全体制浅析”,《网络安全技术与应用》。2001年,第8期,pp.16-19。
4.寇芸,宋鹏鹏,王育民。“入侵检测系统与PC安全的研究”,《计算机工程》。已被录用,并将于2002年刊登。