Research and Implementation of an Intelligent Intrusion Detection System
Abstract
Intrusion detection has been a focus of network security research in recent years. As computer security problems become more acute, higher demands are placed on intrusion detection systems (IDS). The two largest shortcomings of current IDSs are that they cannot quickly detect newly emerging anomalous intrusions and that their false-positive rate is high. The human immune system and a network intrusion detection system perform very similar functions, so the immune system offers a natural template for the research and development of network IDSs. Many properties of the immune mechanism, such as multiple layers, diversity, uniqueness, dynamic protection, adaptability and associative memory, can be exploited to improve a system's robustness, adaptability and dynamic protection.
     On the other hand, most current intrusion detection research concentrates on raising the detection rate, lowering the false-positive rate and speeding up detection, while the response module of today's IDSs still has unsolved problems: it reacts to each attack event in isolation, has no predictive capability and is purely an after-the-fact activity; it does not take into account the false positives and false negatives of the analysis engine; and it lacks unified, coordinated defence against sophisticated, organised distributed attacks, so no multi-system defence can be achieved. It is therefore necessary to analyse intrusion response so that the response module can react differently at different stages of an intrusion, reduce manual intervention and become adaptive.
     The main work of this thesis is to analyse the latest immune-based dynamic intrusion detection model, improve and implement it, and demonstrate the advantages of the improvement experimentally. By analysing the biological theories of the thymus and of somatic hypermutation, the thesis applies them respectively to the detector's detection process and to the control of the detector's life cycle. Simulation experiments show that the new intrusion detection model adapts better than the traditional immune-based dynamic method. An immune-based dynamic distributed IDS is then implemented, each of its modules is described in detail, and on the basis of its actual operating results the strengths and weaknesses of current immune-based IDSs are analysed and summarised. Separately, after analysing the problems of current intrusion response systems, the thesis proposes an intrusion response model built on the J2EE framework using workflow and job scheduling. The model first filters all alarm events and then responds to them; while responding to the current alarm it also uses the relationships among alarm messages to issue an on-line early warning of the attacks that may follow and to generate the corresponding response measures. Experimental analysis shows that the model can take active measures after an intrusion occurs to block its continuation, reduce the loss to the system and protect the victim system. In addition, the description of Petri nets is extended so that they model workflow management better. Finally, some reflections on intrusion detection systems are given and future work in the field is outlined.
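The detector life cycle described above, as an added illustration rather than the thesis's own implementation: a negative-selection detector set is tolerised against a constructed "self" set (the thymus phase), detectors that fire are promoted to memory after repeated matches and spawn hypermutated clones, and mature detectors that never activate are retired and replaced. The 16-bit event signatures, the r-contiguous matching rule, the self set and all thresholds are assumptions chosen for the example.

```python
"""Immune-inspired anomaly detector with a detector life cycle.

Added example, not code from the thesis. It models two ideas named in the
abstract: negative selection in a thymus-like tolerisation phase and somatic
hypermutation of detectors that fire. Event signatures are constructed
16-bit strings; the self set and every threshold are assumptions.
"""
import random
from dataclasses import dataclass

PATTERN_LEN = 16      # bits per event signature (assumed feature encoding)
R_CONTIGUOUS = 8      # match if r contiguous bits agree
LIFETIME = 50         # events a mature detector survives without activating
ACTIVATION = 3        # matches needed to promote a detector to memory
CLONES = 2            # hypermutated clones produced per activation

# Constructed "self" set: signatures of normal connections seen in training.
SELF_SET = [
    "0000111100001111",
    "0000111100001110",
    "0001111100001111",
    "1100000011000000",
    "1100000011000011",
]


def matches(detector: str, event: str, r: int = R_CONTIGUOUS) -> bool:
    """r-contiguous-bits rule: some window of r bits is identical."""
    return any(detector[i:i + r] == event[i:i + r]
               for i in range(len(event) - r + 1))


@dataclass
class Detector:
    pattern: str
    state: str = "mature"   # "mature" or "memory"
    age: int = 0
    hits: int = 0


class ImmuneIDS:
    def __init__(self, self_set, n_detectors=40, seed=1):
        self.rng = random.Random(seed)
        self.self_set = list(self_set)
        self.detectors = []
        while len(self.detectors) < n_detectors:
            self.detectors.append(Detector(self._tolerize(self._random_pattern())))

    def _random_pattern(self):
        return "".join(self.rng.choice("01") for _ in range(PATTERN_LEN))

    def _tolerize(self, candidate):
        """Thymus phase: a candidate that matches any self pattern is discarded
        and a fresh one drawn, so every surviving detector is self-tolerant."""
        while any(matches(candidate, s) for s in self.self_set):
            candidate = self._random_pattern()
        return candidate

    def _hypermutate(self, pattern, flips=2):
        """Somatic hypermutation: flip a few random bits of a firing detector."""
        bits = list(pattern)
        for i in self.rng.sample(range(PATTERN_LEN), flips):
            bits[i] = "1" if bits[i] == "0" else "0"
        return "".join(bits)

    def observe(self, event):
        """Process one event; return the patterns of detectors that fired."""
        fired = [d for d in self.detectors if matches(d.pattern, event)]
        clones = []
        for d in fired:
            d.hits += 1
            d.age = 0
            if d.hits >= ACTIVATION:
                d.state = "memory"          # long-lived, like immune memory cells
            for _ in range(CLONES):
                # clones must also be self-tolerant, otherwise they would
                # reintroduce false positives on normal traffic
                c = self._hypermutate(d.pattern)
                if not any(matches(c, s) for s in self.self_set):
                    clones.append(Detector(c))
        # ageing: mature detectors that never activated are retired and replaced
        survivors = []
        for d in self.detectors:
            d.age += 1
            if d.state == "mature" and d.age > LIFETIME:
                survivors.append(Detector(self._tolerize(self._random_pattern())))
            else:
                survivors.append(d)
        self.detectors = survivors + clones
        return [d.pattern for d in fired]

    def self_false_positives(self):
        """Self patterns that some detector would flag; must stay empty."""
        return [s for s in self.self_set for d in self.detectors
                if matches(d.pattern, s)]
```

Two properties are worth checking whenever such a scheme is tuned: no detector, including hypermutated clones, may ever match the self set, and a detector that is never activated within its lifetime must actually be retired, otherwise the pool stops adapting.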
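The response pipeline sketched in the abstract, filter alarms first, respond to the current one, and use the relationships among alarms to warn of the step that is likely to follow, as an added illustration and not the thesis's J2EE/workflow implementation. The alarm records, the multi-step attack model, the dedup window, the confidence threshold and the response table are all constructed assumptions; the `unmodelled_transitions` check is one way to surface the analysis-engine misses that the abstract says a responder must not ignore.

```python
"""Alarm filtering, correlation and on-line prediction for intrusion response.

Added example, not code from the thesis. The attack-step model, response
table, thresholds and sample alarms are assumptions built for the example.
"""
from collections import defaultdict

# Assumed multi-step attack model: (likely next alarm class, edge probability).
NEXT_STEP = {
    "port_scan":       ("service_exploit", 0.6),
    "service_exploit": ("priv_escalation", 0.7),
    "priv_escalation": ("data_exfil", 0.8),
}
# Assumed response per stage; severity escalates with attacker progress.
RESPONSE = {
    "port_scan":       "log_and_watch",
    "service_exploit": "rate_limit_source",
    "priv_escalation": "block_source_at_firewall",
    "data_exfil":      "isolate_host",
}
DEDUP_WINDOW = 60        # seconds: identical alarms inside this window count once
MIN_CONFIDENCE = 0.5     # alarms below this are treated as probable false positives
PREEMPT_THRESHOLD = 0.6  # act on a predicted step only when the edge is this likely

# Constructed alarm feed (IDMEF-like fields reduced to what the pipeline needs).
ALARMS = [
    {"ts": 0,   "src": "10.0.0.5", "dst": "10.0.1.20", "cls": "port_scan",       "confidence": 0.9},
    {"ts": 10,  "src": "10.0.0.5", "dst": "10.0.1.20", "cls": "port_scan",       "confidence": 0.9},  # repeat
    {"ts": 30,  "src": "10.0.0.9", "dst": "10.0.1.20", "cls": "port_scan",       "confidence": 0.3},  # weak
    {"ts": 120, "src": "10.0.0.5", "dst": "10.0.1.20", "cls": "service_exploit", "confidence": 0.8},
    {"ts": 200, "src": "10.0.0.5", "dst": "10.0.1.20", "cls": "priv_escalation", "confidence": 0.7},
]


def filter_alarms(alarms):
    """Drop low-confidence alarms and collapse repeats of the same
    (source, target, class) that arrive within DEDUP_WINDOW seconds."""
    kept, last_seen = [], {}
    for a in sorted(alarms, key=lambda x: x["ts"]):
        if a["confidence"] < MIN_CONFIDENCE:
            continue
        key = (a["src"], a["dst"], a["cls"])
        if key in last_seen and a["ts"] - last_seen[key] < DEDUP_WINDOW:
            continue
        last_seen[key] = a["ts"]
        kept.append(a)
    return kept


def correlate(alarms):
    """Group filtered alarms into per-(src, dst) chains in time order."""
    chains = defaultdict(list)
    for a in alarms:
        chains[(a["src"], a["dst"])].append(a["cls"])
    return dict(chains)


def unmodelled_transitions(chain):
    """Consecutive steps the attack model does not predict. A gap like
    port_scan -> priv_escalation suggests the engine missed the exploit
    alarm, so the chain should be trusted less, not ignored."""
    return [(a, b) for a, b in zip(chain, chain[1:])
            if NEXT_STEP.get(a, (None, 0.0))[0] != b]


def predict_and_respond(chain):
    """Return (response to current step, predicted next step, pre-emptive response)."""
    current = chain[-1]
    current_response = RESPONSE.get(current, "escalate_to_analyst")
    nxt = NEXT_STEP.get(current)
    if nxt is None:
        return current_response, None, None
    step, p = nxt
    preempt = RESPONSE[step] if p >= PREEMPT_THRESHOLD else None
    return current_response, step, preempt


def process(alarms):
    """Whole pipeline: {(src, dst): (response, predicted, pre-emptive, gaps)}."""
    decisions = {}
    for key, chain in correlate(filter_alarms(alarms)).items():
        decisions[key] = predict_and_respond(chain) + (unmodelled_transitions(chain),)
    return decisions
```

Filtering before correlation matters: the repeated port_scan alarm and the 0.3-confidence alarm from a second source would otherwise create a spurious second chain and inflate the first, and the pre-emptive response (isolating the host) is only issued once the chain has reached a stage where the modelled next step is likely enough to justify the disruption.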