Abstract
This dissertation first gives an overview of intrusion detection technology and intrusion detection systems. On the basis of an analysis and summary of the current state of intrusion detection research, it identifies the problems facing intrusion detection systems and the trends in their research and development.
The mathematical model that an intrusion detection system adopts is the basis on which detection strategies are selected and applied. From the perspectives of data flow and control flow and of intrusion state transitions, combined with a spatial and temporal analysis of the intrusion process, this dissertation proposes a two-dimensional overall model based on state transitions and founded on graph theory, and gives a static and dynamic description and analysis of it.
Traditional intrusion detection programs are helpless against attack classes such as "split-packet attacks", in which the attack content is spread across several packets. This dissertation introduces the background of application-layer detection and the difficulties that serial reassembly-based detection algorithms meet on high-speed networks, proposes a parallel application-layer protocol reassembly algorithm for network intrusion detection, describes its implementation, and gives a preliminary analysis of the experimental results.
Honeypot systems are an important component of intrusion detection technology. This dissertation presents a method of building virtual honeypot machines with UML (User-Mode Linux) and, from the perspective of identifying attackers, proposes the idea of keyboard fingerprint spectra to improve the intrusion detection honeypot system.
Distributed denial of service attacks are one of the main attack methods threatening Internet security. This dissertation proposes and studies an attack model, the distributed port bounce ("port recall") attack, that combines port bounce technology with denial of service attacks. It gives an approach to detecting distributed port bounce attacks and proposes a link-layer method for tracing distributed denial of service attacks back to their sources.
Real-time response is an important link in safeguarding network security. This dissertation introduces a response model for network intrusion detection systems based on intelligent agents. Built on intelligent agents, it can interact with administrators over a wireless channel and improves the speed with which a network intrusion detection system can respond to intrusions.
Finally, this dissertation describes the design and implementation of the software prototype that integrates the above research results, the network intrusion detection system TDNIDS, covering the functional requirements analysis, high-level design and detailed design in its development process, and concludes with an outlook on and evaluation of the system's future development.
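The split-packet evasion and the reassembly-based remedy described above can be reproduced on constructed data. The following is an added example, not code from the dissertation: a signature split across two out-of-order TCP segments is missed by per-packet matching, found after per-flow stream reassembly (with overlap trimming and hole handling), and the segments are then sharded by a stable flow hash so that independent workers can reassemble in parallel. The flow-hash sharding is a common approach assumed here for illustration; it is not the dissertation's own APPRA algorithm, and all segment data, addresses and the signature are constructed.

```python
"""Per-packet signature matching versus stream reassembly, with flow-based sharding.

Added example, not code from the dissertation: the split-packet evasion described
above is reproduced on constructed TCP segments, then detected after reassembly.
The flow-hash sharding is one common way to parallelize reassembly and is an
assumption here, not the dissertation's own APPRA algorithm.
"""
import zlib
from dataclasses import dataclass
from typing import Dict, List, Tuple

Flow = Tuple[str, int, str, int]  # (src_ip, src_port, dst_ip, dst_port)


@dataclass(frozen=True)
class Segment:
    flow: Flow
    seq: int        # TCP sequence number of the first payload byte
    payload: bytes


# Constructed signature standing in for a NIDS content rule.
SIGNATURE = b"EVIL-MARKER"

FLOW_A: Flow = ("10.0.0.5", 40001, "10.0.0.9", 80)
FLOW_B: Flow = ("10.0.0.6", 40002, "10.0.0.9", 80)
FLOW_C: Flow = ("10.0.0.7", 40003, "10.0.0.9", 80)

# Constructed capture: flow A carries the signature split across two segments that
# arrive out of order, plus an overlapping retransmission; flow C has a hole.
SAMPLE: List[Segment] = [
    Segment(FLOW_A, 1010, b"MARKER HTTP/1.0\r\n"),
    Segment(FLOW_B, 5000, b"GET /index.html HTTP/1.0\r\n"),
    Segment(FLOW_A, 1000, b"GET /EVIL-"),
    Segment(FLOW_A, 1008, b"L-MARK"),
    Segment(FLOW_C, 7000, b"abc"),
    Segment(FLOW_C, 7010, b"def"),
]


def match_per_packet(segments: List[Segment], signature: bytes) -> bool:
    """Traditional NIDS behaviour: each segment payload is inspected on its own."""
    return any(signature in s.payload for s in segments)


def reassemble(segments: List[Segment]) -> Dict[Flow, bytes]:
    """Rebuild each flow's contiguous byte stream from its segments.

    Segments are ordered by sequence number; bytes already seen are trimmed from
    overlapping segments (first copy wins), and reassembly stops at the first
    hole so that no data after a missing segment is inspected out of context.
    """
    by_flow: Dict[Flow, List[Segment]] = {}
    for s in segments:
        by_flow.setdefault(s.flow, []).append(s)

    streams: Dict[Flow, bytes] = {}
    for flow, segs in by_flow.items():
        segs.sort(key=lambda s: s.seq)
        data = bytearray()
        expected = segs[0].seq          # treat the lowest seq as the stream start
        for s in segs:
            if s.seq > expected:
                break                   # hole: keep only the contiguous prefix
            already_seen = expected - s.seq
            if already_seen < len(s.payload):
                data += s.payload[already_seen:]
                expected = s.seq + len(s.payload)
        streams[flow] = bytes(data)
    return streams


def match_reassembled(segments: List[Segment], signature: bytes) -> bool:
    """Application-layer matching over reassembled streams."""
    return any(signature in stream for stream in reassemble(segments).values())


def shard_by_flow(segments: List[Segment], n_workers: int) -> List[List[Segment]]:
    """Assign every segment of a flow to the same worker via a stable flow hash.

    Keeping a flow on one worker is what lets reassembly run in parallel without
    workers having to exchange partial streams (an assumption of this example).
    """
    buckets: List[List[Segment]] = [[] for _ in range(n_workers)]
    for s in segments:
        key = "|".join(map(str, s.flow)).encode()
        buckets[zlib.crc32(key) % n_workers].append(s)
    return buckets


def detect_parallel(segments: List[Segment], n_workers: int, signature: bytes) -> bool:
    """Each worker reassembles and matches only its own flows; results are OR-ed."""
    return any(match_reassembled(bucket, signature)
               for bucket in shard_by_flow(segments, n_workers) if bucket)


if __name__ == "__main__":
    print("per-packet match:", match_per_packet(SAMPLE, SIGNATURE))      # False
    print("reassembled match:", match_reassembled(SAMPLE, SIGNATURE))    # True
    print("parallel (4 workers):", detect_parallel(SAMPLE, 4, SIGNATURE))  # True
```

The per-flow sharding is the part that makes the serial-to-parallel step safe: because a flow never spans two workers, each worker's reassembly state is self-contained, and the only cross-worker operation is combining the boolean verdicts.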
This dissertation first introduces intrusion detection technology and intrusion detection systems, then analyses and summarizes the current state of research in these technologies, and finally presents the problems intrusion detection systems face and the trends of research.
The mathematical model is the foundation for selecting and applying intrusion detection policies, so a two-dimensional overall model is proposed after analysing the spatial and temporal characteristics of intrusion activity.
Traditional Network Intrusion Detection Systems (NIDS) scan incoming IP packets and judge the attack type by matching sensitive information. In this dissertation, we devise and implement a parallel reassembling algorithm (APPRA) in the application layer for large-scale network intrusion detection. Experimental results show that APPRA is efficient.
This dissertation describes three classes of honeypots and the building of a trap network in detail. User-Mode Linux is used to implement the Virtual Distributed Honeypot System. On recording technologies, we give a new idea, the Keyboard Fingerprint Spectrum (KFS). A method of obtaining the KFS based on Win32 global hooks is also introduced.
DDoS attacks and port recall attacks have been great dangers to Internet security. If they are combined to form a new kind of attack, the effect will be more serious than either alone. Therefore, the model called the Distributed Port Recall attack is presented here to draw attention to it. In addition, some methods of misuse detection and anomaly detection are also proposed.
We apply intelligent agent technology for the purpose of real-time response. The main novelty is its multi-level agent architecture, which performs dynamic policy updates in the intrusion detection system through a wireless gateway.
Finally, we present TDNIDS as a prototype network intrusion detection system and assess the future development of this system.