Research and Implementation of an Intrusion Detection System for Campus Networks
Abstract
With the rapid development of computer networks and their applications, especially the rise of electronic banking and electronic commerce, network security has become an increasingly prominent problem. Likewise, campus network security is one of the main problems currently facing universities, and research on it has theoretical significance and broad application prospects.

The thesis analyses the security architecture adopted by most campus networks, namely a firewall architecture built on iptables packet filtering and a Squid+SOCKS proxy server, and notes that very few campus networks deploy and implement an intrusion detection system (IDS). As an important network security technique, an IDS is a significant complement to the firewall: its basic functions are to monitor internal network traffic, to raise alarms for recognised attack signatures or abnormal behaviour, and to watch for attacks on the firewall and other hosts that originate inside the network. It cannot, however, replace the firewall.

The thesis proposes a campus network security strategy of firewall plus intrusion detection system for campus networks built on open-source software, and implements it with the well-known network intrusion detection system Snort NIDS. Snort can analyse traffic in real time and log network packets, perform protocol analysis, and search and match on content, so it can detect many different kinds of attack and raise real-time alarms.

Snort NIDS is a very specialised application built on string-matching techniques, and a high-speed network environment such as a campus network places high demands on its real-time pattern-matching capability. If the IDS cannot inspect packets as fast as the network transmits them, the detection system misses some of the packets, which degrades its accuracy and effectiveness and can even amount to a DoS attack on the network system. The performance of the pattern-matching algorithm therefore heavily influences the performance of the IDS. The main goal of the thesis is to improve the pattern-matching algorithm in the Snort intrusion detection system, increasing Snort's detection speed, reducing its consumption of system resources, and improving its safety and accuracy.

Pattern-matching algorithms have been studied extensively. The Snort intrusion detection system uses the Aho-Corasick multi-pattern matching algorithm, which is based on a deterministic finite automaton (DFA). Storing its state-transition matrix takes a large amount of memory, but the algorithm is fast, matches multiple patterns simultaneously, and its performance is unaffected by the lengths of the patterns in the pattern set, so its worst-case and average-case performance are the same, which makes it very robust for an IDS. To optimise the Aho-Corasick algorithm, the thesis studies several storage schemes for sparse matrices and sparse vectors and proposes the use of
With the rapid development of computer networks and their applications, especially the extensive use of electronic banking and electronic commerce, network security is becoming a more and more important issue. At the same time, the security of the campus network is an increasingly prominent problem confronting most universities, so research on campus network security has theoretical significance and an extensive application prospect.

The thesis analyses the general network security architecture of campus networks, which is a firewall architecture built from an iptables-based packet filter and a Squid/SOCKS-based proxy server. In general, campus networks are rarely equipped with an Intrusion Detection System (IDS). As a significant network security technique, an IDS is an important complement to the firewall, although it cannot take the place of the firewall. The fundamental functions of an IDS include monitoring the traffic of the internal network, raising an alarm for recognised attack signatures or abnormal behaviour, and monitoring for attacks on the firewall and other hosts that originate from the internal network.

The thesis presents a network security strategy founded on a firewall and an IDS for campus networks that are based on open-source software. The strategy is implemented with the support of Snort NIDS, a well-known network intrusion detection system. Besides its ability to analyse network traffic and to log network packets, Snort can also perform protocol analysis. Moreover, since it can search and match on content, Snort is able to detect different types of attack and give real-time alarms.

Snort NIDS belongs to a class of special applications based on string-matching techniques, and it requires excellent real-time pattern-matching performance, especially in the context of a campus network. If the inspection speed of the IDS cannot keep up with the speed of data transmission, some packets are dropped, which affects the correctness and efficiency of the system and can even cause a DoS attack. As a consequence, the performance of the IDS is largely determined by that of the pattern-matching algorithm. The thesis mainly aims at improving the performance of the pattern-matching algorithm used in the IDS, speeding up Snort's inspection, improving safety and correctness, and reducing the cost in system resources.

Pattern-matching algorithms have been extensively studied. Snort IDS relies heavily on the Aho-Corasick algorithm, a multi-pattern search algorithm based on a Deterministic Finite Automaton (DFA). Its characteristic is a large memory requirement for storing the state-transition table, but it gives a significant speedup and matches multiple patterns in one pass. The worst-case and average-case performance of the Aho-Corasick algorithm are the same, since its performance is unaffected by the length of the pattern strings in the pattern group, so it is a very robust algorithm for an IDS. In order to optimise the Aho-Corasick algorithm, the thesis studies some basic sparse matrix and vector storage formats, and the Banded-Row format is exploited to optimise the Aho-Corasick state table, yielding an improved algorithm that reduces memory requirements and further improves performance on large pattern groups. Finally, the standard AC algorithm, the optimised AC algorithm using full-matrix storage, and the improved AC algorithm using Banded-Row storage are compared in terms of performance, storage requirement and speed when each is executed in the Snort test environment.

The main work of the thesis includes:
1. A network security strategy based on a firewall and an IDS is presented for campus networks and implemented with open-source software.
2. Intrusion detection systems and pattern-matching algorithms are studied.
3. Some basic storage formats for sparse matrices and vectors are analysed.
4. A sparse storage format is proposed to optimise the Aho-Corasick pattern-matching algorithm used in Snort IDS, and simulation results are compared when different sparse storage formats are used to implement the Aho-Corasick algorithm in Snort IDS.
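As an added example (not the thesis's code, and a deliberate simplification of Snort's Aho-Corasick engine): the full DFA state-transition matrix is built first, each row is then compressed into banded-row form (first non-zero column plus the cells up to the last one), and matching is driven from the banded table, so the two representations can be checked against each other and their cell counts compared. The rule set and payload are constructed placeholders.

```python
from collections import deque
ALPHABET = 256                               # one column per byte value, as in a NIDS
PATTERNS = [b"he", b"she", b"his", b"hers"]  # constructed rule set for this added example
SAMPLE = b"ushers"                           # constructed payload

def build_full_dfa(patterns):
    goto, out = [{}], [set()]                # trie edges and accepting patterns per state
    for p in patterns:
        s = 0
        for b in p:
            if b not in goto[s]:
                goto.append({}); out.append(set())
                goto[s][b] = len(goto) - 1
            s = goto[s][b]
        out[s].add(p)
    fail, table, queue = [0] * len(goto), [[0] * ALPHABET for _ in goto], deque([0])
    while queue:                             # breadth-first, so fail[s] is final before s
        s = queue.popleft()
        out[s] |= out[fail[s]]               # inherit matches reachable via the failure link
        for b in range(ALPHABET):
            if b in goto[s]:
                nxt = goto[s][b]
                fail[nxt] = table[fail[s]][b]   # for the root this reads 0, i.e. the root
                table[s][b] = nxt
                queue.append(nxt)
            else:
                table[s][b] = table[fail[s]][b]  # failure transition resolved at build time
    return table, out  # table[s][byte] -> next state (0 = root); out[s] = patterns ending at s

def to_banded(table):
    rows = []                                # per state: (first non-zero column, band cells)
    for row in table:
        nz = [c for c, t in enumerate(row) if t]
        rows.append((nz[0], row[nz[0]:nz[-1] + 1]) if nz else (0, []))
    return rows

def banded_next(rows, state, b):
    start, band = rows[state]                # columns outside the band all lead to the root
    return band[b - start] if 0 <= b - start < len(band) else 0

def search(rows, out, data):
    hits, s = set(), 0                       # collect (end_offset, pattern) over the payload
    for i, b in enumerate(data):
        s = banded_next(rows, s, b)
        hits.update((i, p) for p in out[s])
    return sorted(hits)

def table_sizes(table, rows):                # cells stored: full matrix vs banded (start, len, band)
    return len(table) * ALPHABET, sum(2 + len(band) for _, band in rows)
```

On SAMPLE the banded automaton reports b"he" and b"she" ending at offset 3 and b"hers" at offset 5, and `table_sizes` shows the banded rows hold far fewer cells than the 10 × 256 full matrix while `banded_next` agrees with the full table on every state and byte.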