Research on Core Technologies of a Policy-Script-Based Gigabit Intrusion Detection System
Abstract
Intrusion detection, a dynamic network security defense technology, is currently a research hotspot in the security field and has developed rapidly in recent years. However, most current intrusion detection systems cannot analyze the traffic of a fully loaded 100 Mbps network without sacrificing detection quality, and gigabit rates are even further out of reach. With the aim of improving the detection speed and accuracy of IDSs, following the Common Intrusion Detection Framework (CIDF) specification and the structural requirements of network-based intrusion detection systems (NIDS), this thesis proposes and implements GIDS (Gigabits IDS). The system follows a layered design and is divided, from bottom to top, into four parts: the data capture module, the event generation engine, the policy script interpreter, and the intrusion prevention module.
     (1) Data capture uses the Libpcap packet capture library, combined with zero-copy and device polling mechanisms to further improve capture efficiency;
     (2) The event generation engine uses dynamic protocol detection to identify the protocol type of a packet, then determines the state of the current connection from the protocol type, and generates different events for the policy scripts to analyze. In addition, GIDS lets users describe typical attack signatures as simple rules and matches network packets against those rules to generate the corresponding events. To improve the expressiveness of pattern strings, pattern matching is done with regular expressions;
     (3) The policy script interpreter interprets and executes policy scripts, which are written in GIDS Script, a C-like policy scripting language implemented with Flex and Bison. Scripts let users express richer processing logic instead of relying on rigid string matching to decide whether an attack is present. Both script analysis and regular expression matching operate on data reassembled from a complete session, giving fine-grained detection and improving the accuracy of intrusion detection;
     (4) To reduce the administrator's workload and the need for human intervention, the intrusion prevention module blocks intrusions promptly in two ways, by forging TCP RST segments and by linking with firewall ACLs, thereby effectively reducing the damage caused by an attack.
     Finally, in a real environment, we measured the CPU utilization, memory usage, system throughput, packet loss rate and other performance indicators of GIDS and analyzed the results.
Abstract (English)
Intrusion detection systems (IDSs) have become increasingly sophisticated as an approach to network security protection over the last several decades. However, because of several limitations, recent IDSs have been unable to provide proper analysis or an effective security mechanism for defending against attacks under 100-megabit network loads. Based on the Common Intrusion Detection Framework (CIDF) and Network-Based Intrusion Detection System (NIDS) standards, we present a novel intrusion detection system called Gigabits IDS (GIDS) that improves detection speed and accuracy so that high-speed networks can be monitored. GIDS consists of a data capture module, an event generation engine, a policy script interpreter and an intrusion prevention module. The paper is organized as follows:
     (1) Zero-copy and device polling mechanisms are combined with Libpcap to capture packets, which proves to be more efficient.
     (2) The event generator module adopts dynamic protocol detection to determine the protocol type and connection state, and produces different events for policy script analysis. Besides, GIDS permits users to define signature collections with typical attack features; events are generated by comparing the attack signatures to the network data stream, and regular expressions are adopted to improve the descriptive power of signatures.
     (3) Policy scripts are interpreted and executed by the policy script interpreter; the scripts are written in the GIDS Script language, implemented with Flex and Bison, to provide more flexible detection logic. Both policy script analysis and regular expression matching operate on packets reassembled from a whole session, giving fine-grained detection that improves the accuracy of intrusion detection.
     (4) By sending forged RST packets and linking with the firewall access control list (ACL), the intrusion prevention module blocks intrusion activities in time, relieving the workload of administrators and reducing user interaction.
     Finally, the performance of GIDS is tested in terms of CPU utilization, memory usage, system throughput and packet loss rate; the results show that GIDS outperforms other IDSs.
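The following is an added illustration, written for this page in Python, of the event-generation flow that points (2) to (4) of both abstracts describe: per-session TCP reassembly, dynamic protocol detection on payload content rather than port number, regular-expression signature rules that produce events, and the firewall-ACL linkage that turns a blocking event into a rule. It is not GIDS code (GIDS itself is built on Libpcap, Flex and Bison); the sample segments, the signature rules, the "expected port" table and the iptables rule format are all constructed assumptions for the example. The reassembly step deliberately stops at the first sequence gap, so that a signature is never matched across missing data.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

SessionKey = Tuple[str, int, str, int]  # (src_ip, src_port, dst_ip, dst_port)

# Constructed sample traffic (not a real capture): (src_ip, src_port, dst_ip, dst_port, seq, payload).
# The SMTP segments arrive out of order and one is retransmitted; SSH runs on a non-standard port.
SAMPLE_SEGMENTS = [
    ("10.0.0.5", 40001, "10.0.0.80", 8080, 1000, b"GET /../../../../etc/passwd HTTP/1.1\r\n"),
    ("10.0.0.5", 40001, "10.0.0.80", 8080, 1038, b"Host: www.example.test\r\n\r\n"),
    ("10.0.0.7", 40002, "10.0.0.25", 25, 2008, b"MAIL FROM:<a@example.test>\r\n"),
    ("10.0.0.7", 40002, "10.0.0.25", 25, 2000, b"EHLO x\r\n"),
    ("10.0.0.7", 40002, "10.0.0.25", 25, 2000, b"EHLO x\r\n"),  # retransmission
    ("10.0.0.9", 40003, "10.0.0.22", 2222, 3000, b"SSH-2.0-OpenSSH_8.9\r\n"),
]

# Assumed "normal" ports per protocol; a detected protocol on another port becomes an event.
EXPECTED_PORTS: Dict[str, Set[int]] = {"http": {80, 8080}, "smtp": {25, 587}, "ssh": {22}}

# Content probes for dynamic protocol detection (port-independent, applied to the stream start).
PROTOCOL_PROBES = [
    ("http", re.compile(rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS) \S+ HTTP/1\.[01]\r\n")),
    ("smtp", re.compile(rb"^(EHLO|HELO) ")),
    ("ssh", re.compile(rb"^SSH-\d\.\d-")),
]


@dataclass(frozen=True)
class Rule:
    name: str
    protocol: str        # "any" or one of the protocol names above
    pattern: re.Pattern  # regular expression, as the abstract's signature rules use
    action: str          # "alert" or "block"


# Constructed signature rules for the example.
RULES = [
    Rule("http_dir_traversal", "http", re.compile(rb"^\S+ \S*(\.\./){2,}"), "block"),
    Rule("smtp_no_domain", "smtp", re.compile(rb"^(EHLO|HELO) \S{1,3}\r\n"), "alert"),
]


@dataclass(frozen=True)
class Event:
    name: str
    session: SessionKey
    protocol: str
    action: str
    evidence: bytes


def reassemble(segments: List[Tuple[int, bytes]]) -> bytes:
    """Order segments by sequence number, drop exact retransmissions, trim overlaps,
    and stop at the first gap so nothing is matched across missing bytes."""
    data = b""
    expected = None
    for seq, payload in sorted(set(segments)):
        if expected is None:
            expected = seq
        if seq < expected:              # overlap: keep only the part not yet seen
            payload = payload[expected - seq:]
            seq = expected
        elif seq > expected:            # gap: later data cannot be trusted yet
            break
        data += payload
        expected += len(payload)
    return data


def detect_protocol(data: bytes) -> str:
    """Dynamic protocol detection: decide by stream content, not by port."""
    for name, probe in PROTOCOL_PROBES:
        if probe.match(data):
            return name
    return "unknown"


def generate_events(segments) -> List[Event]:
    """Event generation engine: group segments into sessions, reassemble, detect, match rules."""
    sessions: Dict[SessionKey, List[Tuple[int, bytes]]] = defaultdict(list)
    for src, sport, dst, dport, seq, payload in segments:
        sessions[(src, sport, dst, dport)].append((seq, payload))
    events: List[Event] = []
    for key, segs in sessions.items():
        data = reassemble(segs)
        proto = detect_protocol(data)
        if proto in EXPECTED_PORTS and key[3] not in EXPECTED_PORTS[proto]:
            events.append(Event("protocol_port_mismatch", key, proto, "alert", data[:32]))
        for rule in RULES:
            if rule.protocol in ("any", proto) and rule.pattern.search(data):
                events.append(Event(rule.name, key, proto, rule.action, data[:32]))
    return events


def acl_rules(events: List[Event]) -> List[str]:
    """Firewall-ACL linkage: one DROP rule per source that raised a 'block' event.
    Assumed iptables syntax; rules are returned as strings and not executed here."""
    blocked = sorted({e.session[0] for e in events if e.action == "block"})
    return [f"iptables -I INPUT -s {ip} -j DROP" for ip in blocked]


if __name__ == "__main__":
    found = generate_events(SAMPLE_SEGMENTS)
    for ev in found:
        print(ev.action, ev.name, ev.protocol, ev.session, ev.evidence)
    print(acl_rules(found))
```

Running the block yields three events: a blocking directory-traversal event for the HTTP session, an alert for the SMTP greeting, and a protocol/port mismatch for SSH seen on port 2222, which only content-based detection can produce; the ACL step then emits a single DROP rule for 10.0.0.5. The script-interpreter layer of GIDS would sit where `RULES` and `acl_rules` are, replacing fixed rules with user-written logic.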