Research and Design of an Intrusion Detection System for Metropolitan Area Networks
Abstract
With the deepening application of computer and network technology in every area of social life, the security of computer network systems has become a hot topic in computer science research. As network technology advances and attackers' techniques improve, a firewall alone can no longer meet security requirements: it cannot control the behaviour of internal network users or of intruders who have already passed through the firewall. Network security therefore has to be ensured by multi-faceted, diverse means. Among current network security technologies, the intrusion detection system (IDS) is undoubtedly one of the most active areas. Intrusion detection technology can detect intrusions or intrusion attempts against a given system and respond to them in real time.
     This thesis presents research on the implementation of an intrusion detection system for metropolitan area networks (MANs). Switches, routers and other network devices are the key equipment that makes up a MAN, and many network outages are related to these devices. Routers in particular, as the core devices of the internetwork, are the front-line checkpoint of network security. A MAN intrusion detection system is an IDS that specifically strengthens the security of the core part of a MAN. The MAN IDS designed in this thesis consists of the following six modules: a network packet capture module, a data processing module, a classifier, an analysis module, an intrusion rule base module, and an intrusion response and control module. The packet capture and processing modules obtain the network traffic flowing through the MAN, including all interaction data for every protocol port and every host on every subnet; they combine Sniffer and NetFlow techniques, use Linux as the development platform and Perl as the development tool, and preprocess the collected network data into NetFlow format. The analysis module periodically analyses the NetFlow data files generated after collection and automatically produces reports, mainly traffic reports per IP address in the MAN and per application type.
     A new detection engine was designed for the IDS. Its detection rules use a format compatible with SNORT rules, and pattern searching is performed with the Boyer-Moore fast string search algorithm. Building on an analysis and summary of commonly used blocking techniques and IDS deployment methods, the thesis then describes the design principles and deployment of a blocking module based on a campus network, achieving an organic integration of the intrusion detection system with the firewall system.
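The detection engine described above (SNORT-compatible rules searched with Boyer-Moore), as an added Python example written for this page rather than the thesis's own engine. It assumes a rule syntax reduced to the SNORT header plus the msg/content/sid options and uses the Boyer-Moore-Horspool bad-character variant; the rules and packets are constructed samples.

```python
import re

# Constructed sample rules in the simplified SNORT-compatible syntax assumed here.
RULES = [
    'alert tcp any any -> any 80 (msg:"WEB cmd.exe access"; content:"cmd.exe"; sid:1000001;)',
    'alert tcp any any -> any 21 (msg:"FTP SITE EXEC"; content:"SITE EXEC"; sid:1000002;)',
]
HEADER_RE = re.compile(r'^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+->\s+(\S+)\s+(\S+)\s+\((.*)\)$')
OPTION_RE = re.compile(r'(\w+):"?([^";]*)"?;')

def bm_table(pattern):
    """Boyer-Moore-Horspool bad-character shift table, indexed by byte value."""
    m = len(pattern)
    shift = [m] * 256
    for i, b in enumerate(pattern[:-1]):   # last byte keeps the default shift
        shift[b] = m - 1 - i
    return shift

def bm_search(payload, pattern, shift):
    """Offset of the first occurrence of pattern in payload, or -1 if absent."""
    m, n = len(pattern), len(payload)
    i = 0
    while i <= n - m:
        j = m - 1
        while j >= 0 and payload[i + j] == pattern[j]:   # compare right to left
            j -= 1
        if j < 0:
            return i
        i += shift[payload[i + m - 1]]   # skip by the rightmost window byte
    return -1

def compile_rule(line):
    """Parse one rule and precompute the shift table for its content string."""
    _action, proto, _src, _sport, _dst, dport, opts = HEADER_RE.match(line.strip()).groups()
    fields = dict(OPTION_RE.findall(opts))
    content = fields["content"].encode()
    return {"proto": proto, "dport": dport, "msg": fields["msg"],
            "sid": int(fields["sid"]), "content": content, "shift": bm_table(content)}

def detect(rules, packet):
    """Return (sid, msg) for every rule whose header and content match the packet."""
    alerts = []
    for r in rules:
        if r["proto"] != packet["proto"] or r["dport"] not in ("any", str(packet["dport"])):
            continue   # header mismatch: skip the payload search entirely
        if bm_search(packet["payload"], r["content"], r["shift"]) >= 0:
            alerts.append((r["sid"], r["msg"]))
    return alerts
```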