Discovery and Detection of Large-Scale DDoS and Worm Attacks
Abstract
The Internet now reaches every industry, and the network information technologies built on it underpin many large, critical business systems: government information systems, financial transaction systems, enterprise commerce systems and the like. As countries have come to depend heavily on the Internet, malicious attacks against large-scale networks, chiefly DDoS (Distributed Denial of Service) and worm attacks, have become a principal security threat, and almost every outbreak of this kind inflicts heavy economic losses on society as a whole. Detecting and giving early warning of large-scale DDoS and worm attacks is therefore essential to protecting the network.
     This thesis first surveys the state of research on large-scale network anomalies, analyses the main research directions and products in China and abroad, points out their shortcomings, and sets out directions for improvement and further research. It then analyses the system's functional requirements and, from them, gives the overall design: the detection approach adopted, the system architecture and the physical deployment.
     The thesis then describes in detail the workflow for large-scale anomaly detection based on network data streams: how the data streams are processed, how anomalies are discovered, and how alerts are correlated and fused, together with the key algorithms and techniques behind each function. The system uses a data-stream anomaly-discovery algorithm with several detection models to monitor a large-scale network and to respond quickly and effectively to sudden changes in traffic. It not only identifies the source of an anomaly but also reports, over the network to the management platform, the details of the event: the traffic volume, the event type, the source, the time the attack began, its duration, its severity and a confidence score. The alerts are then correlated: information from multiple sensors is fused so that anomalous behaviour across the whole network is handled at a higher level, with duplicate alerts, and the several distinct alerts raised by different stages of a single attack, merged into one event.
     Finally, the thesis describes the system's management and configuration and its test method. From the test data it concludes that the system effectively detects anomalous behaviour in large-scale networks and meets the project's requirements.
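The abstract describes the detection pipeline only in outline (stream processing, anomaly discovery per sensor, then correlation and de-duplication of alerts into events carrying type, source, start time, duration, severity and confidence). The following is an added example, written for this page and not code or an algorithm taken from the thesis: it implements one plausible instance of that pipeline using a Count-Min sketch per time bin compared against an EWMA forecast sketch (in the spirit of the sketch-based change detection the thesis cites), followed by a correlator that fuses per-sensor alerts. The SHA-256-based hash, the thresholds, the sensor names and the flow records are all assumptions made for the demonstration; the flows are constructed, not captured traffic.

```python
"""Stream-based DDoS anomaly discovery plus multi-sensor alert correlation.
Added example, not the thesis's code: each time bin's SYN counts go into a Count-Min
sketch that is compared with an EWMA forecast sketch (sketch-based change detection),
and per-sensor alerts are then fused into events. Hash, thresholds and flows are assumptions."""
import hashlib
from collections import defaultdict, namedtuple

# One flow record as a sensor would export it (constructed format, not NetFlow).
Flow = namedtuple("Flow", "sensor t src dst syn")  # t = time bin, syn = SYN packets

class CountMinSketch:
    """d rows x w counters; a key's estimate is the minimum over its d cells."""
    def __init__(self, d=4, w=1024):
        self.d, self.w = d, w
        self.rows = [[0] * w for _ in range(d)]

    def _cell(self, key, i):
        # Assumption: SHA-256 keyed by row index stands in for a pairwise-independent hash family.
        h = hashlib.sha256(f"{i}:{key}".encode()).digest()
        return int.from_bytes(h[:8], "big") % self.w

    def add(self, key, n=1):
        for i in range(self.d):
            self.rows[i][self._cell(key, i)] += n

    def query(self, key):
        return min(self.rows[i][self._cell(key, i)] for i in range(self.d))

class SketchChangeDetector:
    """One per sensor: per-bin SYN counts keyed by destination are checked against an
    EWMA forecast sketch; a key whose count jumps past ratio x forecast raises an alert."""
    def __init__(self, sensor, alpha=0.5, min_count=50, ratio=3.0, d=4, w=1024):
        self.sensor, self.alpha, self.min_count, self.ratio = sensor, alpha, min_count, ratio
        self.d, self.w, self.forecast, self.primed = d, w, CountMinSketch(d, w), False

    def process_bin(self, t, flows):
        cur, keys = CountMinSketch(self.d, self.w), set()
        for f in flows:
            cur.add(f.dst, f.syn)
            keys.add(f.dst)
        alerts = []
        if self.primed:  # no forecast exists before the first bin has been seen
            for k in keys:  # assumption: only keys seen this bin are tested (no reverse hashing)
                obs, exp = cur.query(k), self.forecast.query(k)
                if obs >= self.min_count and obs > self.ratio * max(exp, 1):
                    alerts.append({"sensor": self.sensor, "type": "syn_flood", "target": k,
                                   "t": t, "observed": obs, "expected": exp})
        if not alerts:  # freeze the forecast while alerting so the attack is not learned as baseline
            for fr, cr in zip(self.forecast.rows, cur.rows):
                for j in range(self.w):
                    fr[j] = self.alpha * cr[j] + (1 - self.alpha) * fr[j]
        self.primed = True
        return alerts

def correlate(alerts, n_sensors, max_gap=1):
    """Fuse alerts with the same (type, target) and bins within max_gap into one event
    carrying start, duration, peak volume and confidence (share of sensors that agree)."""
    by_key = defaultdict(list)
    for a in alerts:
        by_key[(a["type"], a["target"])].append(a)
    events = []
    for (typ, target), group in by_key.items():
        cur = None
        for a in sorted(group, key=lambda x: x["t"]):
            if cur is None or a["t"] - cur["end"] > max_gap:  # open a new event
                cur = {"type": typ, "target": target, "start": a["t"], "end": a["t"],
                       "peak": 0, "sensors": set()}
                events.append(cur)
            # same bin from another sensor (duplicate) or the next bin (continuation): merge
            cur["end"], cur["peak"] = max(cur["end"], a["t"]), max(cur["peak"], a["observed"])
            cur["sensors"].add(a["sensor"])
    for e in events:
        e["duration"], e["confidence"] = e["end"] - e["start"] + 1, len(e["sensors"]) / n_sensors
        e["sensors"] = sorted(e["sensors"])
    return events

def build_sample_flows():
    """Constructed sample, not captured traffic: seven bins, two sensors, steady background
    SYNs, and a SYN flood from 200 spoofed sources against 10.0.0.5 in bins 4 and 5."""
    flows = []
    for t in range(7):
        for sensor in ("sensor-A", "sensor-B"):
            flows.append(Flow(sensor, t, "192.0.2.10", "10.0.0.80", 20))
            flows.append(Flow(sensor, t, "192.0.2.11", "10.0.0.5", 8))
            if t in (4, 5):
                flows += [Flow(sensor, t, f"198.51.100.{i}", "10.0.0.5", 3) for i in range(200)]
    return flows

def run_pipeline(flows=None):
    """Run every sensor's detector bin by bin, then correlate; returns (alerts, events)."""
    flows = build_sample_flows() if flows is None else flows
    sensors = sorted({f.sensor for f in flows})
    detectors = {s: SketchChangeDetector(s) for s in sensors}
    alerts = []
    for t in sorted({f.t for f in flows}):
        for s, det in detectors.items():
            alerts += det.process_bin(t, [f for f in flows if f.t == t and f.sensor == s])
    return alerts, correlate(alerts, len(sensors))
```

Running `run_pipeline()` on the constructed flows yields four raw alerts (two sensors, two bins) and a single correlated event against 10.0.0.5 starting in bin 4, lasting two bins, with a peak of 608 SYNs and confidence 1.0 because both sensors agree. Two design choices are worth noting: the forecast sketch is not updated in bins that raise an alert, otherwise a sustained flood quickly becomes the new baseline and the second bin of the attack goes unreported; and only keys observed in the current bin are tested, whereas a production system would either keep a key table or use reverse-hashable sketches to recover heavy-change keys directly from the sketch.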
References
[1] 卿斯汉, 蒋建春, 马恒太, 文伟平, 刘雪飞. A survey of intrusion detection techniques. Journal on Communications, 2004(7): 1208-1219.
[2] S. Kumar. Classification and Detection of Computer Intrusions. PhD dissertation, Purdue University, 1995.
[3] J. Lemon. Resisting SYN Flood DoS Attacks with a SYN Cache. Proceedings of BSDCon, 2002: 89-97.
[4] Jelena Mirkovic. A Taxonomy of DDoS Attacks and DDoS Defense Mechanisms. 2001.
[5] T. Anderson, T. Roscoe, D. Wetherall. Preventing Internet Denial-of-Service with Capabilities. ACM SIGCOMM Computer Communication Review, 2004, 34(1): 39-44.
[6] A. Hussain, J. Heidemann, C. Papadopoulos. A Framework for Classifying Denial-of-Service Attacks. Proceedings of ACM SIGCOMM, 2003: 99-110.
[7] D. Moore, G. Voelker, S. Savage. Inferring Internet Denial-of-Service Activity. USENIX Security Symposium, 2001.
[8] J. Aweya, M. Ouellette, D. Y. Montuno. A Control Theoretic Approach to Active Queue Management. Computer Networks, 2001, 36(2): 203-235.
[9] 郑军, 胡铭曾, 云晓春, 郑仲. Large-scale network anomaly discovery based on data-stream methods. Journal on Communications, 2006(2): 1-8.
[10] 郝志宇, 云晓春, 张宏莉, 陈雷. A similarity-based DDoS anomaly detection system. Computer Engineering and Applications, 2004(35): 122-124, 225.
[11] 林原. DDoS attack detection based on network self-similarity. Master's thesis, University of Electronic Science and Technology of China, Chengdu, 2003: 17-25.
[12] 卫瑜, 曾凡平, 蒋凡. A distributed denial-of-service attack detection system based on similarity analysis. Computer Aided Engineering, 2005(2): 63-67.
[13] 杨嵘, 张国清, 韦卫, 李仰耀. Discovering network attack behaviour through NetFlow traffic analysis. Computer Engineering, 2005(13): 49-51.
[14] 聂方彦, 傅光轩, 许淑华, 蔡坚. Design of an anomaly detection model based on Fisher discriminant analysis. Computer Applications, 2004(12): 78-81.
[15] 李爱国, 覃征. Predicting nonlinear time series with a sliding-window quadratic autoregressive model. Chinese Journal of Computers, 2004(7): 1004-1008.
[16] 林白, 李鸥, 刘庆卫. A DDoS attack detection method based on sequential change detection. Computer Engineering, 2005(9): 135-137.
[17] 孙红杰, 方滨兴, 张宏莉, 云晓春. A DDoS attack detection method based on link characteristics. National Conference on Network and Information Security Technology, 2005.
[18] 周东清, 张海锋, 张绍武, 胡祥培. An HMM-based method for detecting distributed denial-of-service attacks. Journal of Computer Research and Development, 2005(9): 1594-1599.
[19] 李英楠, 张宏莉, 云晓春, 方滨兴. Macroscopic early warning and response analysis of network security events based on network topology. Journal of Harbin Institute of Technology, 2005(11): 1459-1462.
[20] 王欣, 方滨兴. Phase-transition theory in DDoS attacks. National Conference on Network and Information Security Technology, 2005.
[21] Balachander Krishnamurthy. Sketch-based Change Detection: Methods, Evaluation, and Applications. 2003.
[22] 吕志军, 郑璟, 黄皓. A distributed real-time intrusion detection system for high-speed networks. Journal of Computer Research and Development, 2004(4): 667-673.
[23] 吴刚, 赵旭, 董永苹. A distributed, cooperative detection system for malicious code in large-scale networks. Journal of Dalian University of Technology, 2005(10): 166-171.
[24] 段海新, 吴建平. Design and implementation of a distributed cooperative intrusion detection system. Journal of Software, 2001(9): 1375-1379.
[25] 文伟平, 卿斯汉, et al. Research and progress on Internet worms. Journal of Software, 2004(8): 1208-1219.
[26] 郑辉, 李冠一, 涂菶生. Behavioural characterisation and working principles of worms. Third China Conference on Information and Communication Security (CCICS), 2003.
[27] 侯升雄. An analysis of worm viruses. Network Security Technology & Application, 2006(1): 79-81.
[28] C. C. Zou, W. Gong, D. Towsley. Code Red worm propagation modeling and analysis. Proceedings of the 9th ACM Conference on Computer and Communications Security, Washington, 2002: 138-147.
[29] 王平, 方滨兴, 云晓春, 彭大伟. Early detection of worms based on user habits. Journal on Communications, 2006(2): 56-65.
[30] 高长喜, 章甫源, 辛阳, 钮心忻, 杨义先. Models of worm propagation and containment in P2P networks. Proceedings of the First Summit Forum on Information, Knowledge, Intelligence and Their Transformation Theory, ICT 2006.
[31] 肖颖, 云晓春, 辛毅. Analysis and detection of search-engine-based worms. Computer Engineering and Applications, 2006(7): 112-115.
[32] Neil Matthew, Richard Stones. Beginning Linux Programming, 2nd Edition. Wrox Press, 2002.
[33] John Shapley Gray. Interprocess Communications in UNIX, 2nd Edition. Chinese translation by 张宁 et al. Beijing Hope Electronic Press, 2002: 272-291.
[34] W. Richard Stevens, Bill Fenner, Andrew M. Rudoff. UNIX Network Programming, Volume 1: The Sockets Networking API. Chinese translation by 杨继张. Tsinghua University Press, 2006: 203-225.
[35] S. Muthukrishnan. Data Streams: Algorithms and Applications. Manuscript based on an invited talk at the 14th SODA, 2003.
[36] Mikkel Thorup, Yin Zhang. Tabulation based 4-universal hashing with applications to second moment estimation. Proceedings of the 15th ACM-SIAM Symposium on Discrete Algorithms (SODA), 2004.
[37] J. Carter, M. Wegman. Universal classes of hash functions. Journal of Computer and System Sciences, 1979: 143-154.
[38] 邹柏贤, 李忠诚. Network anomaly detection based on AR models. Microelectronics & Computer, 2002(12): 1-6.
[39] 杨武, 方滨兴, 云晓春, 张宏莉, 胡铭曾. Research and implementation of a high-performance distributed intrusion detection system. Journal of Beijing University of Posts and Telecommunications, 2004(4): 83-87.
