Research and Implementation of an Intelligent Packet-Filtering Firewall
Abstract
With the rapid development of network technology and the wide spread of the Internet, network security problems have become increasingly prominent. The firewall is the first line of defence for network security. Using firewalls properly helps a network resist hacker attacks and improves system security.
In recent years, network attack techniques have changed considerably in both scale and method, and the traditional packet-filtering firewall shows many shortcomings when faced with modern network attacks:
1. A traditional packet-filtering firewall filters the network data flow according to a set of filtering rules fixed in advance, blocking illegal access while letting legitimate access through. This makes it hard to keep up with modern attack techniques, which are increasingly combined and complex.
2. Formulating a network security policy and configuring filtering rules requires expert-level, comprehensive and deep domain knowledge. In practice, network security experts are extremely scarce. On the one hand, ordinary network administrators, lacking experience or knowledge, cannot formulate an effective security policy when configuring the firewall, so many security weaknesses remain; on the other hand, this leads to many misconceptions in the deployment and use of packet-filtering firewalls.
3. When a traditional firewall detects a network attack, it either simply rejects the packets or merely notifies the network administrator by e-mail; it lacks a mechanism for responding to the attack at the first moment.
The evolution of network attack techniques challenges the traditional network firewall, so firewalls must be technically improved to meet the continually developing requirements of network security.
The task of this thesis is to apply intelligent techniques to network security management: it proposes a packet-filtering firewall system with intelligent features and implements a simulated verification of the system in a laboratory environment.
The thesis first describes the architecture of the intelligent packet-filtering firewall system. The architecture implements the firewall's functions in four layers: packet capture and protocol analysis/decoding, filtering analysis, decision execution, and offline analysis of audit data. Next, the filtering rules of the intelligent packet-filtering firewall system are given a formal definition, and a knowledge base is built on top of a relational database. With the rules formalised, an inference-engine model is proposed and the reasoning algorithm is designed and implemented. The thesis then analyses why data mining is needed in the offline analysis of network audit data, and applies the Apriori association-rule algorithm to mine simulated data. Analysis of the mining results shows that applying data-mining techniques to the offline analysis of audit data can identify unknown types of network attack fairly well and provides network security experts with useful information for extracting attack patterns, ultimately strengthening the firewall system's ability to resist network attacks. Finally, the next research objectives of the project are set out.
With the rapid development of network technology and the wide spread of the Internet, network security is becoming more and more important. The firewall is the first barrier protecting network security. Proper use of a firewall improves a system's ability to defend against hacker attacks and its overall security.
In the last few years, network attack technology has changed greatly in both scale and method, while the traditional packet-filtering firewall has many limitations against modern network attacks:
1. The traditional packet-filtering firewall filters the data flow according to rules established beforehand, rejecting illegal access and accepting legal access. It is therefore hard for it to adapt to the comprehensive and complex techniques of modern network attacks.
2. Establishing a network security strategy and configuring filtering rules requires the profound and broad domain knowledge that experts hold. In reality, network security experts are very scarce. On the one hand, this leads to inefficient firewall configurations set by ordinary network managers who lack the necessary experience and knowledge, so many security vulnerabilities remain; on the other hand, it leads to many mistakes in the spread and application of packet-filtering firewalls.
3. Traditional firewalls simply reject the data packets or inform the network administrator via e-mail when they recognise a network attack, so they lack a mechanism for responding to the attack in real time.
The evolution and development of network attack technology now challenges the traditional firewall, so firewall technology must be improved to meet the demands of the continuous development of network security.
The study in this thesis focuses on applying intelligence technology to network security administration. A new kind of packet-filtering firewall system with intelligent characteristics is presented, and its verification by simulation is realised in a laboratory environment.
In this thesis, the architecture of the intelligent packet-filtering firewall is described first. In this architecture the firewall's functions are divided into four layers: packet capture/analysis and decoding, filtering and analysis, decision execution, and offline analysis of audit data. Then the filtering rules of the intelligent packet-filtering firewall system are formalised, and a knowledge base is established on top of a relational database. The model of the reasoning engine is then put forward, and its algorithm is designed and realised. After that, the necessity of introducing data mining into the offline analysis of audit data is discussed, and Apriori, one of the association-rule algorithms, is applied to the analysis of experimental data. The experimental results show that introducing data mining into the offline analysis of audit data can discover unknown types of network attack and provides valuable information for network security experts to extract characteristic attack patterns, so that the firewall's ability to defend against network attacks is enhanced. Finally, further research objectives are presented.
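As an added illustration of the offline audit-analysis layer described in both abstracts (not the thesis's own code or data), the following Python runs Apriori over a handful of constructed firewall audit records and derives association rules from the frequent itemsets; the attribute names, records and thresholds are assumptions, chosen so that one deny-pattern rule stands out.

```python
from itertools import combinations

# Constructed firewall audit records (not real data): each record is the set of
# discretised attribute=value items the offline-analysis layer would produce.
AUDIT = [
    {"proto=tcp", "dport=445", "flag=syn", "action=deny", "src=10.0.0.5"},
    {"proto=tcp", "dport=445", "flag=syn", "action=deny", "src=10.0.0.5"},
    {"proto=tcp", "dport=139", "flag=syn", "action=deny", "src=10.0.0.5"},
    {"proto=tcp", "dport=80", "flag=ack", "action=accept", "src=10.0.0.7"},
    {"proto=udp", "dport=53", "action=accept", "src=10.0.0.7"},
    {"proto=tcp", "dport=445", "flag=syn", "action=deny", "src=10.0.0.9"},
]

def apriori(records, min_support):
    """Return {frozenset(items): support} for every frequent itemset."""
    n = len(records)
    def support(items):
        return sum(1 for r in records if items <= r) / n
    # Level 1: single items that meet the support threshold.
    singles = {item for r in records for item in r}
    current = {frozenset([i]) for i in singles if support({i}) >= min_support}
    frequent = {s: support(s) for s in current}
    k = 2
    while current:
        # Join two frequent (k-1)-itemsets into a k-candidate, then prune any
        # candidate with an infrequent (k-1)-subset (the Apriori property).
        candidates = set()
        for a, b in combinations(current, 2):
            u = a | b
            if len(u) == k and all(frozenset(s) in current for s in combinations(u, k - 1)):
                candidates.add(u)
        current = {c for c in candidates if support(c) >= min_support}
        frequent.update({c: support(c) for c in current})
        k += 1
    return frequent

def rules(frequent, min_confidence):
    """Derive (lhs, rhs, support, confidence) rules from the frequent itemsets."""
    out = []
    for itemset, sup in frequent.items():
        for r in range(1, len(itemset)):
            for lhs in map(frozenset, combinations(itemset, r)):
                conf = sup / frequent[lhs]  # every subset of a frequent set is frequent
                if conf >= min_confidence:
                    out.append((lhs, itemset - lhs, sup, conf))
    return out

if __name__ == "__main__":
    for lhs, rhs, sup, conf in rules(apriori(AUDIT, 0.5), 0.8):
        print(sorted(lhs), "->", sorted(rhs), f"support={sup:.2f} confidence={conf:.2f}")
```

With these assumed thresholds the mined rule dport=445 -> action=deny has confidence 1.0, the kind of pattern an analyst would turn into a new filtering rule or attack signature; lower the support threshold to surface rarer combinations.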
