层次化的分布式入侵检测系统研究
|
摘要
网络安全是动态的、整体的,而传统的安全防护模型是静态的、孤立的和被动的。防火墙、入侵检测等各种安全检测手段都有各自的缺陷,并且在防御网络入侵方面没有形成联动,这些安全手段都不能及时有效地保障整个网络系统的安全。因此本文设计了一个网络安全模型——层次化的分布式入侵检测系统,在各部分展开了较为细致的探讨,并给出了具体的实现方法。
论文首先分析了分布式入侵检测系统,对分布式入侵检测系统的优势和不足进行梳理,指出层次化的分布式入侵检测是网络入侵检测研究的重要方向。然后在第三章给出了层次化分布式入侵检测系统体系结构。其次,分别从防火墙与入侵检测模块的联动技术及其实现、模式匹配算法的优化以及基于网络的对等型分布式入侵检测系统设计三个方面对网络防御的三个层次:网络边界、网络内部主机和内部子网进行了深入的研究。为了测试系统的可行性和有效性,论文基于Linux环境,利用Snort软件搭建了分布式入侵检测系统测试平台,给出了防火墙、IDS主机和服务器等的相关配置方案,进行了模拟攻击检测实验,并对检测结果进行了分析。
本文通过对网络入侵防御关键部位的研究,构建了一个层次化的分布式入侵检测系统,该系统使得防火墙规则集在系统中能够得到自动动态更新,基于主机的入侵检测效率得到改善,传统入侵检测系统单点失效和效率瓶颈问题得到优化。经过实验证明,该系统可以提高网络入侵检测效率,为企业网络入侵检测系统的改进提供了一种可行性方案。
Network security is a dynamic and holistic system, but traditional security model is a static and isolated one. Firewall, intrusion detection, virus protection and other security tools have their own defects. Moreover, linkage formation is lacking in Network Intrusion Defense. That means these security tools can not be a timely and effective manner to protect the security of the host. Therefore this paper designs a network security model-Hierarchical Distributed Intrusion Detection System, In the ministries started a more detailed discussion, and gives a specific method.
First of all, this paper analyses the Distributed Intrusion Detection System, and sorts out its advantages and disadvantages. Meanwhile, paper also points out that the Hierarchical Distributed Intrusion Detection is an important trend of the Network Intrusion Detection research. And then, in the third chapter, this paper illustrates the structure of the Hierarchical Distributed Intrusion Detection System. Second, paper analyses the three levels of network defense thoroughly, that is Firewall and Intrusion Detection Module linkage technology and its implementation, the internal hosts and the internal subnet. and this analysis is based on the realization of dynamic firewall technology, the optimized pattern matching algorithms, as well as peer-to-peer network-based design for Distributed Intrusion Detection System. In order to test the feasibility and effectiveness of paper-based Linux environment, the use of Snort intrusion detection system software to build a distributed test platform, given a firewall, IDS, etc. related to the host and server configuration, carried out mock attack detection experiment, the test results are analyzed.
Based on the key parts of the network intrusion prevention research, Construction of a Hierarchical Distributed Intrusion Detection System, The system allows the firewall rule set in the system can be dynamically updated automatically; the efficiency of host-based intrusion detection is improved; the single point failure and the efficiency bottleneck of traditional intrusion detection system has been optimized accordingly. After experimental verification shows that the system can improve Intrusion Detection System effective for enterprises to improve network intrusion detection system provides a feasibility plan.
论文首先分析了分布式入侵检测系统,对分布式入侵检测系统的优势和不足进行梳理,指出层次化的分布式入侵检测是网络入侵检测研究的重要方向。然后在第三章给出了层次化分布式入侵检测系统体系结构。其次,分别从防火墙与入侵检测模块的联动技术及其实现、模式匹配算法的优化以及基于网络的对等型分布式入侵检测系统设计三个方面对网络防御的三个层次:网络边界、网络内部主机和内部子网进行了深入的研究。为了测试系统的可行性和有效性,论文基于Linux环境,利用Snort软件搭建了分布式入侵检测系统测试平台,给出了防火墙、IDS主机和服务器等的相关配置方案,进行了模拟攻击检测实验,并对检测结果进行了分析。
本文通过对网络入侵防御关键部位的研究,构建了一个层次化的分布式入侵检测系统,该系统使得防火墙规则集在系统中能够得到自动动态更新,基于主机的入侵检测效率得到改善,传统入侵检测系统单点失效和效率瓶颈问题得到优化。经过实验证明,该系统可以提高网络入侵检测效率,为企业网络入侵检测系统的改进提供了一种可行性方案。
Network security is a dynamic and holistic system, but traditional security model is a static and isolated one. Firewall, intrusion detection, virus protection and other security tools have their own defects. Moreover, linkage formation is lacking in Network Intrusion Defense. That means these security tools can not be a timely and effective manner to protect the security of the host. Therefore this paper designs a network security model-Hierarchical Distributed Intrusion Detection System, In the ministries started a more detailed discussion, and gives a specific method.
First of all, this paper analyses the Distributed Intrusion Detection System, and sorts out its advantages and disadvantages. Meanwhile, paper also points out that the Hierarchical Distributed Intrusion Detection is an important trend of the Network Intrusion Detection research. And then, in the third chapter, this paper illustrates the structure of the Hierarchical Distributed Intrusion Detection System. Second, paper analyses the three levels of network defense thoroughly, that is Firewall and Intrusion Detection Module linkage technology and its implementation, the internal hosts and the internal subnet. and this analysis is based on the realization of dynamic firewall technology, the optimized pattern matching algorithms, as well as peer-to-peer network-based design for Distributed Intrusion Detection System. In order to test the feasibility and effectiveness of paper-based Linux environment, the use of Snort intrusion detection system software to build a distributed test platform, given a firewall, IDS, etc. related to the host and server configuration, carried out mock attack detection experiment, the test results are analyzed.
Based on the key parts of the network intrusion prevention research, Construction of a Hierarchical Distributed Intrusion Detection System, The system allows the firewall rule set in the system can be dynamically updated automatically; the efficiency of host-based intrusion detection is improved; the single point failure and the efficiency bottleneck of traditional intrusion detection system has been optimized accordingly. After experimental verification shows that the system can improve Intrusion Detection System effective for enterprises to improve network intrusion detection system provides a feasibility plan.
引文
[1]http://www.cert.org/work/secure_systems.html
[2]唐正军,李建华.入侵检测技术.2004年第1版.北京:清华大学出版社.2006.9.6-7.
[3]尹红.网络攻击与防御技术研究.计算机安全.2007.8.48-49.
[4]唐正军,李建华.入侵检测技术.2004年第1版.北京:清华大学出版社.2006.9.134-147.
[5]Andrew S. Tanenbaum/Maarten van Steen(著).杨剑峰,常晓波,李敏(译).分布式系统原理与范型.2004年9月第1版.北京:清华大学出版社.2006.8.1-43,384-444.
[6]Jiawei Han/Micheline Kamben(著).范明,孟小峰(译).数据控掘概念与技术.2007年3月第1版.北京:机械工业出版社.2007.3.1-34.
[7]Willian H.Inmon(著).王志海(译).数据仓库.2006年8月第1版.北京:机械工业出版社.2006.8.35-67.
[8]刘宝旭.黑客入侵的主动防御.2007年11月第1版.北京:电子工业出版社.2007.11.94-104.
[9]刘听,吴秋峰,袁萌.DDoS(分布式拒绝服务)研究与探讨.计算机工程与应用.2000(5).131-133.
[10]张小强.几类高效入侵检测技术研究.西安交通大学博士学位论文.2006.5.80-88.
[11]曾志锋.基于代理的分布式入侵检测系统研究与设计.航空计算技术.2006.5.第36卷第3期.60-64.
[12]查婷民.多用户并发控制防火墙和IDS联动实验系统的设计和实现.上海交通大学硕士学位论文.2008.1.3-5.
[13]李声.防火墙与入侵检测系统联动技术的研究与实现.南京航空航天大学硕士学位论文.2007.1.6-9.
[14]金舒,刘凤玉.基于动态防火墙SecuRouter的网络安全框架.微计算机信息.2006第22卷第4-3期.66-68.
[15]胡文,黄皓.自动入侵响应技术研究.计算机工程.2005,31(18).143-145.
[16]World Wide Web Consortium, "Extensible Markup Language(XML)1.0", W3CXML,February 1998,http://www. w3c.org/TR/1998/RFC-xml-19980212.
[17]Rescorla E,崔凯译,SSL与TLS Designing and Building Secure Systems,北京:中国电力出版社,2002.
[18]A Pattern Matching Model for Misuse Intrusion Detection[A]. Sandeep Kumar, Eugene Spafford. In Proceedings of the 17th National Computer Security Conference[C],1995,11-21.
[19]杨武,方滨兴,云晓春,等.入侵检测系统中高效模式匹配算法的研究.计算机工程,2004,30(13).92-94.
[20]黄金莲.网络入侵检测系统中模式匹配算法的研究.华北电力大学硕士学位论文.2005.12.17-18.
[21]黄金莲.网络入侵检测系统中模式匹配算法的研究.华北电力大学硕士学位论文.2005.12.14-17.
[22]李志清.基于模式匹配和协议分析的入侵检测系统研究.广东工业大学硕士学位论文.2007.4.20-26.
[23]Aho, A. V, M. J. Corasick. Efficient string matching[J]. An aid to bibliographic search Communications of ACM,1975,18 (6).333-340.
[24]邓琦皓.分布式主动协同入侵检测系统研究与实践.中国人民解放军信息工程大学硕士学位论文.2005.4.P68-69.
[25]Fan Jang-Jong, Su Keh-Yih. An Efficient Algorithm for Matching Multiple Patterns[J]. IEEE Transaction on Knowledge and Data Engineering,1993,5 (2).339-351.
[26]MIT Lincoln Laboratory.1999DARRA Intrusion Detection Evaluation Data Sets. http://www.ll.mit.edu/IST/,1999.
[27]金舒,刘凤玉,许满武.基于P2P模型的网络入侵检测系统PeerIDS.计算机工程与应用.2006.5.114-119.
[28]曾志锋.基于代理的分布式入侵检测系统研究与设计.航空计算技术.2006年5月第36卷第3期.60-64.
[29]Kruegel C,Valeur F, Vigna G, Kemmerer R.Stateful intrusion detection forhigh-speednetworks.SecurityandPrivacy.2002.Proceedings.2002IEEE Symposium.on.2002.266-274
[30]Den Burger,M.Kielmann etc.,Balanced Multicasting:High-throughput Communication for Grid Applicttions,Supercomputing,Priceedings of the ACM/IEEC SC 2005 Conference.The Netherland.2005.
[31]Zhi Xiong,Puliu Yan,Juntao Wang,A Self-Adjusting Size-Based Load Balance Policy for Web Server Cluster,Computer and Information Technology,Proceedings of the The Fifth Intermational Conference.2005.9.368-374.
[32]吴湘宁,胡成玉,汪渊等.P2P计算机网格路由和负载均衡算法.计算机工 程与应用.2007.43.(32).105-107,240.
[33]赵晓锋,刘利军,怀进鹏.网络入侵检测系统中动态负载平衡策略的设计.计算机工程与应用.2003(24).146-250.
[34]PACSON V.Bro,A System for Detecting Network Intruders in Real-Time[J],Comouter Network.1999.31(10).2435-2463.
[35]张峰.分布式高速网络入侵检测系统研究与实现.汕头大学硕士学位论文.2007.20-27.
[36]李洋,汪虎松等,Red Hat Linuxg系统与网络管理教程,2006年3月第1版,北京:电子工业出版社,2007.4.218-283,315-373.
[37]JackKozioli(著)吴溥峰孙默等(译),Snort入侵检测实用解决方案,2005年第1版,北京:机械工业出版社,2005.7.20-149,200-221.
[38]宋劲松.网络入侵检测----分析、发现和报告攻击,2004年9月第1版,北京:国防工业出版社,2004.9. 41-228.
[39]VineentJ.NestlerWm,ArthurConklin/GregoryB.WhiteMatthewP.Hirseh:著)汪青清(译),计算机安全实验手册,2006年12月第1版,北京:清华大学出版社,2006.12.108-212,330-359.
[2]唐正军,李建华.入侵检测技术.2004年第1版.北京:清华大学出版社.2006.9.6-7.
[3]尹红.网络攻击与防御技术研究.计算机安全.2007.8.48-49.
[4]唐正军,李建华.入侵检测技术.2004年第1版.北京:清华大学出版社.2006.9.134-147.
[5]Andrew S. Tanenbaum/Maarten van Steen(著).杨剑峰,常晓波,李敏(译).分布式系统原理与范型.2004年9月第1版.北京:清华大学出版社.2006.8.1-43,384-444.
[6]Jiawei Han/Micheline Kamben(著).范明,孟小峰(译).数据控掘概念与技术.2007年3月第1版.北京:机械工业出版社.2007.3.1-34.
[7]Willian H.Inmon(著).王志海(译).数据仓库.2006年8月第1版.北京:机械工业出版社.2006.8.35-67.
[8]刘宝旭.黑客入侵的主动防御.2007年11月第1版.北京:电子工业出版社.2007.11.94-104.
[9]刘听,吴秋峰,袁萌.DDoS(分布式拒绝服务)研究与探讨.计算机工程与应用.2000(5).131-133.
[10]张小强.几类高效入侵检测技术研究.西安交通大学博士学位论文.2006.5.80-88.
[11]曾志锋.基于代理的分布式入侵检测系统研究与设计.航空计算技术.2006.5.第36卷第3期.60-64.
[12]查婷民.多用户并发控制防火墙和IDS联动实验系统的设计和实现.上海交通大学硕士学位论文.2008.1.3-5.
[13]李声.防火墙与入侵检测系统联动技术的研究与实现.南京航空航天大学硕士学位论文.2007.1.6-9.
[14]金舒,刘凤玉.基于动态防火墙SecuRouter的网络安全框架.微计算机信息.2006第22卷第4-3期.66-68.
[15]胡文,黄皓.自动入侵响应技术研究.计算机工程.2005,31(18).143-145.
[16]World Wide Web Consortium, "Extensible Markup Language(XML)1.0", W3CXML,February 1998,http://www. w3c.org/TR/1998/RFC-xml-19980212.
[17]Rescorla E,崔凯译,SSL与TLS Designing and Building Secure Systems,北京:中国电力出版社,2002.
[18]A Pattern Matching Model for Misuse Intrusion Detection[A]. Sandeep Kumar, Eugene Spafford. In Proceedings of the 17th National Computer Security Conference[C],1995,11-21.
[19]杨武,方滨兴,云晓春,等.入侵检测系统中高效模式匹配算法的研究.计算机工程,2004,30(13).92-94.
[20]黄金莲.网络入侵检测系统中模式匹配算法的研究.华北电力大学硕士学位论文.2005.12.17-18.
[21]黄金莲.网络入侵检测系统中模式匹配算法的研究.华北电力大学硕士学位论文.2005.12.14-17.
[22]李志清.基于模式匹配和协议分析的入侵检测系统研究.广东工业大学硕士学位论文.2007.4.20-26.
[23]Aho, A. V, M. J. Corasick. Efficient string matching[J]. An aid to bibliographic search Communications of ACM,1975,18 (6).333-340.
[24]邓琦皓.分布式主动协同入侵检测系统研究与实践.中国人民解放军信息工程大学硕士学位论文.2005.4.P68-69.
[25]Fan Jang-Jong, Su Keh-Yih. An Efficient Algorithm for Matching Multiple Patterns[J]. IEEE Transaction on Knowledge and Data Engineering,1993,5 (2).339-351.
[26]MIT Lincoln Laboratory.1999DARRA Intrusion Detection Evaluation Data Sets. http://www.ll.mit.edu/IST/,1999.
[27]金舒,刘凤玉,许满武.基于P2P模型的网络入侵检测系统PeerIDS.计算机工程与应用.2006.5.114-119.
[28]曾志锋.基于代理的分布式入侵检测系统研究与设计.航空计算技术.2006年5月第36卷第3期.60-64.
[29]Kruegel C,Valeur F, Vigna G, Kemmerer R.Stateful intrusion detection forhigh-speednetworks.SecurityandPrivacy.2002.Proceedings.2002IEEE Symposium.on.2002.266-274
[30]Den Burger,M.Kielmann etc.,Balanced Multicasting:High-throughput Communication for Grid Applicttions,Supercomputing,Priceedings of the ACM/IEEC SC 2005 Conference.The Netherland.2005.
[31]Zhi Xiong,Puliu Yan,Juntao Wang,A Self-Adjusting Size-Based Load Balance Policy for Web Server Cluster,Computer and Information Technology,Proceedings of the The Fifth Intermational Conference.2005.9.368-374.
[32]吴湘宁,胡成玉,汪渊等.P2P计算机网格路由和负载均衡算法.计算机工 程与应用.2007.43.(32).105-107,240.
[33]赵晓锋,刘利军,怀进鹏.网络入侵检测系统中动态负载平衡策略的设计.计算机工程与应用.2003(24).146-250.
[34]PACSON V.Bro,A System for Detecting Network Intruders in Real-Time[J],Comouter Network.1999.31(10).2435-2463.
[35]张峰.分布式高速网络入侵检测系统研究与实现.汕头大学硕士学位论文.2007.20-27.
[36]李洋,汪虎松等,Red Hat Linuxg系统与网络管理教程,2006年3月第1版,北京:电子工业出版社,2007.4.218-283,315-373.
[37]JackKozioli(著)吴溥峰孙默等(译),Snort入侵检测实用解决方案,2005年第1版,北京:机械工业出版社,2005.7.20-149,200-221.
[38]宋劲松.网络入侵检测----分析、发现和报告攻击,2004年9月第1版,北京:国防工业出版社,2004.9. 41-228.
[39]VineentJ.NestlerWm,ArthurConklin/GregoryB.WhiteMatthewP.Hirseh:著)汪青清(译),计算机安全实验手册,2006年12月第1版,北京:清华大学出版社,2006.12.108-212,330-359.