Research on Wireless LAN Intrusion Detection Systems
Abstract
With the development of communication technology, and in particular of wireless communication technologies such as Bluetooth and infrared, networks are no longer confined to wired architectures. Wireless networks are powerful, easy to install, flexible to deploy, plug-and-play and highly scalable, and so support applications free of the constraints of wiring. The wireless network security problems that come with them, however, are growing ever more serious. Because a wireless access point is open to every user within its coverage, an unauthorized user can easily reach all kinds of resources on the wireless network, and such a user may well be a malicious intruder. Encryption and authentication are the main means of addressing the existing security problems, but as systems grow more complex and intrusion techniques mature, protection alone is far from enough. In particular, design and programming errors and various latent vulnerabilities in today's systems make insider intrusion even harder to guard against. Under these circumstances, intrusion detection has gradually become a focus of wireless network security research.
This thesis first surveys the state of WLAN intrusion detection research at home and abroad and sets out the basic concepts, protocol standards, security mechanisms and security technologies of WLANs. Building on a close study of intrusion detection theory, technology and methods, it analyses WLAN intrusion behaviour and the typical techniques of intrusion detection, designs a WLAN intrusion detection system model (WIDS), gives the logical structure of that model and describes in detail the function of each module in it and the technology used to implement it. It then studies the composition and characteristics of intrusion rules, introduces the rules of this system model in detail and gives rule descriptions for typical attacks; after that it studies the intrusion event description language used in the WLAN intrusion detection system and discusses how the language is used to build rules and how those rules describe events.
The thesis mainly analyses how wireless LAN intrusion detection rules work and, drawing on existing rules, collects a set of intrusion detection rules for wireless LANs. So that rules can be matched and adjusted dynamically, the structure of the wireless LAN intrusion detection rule is improved: in the rule-parsing function, each rule option is given an "index" (a pointer to that option's node) and linked to the rule header, forming an "option index linked list". This structure adjusts the rule options dynamically and can speed up matching of subsequent attack methods. The thesis also describes in detail the design of each component module of the WIDS, gives the source code of the main programs, studies the performance of the overall architecture and explains its strengths and weaknesses. Finally, testing shows that the system works effectively: the intrusion detection system designed here detects malicious attacks well.
In summary, the thesis implements an intrusion event description language and discusses how to use it to build rules and how rules describe an event. Since rules are written in the intrusion event description language, parsing a rule amounts to parsing that language. The intrusion description language can be thought of as C, the rules as source code written in C, and parsing the rules as compiling that C source. In addition, the WIDS designed here follows the overall design model of a network-based intrusion detection system: packets are first captured, the captured packets are then analysed and matched against multiple intrusion rules set up for the signatures of intrusions, so that attacks can be detected. Experiments finally show that this system model can improve detection accuracy and efficiency.
With the development of communication technology, especially wireless technology such as Bluetooth and infrared, wireless LANs have rapidly appeared in environments ranging from offices to enterprise networks because of their characteristics: powerful, easily installed, conveniently structured, plug and play, and well extensible. The security problems of WLANs, however, have become serious, and many traditional countermeasures are ineffective in dealing with them. A wireless access point may be open to every user within its range, so intruders as well as authorized users can easily enter the wireless network and access its various resources.
When an intrusion takes place, intrusion prevention techniques such as encryption and authentication are usually the first line of defense. Prevention alone is not sufficient: systems become ever more complex while security is still often an afterthought, and there are always exploitable weaknesses in the systems due to design and programming errors or various penetration techniques. This is why intrusion detection has become a hot topic.
This dissertation gives an overview of the status of WLAN intrusion detection technology throughout the world, and introduces the basic concepts, protocols, security techniques, security mechanisms and problems of the WLAN. Based on research into intrusion detection theory, technology and methods, a close study is made of WLAN intrusion detection technology. The architecture of the WIDS (WLAN Intrusion Detection System) is presented. The thesis elaborates the components and their functions in the WIDS, presents the corresponding technology and introduces the topology of the WIDS in the WLAN. Then the rules and the rule database of this system are introduced in detail, and the structure and characteristics of intrusion rules and the rules for typical attacks are described. Furthermore, the intrusion event description language of the WLAN intrusion detection system is thoroughly researched, and the thesis discusses how to use the description language to create the rules that describe events.
In this thesis, the principles of the intrusion detection rules for WLANs are analyzed, and, building on existing rules, part of the IDS rule set is summarized. To match rules dynamically, this thesis also puts forward a new structure for IDS rules, an option index chain: an "index" is added for each rule option in the rule resolution function and connected to the rule header. Because the options are adjusted dynamically, this structure can raise the detection speed for succeeding attack methods. What is more, this thesis elaborates the components, structure and characteristics of the WIDS and implements some specific functions. The overall performance of the design and its merits and demerits are also analyzed. Finally, the validity of the WIDS is proved through experimental testing. The system does well in detecting rogue attacks; its advantage is that it improves efficiency and accuracy.
In a word, an intrusion event description language is implemented in this thesis, and how to use the description language to create the rules that describe events is discussed clearly. Since the rules are created in the intrusion events description language, the resolution of rules is equivalent to the resolution of the intrusion events description language, so a rule, like C source code, can be compiled. In addition, the design model of the Wireless Intrusion Detection System introduced in this thesis is based on the model of a network intrusion detection system. It first makes use of the packets captured from the network, then processes the corresponding packets against the rule information according to the attributes of the intrusion and matches them, so as to detect the attacks. At last, experiments prove that this model can be more efficient and accurate.
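The rule header with its option index chain and the capture-then-match loop described in both abstracts above, as an added illustration that is not the thesis's own code: each rule option is a node reachable from the header, and the option that most often rules a frame out is moved to the front (my reading of "adjusting the options dynamically", an assumption). The rule, the trusted BSSID list and the decoded frames are all constructed.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

@dataclass
class OptionNode:
    """One rule option; the header's option index chain points at these nodes."""
    name: str
    test: Callable[[dict], bool]
    rejects: int = 0  # how often this option was the one that ruled a frame out

@dataclass
class Rule:
    sid: int
    msg: str
    header: Dict[str, str]  # rule header: frame type / addressing fields
    chain: List[OptionNode] = field(default_factory=list)  # option index chain

    def match(self, frame: dict) -> bool:
        # Header first: "any" matches everything, otherwise the field must be equal.
        if any(w != "any" and frame.get(k) != w for k, w in self.header.items()):
            return False
        for opt in self.chain:  # then every option in the chain must hold
            if not opt.test(frame):
                opt.rejects += 1
                # Dynamic adjustment (assumption): keep the most-rejecting option
                # nearest the header so later frames are ruled out with fewer tests.
                self.chain.sort(key=lambda o: o.rejects, reverse=True)
                return False
        return True

TRUSTED_BSSIDS = {"00:11:22:33:44:55"}  # constructed: the site's own APs

def build_rules() -> List[Rule]:
    # Constructed rule: a deauthentication frame whose BSSID is not a known AP.
    return [Rule(1001, "Deauthentication from untrusted BSSID", {"type": "mgmt"}, [
        OptionNode("subtype_is_deauth", lambda f: f.get("subtype") == "deauth"),
        OptionNode("bssid_untrusted", lambda f: f.get("bssid") not in TRUSTED_BSSIDS)])]

def detect(rules: List[Rule], frames: List[dict]) -> List[Tuple[int, int, str]]:
    """Capture-then-analyse loop of the WIDS: returns (frame index, sid, msg) alerts."""
    return [(i, r.sid, r.msg) for i, f in enumerate(frames) for r in rules if r.match(f)]

# Constructed decoded frames: trusted beacon, two trusted deauths, a data frame,
# and finally a deauthentication sent under an unknown BSSID.
FRAMES = [
    {"type": "mgmt", "subtype": "beacon", "bssid": "00:11:22:33:44:55"},
    {"type": "mgmt", "subtype": "deauth", "bssid": "00:11:22:33:44:55"},
    {"type": "mgmt", "subtype": "deauth", "bssid": "00:11:22:33:44:55"},
    {"type": "data", "subtype": "data", "bssid": "aa:bb:cc:dd:ee:ff"},
    {"type": "mgmt", "subtype": "deauth", "bssid": "aa:bb:cc:dd:ee:ff"},
]
```

After the two trusted deauthentication frames the `bssid_untrusted` node has rejected more frames than `subtype_is_deauth` and is sorted to the head of the chain, so the frames that follow are discarded after a single option test.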
