Research on and Improvement of Signature-Based Intrusion Detection Systems
Abstract
The openness of the TCP/IP protocol suite has quickly made the Internet the largest computer network in the world; however, the many security problems that this same openness brings are attracting growing attention. As the Internet spreads and the business applications running on it grow richer, network security now directly affects the Internet's prospects for development.
People have developed a range of security measures, such as information encryption, access control and firewalls, each strengthening network security from a different side. Intrusion detection is another important means of strengthening network security, and signature-based intrusion detection systems are currently the mainstream of intrusion detection systems.
This thesis starts from a study of traditional computer security models and the common intrusion detection model, analyzes and summarizes the main current intrusion detection techniques together with their technical advantages and disadvantages, and focuses on the techniques of signature-based detection. On improving the efficiency and accuracy of signature detection, the thesis does the following work:
1. Based on an analysis of the Boyer-Moore algorithm and the Aho-Corasick algorithm, an improved pattern-matching algorithm that combines the two is proposed to raise matching efficiency. The improved algorithm is analyzed theoretically and, after implementation, its performance is compared experimentally.
2. To improve the accuracy of intrusion detection, the thesis analyzes the network "insertion" attacks, "evasion" attacks and extended-encoding problems that intrusion detection systems face, and proposes an extension method that improves the IDS's own adaptability together with a network traffic normalization method.
The openness of the TCP/IP protocol suite has made the Internet the largest computer network in the world. However, that openness brings increasingly serious security problems. As the Internet becomes widely used in daily life, and especially in business, security problems will directly affect its future development.
Many network security technologies, such as firewalls, access control and data encryption, have been developed and adopted. Intrusion detection is another important network security technology, and the signature-based intrusion detection system is the most popular kind at present.
This paper first studies the traditional computer security model and the Common Intrusion Detection Model, then analyzes and summarizes the main intrusion detection methods and their features. Signature-based intrusion detection is analyzed with emphasis, and the goal of the paper is to discuss how to improve the efficiency and accuracy of signature-based intrusion detection. The main points of the paper are:
1. A signature-based intrusion detection system relies on advanced pattern-matching algorithms. After describing two existing algorithms (the Boyer-Moore algorithm and the Aho-Corasick algorithm), the paper describes a newly developed algorithm for matching sets of strings that integrates useful concepts from both. The modified algorithm is implemented and compared experimentally with the standard Boyer-Moore algorithm.
2. A skilled attacker can evade detection by exploiting ambiguities in the traffic stream as seen by the network intrusion detection system. This paper proposes a new method to improve the NIDS's ability to "know" more detailed information about the end systems: a "normalizer" can be added to eliminate potential ambiguities before the traffic is seen by the IDS.
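As an added illustration of both points above (not code from the thesis, whose algorithm the abstract does not detail), the Python below pairs a multi-pattern matcher in the set-wise Boyer-Moore style (a trie over the reversed signature set, as in Aho-Corasick, scanned with one Boyer-Moore-Horspool bad-character table shared by all signatures) with a small normalizer that undoes percent-encoding before matching. The signatures, payloads and decoding depth are constructed assumptions.

```python
from urllib.parse import unquote_to_bytes

class SetwiseBM:
    """Trie over the reversed signatures (Aho-Corasick's keyword tree without
    failure links), scanned right-to-left from each window end, with one
    Boyer-Moore-Horspool bad-character table shared by the whole set."""

    def __init__(self, patterns):
        self.m = min(len(p) for p in patterns)   # shortest signature = window size
        self.trie = {}
        for p in patterns:
            node = self.trie
            for b in reversed(p):
                node = node.setdefault(b, {})
            node[None] = p                       # terminal marker stores the signature
        # Shift for the byte under the window's right edge: the smallest safe
        # skip over the last m bytes (minus the final byte) of every signature.
        self.shift = [self.m] * 256
        for p in patterns:
            for i, b in enumerate(p[-self.m:-1]):
                self.shift[b] = min(self.shift[b], self.m - 1 - i)

    def search(self, text):
        """Return (start, signature) for every occurrence in the byte string."""
        hits, end = [], self.m - 1
        while end < len(text):
            node, pos = self.trie, end
            while pos >= 0 and text[pos] in node:   # compare right-to-left
                node = node[text[pos]]
                if None in node:
                    hits.append((pos, node[None]))
                pos -= 1
            end += self.shift[text[end]]             # never skips a match
        return hits

def normalize(payload, passes=1):
    """Undo percent-encoding `passes` times so "%2e%2e/" matches like "../".
    The depth is an assumption: it must mirror how the protected end system
    decodes, otherwise the IDS and the host still disagree."""
    for _ in range(passes):
        payload = unquote_to_bytes(payload)
    return payload

# Constructed sample signatures; a real rule set is far larger.
SIGNATURES = [b"../", b"/etc/passwd", b"cmd.exe"]

def scan(payload, matcher, passes=1):
    """Signatures present in the normalized payload, de-duplicated and sorted."""
    return sorted({sig for _, sig in matcher.search(normalize(payload, passes))})
```

With two decoding passes a double-encoded traversal is reported, while a single pass reports only the file-path signature, which is exactly the IDS/end-system disagreement the second point addresses.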