Application and Research of Packet Sniffing and Protocol Parsing Techniques in NIDS
Abstract
With deepening research into computer system weaknesses and the analysis of intrusion behavior, intrusion detection plays an increasingly important role in network security. At the same time, this field also faces many challenges, for example: how to improve the detection speed of intrusion detection systems to keep up with the demands of network communication; how to reduce false negatives and false positives of intrusion detection systems to improve their security and accuracy; and how to improve interoperability between intrusion detection systems, thereby improving the security performance of the system as a whole.
     This thesis studies and analyzes the background of intrusion detection systems, intrusion detection techniques and the protocol frameworks related to intrusion detection. In the design of a network intrusion detection system, the network sniffing component is the most fundamental part of the whole system. Network sniffing tools can effectively capture data on the network and thereby monitor it. As a preliminary study of intrusion detection systems, this thesis builds on packet sniffing technology and uses the interface provided by WINPCAP, an open-source, public network access system for the WINDOWS platform, to design and implement a network sniffer (a further reason for implementing on WINDOWS is that higher performance can be achieved on WINDOWS NT/XP systems). The application of protocol parsing technology in intrusion detection systems is discussed, and protocol parsing engines for multiple network protocols from the link layer to the transport layer are designed and implemented.
     In this network sniffer, by setting appropriate rules (for example, specifying the protocol type, port number, IP address, etc.), data flowing through specified IP addresses on the local area network can be recorded, providing a basis for users to analyze the network situation and discover intrusions.
With the comprehensive analysis of network vulnerabilities and intrusion behaviors, the network-based Intrusion Detection System (IDS) becomes more and more important in network security. In the meantime, this young field also meets many challenges today. These challenges include how to increase the detection speed to meet the requirement of increasing bandwidth, how to reduce false positives and false negatives to enhance the accuracy of detection, as well as how to realize interoperation among IDSs and other security products.
    This paper introduces the corresponding background knowledge and analyzes the protocol framework related to IDS. In the design of an NIDS, the sniffing component is very important; a sniffer can be used to log network traffic effectively. This paper takes advantage of WINPCAP to design a sniffer. The application of protocol analysis technology in IDS is also discussed in this paper. In this part, many protocols are analyzed (from the data link layer to the network layer).
    In this sniffer, you can log your LAN traffic through rule files, which describe the rules, such as protocol type, port number and IP address. With the help of this sniffer you can find valuable information.
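The abstract describes two pieces that sit behind any sniffer-based NIDS: a layered protocol parser (Ethernet, then IPv4 or ARP, then TCP or UDP) and a rule filter on protocol type, port and IP address. The following is an added example written for this page, not code from the thesis or from WINPCAP; it decodes hand-constructed frames instead of capturing live traffic, and every address, port and MAC in it is a made-up sample value. It also shows the failure mode a parsing engine must handle: a frame that is shorter than the headers it claims to carry is reported as malformed rather than read past its end.

```python
"""Layered packet decoding plus rule filtering, in the spirit of the sniffer described above.
Constructed frames only (no WinPcap / live capture); checksums are left as zero."""
import ipaddress
import struct

ETHERTYPE_IPV4, ETHERTYPE_ARP = 0x0800, 0x0806
IPPROTO_TCP, IPPROTO_UDP = 6, 17
TCP_SYN = 0x02


class DecodeError(ValueError):
    """Raised when a frame is shorter than the header it claims to carry."""


def _mac(b):
    return ":".join(f"{x:02x}" for x in b)


def parse_ethernet(frame):
    # Ethernet II framing: 6-byte destination, 6-byte source, 2-byte EtherType.
    if len(frame) < 14:
        raise DecodeError("truncated Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    return {"dst_mac": _mac(dst), "src_mac": _mac(src), "ethertype": ethertype, "payload": frame[14:]}


def parse_ipv4(data):
    if len(data) < 20:
        raise DecodeError("truncated IPv4 header")
    ver_ihl, _tos, total_len, _id, _ff, ttl, proto, _csum, src, dst = struct.unpack("!BBHHHBBH4s4s", data[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or len(data) < ihl:
        raise DecodeError("bad IPv4 version or IHL")
    end = min(max(total_len, ihl), len(data))  # never trust total_len beyond the bytes captured
    return {"src_ip": str(ipaddress.IPv4Address(src)), "dst_ip": str(ipaddress.IPv4Address(dst)),
            "proto": proto, "ttl": ttl, "payload": data[ihl:end]}


def parse_tcp(data):
    if len(data) < 20:
        raise DecodeError("truncated TCP header")
    sport, dport, seq, _ack, off, flags, _win, _csum, _urg = struct.unpack("!HHIIBBHHH", data[:20])
    doff = (off >> 4) * 4  # header length in bytes, options included
    if doff < 20 or len(data) < doff:
        raise DecodeError("bad TCP data offset")
    return {"src_port": sport, "dst_port": dport, "seq": seq, "flags": flags, "payload": data[doff:]}


def parse_udp(data):
    if len(data) < 8:
        raise DecodeError("truncated UDP header")
    sport, dport, length, _csum = struct.unpack("!HHHH", data[:8])
    return {"src_port": sport, "dst_port": dport, "payload": data[8:min(max(length, 8), len(data))]}


def decode(frame):
    """Walk link -> network -> transport; a malformed frame is reported, not silently dropped."""
    pkt = {"protocol": "other", "error": None}
    try:
        eth = parse_ethernet(frame)
        pkt.update({k: eth[k] for k in ("src_mac", "dst_mac", "ethertype")})
        if eth["ethertype"] == ETHERTYPE_ARP:
            pkt["protocol"] = "ARP"
        elif eth["ethertype"] == ETHERTYPE_IPV4:
            ip = parse_ipv4(eth["payload"])
            pkt.update({k: ip[k] for k in ("src_ip", "dst_ip", "ttl")}, protocol="IP")
            if ip["proto"] == IPPROTO_TCP:
                pkt.update(parse_tcp(ip["payload"]), protocol="TCP")
            elif ip["proto"] == IPPROTO_UDP:
                pkt.update(parse_udp(ip["payload"]), protocol="UDP")
    except DecodeError as e:
        pkt.update(protocol="malformed", error=str(e))
    return pkt


def match_rule(pkt, rule):
    """Rule keys: protocol, src_ip, dst_ip, any_ip, src_port, dst_port. All given keys must match."""
    if "any_ip" in rule and rule["any_ip"] not in (pkt.get("src_ip"), pkt.get("dst_ip")):
        return False
    return all(pkt.get(k) == v for k, v in rule.items() if k != "any_ip")


def filter_frames(frames, rule):
    return [p for p in map(decode, frames) if match_rule(p, rule)]


# --- constructed sample traffic (hypothetical addresses; checksums left zero) ---
def _eth(dst, src, ethertype, payload):
    return struct.pack("!6s6sH", bytes.fromhex(dst), bytes.fromhex(src), ethertype) + payload

def _ipv4(src, dst, proto, payload):
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 1, 0x4000, 64, proto, 0,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed) + payload

def _tcp(sport, dport, flags, payload=b""):
    return struct.pack("!HHIIBBHHH", sport, dport, 1000, 0, 5 << 4, flags, 8192, 0, 0) + payload

def _udp(sport, dport, payload):
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload

SAMPLE_FRAMES = [
    _eth("001122334455", "66778899aabb", ETHERTYPE_IPV4,
         _ipv4("192.168.1.10", "10.0.0.5", IPPROTO_TCP, _tcp(40000, 80, TCP_SYN))),
    _eth("001122334455", "66778899aabb", ETHERTYPE_IPV4,
         _ipv4("192.168.1.10", "192.168.1.1", IPPROTO_UDP, _udp(53000, 53, b"\x12\x34" + b"\x00" * 10))),
    _eth("ffffffffffff", "66778899aabb", ETHERTYPE_ARP, b"\x00\x01\x08\x00\x06\x04\x00\x01" + b"\x00" * 20),
]
TRUNCATED_FRAME = SAMPLE_FRAMES[0][:30]  # Ethernet header plus only 16 bytes of IPv4

if __name__ == "__main__":
    for p in filter_frames(SAMPLE_FRAMES, {"protocol": "TCP", "dst_port": 80}):
        print(p["src_ip"], p["src_port"], "->", p["dst_ip"], p["dst_port"], "flags", hex(p["flags"]))
    print(decode(TRUNCATED_FRAME))
```

A rule such as `{"any_ip": "192.168.1.10"}` corresponds to the abstract's "record data flowing through a specified IP address", while `{"protocol": "TCP", "dst_port": 80}` combines protocol type and port. Each layer validates its own length fields against the bytes actually present before slicing, which is what keeps a sniffer-based sensor from being crashed or confused by short or inconsistent headers.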