Research on an Intrusion Detection System Based on an Improved BMH Algorithm
Abstract
Intrusion detection (ID) is a network security technology that actively protects a system against attack; it is the next generation of security safeguard after traditional protective measures such as firewalls and data encryption. As a sensible complement to the firewall, intrusion detection helps a system cope with network attacks, extends the system administrator's security management capabilities (including security audit monitoring, attack identification and response), and improves the integrity of the information security infrastructure.

This thesis proposes a component-based intrusion detection system with good distribution performance and scalability. It integrates network-based and host-based intrusion detection into a single system, providing integrated detection, reporting and response.

In the implementation of the network engine, protocol analysis is combined with pattern matching, which effectively narrows the range of targets to be matched and increases detection speed. The pattern-matching algorithm is also improved, so that the network engine can locate intrusion signatures more quickly and with better real-time performance. The network interface detection function in the host agent effectively addresses the fatal weakness that intrusion detection systems cannot otherwise monitor traffic in future switched networks.