基于无线局域网的入侵检测系统研究与设计
|
摘要
入侵检测系统(Intrusion Detection System)是一种主动保护自己免受攻击的网络安全技术。作为防火墙的合理补充,入侵检测技术能够帮助系统对付网络攻击,扩展了系统管理员的安全管理能力,提高了信息安全基础结构的完整性。
本文在深入分析了无线局域网技术以及入侵检测技术的基础上,针对无线局域网络的特点并采用插件设计思想,提出了一个从数据链路层到应用层进行全面检测的无线入侵检测系统模型,并给出了该系统的框架和系统主要的流程步骤,并对其中的关键模块进行了详细设计与编码实现。本系统由检测代理和控制中心组成,检测代理包括包捕获模块、预处理模块、协议解码模块、协议分析模块、规则解析模块等。检测代理可以独立运行,也可以协同工作,相互交换信息,并由控制中心进行统一管理。包捕获模块负责监听、捕获网络中的原始数据包,并按照过滤要求进行数据包过滤;协议解码模块对原始数据包按照协议树结构进行协议解码,以便于预处理模块和检测分析模块进行入侵分析;预处理模块对得到的数据包进行预处理,一方面可以发现针对数据链路层的入侵信息,另一方面为检测分析模块做最后的准备;规则解析模块则是分析规则文件内容,把规则加载到内存中形成规则链;检测分析模块对预处理模块提交的数据,运用改进的BM算法和规则库中的规则进行比较分析,从而判断出是否有入侵行为。
实验表明,本系统能够稳定的工作在网络环境下,并且能够快速地检测出针对无线网络的入侵行为。本系统需要不断更新规则库才能检测新的攻击,对于在规则库中没有的新的攻击行为不能检测。
Intrusion Detection System is a network security technology which protects computers from attacking pro-actively. As a reasonable complementarity to firewall, intrusion detection system technology can help computers’operating systems deal with network attacks, so, it expands the system administrator's security managing capabilities and enhances the integrity of the infrastructure about the information security.
Based on the in-depth analysis of wireless LAN technology and intrusion detection technology, on the basis of the wireless LAN features and interpolation design ideas, a wireless Intrusion Detection System Mode which test comprehensive from data link layer to the application layer is proposed in this paper, we give the framework and the primary processing steps, and we give the detailed design and the implementation of the key modules. The system consists of detection agents and the control center. Detection agents include package capturing module, pre-processing module, protocol decoding module, protocol analyzing module, rules analyzing module, and so on. Detection agents can operate independently, as well as work together, exchanging information, which is controlled by the unified management control centre. Package capturing module is responsible for the monitoring, capturing the raw data package from the network, and filtering the data packages in accordance with the requirements. Protocol decoding module is responsible for decoding of the original data package based on protocol tree, helping pre-processing module and analyzing module conducting the invasion. Pre-processing module does the pretreatment of the data packages, on one hand, the invasion information of the data link layer can be found, on the other hand, support the detection analyzing module for the final preparation. Rules analyzing module analyzes the content of the rules, and set rules to memory to format the chain. Analyzing module submits the data to pre-processing module, using the rules of the BM algorithm and the rules in the ruse base to analyze comparatively, to determine whether there are some attacks or intrusions.
Experiments show that, the system can work in the network environment stability, and can quickly detect wireless network intrusions. The system needs to update the rules base to detect new attacks, but the new attacks not in the rules can not be detected.
本文在深入分析了无线局域网技术以及入侵检测技术的基础上,针对无线局域网络的特点并采用插件设计思想,提出了一个从数据链路层到应用层进行全面检测的无线入侵检测系统模型,并给出了该系统的框架和系统主要的流程步骤,并对其中的关键模块进行了详细设计与编码实现。本系统由检测代理和控制中心组成,检测代理包括包捕获模块、预处理模块、协议解码模块、协议分析模块、规则解析模块等。检测代理可以独立运行,也可以协同工作,相互交换信息,并由控制中心进行统一管理。包捕获模块负责监听、捕获网络中的原始数据包,并按照过滤要求进行数据包过滤;协议解码模块对原始数据包按照协议树结构进行协议解码,以便于预处理模块和检测分析模块进行入侵分析;预处理模块对得到的数据包进行预处理,一方面可以发现针对数据链路层的入侵信息,另一方面为检测分析模块做最后的准备;规则解析模块则是分析规则文件内容,把规则加载到内存中形成规则链;检测分析模块对预处理模块提交的数据,运用改进的BM算法和规则库中的规则进行比较分析,从而判断出是否有入侵行为。
实验表明,本系统能够稳定的工作在网络环境下,并且能够快速地检测出针对无线网络的入侵行为。本系统需要不断更新规则库才能检测新的攻击,对于在规则库中没有的新的攻击行为不能检测。
Intrusion Detection System is a network security technology which protects computers from attacking pro-actively. As a reasonable complementarity to firewall, intrusion detection system technology can help computers’operating systems deal with network attacks, so, it expands the system administrator's security managing capabilities and enhances the integrity of the infrastructure about the information security.
Based on the in-depth analysis of wireless LAN technology and intrusion detection technology, on the basis of the wireless LAN features and interpolation design ideas, a wireless Intrusion Detection System Mode which test comprehensive from data link layer to the application layer is proposed in this paper, we give the framework and the primary processing steps, and we give the detailed design and the implementation of the key modules. The system consists of detection agents and the control center. Detection agents include package capturing module, pre-processing module, protocol decoding module, protocol analyzing module, rules analyzing module, and so on. Detection agents can operate independently, as well as work together, exchanging information, which is controlled by the unified management control centre. Package capturing module is responsible for the monitoring, capturing the raw data package from the network, and filtering the data packages in accordance with the requirements. Protocol decoding module is responsible for decoding of the original data package based on protocol tree, helping pre-processing module and analyzing module conducting the invasion. Pre-processing module does the pretreatment of the data packages, on one hand, the invasion information of the data link layer can be found, on the other hand, support the detection analyzing module for the final preparation. Rules analyzing module analyzes the content of the rules, and set rules to memory to format the chain. Analyzing module submits the data to pre-processing module, using the rules of the BM algorithm and the rules in the ruse base to analyze comparatively, to determine whether there are some attacks or intrusions.
Experiments show that, the system can work in the network environment stability, and can quickly detect wireless network intrusions. The system needs to update the rules base to detect new attacks, but the new attacks not in the rules can not be detected.
引文
[1]张振川.无线局域网技术与协议[M].东北大学出版社.2003年,47~94.
[2]刘少君.基于协议分析的网络入侵检测系统的研究与设计[D].南京:河海大学,2006.
[3]胡道元,闵京华.网络安全[M].清华大学出版社.2005年9月,263~284.
[4]唐正军,李建华.入侵检测技术[M].北京:清华大学出版社,2006年,68~89.
[5]刘文涛.网络安全开发包详解[M].北京:电子工业出版社,2005,108~136.
[6]陈松乔,肖建华.算法与数据结构[M].北京:清华大学出版社,2003,1~153.
[7]陈庆章,赵小敏.TCP/IP网络原理与技术[M].北京:高等教育出版社,2006,1~192.
[8]朱海霞.基于协议分析的入侵检测系统的研究与实现[D].大连:大连海事大学,2006.
[9]冯登国.网络安全原理与技术[M].北京:科学出版社,2003,262~284.
[10]王顺满,陶然.无线局域网络技术与安全[M].北京:机械工业出版社,2005,49~94.
[11]渠瑜.无线局域网入侵检测技术研究[D].重庆:解放军信息工程大学,2005.
[12]胡昌振.网络入侵检测原理与技术[M].北京:北京理工大学出版社,2003,153~167.
[13]张丰翼.无线局域网安全机制研究[D].西安:西安电子科技大学,2004.
[14]王成伟.基于网络的入侵检测技术的研究与实现[D].重庆:重庆大学,2005.
[15]张福泰,李继国.密码学教程[M].武汉:武汉大学出版社,2006,18~69.
[16]冯柳平,刘祥南.基于数据链路层的无线入侵检测[J].桂林电子工业学院学报,2005,6:33~36.
[17]Fatbloke.WIDZ-TheWireless Intrusion Detection System[EB/OL]. http://www.loud-fat-blo - ke.con.uk,2003.
[18]彭诗力.网络入侵检测系统的研究与设计[D].长沙:中南大学,2005.
[19]王大虎,翁翼飞,杨维,柳艳红.针对IEEE802. 11标准的无线局域网的攻击和防卫研究[J].中国安全科学学报,2005,2:77~80.
[20]姜浩伟,李永杰,汪厚祥.Wep协议加密算法安全隐患分析[J].舰船电子工程,2005,5:60~63.
[21]夏新军,俞能海,刘洋.WLAN环境下拒绝服务攻击问题研究[J].计算机工程与应用,2005年,3:128~132.
[22]吴刚,薛质.针对WLAN的特定攻击手段与相关检测技术[J].信息安全与通信保密,2006,7:117~119.
[23]Hongyu Yang,Lixia Xie,Jizhou Sun. Intrusion Detection for Wireless Local Area Network [J]. IEEE,2004:1949~1952.
[24]蒋武,胡昌振.无线局域网环境中分布式入侵检测系统研究[J].北京理工大学学报,2006,1:13~16.
[25]黎喜权,李肯立,李仁发.无线局域网中的入侵检测系统研究[J].科学技术与工程,2006,6:18~20.
[26]唐谦,张大方.入侵检测模式匹配算法的性能分析[J].计算机工程,2005,5:130~132.
[27]尹花子.无线局域网安全漏洞剖析[J].江汉大学学报,2005,12:46~50.
[28]廖俊云.基于协议分析的网络入侵检测系统的研究与设计[D].成都:电子科技大学,2005.
[29]Knuth.D.E,Morris.J.H. Fast pattern matching in string[J]. SIAM Journal on Computing, 1977,(6):323~350.
[30]司纪锋,王美琴.无线局域网MAC地址欺骗攻击的检测[J].计算机技术与发展,2006,2:232~234.
[31]何一凡.入侵检测引擎的设计研究[D].杭州:浙江大学,2006.
[32]Boyer.R.S,Moore.J.S. A fast string searching algorithm [J]. Communications of ACM, 1977,20(10):762 ~772.
[33]宋连涛.基于异常的入侵检测技术研究[D].南京:河海大学,2006.
[2]刘少君.基于协议分析的网络入侵检测系统的研究与设计[D].南京:河海大学,2006.
[3]胡道元,闵京华.网络安全[M].清华大学出版社.2005年9月,263~284.
[4]唐正军,李建华.入侵检测技术[M].北京:清华大学出版社,2006年,68~89.
[5]刘文涛.网络安全开发包详解[M].北京:电子工业出版社,2005,108~136.
[6]陈松乔,肖建华.算法与数据结构[M].北京:清华大学出版社,2003,1~153.
[7]陈庆章,赵小敏.TCP/IP网络原理与技术[M].北京:高等教育出版社,2006,1~192.
[8]朱海霞.基于协议分析的入侵检测系统的研究与实现[D].大连:大连海事大学,2006.
[9]冯登国.网络安全原理与技术[M].北京:科学出版社,2003,262~284.
[10]王顺满,陶然.无线局域网络技术与安全[M].北京:机械工业出版社,2005,49~94.
[11]渠瑜.无线局域网入侵检测技术研究[D].重庆:解放军信息工程大学,2005.
[12]胡昌振.网络入侵检测原理与技术[M].北京:北京理工大学出版社,2003,153~167.
[13]张丰翼.无线局域网安全机制研究[D].西安:西安电子科技大学,2004.
[14]王成伟.基于网络的入侵检测技术的研究与实现[D].重庆:重庆大学,2005.
[15]张福泰,李继国.密码学教程[M].武汉:武汉大学出版社,2006,18~69.
[16]冯柳平,刘祥南.基于数据链路层的无线入侵检测[J].桂林电子工业学院学报,2005,6:33~36.
[17]Fatbloke.WIDZ-TheWireless Intrusion Detection System[EB/OL]. http://www.loud-fat-blo - ke.con.uk,2003.
[18]彭诗力.网络入侵检测系统的研究与设计[D].长沙:中南大学,2005.
[19]王大虎,翁翼飞,杨维,柳艳红.针对IEEE802. 11标准的无线局域网的攻击和防卫研究[J].中国安全科学学报,2005,2:77~80.
[20]姜浩伟,李永杰,汪厚祥.Wep协议加密算法安全隐患分析[J].舰船电子工程,2005,5:60~63.
[21]夏新军,俞能海,刘洋.WLAN环境下拒绝服务攻击问题研究[J].计算机工程与应用,2005年,3:128~132.
[22]吴刚,薛质.针对WLAN的特定攻击手段与相关检测技术[J].信息安全与通信保密,2006,7:117~119.
[23]Hongyu Yang,Lixia Xie,Jizhou Sun. Intrusion Detection for Wireless Local Area Network [J]. IEEE,2004:1949~1952.
[24]蒋武,胡昌振.无线局域网环境中分布式入侵检测系统研究[J].北京理工大学学报,2006,1:13~16.
[25]黎喜权,李肯立,李仁发.无线局域网中的入侵检测系统研究[J].科学技术与工程,2006,6:18~20.
[26]唐谦,张大方.入侵检测模式匹配算法的性能分析[J].计算机工程,2005,5:130~132.
[27]尹花子.无线局域网安全漏洞剖析[J].江汉大学学报,2005,12:46~50.
[28]廖俊云.基于协议分析的网络入侵检测系统的研究与设计[D].成都:电子科技大学,2005.
[29]Knuth.D.E,Morris.J.H. Fast pattern matching in string[J]. SIAM Journal on Computing, 1977,(6):323~350.
[30]司纪锋,王美琴.无线局域网MAC地址欺骗攻击的检测[J].计算机技术与发展,2006,2:232~234.
[31]何一凡.入侵检测引擎的设计研究[D].杭州:浙江大学,2006.
[32]Boyer.R.S,Moore.J.S. A fast string searching algorithm [J]. Communications of ACM, 1977,20(10):762 ~772.
[33]宋连涛.基于异常的入侵检测技术研究[D].南京:河海大学,2006.