Research on an Intrusion Detection System for SQL Server Databases
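Abstract
In recent years, network attacks have become increasingly common and increasingly hard to defend against. Traditional firewall technology can no longer meet current network security needs. As a result, a new security technology, the intrusion detection system, was proposed. As more and more government, commercial, financial and other institutions and departments connect their databases to the Internet, online databases suffer more and more attacks and the resulting damage keeps growing, so network database security has become a focus of security work, and there is an urgent need to study intrusion detection techniques aimed at databases in order to improve security.
     This thesis first introduces the development of intrusion detection systems, describes their functions, models and classification, studies their detection techniques in detail, and points out the problems that current intrusion detection systems have as well as their development prospects. It then introduces database security issues, focusing on the security mechanisms of the SQL Server database. Next it analyzes misuse-based and anomaly-based database intrusion detection techniques, with emphasis on the application of anomaly-based data mining detection techniques to intrusion detection. The core of the thesis is the design of a database intrusion detection system based on data mining: in the design, the Apriori association rule algorithm is used to mine user behavior, and anomalies in a user's current behavior pattern are detected by comparing the similarity between the user's historical behavior pattern and current behavior pattern. Experimental results and their analysis are given at the end of the thesis.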
In the last decade, attacks on networks have become more common and sophisticated. However, detecting intrusions is a difficult task. Traditional technology such as firewalls is not enough to handle all kinds of attacks. For this reason, intrusion detection has been put forward as a new technology. With more and more governments, businesses and financial institutions connecting their own databases to the Internet, more and more attacks break into these network databases. Current security work is therefore focused on network database security, so we need to study intrusion detection technology for databases to strengthen security.
    This paper first introduces the development process of intrusion detection systems. We then describe the function, model and taxonomy of intrusion detection systems, and in particular discuss the model of an intrusion detection system. The framework and standardization of intrusion detection systems are also thoroughly discussed. The problems and future of intrusion detection systems are put forward. The international standard of database security is also given, and the security mechanism of SQL Server is then discussed in detail. The application of misuse detection technology and anomaly detection technology in SQL Server is discussed thoroughly, with more emphasis on anomaly detection technology based on data mining. Finally, the construction process of database intrusion detection is discussed in detail. Using the Apriori association rule algorithm, the user's historical data are mined. We also give the test data in this paper. By comparing the similarities between the historical profiles and the present ones, we can detect anomalies in the present profiles. The experimental results show the differences between them.
