Research and Design of a Network Filter Based on Static Taint Analysis
Abstract
With the rapid development of the Internet, network-based financial services such as online banking and e-commerce are gradually replacing people's everyday financial operations. But as network topologies grow ever more complex, network security problems become increasingly prominent and have become a focus of attention across the whole discipline of computer science and technology.
     Intrusion detection systems are the newest and most efficient comparison-based filtering systems positioned behind traditional Internet security measures such as network firewalls. Intrusion detection technology identifies malicious attack behaviour in a computer network by comparing traffic against an existing signature library and discards the packets that contain attacks. Intrusion detection has become one of the important methods for ensuring network security and is widely deployed. As research into intrusion detection for the Internet deepens, the matching performed by Internet intrusion detection systems becomes more accurate and their rejection rate more precise. On the other hand, network security on an ever more complex Internet also faces greater filtering difficulties: how to raise the matching and filtering throughput of an intrusion detection system to within the range users can tolerate, so as to cope with ever more complex network topologies; and how to reduce the false positive and false negative rates of intrusion detection as far as possible, so that the matching accuracy of the intrusion detection system, and thus the security of the whole system, is improved.
     In a typical intrusion detection system, the network filter that analyses and handles malicious attack code captures and filters packets in kernel mode and can only filter generic attack behaviour. This thesis applies static taint analysis, introduces the concept of a taint seed, converts the binary stream in a packet into an assembly program for inspection, and filters out both the taint and the packets infected by it. The attack technique frequently used in malicious code, transferring control through unconditional jumps, is identified and filtered efficiently, which raises the efficiency and recognition rate of the network filter. Finally, experiments show that combining static taint analysis with taint tracking effectively improves the recognition efficiency for two classes of unconditional-jump attack code and for the other nodes in the three program structures infected by it.
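As an added illustration (not code from the thesis), the following Python sketch mimics the approach the abstract describes: each offset holding an unconditional jump opcode is treated as a taint seed, control flow is followed along unconditional jumps, every offset reached is marked tainted, and a payload is flagged when a seed chains several jumps. The decoder, the seed rule, the threshold and the two sample payloads are all constructed assumptions; the decoder recognises only x86 `jmp rel8` and `jmp rel32` and treats every other byte as a one-byte opaque instruction.

```python
# Toy static taint pass over a packet payload (constructed illustration).
# Decodes only x86 jmp rel8 (EB) and jmp rel32 (E9); every other byte,
# nop included, is treated as a one-byte opaque instruction.
from typing import List, Optional, Set, Tuple

JMP_SHORT, JMP_NEAR = 0xEB, 0xE9

def decode(payload: bytes, off: int) -> Tuple[int, Optional[int]]:
    """Return (instruction length, jump target or None) for the byte at off."""
    op = payload[off]
    if op == JMP_SHORT and off + 2 <= len(payload):
        rel = int.from_bytes(payload[off + 1:off + 2], "little", signed=True)
        return 2, off + 2 + rel
    if op == JMP_NEAR and off + 5 <= len(payload):
        rel = int.from_bytes(payload[off + 1:off + 5], "little", signed=True)
        return 5, off + 5 + rel
    return 1, None

def follow(payload: bytes, seed: int) -> Tuple[Set[int], int]:
    """Propagate taint from a seed: every offset control reaches is tainted.
    Returns (tainted offsets, unconditional jumps taken). Revisiting an
    offset ends the walk, so a backward-jump loop terminates."""
    tainted: Set[int] = set()
    jumps, off = 0, seed
    while 0 <= off < len(payload) and off not in tainted:
        tainted.add(off)
        length, target = decode(payload, off)
        if target is None:
            off += length      # fall through to the next instruction
        else:
            jumps, off = jumps + 1, target   # control transfer along the jump
    return tainted, jumps

def taint_seeds(payload: bytes) -> List[int]:
    """Seeds: offsets holding an unconditional jump whose target is in-bounds."""
    seeds = []
    for off in range(len(payload)):
        _, target = decode(payload, off)
        if target is not None and 0 <= target < len(payload):
            seeds.append(off)
    return seeds

def scan_packet(payload: bytes, min_jumps: int = 2) -> bool:
    """Flag the packet if any seed chains at least min_jumps unconditional jumps."""
    return any(follow(payload, s)[1] >= min_jumps for s in taint_seeds(payload))

# Constructed samples: a plain HTTP request line and a jump-chained payload.
BENIGN = b"GET / HTTP/1.0\r\n"
SUSPECT = b"\xeb\x04" + b"AAAA" + b"\xe9\x03\x00\x00\x00" + b"BBB" + b"\x90\x90"
```

The threshold of two chained jumps is a constructed heuristic; a real filter would also bound the walk by an instruction budget and decode the full instruction set.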
With the rapid development of the Internet, web-based financial services such as online banking and e-commerce are one step from replacing daily financial operations. But with the increasing complexity of network topology, network security issues are also increasingly prominent and have become the focus of attention of the entire discipline of computer science and technology.
     An intrusion detection system is the newest and most efficient comparison-based filtering system placed behind network firewalls and other traditional Internet security protection measures. Intrusion detection technology compares traffic against an existing signature database to identify malicious network attacks and discards only the packets that contain an attack. Intrusion detection has become one of the increasingly important ways to protect network security and has also been widely used. As research into Internet intrusion detection deepens, intrusion detection technology plays an increasingly critical role in network security research. Meanwhile, network security on an increasingly complex Internet also faces greater challenges, such as how to improve the matching detection rate of an intrusion detection system so that it meets the requirements of network communication, and how to reduce the false negatives and false alarms of intrusion detection systems and improve their detection accuracy, thereby improving the security performance of the whole system.
     With the development and popularisation of computer networks, our working and living environment has been greatly improved: the Internet provides a more convenient way to work and makes life easier. However, everything has another side; hackers frequently make use of vulnerable networks to attack innocent victims. Facing these problems, we have been used to passive defence, such as applying patches, installing a firewall and hardening the system, which can only solve the problem temporarily.