Design and Implementation of a LAN Security Detection System Based on Port and Traffic Analysis
Abstract
With the continual advance of information technology and the rapid growth of computer networks, the security problems facing networked information systems have become one of the key issues in network applications. Traditional network security detection systems have done a great deal of work in this area and implement a certain set of functions, but they also suffer from a high false-positive rate, low detection efficiency and excessive load on the detection system. The main causes are that the analysed data come from a single source and have a relatively simple structure, and that the matching rules are not discriminating enough. Addressing these shortcomings, this thesis proposes and implements a network security detection system model based on port-scan detection, protocol analysis and traffic analysis. The system uses port-scan detection and traffic anomaly detection as a pre-detection stage, and intrusion-rule matching is performed only after pre-detection reports an anomaly; this markedly lowers the false-positive rate while preserving a high detection rate, and reduces the system load. In implementing the port-scan detection module, some useful improvements are made to port-distribution-based port-scan detection theory, and D-S (Dempster-Shafer) evidence fusion is used to combine port-distribution-based detection with sequential-hypothesis-based detection, clearly improving port-scan detection and playing a key role in raising overall detection performance. Basic tests of the port-scan theory and of the intrusion detection system give preliminary validation of the system design.
As information technology and computer networks develop rapidly, the security of network information systems has become one of the key problems of network applications. Traditional network intrusion detection systems have done a lot of work and achieve a certain set of functions, but they also have defects: a high rate of misjudgments, ordinary detection efficiency, a heavy load on the detection system, and other problems. The main reasons are that the data analysed come from a single source and have a relatively simple structure, and that the matching rules do not have enough distinction. Based on the shortcomings above, we propose a network intrusion detection system based on port-scan detection, protocol analysis and traffic analysis. The detection system uses port-scan detection and network traffic analysis as pre-testing before rule matching. Such a detection structure guarantees a higher detection rate with a significantly lower false-alarm rate and lower system load. In the implementation of the port-scan detection module, we made some improvements to the port-scan detection theory based on port distribution. We use data fusion theory to combine the two theories to improve the performance of the system. After that, we tested the system and present the results.
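As an added illustration (not code from the thesis), the pre-detection stage the abstract describes: a port-distribution detector and a sequential hypothesis test each produce a basic probability assignment over the frame {scan, benign}, Dempster's rule fuses the two, and only sources whose fused belief in "scan" crosses a threshold are handed on to rule matching. The mass scales, the success probabilities θ0/θ1, the test thresholds, the alarm threshold and the connection records are all constructed assumptions.

```python
from collections import defaultdict
from math import prod

# Constructed connection records for one window: (source, destination port, succeeded)
CONNECTIONS = (
    [("10.0.0.5", p, p == 22) for p in (21, 22, 23, 25, 80, 110, 135, 139, 443, 445)]
    + [("10.0.0.7", 80, True), ("10.0.0.7", 443, True)] * 2
    + [("10.0.0.9", p, p in (22, 80, 443)) for p in (22, 80, 443, 8080, 8443, 3306)]
)

def port_distribution_mass(ports, scan_ports=10):
    """Port-distribution evidence: the more distinct destination ports a source
    touches, the more mass goes to 'scan'; 0.2 stays on the whole frame (assumed scale)."""
    s = min(len(set(ports)), scan_ports) / scan_ports
    return {"scan": 0.8 * s, "benign": 0.8 * (1 - s), "theta": 0.2}

def sequential_test_mass(outcomes, theta0=0.8, theta1=0.2, eta0=0.01, eta1=99.0):
    """Sequential hypothesis test: a connection succeeds with probability theta0
    under H0 (benign) and theta1 under H1 (scan); the likelihood ratio over the
    observed outcomes is compared with two thresholds (all values assumed)."""
    ratio = prod((theta1 / theta0) if ok else ((1 - theta1) / (1 - theta0)) for ok in outcomes)
    if ratio >= eta1:
        return {"scan": 0.9, "benign": 0.0, "theta": 0.1}
    if ratio <= eta0:
        return {"scan": 0.0, "benign": 0.9, "theta": 0.1}
    return {"scan": 0.0, "benign": 0.0, "theta": 1.0}  # undecided: vacuous evidence

def dempster_combine(m1, m2):
    """Dempster's rule on the frame {scan, benign}; 'theta' is the whole frame."""
    conflict = m1["scan"] * m2["benign"] + m1["benign"] * m2["scan"]
    norm = 1.0 - conflict  # renormalise after discarding conflicting mass
    scan = (m1["scan"] * m2["scan"] + m1["scan"] * m2["theta"] + m1["theta"] * m2["scan"]) / norm
    benign = (m1["benign"] * m2["benign"] + m1["benign"] * m2["theta"] + m1["theta"] * m2["benign"]) / norm
    return {"scan": scan, "benign": benign, "theta": m1["theta"] * m2["theta"] / norm}

def pre_detect(connections, alarm=0.85):
    """Fuse both detectors per source; a source whose fused belief in 'scan' reaches
    the (assumed) threshold is handed on to intrusion-rule matching."""
    ports, outcomes = defaultdict(list), defaultdict(list)
    for src, port, ok in connections:
        ports[src].append(port)
        outcomes[src].append(ok)
    verdicts = {}
    for src in ports:
        fused = dempster_combine(port_distribution_mass(ports[src]), sequential_test_mass(outcomes[src]))
        verdicts[src] = (round(fused["scan"], 4), fused["scan"] >= alarm)
    return verdicts
```

With the constructed records, the ten-port source is flagged, the two-port client is not, and the six-port source with a balanced success/failure pattern shows how an undecided sequential test leaves the port-distribution belief unchanged instead of forcing a verdict.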