Research on Key Technologies of Data Collection in a Unified Network Security Management System
Abstract
With the rapid development of network technology and the deepening of informatization, computer networks have become an important foundation for efficient enterprise operations. Improvements in working efficiency, gains in corporate reputation and the expansion of profit sources all depend on a stable, efficient and secure network environment. At the same time, network attack techniques have become ever more advanced and widespread; enterprise networks are at risk of attack at any moment and frequently suffer intrusions and damage of varying degrees, severely disrupting their normal operation.
     Increasingly severe security threats have forced enterprises to strengthen the protection of their network systems and to pursue a multi-layered, in-depth defense architecture, gradually introducing a large number of heterogeneous single-point defenses such as anti-virus, firewalls, IDS and vulnerability scanners. However, the existing network security defense system still consists mainly of isolated point defenses that lack effective cooperation with one another, so network security faces new challenges.
     Because a network contains a large number of security devices, each with its own control and management system, network security administrators must learn the management methods of every different system, which makes their work highly complex. In addition, as networks grow, the number of security alerts grows with them; administrators are kept busy handling a large volume of complex security events and are therefore unable to uncover deeper security problems, so those problems persist.
     Building on an introduction to and analysis of current unified network security management systems, this thesis studies a solution based on a data collection model, describes its design principles and architecture, examines its key technologies in detail, and summarizes a method for the integrated collection of multi-source data, laying the foundation for the data analysis performed by the upper layers of a unified network security management system. The thesis concludes by outlining future research directions for data collection technology in unified network security management systems.
With the rapid development of network technology and the deepening of informatization, the computer network has become an important support for efficient enterprise operations. A stable, efficient and secure network environment improves working efficiency, enhances enterprise credibility and expands sources of profit. At the same time, network attacks have become more advanced and more widespread, so enterprise networks face the danger of attack at any time and often suffer intrusions and damage of varying degrees, seriously interfering with the normal operation of corporate networks.
     The increasingly serious security threats force enterprises to strengthen network defense and pursue multi-level, multi-dimensional security defense systems. Enterprises therefore gradually introduce a large number of heterogeneous security devices, such as anti-virus, firewalls, Intrusion Detection Systems (IDS) and vulnerability scanners. However, the existing network defense system is mainly made up of isolated components lacking effective collaboration, which poses new challenges to network security.
     There are many security devices in the network, and each has a platform of its own. Administrators need to know how to use every platform, which is very complex work. Furthermore, the number of alerts grows rapidly with the size of the network, and among them are many false positives and some false negatives. Administrators are too busy dealing with the false positives to find the true alerts, so the security problem remains.
     This thesis conducts in-depth research into the key technologies of network security management systems, summarizes a data acquisition approach, and introduces its principles and architecture. Its key technologies are studied further and a comprehensive multi-source data collection method is summarized; these serve as the foundation for data analysis in a unified network security management platform. Finally, the thesis outlines future work on data collection technology.
