A Hierarchical Intrusion Detection System Based on Petri Nets
Abstract
With the development of computer networks, attacks against networks have become increasingly diverse, and complex attack behaviours have emerged that evolved from fragmentary, simple attack forms. In network security practice, traditional intrusion detection faces two kinds of false-negative problems. The first arises from the limitations of architecture and detection method: complex attack behaviour cannot be detected effectively, so complex attacks are missed. The second arises because an intrusion detection system working at the IP layer cannot accurately audit the TCP data that actually reaches the end system, so an attacker can use evasion techniques to escape detection, again causing false negatives.
This thesis focuses on these two false-negative problems. On the basis of an analysis of the theory for describing network attacks, it clarifies the concepts related to complex attacks, designs a hierarchical intrusion detection model based on coloured Petri nets to detect complex attacks, and at the same time adopts TCP-layer intrusion detection to limit the effect of evasion techniques on the intrusion detection system. The detection capability of the intrusion detection system is thereby strengthened in three respects: architecture, attack description and anti-evasion technique. The result is applied in an active firewall system.
The main work comprises the following three parts:
1) A hierarchical intrusion detection model is proposed
This thesis studies the use of coloured Petri nets to build attack templates for complex attacks. Addressing the first false-negative problem, it studies attack patterns and attack taxonomy, clarifies the concepts related to complex attacks, proposes a hierarchical detection model capable of detecting complex attacks, and discusses in depth the basic principles of the model and its hierarchical construction method.
2) A prototype intrusion detection system based on coloured Petri nets is designed and implemented
Once an attack template described by a coloured Petri net has been obtained, the thesis examines how to turn it into an intrusion detection component: transitions and places are classified, and an implementation method is given for each class of coloured Petri net component. Drawing on an analysis of two existing coloured Petri net implementation techniques, it designs an implementation scheme in which the detection logic is attached to the transitions, together with a prototype intrusion detection system based on coloured Petri nets; the system design is described in detail, the choice of key parameters is analysed in detail, and the system's characteristics are summarised. Finally, the thesis also studies how to integrate the prototype system into the active firewall, that is, the implementation technique for coordinated security response.
3) Supporting techniques for TCP-layer intrusion detection are studied and implemented
Addressing the second false-negative problem, the thesis analyses how the Linux system reassembles IP fragments and TCP data streams, studies the supporting techniques for TCP-layer data analysis, and applies them in the prototype system.
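Part 2) above attaches the detection logic to the transitions of a coloured Petri net. The following added example (mine, not the thesis's prototype) shows that idea in miniature: places hold coloured (src, dst) tokens, each transition carries a guard as its detection logic, and a three-step template raises an alert only when a scan, a login and a trust-file write come from the same source against the same target, in that order. The event types, addresses and the three-step template are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample event stream (not from the thesis): (event, src, dst)
EVENTS = [
    ("portscan", "10.0.0.5", "10.0.0.9"),
    ("login_ok", "10.0.0.5", "10.0.0.9"),
    ("rhosts_write", "10.0.0.5", "10.0.0.9"),
    ("login_ok", "10.0.0.7", "10.0.0.9"),   # no preceding scan: stays benign
]

class AttackTemplate:
    """Minimal coloured Petri net. Places hold coloured tokens (src, dst);
    a transition consumes one token from its input place when its guard,
    the detection logic attached to it, accepts the (token, event) pair."""

    def __init__(self):
        self.places = defaultdict(list)
        self.transitions = []

    def transition(self, event, src_place, dst_place, guard):
        self.transitions.append((event, src_place, dst_place, guard))

    def feed(self, ev):
        """Fire every enabled transition for one event; return alert tokens."""
        etype, src, dst = ev
        alerts = []
        for event, src_place, dst_place, guard in self.transitions:
            if event != etype:
                continue
            if src_place is None:          # initial transition: no input token
                self.places[dst_place].append((src, dst))
                continue
            for tok in list(self.places[src_place]):
                if guard(tok, ev):
                    self.places[src_place].remove(tok)
                    self.places[dst_place].append(tok)
                    if dst_place == "ALERT":
                        alerts.append(tok)
        return alerts

def same_pair(tok, ev):
    """Colour guard: the event must come from the same (src, dst) as the token."""
    return tok == (ev[1], ev[2])

def build_template():
    """Three-step template: scan -> login -> trust-file write, same src/dst."""
    net = AttackTemplate()
    net.transition("portscan", None, "SCANNED", None)
    net.transition("login_ok", "SCANNED", "LOGGED_IN", same_pair)
    net.transition("rhosts_write", "LOGGED_IN", "ALERT", same_pair)
    return net

def detect(events):
    """Run the template over an event stream and collect the alerts."""
    net = build_template()
    return [a for ev in events for a in net.feed(ev)]

if __name__ == "__main__":
    print(detect(EVENTS))   # [('10.0.0.5', '10.0.0.9')]
```

Hierarchy in the thesis's sense would come from letting an ALERT token of one template act as the initial event of a higher-level template; the single net here only shows the token-and-guard mechanism.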
With the evolution of computer networks, complex attacks have emerged that evolved from simple, individual ones. In network security practice, however, traditional IDS (intrusion detection systems) are challenged by two false-negative drawbacks. On the one hand, limited by present IDS architectures and detection techniques, complex attacks are likely to be hidden in the large number of alerts and cannot be detected effectively. On the other hand, an IDS that audits IP-layer traffic cannot reassemble the application-layer data properly and can be evaded by sophisticated attackers.
The research work of this thesis is carried out according to the two problems above. After analysing the description theory of network attacks, a hierarchical ID (intrusion detection) model is proposed, and detection techniques at the TCP layer are employed to restrict evasion by sophisticated attacks. The IDS is enhanced in three ways: architecture, attack description theory and anti-evasion technique. The prototype system was implemented and applied in the "Active Firewall" project.
The main contributions include:
1) A hierarchical ID model
This intrusion detection model employs CPN (Colored Petri Nets) to construct complex attack templates. The principles of the model and its hierarchical construction method are presented in detail. As a solution to the first false-negative problem mentioned above, attack patterns and their taxonomy are discussed, and a hierarchical ID model for detecting complex attacks is drawn up in detail.
2) Colored Petri Net based IDS
With the attack template drawn as a CPN model, the techniques for transforming the CPN into an IDS component are discussed. Based on an analysis of two available CPN automata techniques, this thesis implements a CPN-based IDS prototype in which the transitions express the detection logic. The thesis also discusses how to choose the key parameters and summarises the characteristics of the prototype system.
3) The implementation of intrusion detection at the TCP layer
To counteract the second false-negative drawback, the IP defragmentation and TCP flow reassembly components are developed based on an analysis of the Linux kernel TCP/IP stack behaviour. How to apply this detection technique in the development of the prototype system is also discussed.
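Part 3) above motivates inspecting the reassembled TCP stream rather than individual packets. The following added example (mine, not the thesis's reassembly component) orders out-of-order segments by sequence number, rebuilds the application-layer stream, and shows that a per-segment check misses a signature that straddles a segment boundary while the reassembled stream does not; the signature, the segments and the first-seen-wins overlap policy are constructed assumptions.

```python
# Constructed signature and segments (not from the thesis). Segment tuples are
# (tcp_seq, payload); the signature straddles the boundary and arrives reversed.
SIGNATURE = b"/etc/passwd"
ISN = 1000
SEG_A = (ISN, b"GET /cgi-bin/show?file=/etc/pa")
SEG_B = (ISN + len(SEG_A[1]), b"sswd HTTP/1.0\r\n")
SEGMENTS = [SEG_B, SEG_A]          # out-of-order arrival

def reassemble(isn, segments):
    """Rebuild the contiguous application-layer stream that starts at isn.
    Bytes are keyed by absolute offset; in overlaps the first-seen data wins
    (a constructed policy: the thesis derives the real one from Linux).
    Returns (stream, has_gap); has_gap is True when data exists beyond a hole,
    i.e. reassembly is stalled until the missing segment is retransmitted."""
    buf = {}
    for seq, data in segments:
        for i, byte in enumerate(data):
            buf.setdefault(seq - isn + i, byte)
    stream = bytearray()
    while len(stream) in buf:
        stream.append(buf[len(stream)])
    has_gap = any(off >= len(stream) for off in buf)
    return bytes(stream), has_gap

def match_per_packet(segments, sig=SIGNATURE):
    """IP-layer style check: every segment is inspected on its own."""
    return any(sig in data for _, data in segments)

def match_stream(isn, segments, sig=SIGNATURE):
    """TCP-layer check: the reassembled stream is inspected."""
    stream, _ = reassemble(isn, segments)
    return sig in stream

if __name__ == "__main__":
    print(match_per_packet(SEGMENTS))   # False: signature split across segments
    print(match_stream(ISN, SEGMENTS))  # True
```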