Research and Design of an Intrusion Detection System Based on TCP/IP Security
Abstract

With the spread of the Internet and the development of network technology, network security problems have become increasingly prominent. Among the many network security technologies, intrusion detection is a very important one that draws wide attention from computing practitioners. Intrusion detection is a security technology that actively discovers hidden dangers in a network. As a reasonable complement to the firewall, it helps counter network attacks, extends the administrator's security management capability, and improves the integrity of the information security infrastructure.

The thesis first analyzes the layered structure of the TCP/IP protocol suite, outlines the protocol formats, and analyzes the sources of network insecurity and the attack methods used by hackers. It then introduces the key technologies of intrusion detection. For the protocol-analysis detection method it analyzes IP packet fragment reassembly; for the pattern-matching detection method it analyzes several pattern-matching algorithms (KMP, BM, improved variants of BM such as BMH, and multi-pattern matching), examines the advantages of these techniques in IDS applications, and analyzes the security of the intrusion detection system itself. Finally, it presents the design of the IDS in detail, setting out the design principles and implementation scheme of a protocol-analysis-based IDS that conforms to the CIDF architecture, and proposing countermeasures against a number of attack methods.

The system is designed as a hybrid detection system with both anomaly detection and misuse detection. It implements network packet capture based on Libpcap, analyzes the behavioral characteristics of intrusions, and defines an intrusion rule library.

On the basis of protocol analysis, IP datagram fragment reassembly, TCP stream reconstruction and related techniques are used to lower the false-negative rate and reduce the false-positive rate. Management is centralized: the administrator can directly control the behavior of each module from a central console.

Two innovations are introduced in the overall design: a model analysis engine and a key distribution management center. The model analysis engine aims to detect new intrusions and improve the system's adaptability; the key distribution management center encrypts all communication, applying cryptographic techniques to secure information transmission and strengthening the security of the IDS itself.
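The abstract argues that matching after IP fragment reassembly lowers the false-negative rate. The following added example (not code from the thesis) shows why: a signature split across two fragments is missed by per-fragment matching but found after reassembly, and a later fragment that rewrites already-seen bytes is flagged as an overlap anomaly. The fragment layout, the "later fragment wins" policy, the `/bin/sh` rule and the Horspool matcher are all constructed for illustration.

```python
# Added example (not from the thesis): IPv4 fragment reassembly with overlap/gap checks, then Horspool search
from dataclasses import dataclass

@dataclass
class Fragment:
    offset: int   # fragment offset field: units of 8 bytes, as in the IPv4 header
    more: bool    # MF (more fragments) flag
    data: bytes

def reassemble(frags):
    """Return (payload, anomalies); payload is None if the datagram is incomplete."""
    buf, seen, total, anomalies = bytearray(), bytearray(), None, []
    for f in sorted(frags, key=lambda x: x.offset):
        start, end = f.offset * 8, f.offset * 8 + len(f.data)
        if not f.more:
            total = end                      # the last fragment fixes the total length
        if end > len(buf):
            buf.extend(bytes(end - len(buf)))
            seen.extend(bytes(end - len(seen)))
        if any(seen[start:end]):             # bytes rewritten by a later fragment
            anomalies.append(f"overlap at {start}-{end}")
        buf[start:end] = f.data              # constructed policy: later fragment wins
        seen[start:end] = b"\x01" * (end - start)
    if total is None or len(buf) != total or not all(seen):
        return None, anomalies + ["incomplete datagram"]
    return bytes(buf), anomalies

def horspool_find(pattern, text):
    """Boyer-Moore-Horspool search: index of the first match, or -1."""
    m = len(pattern)
    shift = {c: m - 1 - i for i, c in enumerate(pattern[:-1])}
    i = 0
    while i + m <= len(text):
        j = m - 1
        while j >= 0 and text[i + j] == pattern[j]:   # compare right to left
            j -= 1
        if j < 0:
            return i
        i += shift.get(text[i + m - 1], m)   # skip based on the last window byte
    return -1

SIGNATURE = b"/bin/sh"   # constructed rule standing in for a rule-library entry

def per_fragment_hits(frags):  # per-packet matcher: one verdict per fragment
    return [horspool_find(SIGNATURE, f.data) >= 0 for f in frags]

def reassembled_hit(frags):  # protocol-analysis IDS: match after reassembly
    payload, anomalies = reassemble(frags)
    return payload is not None and horspool_find(SIGNATURE, payload) >= 0, anomalies

SPLIT = [Fragment(0, True, b"A" * 13 + b"/bi"), Fragment(2, False, b"n/sh;id\n")]  # constructed: signature straddles the boundary
OVERLAP = SPLIT + [Fragment(1, True, b"B" * 8)]  # constructed: a later fragment rewrites bytes 8-16, destroying the match
```

With `SPLIT`, `per_fragment_hits` reports no match on either fragment while `reassembled_hit` finds the signature; with `OVERLAP` the signature is gone from the final payload, but the overlap anomaly gives the IDS something to alert on.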