Research on Intrusion Detection Based on Hacker Behavior Characteristics
Abstract
In view of the problems in current intrusion detection systems, namely a high false alarm rate, the inability to detect attacks of unknown type effectively, and the difficulty of accurately identifying certain cleverly crafted attacks, this thesis studies and explores in depth intrusion detection technology based on the characteristics of hacker attack behavior. The thesis summarizes and describes the current state of development of intrusion detection technology, proposes classification methods for hacker behavior and for intrusion detection, and gives the reference conditions and decision model for classifying hacker behavior together with the main methods for classifying intrusion detection. It focuses on the characteristics of hacker behavior and the degree of harm they cause, defines the concepts of hacker behavior and behavior characteristics, proposes a method for determining hacker attack behavior, discusses in detail the correlation analysis method for hacker attack behavior and its application, studies in an original way, with the support of experiments, the main features and regularities of hackers' communication behavior, proposes a fairly practical detection method, and explores the design of an analysis and detection system based on hacker behavior characteristics. From the perspective of security defense, it describes an attack behavior classification model that combines people, institutions and technology, and makes a preliminary forecast of the prospects for intrusion detection. The thesis is a useful reference for optimizing intrusion detection methods, effectively assessing the harm of intrusions, formulating well-targeted countermeasures, and further strengthening the security defenses of computer networks.
Due to the high false negative rate, inefficient detection of unknown attacks and difficulties in accurately determining the occurrence of certain crafty attacks in current Intrusion Detection Systems (IDS), this thesis makes an in-depth study of intrusion detection technology based on the characteristics of hacker attacks. Firstly, the current state of development of intrusion detection technology is summarized and elaborated. The thesis describes the classification measures for hacker behaviors and for intrusion detection, and establishes references and determining models to classify hacker behaviors. It then focuses on the characteristics and the severity of hacker behaviors. It defines hacker behavior and its characteristics, and provides measures to determine a hacker attack. It discusses the correlation analysis of hacker attacks and its application. Based on certain experiments, the thesis innovatively studies the main characteristics and the rules of hackers' communication behavior, and works out practical detection measures, models for assessing severity, and their applications. Finally, from the perspective of security protection, the thesis illustrates classification models of hacker attacks involving systems and technologies, and makes a preliminary forecast of the future development of intrusion detection. The thesis gives a good reference on how to optimize the measures for detecting intrusions, effectively assess the severity of intrusions, establish countermeasures, and further improve the security protection of computer networks.
