基于Linux的网络入侵检测系统的研究
摘要
随着计算机信息技术与网络技术的迅猛发展,信息与网络的安全形势也日趋严峻和复杂化。各种计算机安全事件不断发生,如何从技术,管理,法律多方面采取综合措施来保障信息与网络安全已经成为世界各国计算机安全人员的共同目标。计算机网络安全技术主要有:认证授权(Authentication)、数据加密(Encryption)、访问控制(Access Control)、安全审计(Auditing)等。入侵检测技术是安全审计中的核心技术之一,是网络安全防护的重要组成部分。
本文主要介绍网络入侵检测系统(IDS)的起由和发展史,并对网络上流行的几种攻击行为及其攻击原理进行了详细的阐述。在此基础上,对入侵检测系统设计原理和在Linux操作系统(主要以RedHat9.0为设计平台)下,对NIDS的设计进行探讨。入侵检测系统(IDS)的目的是要保障所监控计算机系统及网络的安全,它可以根据配置及时发现并报告系统中未经授权或异常的现象,是一种用于检测计算机网络中违反安全策略行为的技术。自从八十年代Denning提出入侵检测系统这个概念以来,在过去的20多年时间内,入侵检测系统(IDS)得到了飞速的发展,提出了许多的系统设计模型,出现了很多比较成熟的商业化产品。文中对于目前几种比较常见的攻击方法,如缓冲区溢出,拒绝服务攻击,IP欺骗等的攻击原理和具体的攻击方法进行了阐述,并考虑数据源,事件数据库及设计平台等诸多方面的因素,提出了详细的基于Linux的网络入侵检测系统结构设计方案。最后分析了目前网络入侵检测系统的研究条件和局限性,并针对目前网络发展的趋势方向和特点,分析了对应网络发展趋势入侵检测系统今后的几个发展方向。
网络安全问题是伴随网络的产生而产生,由于网络初始设计时对于一些因素没有充分考虑,随着网络的不断发展,涌现出越来越多的安全问题。虽然管理员已经采取了一系列的措施来减少安全问题的发生,如升级操作系统以堵塞某些系统漏洞,将防火墙等应用到各种网络环境中,但仍存在许多安全隐患,特别是内部人员滥用和误用,使得防火墙安全工具基本上不起作用,而入侵检测系统则是解决这些隐患的有效手段。如果说加密和防火墙技术是静态防御措施的话,那么入侵检测就是一种随着当前网络状态变化而动态响应的安全防御手段。
By the development of computer science and network technology, the circumstances on the security of information and network are increasingly rigorous. Since various of events about computer security have happened, it comes to be a common target of computer administrators in the world that how to take some steps in the terms of technology, management, and law to keep the information and security of computers from being destroyed. Computer security technology includes mainly : Authentication, Encryption, Access Control, Auditing and so on. Intrusion Detection technology is one of the core technology of Auditing, and it is an important part of protection of network security.
In this article, the origin and the development of Intrusion Detection technologies is introduced. More than that, the elements and principle of some pop attack in the network at present is analyzed in detail. On the basis of it, the design theorem about NEDS is probed into and a designer about a NEDS based on Linux(design the IDS centrally on Red Hat 9.0 OS) is given.The purpose of the IDS is to safeguard the security of the monitored computes and the network. EDS is one of the technologies, which is used to detect the behavior of disobey safety policy in compute network, and it can find out and report the unauthenticated or abnormal phenomena. During the past more than twenty years, EDS has developed at very fast speed and many system design modules have been brought forward, and besides many a commercial product has come forth since Denning put forward the conception of EDS at 1980's. In this paper, the elements and principle of some pop attack in the network at present, such as buffer overflow, DOS, IP d
isguise is analyzed in detail, and the particular structure design project of NEDS based on linux is discussed, in term of data resource, event database, and design plane. At the end of the paper, the circumstances and the localization of IDS study, feature of computer network is disbated, and the future development orientation of EDS is put forward.
Owing to the appearance of the computer network, the problems about the security of computer network come into ially with the development of network, more and more problems come forth. Although network administrator have taken
network, more and more problems come forth. Although network administrator have taken some steps, such as update operation system in order to wall up the system hole, setup firewall, to resolve the problems, there are still many security hidden troubles, such as caused by misuse of inside people, which can make firewall and so on useless. In this regard, IDS is the valid means to resolve the hidden troubles. On the understanding that the encryption techniques and firewall is static protection measure, IDS is a dynamic protection measure, which changes with the variety of network station.
本文主要介绍网络入侵检测系统(IDS)的起由和发展史,并对网络上流行的几种攻击行为及其攻击原理进行了详细的阐述。在此基础上,对入侵检测系统设计原理和在Linux操作系统(主要以RedHat9.0为设计平台)下,对NIDS的设计进行探讨。入侵检测系统(IDS)的目的是要保障所监控计算机系统及网络的安全,它可以根据配置及时发现并报告系统中未经授权或异常的现象,是一种用于检测计算机网络中违反安全策略行为的技术。自从八十年代Denning提出入侵检测系统这个概念以来,在过去的20多年时间内,入侵检测系统(IDS)得到了飞速的发展,提出了许多的系统设计模型,出现了很多比较成熟的商业化产品。文中对于目前几种比较常见的攻击方法,如缓冲区溢出,拒绝服务攻击,IP欺骗等的攻击原理和具体的攻击方法进行了阐述,并考虑数据源,事件数据库及设计平台等诸多方面的因素,提出了详细的基于Linux的网络入侵检测系统结构设计方案。最后分析了目前网络入侵检测系统的研究条件和局限性,并针对目前网络发展的趋势方向和特点,分析了对应网络发展趋势入侵检测系统今后的几个发展方向。
网络安全问题是伴随网络的产生而产生,由于网络初始设计时对于一些因素没有充分考虑,随着网络的不断发展,涌现出越来越多的安全问题。虽然管理员已经采取了一系列的措施来减少安全问题的发生,如升级操作系统以堵塞某些系统漏洞,将防火墙等应用到各种网络环境中,但仍存在许多安全隐患,特别是内部人员滥用和误用,使得防火墙安全工具基本上不起作用,而入侵检测系统则是解决这些隐患的有效手段。如果说加密和防火墙技术是静态防御措施的话,那么入侵检测就是一种随着当前网络状态变化而动态响应的安全防御手段。
By the development of computer science and network technology, the circumstances on the security of information and network are increasingly rigorous. Since various of events about computer security have happened, it comes to be a common target of computer administrators in the world that how to take some steps in the terms of technology, management, and law to keep the information and security of computers from being destroyed. Computer security technology includes mainly : Authentication, Encryption, Access Control, Auditing and so on. Intrusion Detection technology is one of the core technology of Auditing, and it is an important part of protection of network security.
In this article, the origin and the development of Intrusion Detection technologies is introduced. More than that, the elements and principle of some pop attack in the network at present is analyzed in detail. On the basis of it, the design theorem about NEDS is probed into and a designer about a NEDS based on Linux(design the IDS centrally on Red Hat 9.0 OS) is given.The purpose of the IDS is to safeguard the security of the monitored computes and the network. EDS is one of the technologies, which is used to detect the behavior of disobey safety policy in compute network, and it can find out and report the unauthenticated or abnormal phenomena. During the past more than twenty years, EDS has developed at very fast speed and many system design modules have been brought forward, and besides many a commercial product has come forth since Denning put forward the conception of EDS at 1980's. In this paper, the elements and principle of some pop attack in the network at present, such as buffer overflow, DOS, IP d
isguise is analyzed in detail, and the particular structure design project of NEDS based on linux is discussed, in term of data resource, event database, and design plane. At the end of the paper, the circumstances and the localization of IDS study, feature of computer network is disbated, and the future development orientation of EDS is put forward.
Owing to the appearance of the computer network, the problems about the security of computer network come into ially with the development of network, more and more problems come forth. Although network administrator have taken
network, more and more problems come forth. Although network administrator have taken some steps, such as update operation system in order to wall up the system hole, setup firewall, to resolve the problems, there are still many security hidden troubles, such as caused by misuse of inside people, which can make firewall and so on useless. In this regard, IDS is the valid means to resolve the hidden troubles. On the understanding that the encryption techniques and firewall is static protection measure, IDS is a dynamic protection measure, which changes with the variety of network station.
引文
[1]Rebecca Gurley Bace,入侵检测,陈明奇等译,人民邮电出版社。2001年,P50~203。
[2]蒋建春,冯登国著,网络入侵检测原理与技术,国防工业出版社。2001年,P22~84。
[3]Northcutt,S等著,网络入侵检测分析员手册,余青霓等译,人民邮电出版社。2000年,P64~103。
[4][美]Cathy Crankhite,Jack McCullough著,拒绝恶意访问,纪新元,谭保东译,人民邮电出版社。2002年,P31~58。
[5]曹汉平,冯启明,吴春蕾著,Linux防火墙技术研究,武汉理工大学学报(交通科学与工程版),2002年,第1期,120~122。
[6]Terry Escamilla,Intruder Detection[美],电子工业出版社。1999年,P55~76。
[7](韩)卢勇焕,郑海光,崔吉俊,杨俊娟著,黑客与安全,中国青年出版社。2001年,P100~121。
[8]郭志峰编著,阻止黑客进攻防卫技术,机械工业出版社.2002年,P54~104。
[9]濮青著,DoS(拒绝服务)攻击技术及其防范,China Data Communications,2002年,第8期,P17~20。
[10]韩东海,王超,李群著,入侵检测系统及实例分析,清华大学出版社。2002年,P19~210。
[11]熊平,王先培,张爱菊著,网络入侵检测方法,中国数据通信,2002年,第2期,P38~40。
[12]宋献涛,芦康俊,李祥和著,入侵检测系统的分类学研究,计算机工程与应用,2002年,第8期,P32~35。
[13]李镇江,戴英侠,陈越著,IDS入侵检测系统研究,计算机工程,2001年,第2期,P22~24。
[14]斯海飞,赵国庆著,入侵检测技术分析概述,电子对抗技术,2002年,第2期,P41~44。
[15][美]斯肯克(Schenk,T.)等著,Red Hat Linux系统管理大全,熊志辉等译,机械工业出版社。2001年,P114~158。
[16]D.Hellen,Motif Progamming Manual.Oreilly and Associates, 1991年,623 Petaluma Avenue,Sebastopol,California 95472,OSF/Motif Version 1.1 edtion。
[17]周端,张惠娟,杨银堂著,入侵检测及网络层安全的研究,微电子学与计算机,2002年,第2期,P34~37。
[18]怀石工作室著,LINUX上的C编程,中国电力出版社。2000年,P30~108。
[19]张斌,高波,Linux网络编程,清华大学出版社。2000年,P1~197。
[20]Wing, Tools and Countermeasure of Sniffer Detect, http://www. linuxaid.com.
cn/articles/8/2/823308284.shtml。
[21]Wing,A Tool of Network Watch: IPTraf, http://www.linuxaid.com.cn/articles/3/4/347992474.shtml。
[22]书生著,入侵检测之日志检测,http://www.linuxaid.com.cn/articles/5/5/552769963.shtml。
[23]彭晓明,王强著,Linux核心源代码分析,人民邮电出版社。2000年,P14~108。
[24]欧阳毅,周立峰,史以兵,黄皓著,网络入侵检测系统结构模型的探讨,计算机工程与应用,2002年,第11期,P20~22。
[25]孙海彬,徐良贤,杨怀银著,针对网络入侵检测系统的攻击及防御,计算机工程与应用,2002年,第13期,P21~23。
[26]David Elson, Linux-ids, http://www.securityfocus.com/focus/linux/articles/linux-ids.html。
[27]张铭来,金成飚,赵文耘著,网络型入侵检测系统存在的漏洞及其对策研究,计算机工程,2002年,第1期,P14~16。
[28]陈敏时,阳振坤,潘爱民著,一种分布式入侵检测系统结构,计算机应用研究,2002年,第4期,P8~10。
[29]赵萍,殷肖川,刘旭辉著,防火墙和入侵检测技术分析,计算机测量与控制2002年,第5期,P11~14。
[30]黄允聪,严望佳著,网络安全基础,清华大学出版社.1999年,P3~70。
[31]林曼筠,钱华林著,入侵检测系统:原理、入侵隐藏与对策,微电子学与计算机,2002年,第1期,P14~17。
[32]吴新民著,基于网络的入侵检测系统和基于主机的入侵检測系统的比较分析,微型电脑应用,2002年,第6期,P4~7。
[33]单征,刘铁铭,楚蓓蓓著,基于网络状态的入侵检测模型,信息工程大学学报,2002年,第3期,P24~27。
[34]梁意文,潘海军,郭学理著,基于UNIX进程的入侵检測模型,计算机工程与应用,2001年,第15期,P10~12。
[35]www.chinawill.net,Intrusion Detection Method and Limitation, http://www.chinawill.net/jiaoxue/jiaoS/jiaoc955.htm。
[36]Uyless Black, TCP/IP 及相关协议,机械工业出版社。1998年, P67~128。
[37]Tim Bass, Multisensor Data Fusion for Next Generation Distributed Intrusion Detection Systems, http://www.silkroad.com/papers/。
[38]李文嘉,张大方,谢高岗著,一种基于数据包分析的网络入侵检测探针,同济大学学报(自然科学版),2002年,第10期,P14~16。
[39][美]Jim Keogh著,轻松学用Linux编程,王崧等译,电子工业出版社。2001年,P1~120。
[40]www.hacker.com.cn, A Good IDS Test Outline, http://www.hacker.com. cn/article/list.asp?id=1057。
[41] iamafan, In-depth Study of Network Watch Technology Based on Linux, http://www.linuxaid.com.cn/articles/5/6/561145415.shtml。
[42] Black,U.D, McGraw-Hill, TCP/IP and Related protocols, 1992年。
[43] Julien Palardy, Trusted Data Integrity Auditing, http://www.xfocus.orgo
[44] Charles L.Forgy.Rete, A Fast Alogorithm for the Many Pattern/Many Object Pattern Match Problem. Technical report, Carnegie-Mellon University, Pittsburgh, Pennsylvania, 1982。
[45] T.F.Lunt,A.F.Tamaru,F.M.Gilham,R.Jaggannathan,C.F.Jalali,H.S.Javitz,A.Valdes,and P.G.Neumann,A Real-Time Instrusion Detection Expert System,In-terim Report.Technical report,1990,Computer Sciences Laboratory, SRI International,Menol Park, Califomia。
[46] CERTCoordinationCenter, Intruder Detection Checklist, http://www.cert.org/tech_tips/intruder_detection_checklist.html。
[47] Julien Palardy, jpalardy@pgci.ca,Trusted Data Integrity Auditing, http://www.qiker.com/jiaocheng/xfocus/%C8%EB%C7%D6%BC%EC%B2%E2/20.html。
[2]蒋建春,冯登国著,网络入侵检测原理与技术,国防工业出版社。2001年,P22~84。
[3]Northcutt,S等著,网络入侵检测分析员手册,余青霓等译,人民邮电出版社。2000年,P64~103。
[4][美]Cathy Crankhite,Jack McCullough著,拒绝恶意访问,纪新元,谭保东译,人民邮电出版社。2002年,P31~58。
[5]曹汉平,冯启明,吴春蕾著,Linux防火墙技术研究,武汉理工大学学报(交通科学与工程版),2002年,第1期,120~122。
[6]Terry Escamilla,Intruder Detection[美],电子工业出版社。1999年,P55~76。
[7](韩)卢勇焕,郑海光,崔吉俊,杨俊娟著,黑客与安全,中国青年出版社。2001年,P100~121。
[8]郭志峰编著,阻止黑客进攻防卫技术,机械工业出版社.2002年,P54~104。
[9]濮青著,DoS(拒绝服务)攻击技术及其防范,China Data Communications,2002年,第8期,P17~20。
[10]韩东海,王超,李群著,入侵检测系统及实例分析,清华大学出版社。2002年,P19~210。
[11]熊平,王先培,张爱菊著,网络入侵检测方法,中国数据通信,2002年,第2期,P38~40。
[12]宋献涛,芦康俊,李祥和著,入侵检测系统的分类学研究,计算机工程与应用,2002年,第8期,P32~35。
[13]李镇江,戴英侠,陈越著,IDS入侵检测系统研究,计算机工程,2001年,第2期,P22~24。
[14]斯海飞,赵国庆著,入侵检测技术分析概述,电子对抗技术,2002年,第2期,P41~44。
[15][美]斯肯克(Schenk,T.)等著,Red Hat Linux系统管理大全,熊志辉等译,机械工业出版社。2001年,P114~158。
[16]D.Hellen,Motif Progamming Manual.Oreilly and Associates, 1991年,623 Petaluma Avenue,Sebastopol,California 95472,OSF/Motif Version 1.1 edtion。
[17]周端,张惠娟,杨银堂著,入侵检测及网络层安全的研究,微电子学与计算机,2002年,第2期,P34~37。
[18]怀石工作室著,LINUX上的C编程,中国电力出版社。2000年,P30~108。
[19]张斌,高波,Linux网络编程,清华大学出版社。2000年,P1~197。
[20]Wing, Tools and Countermeasure of Sniffer Detect, http://www. linuxaid.com.
cn/articles/8/2/823308284.shtml。
[21]Wing,A Tool of Network Watch: IPTraf, http://www.linuxaid.com.cn/articles/3/4/347992474.shtml。
[22]书生著,入侵检测之日志检测,http://www.linuxaid.com.cn/articles/5/5/552769963.shtml。
[23]彭晓明,王强著,Linux核心源代码分析,人民邮电出版社。2000年,P14~108。
[24]欧阳毅,周立峰,史以兵,黄皓著,网络入侵检测系统结构模型的探讨,计算机工程与应用,2002年,第11期,P20~22。
[25]孙海彬,徐良贤,杨怀银著,针对网络入侵检测系统的攻击及防御,计算机工程与应用,2002年,第13期,P21~23。
[26]David Elson, Linux-ids, http://www.securityfocus.com/focus/linux/articles/linux-ids.html。
[27]张铭来,金成飚,赵文耘著,网络型入侵检测系统存在的漏洞及其对策研究,计算机工程,2002年,第1期,P14~16。
[28]陈敏时,阳振坤,潘爱民著,一种分布式入侵检测系统结构,计算机应用研究,2002年,第4期,P8~10。
[29]赵萍,殷肖川,刘旭辉著,防火墙和入侵检测技术分析,计算机测量与控制2002年,第5期,P11~14。
[30]黄允聪,严望佳著,网络安全基础,清华大学出版社.1999年,P3~70。
[31]林曼筠,钱华林著,入侵检测系统:原理、入侵隐藏与对策,微电子学与计算机,2002年,第1期,P14~17。
[32]吴新民著,基于网络的入侵检测系统和基于主机的入侵检測系统的比较分析,微型电脑应用,2002年,第6期,P4~7。
[33]单征,刘铁铭,楚蓓蓓著,基于网络状态的入侵检测模型,信息工程大学学报,2002年,第3期,P24~27。
[34]梁意文,潘海军,郭学理著,基于UNIX进程的入侵检測模型,计算机工程与应用,2001年,第15期,P10~12。
[35]www.chinawill.net,Intrusion Detection Method and Limitation, http://www.chinawill.net/jiaoxue/jiaoS/jiaoc955.htm。
[36]Uyless Black, TCP/IP 及相关协议,机械工业出版社。1998年, P67~128。
[37]Tim Bass, Multisensor Data Fusion for Next Generation Distributed Intrusion Detection Systems, http://www.silkroad.com/papers/。
[38]李文嘉,张大方,谢高岗著,一种基于数据包分析的网络入侵检测探针,同济大学学报(自然科学版),2002年,第10期,P14~16。
[39][美]Jim Keogh著,轻松学用Linux编程,王崧等译,电子工业出版社。2001年,P1~120。
[40]www.hacker.com.cn, A Good IDS Test Outline, http://www.hacker.com. cn/article/list.asp?id=1057。
[41] iamafan, In-depth Study of Network Watch Technology Based on Linux, http://www.linuxaid.com.cn/articles/5/6/561145415.shtml。
[42] Black,U.D, McGraw-Hill, TCP/IP and Related protocols, 1992年。
[43] Julien Palardy, Trusted Data Integrity Auditing, http://www.xfocus.orgo
[44] Charles L.Forgy.Rete, A Fast Alogorithm for the Many Pattern/Many Object Pattern Match Problem. Technical report, Carnegie-Mellon University, Pittsburgh, Pennsylvania, 1982。
[45] T.F.Lunt,A.F.Tamaru,F.M.Gilham,R.Jaggannathan,C.F.Jalali,H.S.Javitz,A.Valdes,and P.G.Neumann,A Real-Time Instrusion Detection Expert System,In-terim Report.Technical report,1990,Computer Sciences Laboratory, SRI International,Menol Park, Califomia。
[46] CERTCoordinationCenter, Intruder Detection Checklist, http://www.cert.org/tech_tips/intruder_detection_checklist.html。
[47] Julien Palardy, jpalardy@pgci.ca,Trusted Data Integrity Auditing, http://www.qiker.com/jiaocheng/xfocus/%C8%EB%C7%D6%BC%EC%B2%E2/20.html。