Research and Design of a Distributed Active Intrusion Detection System
Abstract
With hacker intrusion incidents growing ever more rampant, it has become clear that building a security system purely from a defensive standpoint is not enough. Intrusion detection is the new generation of security assurance technology following traditional protective measures such as firewalls and data encryption. It identifies and responds to malicious use of computer and network resources: it not only detects intrusions coming from outside, but also monitors unauthorized activity by internal users.
A distributed active intrusion detection system (ODIDS) can meet the requirements placed on an intrusion detection system in a distributed environment. It has the following characteristics:
- The component-based design gives the system good scalability. Because each functional component exists independently and components communicate over standard network interfaces, the number of components deployed can be large or small, determined entirely by the needs of the actual network. The system can be deployed flexibly anywhere from a wide-area network down to an office network.
- The two-level analysis structure satisfies the requirements of both real-time and accurate detection. The first analysis level, located in the host agents and the network engines, emphasizes real-time detection; the second analysis level, located in the analysis component, examines the potential threats in the data in depth. This analysis structure, similar in idea to a cache, guarantees both the timeliness and the accuracy of detection. At the same time, the hierarchical analysis structure allows several analysis methods to coexist in the system, bringing the strengths of each detection method fully into play.
This thesis mainly describes and implements the following:
(1) A detailed account of how the active intrusion detection system is deployed, and of the system's structure.
(2) The design of the network engine, including a packet capture module implemented with WinPcap and a protocol analysis module implemented with protocol analysis techniques.
(3) A partial implementation of the console module, including the intrusion detection module and a response module built with linkage technology.
(4) An in-depth discussion of measures for protecting the system itself.