Design of a Network Intrusion Detection System for High-Speed Network Environments (高速网络环境下的网络入侵检测系统设计)

Abstract (translated from the Chinese)
An intrusion detection system is a combination of software and hardware that uncovers security risks by analysing the events occurring on a network or host. With network attack incidents appearing frequently in recent years and their impact spreading ever wider, intrusion detection systems have received growing attention and have become an important component of network security solutions.
    A network-based intrusion detection system takes network data as its raw data source and analyses the traffic on the network in real time. Compared with host-based intrusion detection, network-based intrusion detection has become the mainstream of the field. But as network bandwidth grows rapidly, network-based intrusion detection systems face many difficulties. This thesis designs a network intrusion detection system for a high-speed network environment. The system adopts a new design that overcomes the shortcomings earlier systems showed in high-speed networks and raises the speed of intrusion detection.
    The thesis uses the zero-copy idea to improve the traditional packet capture method; it improves the traditional BM (Boyer-Moore) algorithm and, combining it with the idea of the AC (Aho-Corasick) algorithm, proposes the AC_BM multi-pattern matching algorithm to remove the bottleneck in upper-layer processing. An improved protocol analysis technique links the lower (capture) and upper (matching) parts of the work, speeding up detection and lowering the false-positive rate. A feasible scheme is also proposed for the rule-analysis module of the CVE rule base. Finally, the thesis tests and analyses the performance of the system; comparison with a traditional system shows that it can meet the requirements of intrusion detection in a high-speed network environment.
Abstract (English)
Intrusion detection systems (IDS) are software or hardware systems that automate the process of monitoring the events occurring in a computer system or network, analysing them for signs of security problems. As network attacks have increased in number and severity over the past few years, intrusion detection systems have become a necessary addition to the security infrastructure of most organizations.
    Network-based intrusion detection systems (NIDS) use raw network packets as the data source and analyse all traffic in real time as it travels across the network. Current IDS work focuses on network-based rather than host-based systems. NIDS have great difficulty keeping up with the rapid growth of network bandwidth. This thesis designs a network intrusion detection system for high-speed networks. It introduces several new designs to overcome the faults of past systems and to detect attacks more accurately and efficiently.
    We improve the traditional packet-acquisition procedure using zero-copy technology. To remove the matching bottleneck in a high-speed network, we combine the idea of the Boyer-Moore algorithm with that of the Aho-Corasick algorithm and describe a faster multi-pattern matching algorithm named AC_BM. Protocol analysis links the two parts of the work, greatly improves IDS performance and reduces the false-positive and false-negative rates. We then design a detection rule database based on Common Vulnerabilities and Exposures (CVE) and put forward a feasible scheme for it.
    Finally, the thesis carries out performance tests and analysis of the system and compares it with the old system.
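The multi-pattern matching idea in the abstract, a keyword tree in the Aho-Corasick style that is walked right-to-left under Boyer-Moore bad-character shifts, as an added illustration. This is example code written for this page, not the thesis's AC_BM implementation: the `SetwiseBM` class, its shift-table construction, the `naive_search` cross-check and the sample HTTP payloads are all constructed here. It implements only the bad-character rule; the Coit, Staniford and McAlerney algorithm cited as reference 16 additionally uses a good-prefix shift, which is omitted here.

```python
"""Set-wise Boyer-Moore / AC_BM-style multi-pattern matcher (illustrative example,
not the thesis's code).

Patterns are stored reversed in a keyword tree so the text can be compared
right-to-left from the end of a window of length m = shortest pattern, as in
Boyer-Moore; a single bad-character table, computed over the last m bytes of
every pattern, gives a shift that is safe for the whole pattern set.
"""


class SetwiseBM:
    def __init__(self, patterns):
        if not patterns:
            raise ValueError("need at least one pattern")
        self.patterns = [p if isinstance(p, bytes) else p.encode() for p in patterns]
        if any(len(p) == 0 for p in self.patterns):
            raise ValueError("empty pattern")
        self.m = min(len(p) for p in self.patterns)   # window length
        # Keyword tree of reversed patterns: node = (children, matched pattern indices).
        self.root = ({}, [])
        for idx, p in enumerate(self.patterns):
            node = self.root
            for b in reversed(p):
                node = node[0].setdefault(b, ({}, []))
            node[1].append(idx)
        # Bad-character shift for the byte under the window's last position.
        # For a window of length m only the last m bytes of each pattern matter;
        # the final byte is excluded so every shift is at least 1.
        self.shift = [self.m] * 256
        for p in self.patterns:
            tail = p[-self.m:]
            for j, b in enumerate(tail[:-1]):
                self.shift[b] = min(self.shift[b], self.m - 1 - j)

    def search(self, text):
        """Return sorted (start_offset, pattern) pairs for every occurrence in text."""
        matches = []
        self.comparisons = 0
        n = len(text)
        i = self.m - 1                        # text index aligned with the window end
        while i < n:
            node, j = self.root, i
            while j >= 0 and text[j] in node[0]:   # walk the reversed tree leftwards
                self.comparisons += 1
                node = node[0][text[j]]
                for idx in node[1]:                # every pattern that ends at i
                    matches.append((j, self.patterns[idx]))
                j -= 1
            self.comparisons += 1                   # the failing lookup
            i += self.shift[text[i]]                # skip by the bad-character rule
        return sorted(matches)


def naive_search(text, patterns):
    """Reference matcher used to cross-check the skip logic."""
    pats = [p if isinstance(p, bytes) else p.encode() for p in patterns]
    return sorted((i, p) for p in pats for i in range(len(text) - len(p) + 1)
                  if text[i:i + len(p)] == p)


# Constructed sample: a few Snort-style content strings and two HTTP requests.
SIGNATURES = [b"/etc/passwd", b"cmd.exe", b"passwd", b"<script>"]
PAYLOADS = [
    b"GET /cgi-bin/foo?file=../../etc/passwd HTTP/1.0\r\n",
    b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n",
]


def scan_payloads(payloads=PAYLOADS, signatures=SIGNATURES):
    """Run the matcher over each payload; returns one match list per payload."""
    matcher = SetwiseBM(signatures)
    results = []
    for payload in payloads:
        found = matcher.search(payload)
        assert found == naive_search(payload, signatures)   # skips never lose a match
        results.append(found)
    return results


if __name__ == "__main__":
    for payload, found in zip(PAYLOADS, scan_payloads()):
        print(payload.strip(), "->", found)
```

Because every pattern shares one window and one shift table, the scan cost no longer grows with the number of signatures as a naive per-pattern search does; the `comparisons` counter lets you see how few bytes of a payload are actually examined. This kind of matcher still operates on raw payload bytes, which is why the abstract pairs it with a protocol-analysis stage: reassembly and decoding before matching is what addresses the insertion and evasion problems described in reference 26 (Ptacek and Newsham).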
References
1. Panagiotis Astithas. Intrusion Detection Systems. DaemonNews, 1999. www.daemonnews.org
2. Dorothy E. Denning. An intrusion-detection model. IEEE Transactions on Software Engineering, 1987, 13(2): 222-232
3. Mike Fisk, George Varghese. Fast content-based packet handling for intrusion detection. UCSD Technical Report CS2001-0670, 2001: 1-6
4. Eugene Schultz, Jim Mellander, Carl F. Endorf. Intrusion Detection and Prevention. McGraw-Hill Osborne Media, December 18, 2003: 221-254
5. 胡华平, 陈海涛, et al. Current status and development trends of intrusion detection systems. Computer Engineering & Science, 2001, (2): 20-25
6. L. T. Heberlein, et al. A Network Security Monitor. Proceedings of the IEEE Computer Society Symposium on Research in Security and Privacy, May 1990: 296-303
7. Seaman. Highlights and lies in gigabit IDS. CSDN, 2003: 2
8. G. B. White, U. Pooch. Cooperating Security Managers: Distributed Intrusion Detection Systems. Computers & Security, 1996, 15(5): 441-450
9. 李健. Research and implementation of a distributed network intrusion detection system. Graduate thesis, Southwest Jiaotong University, 2000: 20-33
10. Kevin Richards. Network Based Intrusion Detection: A Review of Technologies. Computers & Security, 1999, 18: 671-682
11. 袁林. Research on packet capture techniques and their performance analysis. Master's thesis, Harbin Institute of Technology, 2001: 3-42
12. Steven M. Christey, David W. Baker, William H. Hill, David E. Mann. The Development of a Common Vulnerabilities and Exposures List. cve.mitre.org, 2000: 9-18
13. HCNE certification textbook. Building Small and Medium Enterprise Networks. 2004: 304-325
14. Raven Alder, Jacob Babbin, Stephen Northcutt. Snort 2.1 Intrusion Detection. July 2004: 87-104
15. 张少波. IDS faces the high-speed challenge. CCIDnet (赛迪网络), 2003: 1-2
16. C. Jason Coit, Stuart Staniford, Joseph McAlerney. Towards Faster String Matching for Intrusion Detection. 2001: 1-5
17. D. Oppenheimer, M. Welsh. User Customization of Virtual Network Interfaces with U-Net/SLE. UC Berkeley Tech Report CSD-98-995, February 2000: 1-4
18. J. C. Mogul, K. K. Ramakrishnan. Eliminating receive livelock in an interrupt-driven kernel. ACM Transactions on Computer Systems, 1997, 15(3): 217-252
19. 田志宏, 方滨兴. A user-level packet transport mechanism based on a semi-polling driver under RTLinux. Journal of Software, 2004, 15: 834-841
20. 蒋涛, 李秀峰. High-speed intrusion detection systems. Data Communications, 2003, (6): 31-34
21. Anindya Basu, Vineet Buch, Werner Vogels, Thorsten von Eicken. U-Net: A User-Level Network Interface for Parallel and Distributed Computing. Department of Computer Science, Cornell University, 1997: 88-91
22. Raoul A. F. Bhoedjang, Henri E. Bal. User-Level Network Interface Protocols. IEEE Computer, 1998, 0018-9162/98: 53-60
23. 李善平, 刘文峰. Complete Source Code Analysis of the Linux 2.4 Kernel. China Machine Press, 2002: 231-264
24. 毛德操, 胡希明. Linux Kernel Scenario Analysis. Zhejiang University Press, 2001: 175-192
25. 可向民, 龚正虎, 夏建东. Research on zero-copy technology and its implementation. Computer Engineering & Science, 2000, 22(5): 17-21
26. Thomas H. Ptacek, Timothy N. Newsham. Insertion, Evasion, and Denial of Service: Eluding Network Intrusion Detection. Secure Networks, 1998: 14-25
27. 梁健. Research and implementation of zero-copy technology. Xfocus Team, 2003: 4-7
28. 翟建宏. Network intrusion detection and countermeasure techniques and their implementation. Computer Engineering, 2004, (3): 131-140
29. W. Richard Stevens. TCP/IP Illustrated, Volume 1: The Protocols. Chinese translation by 范建华 et al. China Machine Press, 2000: 3-134
30. 王玉峰. Application and research of packet sniffing and protocol parsing in NIDS. Graduate thesis, Chengdu University of Technology, 2004: 35-46
31. 韩东海, 王超, et al. Intrusion Detection Systems: Case Analysis. Tsinghua University Press, 2002: 97-124
32. 杨小平, 舒静. Research on intrusion detection based on protocol analysis. Application Research of Computers, 2004: 31-50
33. 田捷, 李恒华, et al. Comparison of network intrusion detection techniques based on signature analysis. Computer Engineering and Applications, 2003, (2): 44-56
34. 严蔚敏, 吴伟民. Data Structures. Tsinghua University Press, 2001: 67-85
35. 喻飞, 朱妙松. Improvement of signature matching in intrusion detection systems. Computer Engineering and Applications, 2003: 34-36
36. 李健. Research and implementation of a distributed network intrusion detection system. Graduate thesis, Southwest Jiaotong University, 2000: 12-22
37. Anja Feldmann. BLT: Bi-layer Tracing of HTTP and TCP/IP. Computer Networks, 2000, 33: 321-335
38. 王晓东. Computer Algorithm Design and Analysis. Publishing House of Electronics Industry, 2002: 44-57
39. Alfred V. Aho, Margaret J. Corasick. Efficient string matching: An aid to bibliographic search. Communications of the ACM, June 1975, 18(6): 333-340
40. 姜火文, 徐新爱. Discussion of the BM algorithm for pattern matching. Journal of Jiangxi Institute of Education, 2002, (23): 6-7
41. Hervé Debar, Marc Dacier, Andreas Wespi. Towards a taxonomy of intrusion-detection systems. Computer Networks, 1999, 31: 805-822
42. 李晓秋, 孙学涛, et al. A fast multi-pattern matching algorithm for intrusion detection systems. Computer Applications and Software, 2004, (2): 84-87
43. R. Sekar. A High-Performance Network Intrusion Detection System. Iowa State University, Ames, IA, 2003: 3
44. 邹海明. Fundamentals of Computer Algorithms. Huazhong University of Science and Technology Press, 1975: 247-264
45. 谭浩强. C Programming. Tsinghua University Press, 2001: 55-79
46. 程文. Analysis, comparison and improvement of detection methods for network intrusion detection systems. Graduate thesis, Southwest Jiaotong University, 2000: 20-42
47. S. Kumar, E. Spafford. A Pattern Matching Model for Misuse Intrusion Detection. Proceedings of the 17th National Computer Security Conference, October 1994: 11-12
48. 乔佩利, 张世斌. Implementation of a CVE-based intrusion detection system rule base. Network Security Technology & Application, 2004, (4): 38-51
49. 赵文军, 赵妍. The CVE database and its application in intrusion detection. Journal of Harbin University of Science and Technology, 2004, (6): 3-5
50. 李先通. Design of the Banner distributed intrusion detection system. Graduate thesis, Harbin Institute of Technology, 2002: 31-50

© 2004-2018 China Geological Library (中国地质图书馆). All rights reserved.