Research and Implementation of a Linux-Based Multi-Channel Intrusion Detection System
Abstract
With the rapid growth of the Internet, computer networks and individual hosts face ever more harm. How to secure networks and operating systems is therefore a key problem.
     For operating-system defence and network intrusion prevention, the first task is monitoring and filtering of network and operating-system information, so that the operating system and network transmission become more secure. The best existing practice on the operating-system side is to write the monitoring module into the kernel and load it as a driver; on the network side, the monitoring system is placed at key network nodes, where it can filter the relevant traffic more quickly. This is also the most efficient approach taken by firewalls and anti-virus software.
     In this thesis, "multi-channel" in the Linux multi-channel monitoring technique means monitoring the network and the operating system at the same time. Attack monitoring is carried out comprehensively from the network and operating-system sides; the data produced by monitoring is then used to train the model described in the thesis, which finally produces rules that can defend against attacks such as network DDoS.
     On the operating-system side, the thesis improves the Linux Capability module to implement operating-system monitoring and secure access control. After the defects of the POSIX.1e capability module are remedied, the improved module is loaded on the Linux Security Module (LSM) framework to monitor and control the kernel layer, completing process-credential privilege arbitration, secure i-node operations, message-queue feedback and related operations; finally a character device passes the monitoring information up to the application layer for security-control processing. Experiments show that, compared with other kernel security-monitoring schemes that load a capability module, the improved scheme not only improves system running efficiency, monitoring accuracy and system scan coverage to a certain extent, but also shows improved monitoring performance on system resource occupancy and several other indicators.
     On the network side, monitoring uses the Libpcap library with an improved packet-processing approach: a semi-polling scheme with a computed optimal processing value implements high-throughput bypass packet capture in promiscuous mode. Attack rules from previous research, such as Snort rules, are added to the module so that known attacks can be detected and the false-alarm rate lowered. Under heavy network load, the bypass-capture principle keeps data processing correct and efficient. On Linux, the low-level capture library libpcap handles high-volume packet capture; the network card captures data at a bypass point of the network; NAPI implements semi-polling of the device to speed up processing of data in the buffer; and the optimal bandwidth value is computed and the related parameters set to reach the best processing efficiency. At the same time, on the basis of the SNORT intrusion-detection platform, packets captured with libpcap are normalised, a Bayesian model is trained on normal data and distributed denial-of-service attack data, and a back-propagation neural network (BPNN) performs preliminary training so that the training output optimises the detection model and generates defence rules. The main advantages of this system are: 1. partial improvements on the Linux system increase the efficiency of existing packet filtering, so that attacks can be rejected before they take effect at the target; 2. the adaptive learning mode makes it easy to re-learn and re-formulate rules to guard against new attacks. Experiments show that the improved scheme can initially form rules against, and guard against, some unknown attacks, and that attack-handling efficiency is also improved.
Computer networks and individual hosts suffer more as the Internet develops. How to establish network and operating-system security is a key issue for all users.
     From the perspective of operating-system and network intrusion prevention, the first step is comprehensive monitoring and filtering of network and operating-system information, making the operating system and network transmission more secure. The best current measure is to load the monitoring module into the operating-system kernel as a driver. On the network side, the key monitoring system should be placed next to the network's exit nodes so that relevant information can be filtered quickly. This is also the most efficient approach taken by firewalls and other anti-virus software.
     In this article, "multi-channel" in the Linux monitoring technique means that the host monitors the network and the operating system at the same time. Monitoring attacks on the network and operating system from several aspects makes the existing network environment more secure, with a high coverage rate.
     The system designed in this dissertation has two major modules. The first is the operating-system kernel monitoring module, which improves on the defects of the POSIX.1e standard capability module. After the improved module is loaded under the Linux Security Module (LSM) framework, monitoring and control are performed at the operating-system kernel layer, completing a series of operations that include process-credential privilege arbitration, secure i-node operations, information feedback, queue operations and related processing. Finally, character devices feed the monitoring information back to the application layer, where security control is performed. Compared with several security-monitoring models loaded with the original capability module, the experimental results show that the proposed scheme not only improves system operating efficiency, monitoring accuracy and system scan coverage, but also achieves better monitoring performance in system resource occupancy and several other parameters.
     The second is the network monitoring and defence module. The packet-capture principle is studied in order to handle high volumes of packets using the underlying Libpcap capture library on Linux. Semi-polling with the New API (NAPI) is used to speed up processing of packets in the input buffer. Finally, queuing theory is used to determine the optimal bandwidth value, and the related parameters are set to achieve the best efficiency. A Bayesian model is trained on normal data and distributed denial-of-service attack data, and a back-propagation neural network (BPNN) is then used on the early training data, so that the training data optimises the detection model and defensive rules can be generated. The main advantages of this system are: first, some improvements to the Linux system enhance the efficiency of existing packet filtering, so that an attack is rejected on the target side before it begins; second, the self-adaptive learning model facilitates re-learning of rules in order to prevent new attacks.
     Experimental results demonstrate that the scheme not only increases the packet-capture rate, but also improves system resource occupancy significantly in many figures.
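The abstract describes training a Bayesian model on normal and DDoS traffic and deriving defence rules from it, but gives neither the feature set nor the classifier details. The following is an added example, not the dissertation's code: a small Gaussian naive Bayes classifier over per-window features (packets per second, SYN ratio, number of distinct sources) trained on constructed packet records, followed by a simple threshold rule derived from the learned class means. The feature choice, the synthetic packet records (real input would come from libpcap) and the class labels are assumptions made for this illustration.

```python
"""Gaussian naive Bayes over per-window traffic features (added example, not the
dissertation's code). The features, the constructed packet records and the
class labels are all assumptions made for this illustration."""
import math
from collections import defaultdict


# Constructed packet records: (timestamp_s, src_ip, is_syn). In the thesis these
# would be captured with libpcap; here they are synthesised so the example runs offline.
def make_normal(t0, n=40, n_src=3):
    """Low-rate traffic from a few hosts where only every 5th packet is a SYN."""
    return [(t0 + i * 0.9 / n, f"10.0.0.{1 + i % n_src}", i % 5 == 0) for i in range(n)]


def make_flood(t0, n=400, n_src=200):
    """High-rate SYN-only traffic spread over many sources (SYN-flood shape)."""
    return [(t0 + i * 0.9 / n, f"203.0.113.{i % n_src}", True) for i in range(n)]


def window_features(packets, window_s=1.0):
    """Bucket packets into fixed windows; return (pps, syn_ratio, distinct_src) per window."""
    buckets = defaultdict(list)
    for ts, src, syn in packets:
        buckets[int(ts // window_s)].append((src, syn))
    feats = []
    for key in sorted(buckets):
        pk = buckets[key]
        pps = len(pk) / window_s
        syn_ratio = sum(1 for _, s in pk if s) / len(pk)
        distinct_src = len({src for src, _ in pk})
        feats.append((pps, syn_ratio, distinct_src))
    return feats


class GaussianNB:
    """Minimal Gaussian naive Bayes: per-class mean and variance for each feature."""

    def __init__(self):
        self.prior = {}
        self.stats = {}  # label -> [(mean, var), ...] one entry per feature

    def fit(self, X, y):
        by_label = defaultdict(list)
        for row, label in zip(X, y):
            by_label[label].append(row)
        for label, rows in by_label.items():
            self.prior[label] = len(rows) / len(X)
            stats = []
            for col in zip(*rows):
                mean = sum(col) / len(col)
                # Variance floor: a feature that is constant within a class must not
                # produce a zero variance (which would make the density undefined).
                var = sum((v - mean) ** 2 for v in col) / len(col) + 1e-6
                stats.append((mean, var))
            self.stats[label] = stats
        return self

    def log_posterior(self, row, label):
        lp = math.log(self.prior[label])
        for v, (mean, var) in zip(row, self.stats[label]):
            lp += -0.5 * math.log(2 * math.pi * var) - (v - mean) ** 2 / (2 * var)
        return lp

    def predict(self, row):
        return max(self.stats, key=lambda label: self.log_posterior(row, label))


def train_model():
    """Train on three constructed normal windows and three constructed flood windows."""
    X, y, t = [], [], 0
    for n, n_src in [(30, 2), (40, 3), (50, 4)]:
        feats = window_features(make_normal(t, n, n_src))
        X += feats
        y += ["normal"] * len(feats)
        t += 1
    for n, n_src in [(300, 150), (400, 200), (500, 250)]:
        feats = window_features(make_flood(t, n, n_src))
        X += feats
        y += ["ddos"] * len(feats)
        t += 1
    return GaussianNB().fit(X, y)


def classify(model, packets):
    """Label every one-second window of a packet stream."""
    return [model.predict(f) for f in window_features(packets)]


def derive_pps_rule(model):
    """Turn the learned class means into a packets-per-second alert threshold
    (midpoint between the normal and ddos means): one generated defence rule."""
    m_normal = model.stats["normal"][0][0]
    m_ddos = model.stats["ddos"][0][0]
    return (m_normal + m_ddos) / 2


if __name__ == "__main__":
    model = train_model()
    print(classify(model, make_normal(100, 35, 3)))   # ['normal']
    print(classify(model, make_flood(200, 350, 180)))  # ['ddos']
    print(derive_pps_rule(model))                      # 220.0
```

The SYN ratio is constant within each constructed class, which is exactly the case where the variance floor matters; without it the Gaussian density is undefined, and a real deployment would additionally need many more windows per class than the three used here before the learned means and variances mean anything. The threshold rule is deliberately the simplest possible output of the training step; the BPNN refinement the abstract mentions is not reproduced.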
