Misuse Behaviour Detection Technology for Large-Scale Networks
Abstract
Government bodies, enterprises and other organizations have all built their own internal local area networks, and network construction has become one of the key factors in improving the work efficiency and core competitiveness of enterprises and institutions. As network scale keeps growing, the losses caused by network security incidents that arise from using the network in the wrong way or for the wrong purpose are attracting increasing attention. Statistics show that more than 80% of leaks and network intrusions worldwide originate from inside the network, so the security problems caused by internal network misuse have become a difficult issue in the field of network security management research.
This thesis first introduces the deployment environment of network misuse detection systems and the state of domestic and international research on network misuse detection technology, and explains how the detection system implemented here differs from traditional detection systems. It analyses and compares the characteristics of host-based and network-based misuse detection techniques and describes in detail the principles and techniques of misuse detection methods. Using the principle of IP spoofing and the ICMP echo function, and borrowing the advantages of peer-to-peer networks to improve the C/S architecture of traditional detection systems, it designs and implements a misuse detection system for a large-scale network composed of several controlled subnets. In the design of the detection system, the main functions, program flow and function design of its three sub-modules (scanning, monitoring and user interface) are described in detail. The detection system scans the hosts in its own subnet according to a parameter configuration set in advance by the user, simultaneously listens for misuse originating from other subnets, and raises an alarm when misuse is found. The system provides timely, accurate, flexible and effective monitoring and can give the user detailed information about the host on which the misuse occurred.
Finally, the experiments are described: misuse detection between subnets, misuse detection between a subnet and the external network, and system performance are each explained and analysed.
Today many government organizations and enterprises have built their own local area networks, and network construction has become one of the key factors by which enterprises improve work efficiency and core competitiveness. As the scale of networks keeps growing, security incidents caused by using the network in the wrong way or for the wrong purpose emerge endlessly, and the resulting losses attract increasing attention. According to the statistics, more than 80% of leaks and network intrusions come from inside the network. Security problems produced by internal network misuse have become a difficult problem in the research field of network security management.
This thesis designs and implements a prototype misuse detection system. The deployment conditions of a network misuse detection system are introduced, and the differences between the system studied here and traditional detection systems are given. The principle of misuse detection is analysed, and on that basis the related techniques, such as P2P, network programming, Libnet, Libpcap, JSP and MySQL, are introduced. The architecture of the misuse detection system is explained.
The characteristics of host-based and network-based misuse detection technology are presented. The network misuse detection prototype system is implemented using the principle of IP spoofing and the ICMP echo function. In the framework design of the detection system, the main functions, program flow and function design of the three sub-modules (scanning, monitoring and user interface) are given. The detection system can scan the hosts in its subnet using the parameter configuration given by the user. At the same time, the system can monitor unauthorized connections, and it can give hints when the unauthorized
