Design of a Distributed Intrusion Detection System Based on Intelligent Agents
Abstract
This thesis is set against the background of the research and development of the embedded network security project at the Xi'an Network Center of the Chinese Academy of Sciences. It analyzes the problems in current systems: detection is too slow, detection technology cannot keep pace with the rapid growth of network speeds, and distribution, flexibility and efficiency remain unsatisfactory. We therefore sought new techniques to improve the overall performance of intrusion detection systems. This thesis introduces intelligent Agent technology into an intrusion detection system with the aim of substantially improving its real-time performance, scalability, flexibility and fault tolerance, so that the system has good performance and flexibility.
Agent technology is a distributed computing technique that originated in intelligent agents. Compared with traditional distributed approaches, Agents reduce network traffic, run autonomously and asynchronously, and adapt dynamically to changes in the network. Applying multi-Agent system technology to a distributed intrusion detection system makes intrusion detection possible across the whole network, places a low load on network and host resources, reduces the likelihood of bottlenecks, and makes services easy to distribute.
This thesis gives a detailed introduction to intrusion detection systems, analyzes several commonly used detection methods, presents the advantages of Agent technology and its platform Aglet in an IDS, compares several pattern matching algorithms used in detection engines, and adopts a method that combines protocol analysis with pattern matching. Experiments show that this method has clear advantages: protocol analysis exploits the highly regular structure of network protocols and inspects only the content of a specific protocol, which reduces the search space and the amount of computation and avoids the false positives and false negatives that simple pattern matching produces by comparing raw content.
This thesis studies in depth the network card driver and the memory management mechanism under Linux, bypasses the operating system's protocol stack parsing of packets, reduces the number of packet copies, achieves zero copy, improves the system's packet capture capability and significantly improves system performance.
This thesis is based on the embedded project at the Network Center of the Chinese Academy of Sciences in Xi'an. Currently the key problem is how to improve the performance of intrusion detection systems: the development of detection technology cannot keep up with the speed of network technology, and traditional intrusion detection systems have shortcomings in certain aspects, such as flexibility and interoperability. Therefore, people have begun to seek new technologies to improve the performance of intrusion detection systems. In this thesis, we try to introduce mobile Agent technology into intrusion detection systems to improve their flexibility, interoperability and extensibility as well as their real-time performance. Agents have been proposed for distributed network management. Compared to traditional technology they have obvious advantages, such as greatly reducing network traffic, running independently and asynchronously, and adapting to changes in the network through dynamic configuration. They use less network bandwidth and fewer host resources, which reduces the possibility of bottlenecks; furthermore, the service is easy to deploy.
This dissertation introduces intrusion detection systems in detail and analyzes the usual methods of intrusion detection. It also describes the advantages and disadvantages of present systems, points out the strengths of Agents and their platform Aglet for use in intrusion detection systems, and analyzes several string matching algorithms used by the detection engines of intrusion detection systems. Based on this research, we adopt a method that combines protocol analysis with string pattern matching. Protocol analysis exploits the high degree of structure in network protocols and matches only specific fields in data packets, so it decreases the search space and computational complexity and avoids the false alarms reported by simple pattern matching.
We improved the traditional packet capture procedure based on zero-copy technology, thoroughly researched driver programming and the memory management mechanism under the Linux system, reduced the number of data copies, achieved zero copy and improved system performance remarkably.
