Design and Implementation of an Active Network Security Monitoring System
Abstract
With the rapid development and growing popularity of the Internet, information security is receiving ever more attention. Although firewalls and intrusion detection systems are installed on hosts to prevent network intrusions, intruders may still steal or tamper with confidential information through illegitimate means. Promptly detecting and controlling illegitimate behaviour has therefore become an urgent requirement of network security.
     The thesis first analyses the shortcomings of existing network security monitoring systems and then studies three subsystems in depth: the intranet illegal-access prevention monitoring subsystem, the malicious-download prevention monitoring subsystem and the mandatory access control monitoring subsystem. In the intranet illegal-access prevention monitoring subsystem, encryption technology and IP-MAC binding are studied and a corresponding active strategy against illegal access is designed; a login verification module and an illegal-host detection and handling module are designed and implemented on the basis of the ARP protocol. In the malicious-download prevention monitoring subsystem, HTTP and FTP packets are analysed in detail, traffic detection techniques are studied, and a TDI filter driver is designed and implemented that actively intercepts every user logging on to a protected host. The mandatory access control monitoring subsystem builds on a study of the Bell-LaPadula and Biba models: combining the strengths of the two, the author participated in the design of a mandatory access control model that satisfies both information confidentiality and information integrity, and implemented a Windows filter driver that can actively intercept file operations by user processes.
     For the security problems of a dedicated (private) network, the three main modules of the active network security monitoring system were implemented. Experimental results show that the intranet illegal-access prevention monitoring subsystem effectively detects illegally connected hosts and cuts off their network connections; the malicious-download prevention monitoring subsystem actively blocks users whose download volume exceeds a threshold and effectively prevents users from downloading protected files; and the mandatory access control monitoring subsystem effectively enforces mandatory access control over the Windows file system.
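The illegal-access subsystem described above rests on an IP-MAC binding table: a host seen on the segment whose (IP, MAC) pair is not in the table is treated as an illegal connection and isolated. The following is an added example, not code from the thesis, that models that check over a constructed binding table and a constructed ARP-cache snapshot; it distinguishes an unknown host from a bound IP answering with a foreign MAC (which also covers spoofed ARP replies) and from a known adapter using an address it is not bound to, so that an operator can tell the three cases apart in the alert.

```python
"""Checking observed (IP, MAC) pairs against an IP-MAC binding table.

Added example (not the thesis's code). The binding table, the ARP snapshot
and the verdict names are constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address


@dataclass(frozen=True)
class Finding:
    ip: str
    mac: str
    verdict: str   # "authorized", "mac_mismatch", "ip_mismatch", "unknown_host"
    detail: str


def normalize_mac(mac: str) -> str:
    """Canonical lower-case colon form, so 00-1A-2B-.. and 00:1a:2b:.. compare equal."""
    hexdigits = mac.replace("-", "").replace(":", "").replace(".", "").lower()
    if len(hexdigits) != 12 or any(c not in "0123456789abcdef" for c in hexdigits):
        raise ValueError(f"bad MAC: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def check_bindings(bindings, observed):
    """bindings: {ip: mac} for hosts permitted on the segment.
    observed: iterable of (ip, mac) pairs taken from ARP traffic or the ARP cache.
    Returns one Finding per observed pair."""
    by_ip = {str(ip_address(ip)): normalize_mac(mac) for ip, mac in bindings.items()}
    by_mac = {mac: ip for ip, mac in by_ip.items()}
    findings = []
    for ip, mac in observed:
        ip, mac = str(ip_address(ip)), normalize_mac(mac)
        if by_ip.get(ip) == mac:
            findings.append(Finding(ip, mac, "authorized", "matches binding table"))
        elif ip in by_ip:
            # A bound address answered from a different adapter: a foreign host
            # using a legitimate IP, or a spoofed ARP reply for that IP.
            findings.append(Finding(ip, mac, "mac_mismatch", f"ip is bound to {by_ip[ip]}"))
        elif mac in by_mac:
            # A known adapter presenting an address it is not bound to.
            findings.append(Finding(ip, mac, "ip_mismatch", f"mac is bound to {by_mac[mac]}"))
        else:
            findings.append(Finding(ip, mac, "unknown_host", "no binding for ip or mac"))
    return findings


def hosts_to_isolate(findings):
    """IPs whose connection the subsystem would cut: everything not authorized."""
    return sorted({f.ip for f in findings if f.verdict != "authorized"})


# Constructed sample data (not from the thesis).
SAMPLE_BINDINGS = {
    "192.168.10.11": "00:1A:2B:3C:4D:11",
    "192.168.10.12": "00:1A:2B:3C:4D:12",
    "192.168.10.13": "00:1A:2B:3C:4D:13",
}
SAMPLE_ARP_SNAPSHOT = [
    ("192.168.10.11", "00-1a-2b-3c-4d-11"),   # authorized, MAC spelled differently
    ("192.168.10.12", "00:1a:2b:3c:4d:99"),   # bound IP, foreign adapter
    ("192.168.10.50", "00:1a:2b:3c:4d:13"),   # known adapter, unbound IP
    ("192.168.10.77", "de:ad:be:ef:00:01"),   # unknown host plugged in
]

if __name__ == "__main__":
    results = check_bindings(SAMPLE_BINDINGS, SAMPLE_ARP_SNAPSHOT)
    for f in results:
        print(f"{f.ip:15} {f.mac}  {f.verdict:13} {f.detail}")
    print("isolate:", hosts_to_isolate(results))
```

The binding table is the policy; the snapshot is whatever the detection module observes. In a deployment the snapshot would be refreshed from ARP traffic continuously, and a `mac_mismatch` for a bound address deserves a faster response than an `unknown_host`, since it may mean a legitimate address is being impersonated.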
As the Internet has come into heavy use, more and more attention has been paid to network and information security. The most commonly used protective measures are installing a firewall or an IDS on the computer, but attackers can still get into the network by other means, so being able to identify what is happening on the network has become an important aspect of network security.
     This paper first discusses the weaknesses of such networks, then designs and implements an Active Network Security Monitor System (ANSMS) for a company network, consisting of the Illegal Connection Monitor Subsystem (ICMS), the Malicious Downloading Prevention Monitor Subsystem (MDPMS) and the Mandatory Access Control Monitor Subsystem (MACMS). For the ICMS it researches encryption technology and IP-MAC binding, designs an active strategy against illegal connections, and designs and implements an authentication module, a detection module and a closing module based on the ARP protocol. For the MDPMS it mainly parses HTTP and FTP packets, detects network flows, and designs and implements a TDI filter driver that intercepts connecting users actively. For the MACMS the author took part in implementing a new access control model based on the Bell-LaPadula and Biba models that combines the advantages of both, and implemented a Windows filter driver that intercepts file operations by processes.
     According to the characteristics of the special network, the three modules of the Active Network Security Monitor System were implemented. The research results have been used several times in the network of a certain department as the project background, and indicate that the ICMS can detect an illegal computer and close its connection; the MDPMS can close the downloads of users who download more than the threshold and prevent protected files from being downloaded; and the MACMS can intercept I/O requests actively, implementing Windows mandatory access control.
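Both abstracts describe the MACMS as a model that combines Bell-LaPadula (confidentiality) with Biba (integrity) and enforces it on file operations from a Windows filter driver. The following added example, not code from the thesis, shows the decision logic such a combination yields when the two models are applied together in their standard strict form: a read must satisfy BLP's simple-security property (no read up) and Biba's no-read-down rule, a write must satisfy BLP's *-property (no write down) and Biba's no-write-up rule. That combination rule is an assumption about the kind of model the thesis describes, not a reproduction of its design; the labels, subjects and paths are constructed.

```python
"""Access decision combining Bell-LaPadula and Biba (added example; the
combination rule is the standard strict one and is assumed, not taken from
the thesis). Labels, subjects and file paths are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Label:
    conf: int                       # confidentiality level: 0 public .. 3 top secret
    integ: int                      # integrity level: 0 untrusted .. 2 system
    cats: frozenset = frozenset()   # confidentiality compartments (need-to-know)


def dominates(a: Label, b: Label) -> bool:
    """BLP dominance on the confidentiality lattice: level and category set."""
    return a.conf >= b.conf and a.cats >= b.cats


def may_read(subject: Label, obj: Label) -> bool:
    # BLP simple security: no read up.   Biba: no read down.
    return dominates(subject, obj) and subject.integ <= obj.integ


def may_write(subject: Label, obj: Label) -> bool:
    # BLP *-property: no write down.     Biba: no write up.
    return dominates(obj, subject) and subject.integ >= obj.integ


def decide(subject: Label, obj: Label, op: str) -> str:
    """Verdict for one file request; op is 'read', 'write' or 'rw' (open for both).
    This is the decision a filter driver would apply before passing the request on."""
    checks = {
        "read": may_read,
        "write": may_write,
        "rw": lambda s, o: may_read(s, o) and may_write(s, o),
    }
    if op not in checks:
        raise ValueError(f"unknown operation {op!r}")
    return "allow" if checks[op](subject, obj) else "deny"


# Constructed scenario: a cleared analyst process and an internet-facing web
# application process, against four labelled files.
SUBJECTS = {
    "analyst": Label(conf=2, integ=1, cats=frozenset({"proj-x"})),
    "webapp":  Label(conf=0, integ=0),
}
OBJECTS = {
    r"C:\secret\plan.doc":   Label(conf=2, integ=1, cats=frozenset({"proj-x"})),
    r"C:\public\notice.txt": Label(conf=0, integ=1),
    r"C:\Windows\hosts":     Label(conf=0, integ=2),
    r"C:\inbox\upload.bin":  Label(conf=0, integ=0),
}


def audit(subject_name: str, path: str, op: str) -> str:
    """One log-style line per decision, for review of the policy's effect."""
    verdict = decide(SUBJECTS[subject_name], OBJECTS[path], op)
    return f"{subject_name:8} {op:5} {path}: {verdict}"


if __name__ == "__main__":
    for who, path, op in [
        ("analyst", r"C:\secret\plan.doc", "rw"),      # same label: allow
        ("analyst", r"C:\public\notice.txt", "write"), # no write down: deny
        ("analyst", r"C:\inbox\upload.bin", "read"),   # no read down (Biba): deny
        ("webapp", r"C:\Windows\hosts", "write"),      # no write up (Biba): deny
        ("webapp", r"C:\Windows\hosts", "read"),       # read up in integrity: allow
        ("webapp", r"C:\inbox\upload.bin", "write"),   # same label: allow
    ]:
        print(audit(who, path, op))
```

The two denials that matter most are the ones a single model would miss: BLP alone would let the analyst read the untrusted upload, and Biba alone would let the analyst write the secret plan into a public file. Running both checks on every request is what gives the combined model confidentiality and integrity at once.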