Research on Intrusion Detection Systems for High-Speed Network Environments
Abstract

An intrusion detection system (IDS) is a combination of software and hardware that uncovers security problems by analysing the events occurring on a network or host. As network attacks have grown more frequent and wider in impact over recent years, intrusion detection systems have received increasing attention and have become an important component of network security architectures.

A network-based intrusion detection system (NIDS) takes raw network packets as its data source and analyses the traffic on the network in real time. Compared with host-based intrusion detection, network-based systems have become the mainstream form of IDS. With the rapid growth of network bandwidth, however, a NIDS faces many difficulties: it must keep up with link speed while still inspecting every packet. This thesis designs a network intrusion detection system for high-speed network environments. Its new design overcomes the shortcomings that earlier systems show at high speed and raises detection speed.

The thesis applies stratified sampling theory to network intrusion detection. The system consists of two main parts: an anomaly detection module and a sampling module. The detection engine of the anomaly detection module uses a model based on outlier discovery and byte-distribution detection: by computing the statistical distribution of byte values in packet payloads it obtains a measure of how anomalous each packet is, and this measure serves as the stratification variable in the sampling module. The sampling module uses this stratification parameter to draw the valuable samples out of the mass of packets on a high-speed network, and detection run on the sample reflects the characteristics of the population. After an overview of intrusion detection systems, the thesis concentrates on the outlier-discovery and byte-distribution detection methods of the anomaly detection module and on the stratification strategy and within-stratum sampling strategy of the sampling module. On this basis a complete IDS prototype was designed and implemented, and the performance of the sampling algorithm and the anomaly detection algorithm was validated and analysed on the DARPA 1999 IDS evaluation data set developed by the MIT Lincoln Laboratory. The experiments show that the method effectively increases detection speed.
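The pipeline the abstract describes (byte-distribution anomaly score, stratification on that score, within-stratum sampling, detection on the sample, population estimate) is shown end to end in the added example below. It is an illustration written for this page, not the thesis's own code: the score is a simplified PAYL-style diagonal Mahalanobis distance of a payload's 1-gram byte histogram from a training profile, standing in for the thesis's outlier-based model; the stratum boundaries and sampling rates, the signature used as a stand-in for the detection engine, and the HTTP-like traffic with NOP-sled payloads are all constructed assumptions. The estimate of the number of attack packets in the whole population uses the standard stratified estimator, sum over strata of (N_h / n_h) times the hits found in that stratum's sample.

```python
import math
import random
from collections import Counter

NUM_BYTES = 256


def byte_distribution(payload: bytes) -> list:
    """Relative frequency of each byte value (1-gram histogram) in one payload."""
    if not payload:
        return [0.0] * NUM_BYTES
    counts, n = Counter(payload), len(payload)
    return [counts.get(b, 0) / n for b in range(NUM_BYTES)]


class NormalProfile:
    """Per-byte mean and standard deviation of byte frequencies over training payloads."""

    def __init__(self, training, smoothing=0.001):
        dists = [byte_distribution(p) for p in training]
        n = len(dists)
        self.mean = [sum(d[b] for d in dists) / n for b in range(NUM_BYTES)]
        self.std = [math.sqrt(sum((d[b] - self.mean[b]) ** 2 for d in dists) / n)
                    for b in range(NUM_BYTES)]
        self.smoothing = smoothing  # keeps never-seen bytes from dividing by zero

    def score(self, payload: bytes) -> float:
        """Simplified Mahalanobis distance (diagonal covariance) from the profile.
        Byte values that were rare or absent in training, e.g. 0x90 in ASCII-only
        traffic, dominate the score; this is the assumed anomaly measure."""
        d = byte_distribution(payload)
        return sum(abs(d[b] - self.mean[b]) / (self.std[b] + self.smoothing)
                   for b in range(NUM_BYTES))


# Strata over the anomaly score: (lower bound, upper bound, sampling rate).
# Bounds and rates are assumed for this example; the most anomalous stratum is
# sampled exhaustively, the bulk of low-score traffic only sparsely.
STRATA = [(0.0, 60.0, 0.02), (60.0, 200.0, 0.25), (200.0, math.inf, 1.0)]


def stratify(scored):
    """Partition (score, payload) pairs into the STRATA buckets."""
    buckets = [[] for _ in STRATA]
    for score, payload in scored:
        for i, (lo, hi, _) in enumerate(STRATA):
            if lo <= score < hi:
                buckets[i].append(payload)
                break
    return buckets


def systematic_sample(items, rate, rng):
    """Within-stratum systematic sampling: every k-th item from a random start.
    A stratum smaller than k may yield no sample at all; the caller skips it."""
    if not items or rate <= 0:
        return []
    k = max(1, round(1 / rate))
    return items[rng.randrange(k)::k]


def detector(payload: bytes) -> bool:
    """Stand-in for the detection engine run on the sample (assumed signature)."""
    return b"\x90" * 8 in payload or b"/bin/sh" in payload


def sampled_detection(profile, packets, seed=0):
    """Score, stratify, sample, detect on the sample, then estimate the number of
    attack packets in the population as sum_h (N_h / n_h) * hits_h."""
    rng = random.Random(seed)
    buckets = stratify((profile.score(p), p) for p in packets)
    estimate, inspected = 0.0, 0
    for (_, _, rate), bucket in zip(STRATA, buckets):
        sample = systematic_sample(bucket, rate, rng)
        if sample:
            hits = sum(detector(p) for p in sample)
            estimate += len(bucket) / len(sample) * hits
            inspected += len(sample)
    return {"estimated_attacks": estimate, "inspected": inspected,
            "population": len(packets), "strata_sizes": [len(b) for b in buckets]}


def make_traffic(seed=7, normal=1000, attacks=20):
    """Constructed traffic: HTTP-like ASCII requests plus a few NOP-sled payloads."""
    rng = random.Random(seed)
    alphabet = b"abcdefghijklmnopqrstuvwxyz0123456789"

    def request():
        path = bytes(rng.choice(alphabet) for _ in range(rng.randint(5, 20)))
        return b"GET /" + path + b" HTTP/1.1\r\nHost: example.com\r\n"

    training = [request() for _ in range(300)]
    attack = b"GET /" + b"\x90" * 24 + b"/bin/sh HTTP/1.1\r\nHost: example.com\r\n"
    packets = [request() for _ in range(normal)] + [attack] * attacks
    rng.shuffle(packets)
    return training, packets


if __name__ == "__main__":
    training, packets = make_traffic()
    print(sampled_detection(NormalProfile(training), packets))
```

Because every attack payload carries a byte value never seen in training, its score lands in the top stratum, which is sampled at 100%, while the detector is run on only a few percent of the ordinary traffic; the stratified estimator still recovers the full attack count. The caveat a practitioner should keep in mind is that the estimate is only as good as the stratification variable: an attack whose payload byte histogram looks normal (for example an HTTP request carrying an injection string in plain ASCII) falls into the sparsely sampled stratum and is caught only with probability equal to that stratum's sampling rate.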
References

[1] Anderson J P. Computer Security Threat Monitoring and Surveillance. Technical report, James P. Anderson Company, Fort Washington, Pennsylvania, April 1980.
[2] Northcutt S, Cooper M. Intrusion Signatures and Analysis (Chinese edition) [M]. Beijing: China Electric Power Press, 2002: 5-8.
[3] 唐正军, et al. Design and Implementation of a Network Intrusion Detection System [M]. Beijing: Publishing House of Electronics Industry, 2002: 1-3.
[4] Bace R G. Intrusion Detection [M]. Macmillan Technical Publishing, 2001.
[5] Kruegel C, Valeur F, Vigna G, Kemmerer R. Stateful intrusion detection for high-speed networks [C]. Proceedings of the 2002 IEEE Symposium on Security and Privacy, 2002: 285-293.
[6] 程光, 龚俭, 丁伟. A real-time anomaly detection model for high-speed networks based on sampling measurement [J]. Journal of Software, 2003, 14(3): 594-599.
[7] 张峰, 雷振明. Throughput measurement of high-speed networks based on stratified sampling [J]. Journal of Jilin University, 2004, 22(6): 557-563.
[8] 徐成, 喻飞. Intrusion detection in high-speed network environments [J]. China Safety Science Journal, 2005, 15(1): 74-78.
[9] Wang Y, Yang H, Wang X, et al. Distributed intrusion detection system based on data fusion method [C]. 5th World Congress on Intelligent Control and Automation. New Jersey: IEEE Press, 2004: 250-252.
[10] 王丽娜, 董晓梅. An intrusion detection method based on evolutionary neural networks [J]. Journal of Northeastern University, 2002(2): 107-110.
[11] 李辉, 管晓宏, 昝鑫, et al. Network intrusion detection based on support vector machines [J]. Journal of Computer Research and Development, 2003, 40(6): 799-807.
[12] CIDF Working Group. The Common Intrusion Detection Framework Architecture. http://www.gidos.org/, 1998.
[13] Forrest S, Hofmeyr S A, Somayaji A. Computer immunology [J]. Communications of the ACM, 1997, 40(10): 88-96.
[14] Xin J, Dickerson J E, Dickerson J A. Fuzzy feature extraction and visualization for intrusion detection [C]. The IEEE International Conference on Fuzzy Systems, 2003: 1249-1254.
[15] 王汝传, 王华, 徐小龙. Research on an intrusion detection system model based on mobile agents [J]. Journal of Communications, 2004, 25(1): 22-29.
[16] Agyemang M. Local Sparsity Coefficient-Based Mining of Outliers. Windsor, Ontario, Canada: University of Windsor, 2002.
[17] 蒋建春, 马恒太. Network security intrusion detection: a survey [J]. Journal of Software, 2000, 11(11): 1460-1466.
[18] 周凯. Outlier detection based on statistical-clustering RBF neural networks [J]. Computer Science, 2006, 33(10): 196-197, 271.
[19] Han J. Data Mining: Concepts and Techniques (Chinese edition) [M]. Beijing: China Machine Press, 2001: 355-362.
[20] Knorr E M, Ng R T, Tucakov V. Distance-based outliers: algorithms and applications [J]. The VLDB Journal, 2000, 8(3-4): 237-253.
[21] Breunig M M, Kriegel H-P, Ng R T, Sander J. LOF: identifying density-based local outliers [C]. Proc. ACM SIGMOD 2000 Int'l Conf. on Management of Data, Dallas, TX, 2000.
[22] 闰光辉, 何瑞春. Design of a clustering method based on neural networks, grids and density [J]. Journal of Lanzhou Railway Institute (Natural Science), 2003(1): 94-97.
[23] 胡映, 陈刚. An effective grid- and density-based clustering analysis algorithm [J]. Journal of Computer Applications, 2003(12): 64-67.
[24] Bollobás B. Random Graphs [M]. Cambridge Studies in Advanced Mathematics. Cambridge: Cambridge University Press, 2001.
[25] Dembo A, Zeitouni O. Large Deviations Techniques and Applications [M]. Springer, 1998.
[26] Krishna K, Murty M N. Genetic K-means algorithm [J]. IEEE Transactions on Systems, Man and Cybernetics, Part B, 1999, 29(3): 433-439.
[27] Ghoting A. IEEE International Conference on Data Mining (ICDM'04) [C], 2004: 387-390.
[28] 张尧庭, 方开泰. Introduction to Multivariate Statistical Analysis [M]. Beijing: Science Press, 1982.
[29] Wang K, Stolfo S J. Anomalous payload-based network intrusion detection [C]. In: Jonsson E, Valdes A, Almgren M, eds. Proc. of the 7th Int'l Symp. on Recent Advances in Intrusion Detection (RAID 2004). LNCS 3224, Heidelberg: Springer-Verlag, 2004: 203-222.
[30] Barber R. The evolution of intrusion detection systems: the next step [J]. Computers & Security, 2001, 20: 132-145.
[31] Hoagland J. SPADE. Silicon Defense, http://www.silicondefense.com/software/spice, 2000.
[32] Javitz H S, Valdes A. The NIDES statistical component: description and justification. Technical report, SRI International, Computer Science Laboratory, 1993.
[33] Mahoney M, Chan P K. Learning nonstationary models of normal network traffic for detecting novel attacks [C]. Proc. SIGKDD 2002: 376-385.
[34] Mahoney M. Network traffic anomaly detection based on packet bytes [C]. Proc. ACM SAC 2003.
[35] Kruegel C, Toth T, Kirda E. Service specific anomaly detection for network intrusion detection [C]. Symposium on Applied Computing (SAC), Spain, March 2002.
[36] Claffy K C, Polyzos G C, Braun H-W. Application of sampling methodologies to network traffic characterization [J]. ACM SIGCOMM Computer Communication Review, 1993, 23(4): 194-203.
[37] Hernandez E A, Chidester M C, George A D. Adaptive sampling for network management [J]. Journal of Network and Systems Management, 2001, 9(4): 409-434.
[38] Zseby T, Molina M, Raspall F, et al. Sampling and Filtering Techniques for IP Packet Selection. IETF Internet-Draft, http://www.ietf.org/internet-drafts/draft-ietf-psamp-sample-tech-06.txt, 2005.
[39] Duffield N G. Sampling for passive Internet measurement: a review [J]. Statistical Science, 2004, 19(3): 472-498.
[40] Zseby T. Stratification strategies for sampling-based non-intrusive measurements of one-way delay [C]. Passive and Active Measurement Workshop (PAM 2003), http://moat.nlanr.net/PAM2003/PAM2003papers/3748.pdf, 2003.
[41] Paxson V, Almes G, Mahdavi J, Mathis M. Framework for IP Performance Metrics. IETF RFC 2330, 1998.
[42] Cozzani I, Giordano S. A passive test and measurement system: traffic sampling for QoS evaluation [C]. In: Proceedings of the Global Telecommunications Conference (GLOBECOM'98). Sydney: IEEE Press, 1998: 1236-1241.
[43] Duffield N, Grossglauser M. Trajectory sampling for direct traffic observation [C]. In: Gunningberg P, Pink S, eds. Proceedings of ACM SIGCOMM 2000. Stockholm: ACM, 2000: 271-282.
[44] McHugh J. Testing intrusion detection systems: a critique of the 1998 and 1999 DARPA off-line intrusion detection system evaluations as performed by Lincoln Laboratory [J]. ACM Trans. on Information and System Security, 2000, 3(4): 262-294.
[45] tcpdump. http://www.tcpdump.org
[46] http://www.zhuoda.org/weiking/44017.html
[47] 诸葛建伟, 王大为. A network anomaly detection method based on D-S evidence theory [J]. Journal of Software, 2006, 17(3): 463-471.