Research and Design of the Detection Engine in a Network Intrusion Detection System
Abstract
With the rapid development of computer networks, network security problems have become increasingly prominent. Intrusion detection, as a new generation of computer security technology, is an effective complement to traditional security mechanisms such as firewalls and virus detection. The detection engine is the core of an intrusion detection system, and its performance directly determines the quality of the system. In general, the detection methods used by a detection engine fall into two categories, misuse detection and anomaly detection. Misuse detection is more efficient, but it can only find attacks already known in the rule base, whereas anomaly detection can discover unknown intrusions. Therefore, following the common practice of current detection engines, the two can be combined, which helps reduce the false negative rate of intrusion detection.
Looking further at misuse detection, the BM pattern matching algorithm is already a great improvement over simple pattern matching, but in the face of today's rapidly growing high-volume networks, still faster detection is needed. By analysing the pattern matching algorithms in common use, a more suitable improved BM algorithm can be designed; applying this improved algorithm in the intrusion detection system further raises detection efficiency.
For anomaly detection, a classical statistical model is used to detect anomalies in the current network traffic, so that intrusions not defined in the rule base can be discovered in time. A sliding-window traffic update strategy is also adopted to make anomaly detection more accurate.
In addition, to counter certain attacks aimed at the intrusion detection system itself, an alert filtering algorithm can be designed that reduces some spurious alerts, improves the rationality of alerting, and gives the system a degree of resistance to attack.
Taking all of this together, a detection engine combining pattern matching, network traffic statistics and alert filtering is constructed, providing an approach and a scheme for the design of intrusion detection system detection engines.
With the rapid development of computer networks, the security problem is getting more and more important. Intrusion detection, as a new-generation computer security technique, is a helpful reinforcement for firewalls, virus detection, etc. The detection engine is the core of an IDS, and its performance directly determines the quality of the IDS.
Generally speaking, a detection engine's detection methods can be divided into misuse detection and anomaly detection. Misuse detection has high efficiency, but it can only discover attacks known to the rules, whereas anomaly detection can discover unknown attacks.
Further, in the misuse detection module, the BM algorithm is a great improvement over simple pattern matching, but the current rapid growth of large network flows calls for even faster detection algorithms. Based on an analysis of the commonly used BM algorithm, a more applicable BM algorithm can be designed; this improved BM algorithm can improve the efficiency of the IDS. At the same time, applying known protocol analysis to pattern matching reduces the amount of matching and enhances the efficiency of detection.
In the anomaly detection module, according to a classical statistical model, the IDS makes full use of statistical information to decide whether the current network flow is anomalous, so as to detect unknown attacks. To make anomaly detection more accurate, the IDS can adopt a traffic update policy based on a sliding window.
Because of attacks on the IDS itself, an optimized alert algorithm can decrease the occurrence of abusive alerts, so the rationality of alerts is improved and the IDS itself becomes more secure.
Finally, taking all of this into consideration, a detection engine based on pattern matching, network flow statistics, optimized alerting, etc. can be put forward, which provides an approach and ideas for the detection engine of an IDS.
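As an added illustration (not code from the thesis), the following Python sketch shows the two detection strategies the abstract combines: misuse detection with a Boyer-Moore style right-to-left matcher using Horspool's bad-character shift (the thesis's own BM improvement is not described on this page, so the standard Horspool variant stands in for it), and anomaly detection with a sliding-window statistical baseline over per-interval packet counts. The signature names, threshold factor and sample traffic are constructed here for the example.

```python
from collections import deque
from statistics import mean, pstdev

def horspool_table(pattern: bytes) -> dict:
    """Bad-character shift table; the last byte is excluded so a mismatch there still shifts."""
    m = len(pattern)
    return {pattern[i]: m - 1 - i for i in range(m - 1)}

def horspool_find(pattern: bytes, payload: bytes) -> int:
    """Index of the first occurrence of pattern in payload, or -1 (Boyer-Moore-Horspool)."""
    m, n = len(pattern), len(payload)
    if m == 0 or m > n:
        return -1
    shift = horspool_table(pattern)
    i = 0
    while i <= n - m:
        j = m - 1
        while j >= 0 and payload[i + j] == pattern[j]:  # compare right to left
            j -= 1
        if j < 0:
            return i
        # Shift by the payload byte aligned with the pattern's last position
        i += shift.get(payload[i + m - 1], m)
    return -1

# Constructed signatures for the misuse (rule-based) side of the engine.
SIGNATURES = {"path-traversal": b"/../", "passwd-read": b"/etc/passwd"}

def misuse_check(payload: bytes) -> list:
    """Names of every signature found in the payload."""
    return [n for n, p in SIGNATURES.items() if horspool_find(p, payload) >= 0]

class SlidingWindowDetector:
    """Anomaly side: flag an interval whose packet count exceeds
    mean + k * stddev of the last `window` normal intervals."""
    def __init__(self, window: int = 5, k: float = 3.0):
        self.history = deque(maxlen=window)
        self.k = k

    def observe(self, count: int) -> bool:
        anomalous = False
        if len(self.history) == self.history.maxlen:
            mu, sigma = mean(self.history), pstdev(self.history)
            anomalous = count > mu + self.k * max(sigma, 1.0)  # floor avoids sigma == 0
        if not anomalous:
            self.history.append(count)  # assumption: only normal intervals refresh the baseline
        return anomalous
```

A flood interval is reported by the statistical side without any rule, while payload signatures are reported regardless of traffic volume, which is the complementary behaviour the abstract argues for.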