Research on a Service-Oriented Distributed IDS Model
Abstract
Existing distributed intrusion detection systems are mostly deployed in a fixed configuration and cannot keep pace with the ever-growing scale and dynamism of modern networks; they also suffer from drawbacks such as single points of failure and long response delays. To improve scalability and shorten response time, P2P networking can be applied to the connections between the components of a distributed IDS. Relying on a P2P network alone to connect the security components, however, gives each component too many connection partners, and the components cannot cooperate effectively.
To address these problems, a service-oriented approach is introduced into the design of distributed IDS, and a service-oriented, self-organizing distributed IDS model over a peer-to-peer network, SODIDS (Service Oriented Distributed Intrusion Detection System), is proposed.
SODIDS uses multi-domain cooperation so that the system can be deployed in large-scale network environments. For the representation of service information, common intrusion detection techniques are divided into coarse-grained, loosely coupled services and a simple service model is proposed, in order to avoid establishing useless connections and to improve scalability and manageability. Security components self-organize according to this service model and select cooperation partners on the basis of service information. For the lookup of service information, a hierarchical P2P scheme based on the ChordPNS protocol is used to speed up self-organization and shorten the response time to intrusions. The hierarchical P2P scheme selects a subset of nodes, according to their index capacity, to form a service index layer; the remaining nodes publish and retrieve service information through that layer. An inter-layer balance factor is introduced to control the lookup performance of the hierarchical P2P scheme. For intrusion detection, a detection method based on basic security events is used to ease information exchange between security components, and an implementation of a network-based security event detection engine is given.
Simulation of the lookup performance of the hierarchical P2P scheme shows that choosing an appropriate inter-layer balance factor reduces the average delay of successful lookups and improves the efficiency of service lookup. The system therefore self-organizes faster and responds to intrusions sooner, meeting the design goals.
Current distributed intrusion detection systems are usually deployed in a fixed way and cannot keep up with the increasing size of the modern Internet. They also have drawbacks such as single points of failure and high response latency. To gain extensibility and lower response latency, P2P technology can be used to connect security components. But using a P2P network alone to connect all components gives each node too many peers to communicate with, and the components cannot cooperate well with each other.
To solve these problems, the service-oriented concept is applied to DIDS, and a service-oriented self-organizing model of DIDS based on a P2P network, SODIDS, is proposed.
SODIDS can be deployed in a large-scale network by using a multi-domain cooperation method. First, to avoid invalid connections and make cooperation more efficient, we analyze existing intrusion detection technology and divide security services in a coarse-grained, loosely coupled way; a simple service model is proposed, which security components use to choose cooperators and self-organize into a DIDS. Second, to let the system organize more quickly and achieve lower response latency, a multi-layer P2P network is proposed, which security components use to search for service information. The multi-layer P2P network does not let every component join the index layer; instead it evaluates each node's index capacity and selects only some of them. A layer-balance factor is used to control the performance of the index layer. Finally, to make interaction between security components convenient, the system's intrusion detection is based on basic security events, and an implementation of a network-based security event detector is given.
The simulation shows that by carefully choosing the layer-balance factor we obtain lower latency for successful lookups and improve the efficiency of the service lookup procedure. Consequently the system can be organized more quickly and achieve lower response latency, which meets the design goal.
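The two-layer lookup scheme and the balance-factor trade-off described in the abstract can be made concrete with a small model. The following Python is an illustrative example added here; it is not the thesis's code or its simulator. The page does not define the layer-balance factor, the index-capacity metric or the latency model, so the example assumes: the factor is the fraction of nodes promoted to the index layer; promotion is by descending capacity; the index layer behaves as a Chord-like ring whose lookups cost ceil(log2 k) hops for k index nodes; and a leaf reaches the ring through one index node, paying one extra hop plus a queueing delay proportional to the number of leaves attached there. Node names, capacities, the service name and the millisecond constants are constructed sample values.

```python
"""Toy model of a two-layer (index layer + leaf) service lookup.
Illustrative code added by the editor, not the thesis's own code.

Labelled assumptions (not defined on the page):
  * the layer-balance factor is the fraction of nodes promoted to the index layer;
  * promotion is by descending index capacity;
  * the index layer is a Chord-like ring; a ring lookup costs ceil(log2 k) hops;
  * a leaf reaches the ring through one index node (one extra hop) and queues
    behind the other leaves attached to that index node.
"""
import hashlib
import math
from dataclasses import dataclass, field

HOP_MS = 10             # assumed per-hop network latency (constructed value)
QUEUE_MS_PER_LEAF = 2   # assumed service delay per leaf attached to an index node


@dataclass
class Node:
    name: str
    capacity: float                      # index capacity score (CPU, bandwidth, ...)
    is_index: bool = False
    index_node: "Node | None" = None     # entry point into the index layer
    leaves: list = field(default_factory=list)    # populated on index nodes only
    services: dict = field(default_factory=dict)  # service -> set of provider names


def ring_id(key: str) -> int:
    """32-bit Chord-style identifier derived from a node name or service key."""
    return int(hashlib.sha1(key.encode()).hexdigest(), 16) % (1 << 32)


def make_nodes(n: int) -> list:
    """Constructed sample: n nodes with distinct capacities n, n-1, ..., 1."""
    return [Node(name=f"n{i:02d}", capacity=n - i) for i in range(n)]


def build_layers(nodes: list, balance_factor: float) -> list:
    """Promote the top ceil(balance_factor * N) nodes by capacity into the index
    layer and attach every remaining node to the least-loaded index node."""
    k = min(len(nodes), max(1, math.ceil(balance_factor * len(nodes))))
    ranked = sorted(nodes, key=lambda n: n.capacity, reverse=True)
    index, leaves = ranked[:k], ranked[k:]
    for node in index:
        node.is_index, node.index_node, node.leaves = True, node, []
    for leaf in leaves:
        entry = min(index, key=lambda n: len(n.leaves))
        leaf.index_node = entry
        entry.leaves.append(leaf)
    return index


def responsible(index: list, key: str) -> Node:
    """Chord successor rule: the first index node clockwise from hash(key)."""
    ring = sorted(index, key=lambda n: ring_id(n.name))
    h = ring_id(key)
    return next((n for n in ring if ring_id(n.name) >= h), ring[0])


def publish(index: list, provider: Node, service: str) -> None:
    """A security component advertises a coarse-grained service it offers."""
    responsible(index, service).services.setdefault(service, set()).add(provider.name)


def lookup(index: list, node: Node, service: str):
    """Return (providers, latency_ms) for one lookup issued from `node`."""
    entry = node.index_node
    hops = (0 if node.is_index else 1) + math.ceil(math.log2(len(index)))
    latency = HOP_MS * hops + QUEUE_MS_PER_LEAF * len(entry.leaves)
    return responsible(index, service).services.get(service, set()), latency


def mean_lookup_latency(n_nodes: int, balance_factor: float,
                        service: str = "flow-anomaly") -> float:
    """Mean latency of a successful lookup, averaged over every node as requester."""
    nodes = make_nodes(n_nodes)
    index = build_layers(nodes, balance_factor)
    publish(index, nodes[-1], service)   # the weakest node offers the service
    total = 0.0
    for node in nodes:
        providers, latency = lookup(index, node, service)
        assert providers == {nodes[-1].name}, "lookup must succeed from every node"
        total += latency
    return total / n_nodes


def sweep(n_nodes: int, factors) -> dict:
    """Mean successful-lookup latency for each candidate balance factor."""
    return {f: mean_lookup_latency(n_nodes, f) for f in factors}


if __name__ == "__main__":
    for f, ms in sweep(16, [1 / 16, 2 / 16, 4 / 16, 8 / 16, 1.0]).items():
        print(f"balance factor {f:.4f}: mean successful-lookup latency {ms:.2f} ms")
```

Running the sweep over 16 nodes reproduces the shape the abstract reports: a single index node is cheap in hops but congested, a full index layer has no queueing but the longest ring path, and an intermediate factor gives the lowest mean latency. The exact optimum depends entirely on the assumed constants; the point is that the factor trades ring path length against per-index-node load.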