Implementation of an Intrusion Detection System Based on TCP/IP Protocol Analysis
Abstract
This paper proposes an intrusion detection model based on protocol analysis, and improves system efficiency and performance in three respects: the overall system architecture, the analysis and detection method, and the rule-matching algorithm.
     By studying and summarising current advanced theories, techniques and methods, an intrusion detection model based on protocol analysis is proposed. The model introduces a protocol verification module that filters data before pattern matching is performed. Within the protocol verification module, data filtering and state analysis are used as detection methods; this reduces the volume of data to be matched and at the same time screens out attacks aimed at the intrusion detection system itself, strengthening the security of the system. Second, the analysis and detection part is split into separate sub-modules for the individual protocols, each forming a node of a protocol tree. This reduces the amount of matching computation and makes detection more targeted, giving the system good flexibility and adaptability.
In this paper, an intrusion detection model based on protocol analysis is proposed. It improves the performance of the intrusion detection system by improving the system's framework, its detection methods and its pattern matching algorithm.
     First, after researching current advanced theories, techniques and methods, and summarising present intrusion detection models, an improved intrusion detection model based on protocol analysis is proposed. In the model, protocol verification is introduced into the system to make up for the shortcomings of the protocol analysis method. It can filter data before pattern matching, which involves a great deal of computation. In the protocol verification part, data filtering and state analysis methods are applied to cut redundancy; they can also shield the intrusion detection system itself from attack, so that the system itself becomes more secure. Second, the analysis and detection part is integrated into a sub-module that forms a node of the protocol tree; the number of comparisons can then be cut down, and the performance of the intrusion detection system can be improved.
