Application of Zero-Copy and Scan Detection Techniques in Intrusion Detection Systems
Abstract
Intrusion detection systems (IDS) are a sensible complement to the firewall in securing a network and have attracted much attention recently. An IDS helps a system cope with network attacks, extends the administrator's security management capabilities (security auditing, monitoring, attack recognition and response), and improves the integrity of the information security infrastructure. It collects information from several key points in a computer network and analyses it for behaviour that violates the security policy and for signs of attack. Intrusion detection is regarded as the second line of defence behind the firewall: it monitors the network without affecting its performance and so provides real-time protection against internal attacks, external attacks and operator error. A number of problems in this field remain open, however: how to transfer I/O data directly between peripheral devices and main memory, how to reduce the number of times a packet is copied on its way from the network device to user space, and how to raise the capture rate of the UDP scan detection module.
     Starting from the goal of improving the performance of existing network intrusion detection systems, this thesis applies zero-copy and an improved scan detection technique to a network intrusion detection system. The main work consists of the following three points:
     ● A survey of the main problems with current network intrusion detection systems (NIDS) and of how the techniques and methods researchers use to address them have developed. This review gives a basic picture of the state of NIDS.
     ● Design and implementation of zero-copy. Zero-copy lets network data travel from the network device to user space without involving the CPU in moving it; a buffer is allocated in user space and mapped into the kernel address space, which removes the kernel-to-user memory copy and, at the same time, the per-packet system call overhead.
     ● Improvements to the UDP scan detection module, whose capture rate is poor in current mainstream implementations. By changing the data structure, and by counting the ICMP port-unreachable packets in the responding host's traffic, the capture rate can be raised substantially.
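The ICMP-counting scan detector of the third bullet, as an added example in C that is not the thesis's module: a hash table keyed by the probing host records, per distinct destination port, each ICMP port-unreachable (type 3, code 3) that the probed host sends back, and raises one alert when a host crosses a threshold. The threshold of ten closed ports, the 32-entry table and the traffic (a sweep from 10.0.0.5 against 192.168.1.10 plus three ordinary DNS queries from 10.0.0.7) are constructed for this example.

```c
/* Added example, not the thesis's code: UDP scan detector keyed by the
 * probing host that counts the ICMP port-unreachable replies (type 3,
 * code 3) the probed host sends back, once per distinct port. Packets are
 * raw IPv4 byte strings constructed inline; checksums stay zero because
 * the detector never verifies them. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define HASH_SIZE      32
#define SCAN_THRESHOLD 10       /* assumption: 10 distinct closed ports = scan */
struct host_stat {
    int used;
    uint32_t ip, udp_sent, closed_ports;   /* prober, UDP seen, ports answered 3/3 */
    uint8_t port_seen[8192];               /* bitmap over all 65536 ports */
};
struct detector { struct host_stat tab[HASH_SIZE]; };
static uint32_t rd32(const uint8_t *p) { return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3]; }
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] << 8 | p[1]); }
static void wr32(uint8_t *p, uint32_t v) { p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16); p[2] = (uint8_t)(v >> 8); p[3] = (uint8_t)v; }
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }
void detector_init(struct detector *d) { memset(d, 0, sizeof *d); }
/* Open-addressing lookup by IPv4 address; inserts when absent, NULL if full. */
struct host_stat *detector_entry(struct detector *d, uint32_t ip) {
    uint32_t h = (ip * 2654435761u) % HASH_SIZE;
    for (int i = 0; i < HASH_SIZE; i++) {
        struct host_stat *e = &d->tab[(h + i) % HASH_SIZE];
        if (!e->used) { e->used = 1; e->ip = ip; return e; }
        if (e->ip == ip) return e;
    }
    return NULL;
}
/* Feed one captured IPv4 packet. Returns 1 exactly when it pushes a host
 * over the threshold (the alert fires once, at the crossing), else 0. */
int detector_process(struct detector *d, const uint8_t *pkt, size_t len) {
    if (len < 20 || (pkt[0] >> 4) != 4) return 0;
    size_t ihl = (pkt[0] & 0x0f) * 4u;
    if (ihl < 20 || len < ihl + 8) return 0;
    uint32_t src = rd32(pkt + 12), dst = rd32(pkt + 16);
    if (pkt[9] == 17) {                            /* UDP: remember the sender */
        struct host_stat *e = detector_entry(d, src);
        if (e) e->udp_sent++;
        return 0;
    }
    if (pkt[9] != 1 || pkt[ihl] != 3 || pkt[ihl + 1] != 3) return 0;
    const uint8_t *in = pkt + ihl + 8;             /* quoted offending datagram */
    size_t inlen = len - ihl - 8;
    if (inlen < 20 || (in[0] >> 4) != 4 || in[9] != 17) return 0;
    size_t in_ihl = (in[0] & 0x0f) * 4u;
    if (inlen < in_ihl + 8) return 0;              /* need the quoted UDP header */
    uint32_t scanner = rd32(in + 12);
    if (scanner != dst) return 0;                  /* reply must go to the prober */
    uint16_t port = rd16(in + in_ihl + 2);         /* original UDP dst port */
    struct host_stat *e = detector_entry(d, scanner);
    if (!e) return 0;
    uint8_t *byte = &e->port_seen[port >> 3], bit = (uint8_t)(1u << (port & 7));
    if (*byte & bit) return 0;                     /* duplicate reply: not new */
    *byte |= bit;
    return ++e->closed_ports == SCAN_THRESHOLD;
}
/* ---- constructed traffic (not captured from a real network) ---- */
static void build_udp(uint8_t *b, uint32_t src, uint32_t dst, uint16_t sport, uint16_t dport) {
    memset(b, 0, 28);
    b[0] = 0x45; wr16(b + 2, 28); b[8] = 64; b[9] = 17;
    wr32(b + 12, src); wr32(b + 16, dst);
    wr16(b + 20, sport); wr16(b + 22, dport); wr16(b + 24, 8);
}
/* Probed host answers the prober: addresses swapped, IP header + 8 bytes quoted. */
static void build_unreach(uint8_t *b, const uint8_t *udp) {
    memset(b, 0, 56);
    b[0] = 0x45; wr16(b + 2, 56); b[8] = 64; b[9] = 1;
    memcpy(b + 12, udp + 16, 4); memcpy(b + 16, udp + 12, 4);
    b[20] = 3; b[21] = 3; memcpy(b + 28, udp, 28);
}
/* Scenario: 10.0.0.5 sweeps 192.168.1.10 ports 1..30, 25 of them closed;
 * 10.0.0.7 makes three normal DNS queries that draw no ICMP. Returns the
 * number of alerts; *alerted receives the flagged address. */
int run_scan_scenario(struct detector *d, uint32_t *alerted) {
    uint8_t udp[28], icmp[56]; int alerts = 0;
    detector_init(d);
    for (uint16_t p = 1; p <= 30; p++) {
        build_udp(udp, 0x0A000005u, 0xC0A8010Au, 40000, p);
        alerts += detector_process(d, udp, 28);
        if (p % 6 == 0) continue;                  /* "open" ports: no reply */
        build_unreach(icmp, udp);
        if (detector_process(d, icmp, 56)) { alerts++; *alerted = 0x0A000005u; }
    }
    build_udp(udp, 0x0A000005u, 0xC0A8010Au, 40000, 1); build_unreach(icmp, udp);
    alerts += detector_process(d, icmp, 56);       /* replayed port 1: no new count */
    for (int i = 0; i < 3; i++) {
        build_udp(udp, 0x0A000007u, 0xC0A8010Au, (uint16_t)(50000 + i), 53);
        alerts += detector_process(d, udp, 28);
    }
    return alerts;
}
int main(void) {
    static struct detector d; uint32_t who = 0;
    printf("alerts=%d flagged=0x%08x\n", run_scan_scenario(&d, &who), who);
    return 0;
}
```

Two checks a practitioner would add on top of this. The detector keys on the quoted inner header and insists that the ICMP reply is addressed to the host that sent the probe, which keeps a spoofed or stray unreachable from being credited to the wrong source. It also records the raw UDP probe count alongside the closed-port count: hosts rate-limit ICMP errors (Linux does by default through net.ipv4.icmp_ratelimit) and filtered ports answer nothing at all, so the unreachable count alone under-reports a sweep and the threshold should be judged against both numbers.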
