Analysis and Implementation of an Intrusion Detection System
Abstract
The interconnection of computer systems, and in particular the connection of all kinds of computers through the Internet, has greatly extended the space and time over which information resources are shared and has raised their utilization; at the same time it has brought unprecedented challenges to the security of computer network systems. Besides the firewall, an effective way to enforce a system's security policy is an intrusion detection system (IDS), which monitors users' network behaviour, raises alerts and responds. Intrusion detection is a new generation of security technology following traditional protective measures such as firewalls and data encryption. It identifies and responds to malicious use of computer and network resources: it not only detects intrusions from outside, it also monitors unauthorized activity by internal users. Intrusion detection is a reasonable complement to the firewall. It helps the system cope with network attacks, extends the administrator's security management capabilities (security auditing, monitoring, attack recognition and response) and improves the integrity of the information security infrastructure. It collects information at a number of key points in the network system and analyses it to find violations of the security policy and signs of attack. Intrusion detection is regarded as the second line of defence behind the firewall; it can monitor the network without affecting network performance and so provides real-time protection against internal attacks, external attacks and operator error.
     This thesis introduces the components and implementation techniques of intrusion detection systems and analyses in detail Warcher, a network-based IDS running on Linux. Warcher has the structure and functions of a standard IDS, provides integrated detection and reporting, and has good distribution properties and a degree of extensibility. After a detailed analysis of the agent component, which is responsible for data acquisition and analysis, improvements are proposed. Finally, the thesis summarizes the current state and development of intrusion detection systems and looks ahead to future research directions.
     While intrusion detection has developed, intrusion techniques have been updated as well: some underground groups have made evading the IDS, or attacking the IDS itself, a focus of their research. The spread of switching technology and the transmission of data over encrypted channels make data acquisition by sniffing a shared segment alone insufficient, and high traffic volumes place new demands on data acquisition and analysis. In the author's view the main directions for intrusion detection technology are:
     1. Distributed intrusion detection and a common intrusion detection framework: traditional IDSs are limited to a single host or network architecture, are clearly inadequate for heterogeneous systems and large-scale networks, and different IDS products cannot work together. To solve this problem, distributed intrusion detection and a common intrusion detection framework need to be developed.
     2. Application-layer intrusion detection: the semantics of many intrusions can only be understood at the application layer, yet current IDSs can only detect generic protocols such as HTTP and cannot handle other application systems such as Lotus Notes or database systems.
     3. Intelligent intrusion detection: intrusion methods are becoming more varied and more composite. Neural networks and genetic algorithms have been studied for intrusion detection, but only as tentative research; further work on intelligent IDSs is needed to give them self-learning and self-adapting ability.
     4. Evaluation methods for intrusion detection systems: users need to evaluate the many IDS products on the market; the criteria include the detection coverage of the IDS, its consumption of system resources and the reliability of the IDS itself. Designing a general method or platform for testing and evaluating multiple IDSs has become another important area of IDS research and development.
     5. Combination with other network security technologies: combining the IDS with firewalls, PKI, data encryption and other network security measures and with secure electronic commerce technology, to provide complete network security assurance.
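The abstract describes a network IDS agent as a data-acquisition stage (collecting packets at key points) feeding an analysis stage that looks for signs of attack. The following is an added example, not code from the thesis or from Warcher: a minimal agent in Python that decodes constructed IPv4/TCP packets, applies one payload signature and one SYN-scan threshold rule, and emits alerts. The rule names, the `../..` pattern, the threshold of five distinct targets and all addresses and traffic are assumptions made for illustration.

```python
"""Minimal network IDS agent: decode IPv4/TCP, apply a signature rule and a
SYN-scan threshold rule, collect alerts. Added example; assumptions are
marked in comments."""
import struct
from collections import defaultdict

TCP_SYN, TCP_ACK = 0x02, 0x10


def ip_to_bytes(addr):
    return bytes(int(o) for o in addr.split("."))


def bytes_to_ip(raw):
    return ".".join(str(b) for b in raw)


def build_ipv4_tcp(src, dst, sport, dport, flags, payload=b""):
    """Constructed IPv4+TCP packet (no link-layer header, checksums zeroed).
    Used only to fabricate sample traffic for the demo."""
    total_len = 20 + 20 + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, total_len, 0, 0, 64, 6, 0,
                         ip_to_bytes(src), ip_to_bytes(dst))
    tcp_hdr = struct.pack("!HHIIBBHHH",
                          sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    return ip_hdr + tcp_hdr + payload


def decode(pkt):
    """Data acquisition stage: decode the IPv4 and TCP headers of one packet.
    Returns None for anything the analyzer does not understand."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    proto = pkt[9]
    src, dst = bytes_to_ip(pkt[12:16]), bytes_to_ip(pkt[16:20])
    if proto != 6 or len(pkt) < ihl + 20:
        return None                      # non-TCP or truncated: ignored here
    tcp = pkt[ihl:]
    sport, dport = struct.unpack("!HH", tcp[:4])
    data_off = (tcp[12] >> 4) * 4
    return {"src": src, "dst": dst, "sport": sport, "dport": dport,
            "flags": tcp[13], "payload": tcp[data_off:]}


class Agent:
    """Analysis stage: one payload signature and one threshold rule."""
    # Hypothetical rule set: rule name -> byte pattern searched in the payload.
    SIGNATURES = {"http-directory-traversal": b"../.."}

    def __init__(self, syn_threshold=5):
        self.syn_threshold = syn_threshold            # assumed threshold
        self.syn_targets = defaultdict(set)           # src ip -> {(dst, port)}
        self.alerts = []

    def process(self, pkt):
        p = decode(pkt)
        if p is None:
            return
        for name, pattern in self.SIGNATURES.items():
            if pattern in p["payload"]:
                self._alert(name, p)
        # SYN without ACK is a new connection attempt; many distinct targets
        # from one source within the capture is treated as a port scan.
        if p["flags"] & TCP_SYN and not p["flags"] & TCP_ACK:
            targets = self.syn_targets[p["src"]]
            targets.add((p["dst"], p["dport"]))
            if len(targets) == self.syn_threshold:   # fire once per source
                self._alert("tcp-syn-scan", p)

    def _alert(self, rule, p):
        self.alerts.append({"rule": rule, "src": p["src"],
                            "dst": p["dst"], "dport": p["dport"]})


def run(frames, syn_threshold=5):
    """Feed a sequence of raw packets through the agent; return its alerts."""
    agent = Agent(syn_threshold)
    for frame in frames:
        agent.process(frame)
    return agent.alerts


def sample_traffic():
    """Constructed traffic: one benign request, one traversal attempt,
    then six SYNs from one host to six distinct ports."""
    frames = [
        build_ipv4_tcp("10.0.0.5", "10.0.0.80", 40000, 80, TCP_ACK,
                       b"GET /index.html HTTP/1.0\r\n\r\n"),
        build_ipv4_tcp("10.0.0.9", "10.0.0.80", 40001, 80, TCP_ACK,
                       b"GET /../../etc/passwd HTTP/1.0\r\n\r\n"),
    ]
    for i, port in enumerate((21, 22, 23, 25, 80, 110)):
        frames.append(build_ipv4_tcp("10.0.0.7", "10.0.0.80",
                                     50000 + i, port, TCP_SYN))
    return frames


if __name__ == "__main__":
    for alert in run(sample_traffic(), syn_threshold=5):
        print(alert)
```

On the sample traffic the agent raises exactly two alerts: the traversal signature on the second request and one SYN-scan alert when the scanning host reaches its fifth distinct target. Two caveats follow directly from the abstract's own observations. Matching a signature inside a single packet's payload is what the evasion research it mentions targets: an attacker who splits `../..` across two TCP segments, or relies on fragment reassembly differences between the IDS and the end host, defeats per-packet matching, so a production agent must reassemble streams before matching. And on a switched network the agent cannot simply sniff a shared segment; it has to sit on a mirror port, a tap or the host itself, which is the data-acquisition problem the thesis raises.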