
Research on New Technologies for Network Intrusion Detection Systems (NIDS)

The Research on New Technologies for Network Intrusion Detection System

[Author] Xue Qiang

[Supervisor] Sun Jizhou

[Author information] Tianjin University, Computer Application Technology, 2004, Doctoral dissertation

[Abstract] This dissertation first gives an overview of intrusion detection technology and intrusion detection systems. On the basis of an analysis and summary of the current state of intrusion detection research, it sets out the problems facing intrusion detection systems and the trends in their development. The mathematical model adopted for intrusion detection is the basis and foundation for selecting and applying detection strategies. Starting from data flow and control flow and from intrusion state transitions, and combining a spatial analysis and a temporal analysis of the intrusion process, the dissertation proposes a two-dimensional overall model based on state transitions and grounded in graph theory, and describes and analyses it both statically and dynamically. Traditional intrusion detection programs are powerless against attack classes such as "packet-splitting attacks". The dissertation introduces the background of application-layer detection and the difficulties that serial reassembly-based detection algorithms encounter on high-speed networks, proposes a parallel reassembly algorithm for application-layer protocols applied to network intrusion detection, describes its implementation scheme, and gives a preliminary analysis of the experimental results. Honeypot systems are an important component of intrusion detection technology. The dissertation presents a method of building virtual honeypot machines with UML (User-Mode Linux), and, from the perspective of attacker identification, proposes the idea of a keyboard fingerprint spectrum to improve intrusion-detection honeypot systems. Distributed denial-of-service attacks are a major form of attack threatening Internet security. The dissertation proposes and studies an attack model, the distributed port recall attack, which combines port recall technology with denial-of-service attacks. It gives an approach to detecting distributed port recall attacks and proposes a link-layer method for tracing back the sources of distributed denial-of-service attacks. Real-time response is an important part of ensuring network security. The dissertation presents a response model for network intrusion detection systems based on intelligent agents; built on intelligent agents, it can interact with administrators over a wireless channel, improving the ability of the network intrusion detection system to respond rapidly to intrusions. Finally, the dissertation describes the design and implementation steps of a prototype software system that integrates the preceding research results, the network intrusion detection system TDNIDS, covering the functional requirements analysis, overall design and detailed design in its development process, and closes with an outlook on and evaluation of the system's future development.

[Abstract] This dissertation first introduces intrusion detection technology and intrusion detection systems. It then analyzes and summarizes the current state of research on these technologies, and finally presents the problems faced by intrusion detection systems and the trends in research. The mathematical model is the basis for selecting and applying intrusion detection policies, so a two-dimensional collectivity model is proposed after analyzing the space and time characteristics of intrusion activity. A traditional Network Intrusion Detection System (NIDS) scans incoming IP packets and judges the attack type by matching sensitive information. In this dissertation, we devise and implement a parallel reassembling algorithm (APPRA) in the application layer for large-scale network intrusion detection. Experimental results show that APPRA is efficient. The dissertation describes three classes of honeypots and the building of a Trap Network in detail. User-Mode Linux is used to implement the Virtual Distributed Honeypot System. On recording technologies, we give a new idea, the Keyboard Fingerprint Spectrum (KFS). A KFS method based on Win32 global hooks is also introduced. The DDoS attack and the Port Recall attack have been great dangers to Internet security. If they are combined to form a new kind of attack, the effect will be more serious than either of them alone. Therefore, the model called Distributed Port Recall attacks is presented here to draw attention to it. In addition, some methods of misuse detection and anomaly detection are also proposed. We apply intelligent agent technology for the purpose of real-time response. The main novelty of this technology is its multi-level agent architecture, which performs dynamic policy updates in the intrusion detection system through a wireless net gate. Finally, we present TDNIDS as an archetypal network intrusion detection system and estimate the future development of this system.

  • [Online publication submitted by] Tianjin University
  • [Online publication issue] 2005, No. 03
  • [Classification number] TP393.08
  • [Cited by] 16
  • [Downloads] 1055