
高速网络入侵检测与防御 (High-Speed Network Intrusion Detection and Prevention)

Intrusion Detection and Prevention in High Speed Network

【Author】 赵阔 (Zhao Kuo)

【Supervisor】 胡亮 (Hu Liang)

【Author Information】 吉林大学 (Jilin University), Computer Software and Theory, 2008, PhD

【Abstract (translated from the Chinese)】 As network security problems grow more serious, intrusion detection systems (IDS) and intrusion prevention systems (IPS) have become key components of computer security. The development and spread of high-speed networking, however, pose a severe challenge to deploying IDS and IPS. This dissertation studies intrusion detection and prevention in high-speed networks; the main work falls into four parts:

1. A prototype network intrusion prevention system, DXIPS, is designed and implemented. It provides real-time, active protection, blocks attacks effectively, supports flexible deployment policies for different application environments, and scales well.

2. Statistical sampling is introduced into the data-collection stage of IDS/IPS and a sampling-based data-collection model is proposed. Experiments show that the model improves the processing performance of network IDS/IPS and is of some reference value for resisting flooding denial-of-service attacks.

3. STAMP, a scalable FPGA-based traffic-sampling platform for intrusion detection/prevention, is proposed. It provides an effective network data source for IDS/IPS, allows the sampling policy to be adjusted flexibly, and is intended to support future Tbps networks.

4. The concept of trusted communication is introduced, and an XML-based trusted communication protocol is designed and implemented. The protocol can be extended to support various network security products (firewalls, IDS, IPS, etc.) and network management devices, and is of reference value for fusing data across these devices and detecting complex distributed network attacks.

【Abstract】 With the development of the Internet, the world economy has become deeply interconnected. A nation functions like a huge networked computer, and computer networks have become the foundation and lifeline of its economy. As society relies ever more on network infrastructure, network security has deteriorated seriously. Traditional security mechanisms (authentication, cryptography and firewalls) struggle to prevent network attacks, and the Intrusion Detection System (IDS) has become an important component of a network's security system. However, an IDS is fundamentally passive and fail-open: its primary task is classification, so by itself it does nothing to stop an attack from succeeding. An Intrusion Prevention System (IPS) integrates a traditional firewall with an IDS and adds the capability to stop attacks. Neither IDS nor IPS has kept pace with high-speed networking. In large-scale high-speed networks in particular, the incoming packet rate far exceeds the processing capacity of the IDS/IPS; packets are dropped, detection is seriously compromised, and the system itself may fail.

This dissertation investigates intrusion detection and intrusion prevention in high-speed networks. The main research work is as follows:

1. Based on a survey of recent network security techniques such as firewalls and IDS, we propose an intrusion prevention scheme based on the correlation between an IDS and a firewall. The scheme compensates for the fundamental weaknesses of each: it provides real-time, active prevention, attempts to stop attacks, and lets legitimate traffic pass normally. We present the design and implementation of a prototype network IPS, DXIPS, built on the correlation between Snort_inline and Netfilter as configured by iptables. The system has a hierarchical architecture of an intrusion prevention layer, a server layer and a control layer: the intrusion prevention layer monitors traversing traffic and performs detection and prevention; the server layer collects log data and translates it into readable formats; the control layer is the administrative console and displays the data. The design is modular, comprising an intrusion prevention module, a log recording module, a central control module and a communication module, and the concrete implementation of each module is presented. Deployment policies are discussed for various application environments. Netfilter is the packet-filtering framework built into the Linux kernel, which the dissertation classes as a fifth-generation firewall; it filters malicious packets directly in the kernel's TCP/IP stack, which improves response time. DXIPS also scales well across application environments.

2. The data collection mechanism is a key factor in IDS/IPS performance. Most current products inspect every packet, and with the development and spread of high-speed networking this per-packet model faces serious challenges. This dissertation introduces statistical sampling into IDS/IPS data collection and proposes a new sampling-based data collection module. Three typical sampling strategies, systematic sampling, Poisson sampling and stratified sampling, are applied to network traffic collection. Packet length and packet type serve as the measures for anomaly detection, and simulation results show that the sampled traffic retains the characteristics of the whole traffic and can provide an efficient data source for anomaly detection at lower overhead. In short, replacing passive packet drops with active packet sampling greatly improves IDS/IPS processing performance at the cost of a minor degradation in detection rate, and may improve resistance to denial-of-service attacks. The trade-off a practitioner should keep in mind is that sampling preserves volume-level statistics but can miss an attack carried by a single packet or a short flow, so it suits anomaly detection better than per-packet signature matching.

3. With the ever-increasing deployment of gigabit networks, traditional network IDS/IPS have not scaled accordingly. Researchers have turned to hardware-based solutions that use FPGAs to assist network IDS/IPS, and some proposed systems scale beyond 10 Gbps. These solutions, however, have inherent limitations and cannot be applied to future Tbps networks. This dissertation presents STAMP, a scalable FPGA-based traffic sampling platform for intrusion detection/prevention. When the platform cannot capture the whole traffic, it initiates elephant-flow sampling rather than merely dropping packets at random, and the sampling rate adapts to the traffic load of the elephant flows. All captured packets are forwarded from STAMP to the IDS over the PCI bus. The noteworthy features of STAMP are: it takes the self-similarity of network traffic into account in an attempt to capture malicious traffic and improve the efficiency of traffic sampling for IDS/IPS; it employs adaptive elephant flow sampling (AEFS) to retain the inherent characteristics of the traffic, which benefits anomaly detection; and it provides a flexible and scalable platform for network IDS/IPS facing future high-speed networks.

4. To achieve secure and reliable transmission of the data exchanged between the IDS and the firewall, this dissertation introduces the concept of trusted communication and gives the design and implementation of an XML-based trusted communication protocol. The trusted communication mechanism between firewall and IDS is designed around the functional units of the Common Intrusion Detection Framework (CIDF). CORBA middleware carries the data, and TLS protects the channel between IDS and firewall. The protocol has a hierarchical architecture of an application layer, an XML resolution layer and a message transaction layer: the application layer consists of a client and a server that capture and analyse packets; the XML resolution layer translates data into a uniform XML format as the basis for data exchange; the message transaction layer uses TLS to achieve secure and trusted communication. The data exchanged between IDS and firewall in the prototype comprises event data, rule data, analysis result data and response action data, and concrete XML DTD descriptions of each are provided. The protocol is scalable to various network security products (firewalls, IDS, IPS, etc.) and management facilities, and may contribute to fusing data across these facilities to detect sophisticated distributed network attacks.
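The three sampling strategies of part 2 and the adaptive elephant-flow sampling of part 3 (STAMP), as an added Python example; this is not the dissertation's code and the AEFS routine is a software illustration of the idea, not the thesis's FPGA design. It runs each sampler over a constructed packet stream (a few elephant flows carrying most packets, many short mice flows carrying the rest) and compares the packet-length and packet-type profile of the sample with that of the whole stream. The stream mix, the sampling rates, and the AEFS `threshold` and `capacity` parameters are assumptions.

```python
import random
from collections import Counter

# Added example, not code from the dissertation. Packets are (flow_id, length, proto)
# tuples from a constructed stream, not captured traffic: five elephant flows carry
# about 60% of the packets and ~2000 short "mice" flows carry the rest.
def make_stream(n_packets=20000, seed=1):
    rng = random.Random(seed)
    pkts = []
    for _ in range(n_packets):
        if rng.random() < 0.6:                      # elephant flows 0..4
            pkts.append((rng.randrange(5), rng.choice((1500, 1400, 1200)), "TCP"))
        else:                                       # mice flows 5..2004
            pkts.append((5 + rng.randrange(2000), rng.choice((64, 128, 512)),
                         rng.choice(("TCP", "UDP", "ICMP"))))
    return pkts

def profile(pkts):
    """The two measures the dissertation uses: packet length and packet type."""
    n = len(pkts)
    types = Counter(p[2] for p in pkts)
    return {"mean_len": sum(p[1] for p in pkts) / n,
            "type_share": {t: c / n for t, c in types.items()}}

def systematic_sample(pkts, k):
    """Count-based systematic sampling: keep every k-th packet."""
    return pkts[::k]

def poisson_sample(pkts, rate, seed=2):
    """Count-based Poisson sampling: the gap to the next kept packet is drawn from
    an exponential distribution with mean 1/rate, so the sampling pattern cannot
    be predicted (and timed around) by an attacker the way a fixed stride can."""
    rng = random.Random(seed)
    out, i = [], int(rng.expovariate(rate))
    while i < len(pkts):
        out.append(pkts[i])
        i += 1 + int(rng.expovariate(rate))
    return out

def stratified_sample(pkts, rate, seed=3):
    """Stratified sampling: group by packet type, then draw the same fraction from
    every stratum so a rare type (here ICMP) keeps its share of the sample."""
    rng = random.Random(seed)
    strata = {}
    for p in pkts:
        strata.setdefault(p[2], []).append(p)
    out = []
    for group in strata.values():
        out.extend(rng.sample(group, max(1, round(len(group) * rate))))
    return out

def adaptive_elephant_flow_sample(pkts, capacity, threshold, seed=4):
    """Software illustration of the AEFS idea (assumed parameters): `capacity` is
    the fraction of incoming packets the IDS can process. Every flow's first
    `threshold` packets pass untouched, so mice flows are kept whole; packets
    beyond that belong to elephant flows and are sampled at a rate recomputed
    from the elephants' observed share of the load so the kept stream fits."""
    rng = random.Random(seed)
    counts, kept = Counter(), []
    seen = mice_seen = 0
    for p in pkts:
        seen += 1
        counts[p[0]] += 1
        if counts[p[0]] <= threshold:
            mice_seen += 1
            kept.append(p)
            continue
        mice_share = mice_seen / seen
        elephant_share = 1.0 - mice_share            # > 0 here: this packet counts
        rate = (capacity - mice_share) / elephant_share
        if rng.random() < min(1.0, max(0.0, rate)):
            kept.append(p)
    return kept

if __name__ == "__main__":
    stream = make_stream()
    full = profile(stream)
    for name, sample in (("systematic 1/10", systematic_sample(stream, 10)),
                         ("poisson 0.1", poisson_sample(stream, 0.1)),
                         ("stratified 0.1", stratified_sample(stream, 0.1)),
                         ("AEFS cap 0.5", adaptive_elephant_flow_sample(stream, 0.5, 20))):
        prof = profile(sample)
        print(f"{name:16s} kept={len(sample):5d} mean_len={prof['mean_len']:7.1f} "
              f"(full {full['mean_len']:.1f}) types={prof['type_share']}")
```

The first three samplers keep the length and type profile of the whole stream within a few percent at a tenth of the load; AEFS deliberately does not, since it under-samples the elephants to keep every mice flow intact, which is the property the thesis wants for anomaly detection on flows.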
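Parts 1 and 4 above describe the same correlation from two sides: an IDS event becomes a response action, and the firewall enforces it. The following added Python example is not the dissertation's code (DXIPS used Snort_inline and Netfilter, and the protocol used CORBA and TLS, none of which is shown here). The element and attribute names stand in for the thesis's unpublished DTDs for event data and response action data; the severity scale, the protected networks and the sample messages are assumptions. It shows the firewall side: parse and validate an event message, decide whether it warrants a response action, render that action as the iptables command Netfilter would enforce, and apply the checks that stop a forged or malformed event from turning the IPS into a self-inflicted denial of service.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Added example, not the dissertation's protocol: the element and attribute names
# stand in for its DTDs for event data and response action data, and the messages
# below are constructed for this illustration.
VALID_ACTIONS = {"drop": "DROP", "reject": "REJECT", "log": "LOG"}
# Addresses a forged or mistaken event must never get the firewall to block
# (gateways, DNS, the management net of the IDS/firewall); assumed values.
PROTECTED_NETS = [ipaddress.ip_network("10.0.0.0/24"), ipaddress.ip_network("192.0.2.0/24")]
MIN_SEVERITY = 3

class ProtocolError(ValueError):
    """Message violates the (assumed) event or response schema."""

def parse_event(xml_text):
    """Firewall-side parse of an IDS event message into validated fields."""
    # Peers send data, never schema: refuse DOCTYPE/ENTITY so a hostile or
    # compromised sensor cannot feed the parser an entity-expansion bomb.
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ProtocolError("DTD and entity declarations are not accepted from peers")
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        raise ProtocolError(f"malformed XML: {exc}") from exc
    if root.tag != "event" or not root.get("id") or not root.get("sensor"):
        raise ProtocolError("not a well-formed event message")
    event = {"id": root.get("id"), "sensor": root.get("sensor")}
    for name in ("source", "target", "signature", "severity"):
        node = root.find(name)
        if node is None or not (node.text or "").strip():
            raise ProtocolError(f"missing <{name}>")
        event[name] = node.text.strip()
    event["source"] = ipaddress.ip_address(event["source"])   # ValueError if garbage
    event["target"] = ipaddress.ip_address(event["target"])
    event["severity"] = int(event["severity"])
    if not 1 <= event["severity"] <= 5:
        raise ProtocolError("severity out of range")
    return event

def build_response(event, action="drop"):
    """Correlation step: decide whether an event becomes a response action.
    Returns the response message as XML text, or None when no rule should be added."""
    if event["severity"] < MIN_SEVERITY:
        return None
    if any(event["source"] in net for net in PROTECTED_NETS):
        return None   # blocking this source would be a self-inflicted denial of service
    resp = ET.Element("response", {"event": event["id"], "action": action})
    ET.SubElement(resp, "source").text = str(event["source"])
    ET.SubElement(resp, "signature").text = event["signature"]
    return ET.tostring(resp, encoding="unicode")

def response_to_iptables(xml_text):
    """Translate a response action message into the iptables invocation the
    intrusion prevention layer would run; Netfilter then drops in the kernel."""
    root = ET.fromstring(xml_text)
    if root.tag != "response" or root.get("action") not in VALID_ACTIONS:
        raise ProtocolError("unknown response action")
    src = ipaddress.ip_address(root.findtext("source", default=""))
    return ["iptables", "-I", "INPUT", "-s", str(src), "-j", VALID_ACTIONS[root.get("action")]]

def handle_event(xml_text):
    """End to end: ("blocked", argv), ("ignored", reason) or ("rejected", reason)."""
    try:
        event = parse_event(xml_text)
    except (ProtocolError, ValueError) as exc:
        return ("rejected", str(exc))
    resp = build_response(event)
    if resp is None:
        return ("ignored", "below severity threshold or protected source")
    return ("blocked", response_to_iptables(resp))

# Constructed messages (not real sensor output).
GOOD_EVENT = """<event id="ev-1001" sensor="snort-dmz" time="2008-05-20T10:15:00Z">
  <source>198.51.100.23</source><target>203.0.113.10</target>
  <signature>1:2001219</signature><severity>4</severity>
</event>"""
SPOOFED_EVENT = GOOD_EVENT.replace("198.51.100.23", "10.0.0.1")     # source in a protected net
ENTITY_EVENT = ('<!DOCTYPE event [<!ENTITY a "aaaaaaaaaa"><!ENTITY b "&a;&a;&a;&a;&a;&a;">]>'
                + GOOD_EVENT.replace("198.51.100.23", "&b;"))

if __name__ == "__main__":
    for msg in (GOOD_EVENT, SPOOFED_EVENT, ENTITY_EVENT, "<event/>"):
        print(handle_event(msg))
```

The returned argv is what the intrusion prevention layer would hand to iptables; rules added this way should also be expired by the control layer, since an IDS-driven block with no lifetime is the other half of the self-DoS problem.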

  • 【Online Publication Submitter】 吉林大学 (Jilin University)
  • 【Online Publication Issue】 2009, No. 07