
Research on Network-based Automatic Attack Signature Generation

(Original Chinese title: 基于网络的攻击特征自动提取技术研究)

【Author】 Tang Yong (唐勇)

【Supervisor】 Lu Xicheng (卢锡城)

【Author information】 National University of Defense Technology, Computer Science and Technology, 2008, doctoral dissertation

【Abstract (translated from the Chinese)】 Signature-based intrusion detection is currently the most effective and most widely deployed attack detection technique. Today, however, attack signatures are mostly extracted by security experts through after-the-fact analysis, a process that is long and slow: the signature for a new attack is often published only days or even weeks after the attack first appears. This does not fit the current security situation, in which new attacks emerge constantly, worms spread extremely fast and cause great damage, and attack polymorphism techniques keep developing and maturing. Automatic attack signature generation arose to extract the signatures of new attacks quickly and accurately. Depending on where an attack is discovered, automatic signature generation can be divided into two broad classes: network-based signature generation (NSG) and host-based signature generation (HSG). NSG systems are generally deployed on the network and extract content (byte-string) signatures by analysing suspicious network data. HSG systems are generally deployed on hosts; they detect anomalies on the host and use information collected there to extract attack signatures. This thesis systematically studies NSG techniques and their applications, with particular attention to signature generation for polymorphic attacks, of which polymorphic worms are the representative example. The main original contributions are:

(1) The SRE signature and a problem model for NSG. As a new signature type, the SRE (Simplified Regular Expression) signature not only expresses the byte-level characteristics of an attack accurately but can also be translated easily into detection rules for existing IDSs. By defining a "more specific than" relation between two SRE signatures, the thesis gives a theoretical answer, for polymorphic attacks, to "what is a more specific signature" and "what is the most specific signature". NSG is modelled as the MSSG (Most Specific Signature Generation) problem, i.e. the goal of NSG is to extract the "most specific signature" of an attack, and MSSG is proved to be NP-hard.

(2) A noise-filtering model for attack samples. Capturing samples of a new attack quickly and effectively is the prerequisite for signature generation. The thesis designs and implements a distributed honeypot system, HonIDS, to capture samples of new attacks. Unlike the usual practice of treating all traffic that reaches a honeypot as attack samples, the thesis is the first to add a noise-filtering model for attack samples to a honeypot system, in order to remove the noise caused by benign traffic: two attack detection models, TFRPP and a Bayesian model, are proposed, and three noise-filtering methods are built on them. Experiments show that these methods effectively filter out part of the sample noise a honeypot system produces.

(3) Signature generation based on multiple sequence alignment. To address the limited accuracy of the signatures produced by existing NSG methods, the thesis borrows sequence alignment algorithms from bioinformatics and proposes a signature generation method based on multiple sequence alignment. For different signature generation settings, a series of new alignment algorithms is proposed: two pairwise alignment algorithms, CSR and ECSR, and three multiple sequence alignment algorithms, PDRP_MSA, HP_MSA and T-Coffee+CSR. Experiments show that, when the samples are noise-free, PDRP_MSA extracts the signature of a polymorphic attack more accurately than the methods in common use; when the samples contain noise, HP_MSA and T-Coffee+CSR still extract the signature of the polymorphic attack accurately and thus tolerate noise well.

(4) The signature tree and an incremental signature tree generation method. Relationships between real-world attacks are often reflected as similarity between their signatures, but the signatures output by current NSG methods are isolated and cannot express relationships between attacks. Using the "more specific than" relation between SRE signatures, the thesis proposes the signature tree: extracted SRE signatures are organised into a tree in which the signature of a child node is always more specific than that of its parent. A signature tree shows how attacks are related and how they evolve over time, and it simplifies signature selection and the maintenance and management of a signature database. The most complicated NSG setting is the one in which the samples to be processed are a mixture from several (polymorphic) attacks, possibly with noise. For this setting the thesis proposes PolyTree, an NSG system built on the signature tree that uses the ISTG algorithm to generate signature trees for multiple attacks incrementally. PolyTree is, at the time of writing, the only NSG system that works incrementally. Experiments show that the signature trees PolyTree generates have two good properties: samples from different attacks are clustered effectively in the tree, and, given sufficient samples, the most specific signature of each attack is extracted and included in the tree. The thesis proves the correctness of ISTG and analyses its resistance to malicious attacks.

(5) An NSG application system design based on the BSCM model. To apply the techniques and methods above, the thesis finally studies the design of an NSG application system, with security collaboration as the main design concern. A general network security collaboration model, the blackboard-based security collaboration model BSCM, is first proposed at the abstract level; a distributed NSG application system is then designed on top of BSCM.

【Abstract】 Signature-based detection is the most common and effective way to detect attacks, owing to its simplicity and its ability to respond online. Efficient and accurate signature generation is therefore critical to signature-based detection systems. So far, the signatures used by signature-based intrusion detection systems (IDSs) have been produced manually by security experts, a process that is too slow: signatures become available only after a worm has already attacked systems and caused damage, so the best time to defend is missed. This does not meet the requirements of Internet security today, when new attacks appear constantly and worms spread far faster than humans can respond. In addition, attackers can use polymorphism techniques to evade detection. To support the automatic and speedy generation of signatures, a number of automatic signature generation approaches and systems have been proposed. They can be broadly classified as host-based or network-based. Network-based signature generation (NSG) systems produce content-based signatures purely by analysing suspicious network traffic, whereas host-based signature generation (HSG) systems generate signatures from information obtained on the protected hosts. This thesis systematically studies NSG techniques and their applications, and in particular signature generation for polymorphic attacks such as polymorphic worms. The main contributions are summarised as follows.

(1) A new signature type, the SRE (Simplified Regular Expression) signature, is proposed and the NSG problem is modelled. SRE signatures can easily be transformed into rules for current IDSs to detect attacks accurately. Based on SRE, we give formal definitions of "a more specific signature" and "the most specific signature" of a polymorphic attack, so that the accuracy of two SRE signatures can be compared. We prove that generating the most specific signature of a polymorphic attack is NP-hard.

(2) Noise-filtering methods for attack sample collection are proposed. To capture samples of new attacks for signature generation, we design and implement a distributed honeypot system, HonIDS. In contrast to traditional approaches, which take all traffic visiting the honeypot as attack samples, we filter noisy attack samples out of that traffic, where a noisy attack sample is a network flow from a benign user rather than from an attacker. Two detection models, the TFRPP model and a Bayes model, are proposed and integrated into HonIDS, and three methods for filtering noise from attack samples are built on them.

(3) Signature generation methods based on multiple sequence alignment are proposed. The signatures generated by previous NSG systems are not accurate enough because two kinds of information are lost: some invariant parts of polymorphic worms, such as one-byte invariant parts, cannot be extracted, and the distance restrictions between invariant parts are neglected. Drawing on related algorithms in bioinformatics, we propose a signature generation approach based on multiple sequence alignment (MSA). Motivated by different signature generation applications, we propose a series of sequence alignment algorithms: the CSR and ECSR algorithms for pairwise alignment, the MSA algorithm PDRP_MSA for noise-free (noise-sensitive) signature generation, and the MSA algorithms HP_MSA and T-Coffee+CSR for noise-tolerant signature generation. Experimental results show that, compared with previous approaches, these MSA-based approaches produce more accurate and precise signatures for polymorphic attacks.

(4) The signature tree and an incremental signature tree generation approach are proposed. We observe that the signatures of worms and their variants are related, and that a tree structure properly reflects this polymorphism relationship. Rather than generating isolated signatures for multiple polymorphic worms, as current NSG approaches do, we use the "more specific than" relation to organise generated signatures hierarchically into a signature tree: each node is labelled with a signature, and the signature of a child node must be more specific than that of its parent. The signature tree gives insight into how worm variants evolve over time, makes it simpler to balance the false-positive rate of a signature against its generality, and makes the generated signatures easier to organise and maintain. The most complicated signature generation situation arises when the suspicious flows captured by an NSG system contain mixed samples of multiple polymorphic attacks, possibly accompanied by noise. Based on the signature tree, we propose an NSG system, PolyTree, which uses the ISTG algorithm to generate a signature tree for multiple attacks incrementally. Whenever a new suspicious flow arrives, ISTG is called to generate more specific signatures with the PDRP_MSA algorithm within the existing signature tree and to update the tree. Experimental results show that the signature tree generated by ISTG has two significant properties: samples from the same attack are clustered into one node of the tree, and, given adequate worm samples, the final signature tree contains the most specific signature of every polymorphic attack encountered. The thesis proves the correctness of the ISTG algorithm and analyses potential malicious attacks against it.

(5) To integrate the algorithms and techniques presented in the thesis, an NSG application system is designed, with security collaboration as the focus. Since there is no unified model that ensures interoperability and collaboration among different security components and systems, we first propose an abstract-level security collaboration model, BSCM (Blackboard-based Security Collaboration Model), in which network security components do not communicate with each other directly but through a common blackboard that serves as the platform for information sharing and event response. A distributed NSG application system is then designed on top of BSCM.
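The following is an added illustrative example, not code from the thesis, showing in Python the idea behind contributions (1) and (3) above and why the noise filtering of contribution (2) matters. Each new sample of a polymorphic attack is aligned against the consensus of the samples seen so far with a plain Needleman-Wunsch global alignment (a stand-in for the thesis's CSR/ECSR and PDRP_MSA algorithms, which it does not reproduce); only bytes invariant across all samples survive, the number of bytes that varied between two invariant substrings is recorded as an SRE-style .{min,max} distance restriction, and the result is rendered as a bytes regex of the kind a Snort pcre option accepts. The exploit-like requests in SAMPLES and the request in BENIGN are constructed for the example; feeding the benign request into the sample set as if it were an attack sample generalises the signature until it matches that benign traffic.

```python
"""Progressive-alignment signature generation (illustrative example, not the thesis code).

Each sample is aligned against the consensus built from earlier samples.  A column keeps
its byte only if every sample carried that byte there; every other column is a wildcard.
A wildcard column is "required" if every sample had some byte there, which gives the
SRE-style distance restriction .{min,max} between two invariant substrings.
"""
import re

MATCH, MISMATCH, GAP = 2, -1, -1


def align(cols, sample):
    """Needleman-Wunsch global alignment of consensus columns against one sample.

    cols: list of (literal byte or None, required) pairs; a wildcard column (None)
    accepts any byte at score 0.  Returns (column index, sample index) pairs where
    None on either side marks a gap.
    """
    n, m = len(cols), len(sample)

    def sub(i, j):
        lit = cols[i][0]
        return 0 if lit is None else (MATCH if lit == sample[j] else MISMATCH)

    S = [[0] * (m + 1) for _ in range(n + 1)]
    for i in range(1, n + 1):
        S[i][0] = i * GAP
    for j in range(1, m + 1):
        S[0][j] = j * GAP
    for i in range(1, n + 1):
        for j in range(1, m + 1):
            S[i][j] = max(S[i - 1][j - 1] + sub(i - 1, j - 1),
                          S[i - 1][j] + GAP, S[i][j - 1] + GAP)
    pairs, i, j = [], n, m
    while i > 0 or j > 0:                    # trace back, preferring the diagonal
        if i > 0 and j > 0 and S[i][j] == S[i - 1][j - 1] + sub(i - 1, j - 1):
            pairs.append((i - 1, j - 1))
            i, j = i - 1, j - 1
        elif i > 0 and S[i][j] == S[i - 1][j] + GAP:
            pairs.append((i - 1, None))      # column this sample has no byte for
            i -= 1
        else:
            pairs.append((None, j - 1))      # byte only this sample has
            j -= 1
    pairs.reverse()
    return pairs


def merge(cols, sample):
    """Fold one more sample into the consensus; literals can only get weaker."""
    new = []
    for ci, sj in align(cols, sample):
        if ci is None or sj is None:
            new.append((None, False))        # optional wildcard: not every sample has it
        else:
            lit, req = cols[ci]
            new.append((lit if lit == sample[sj] else None, req))
    return new


def to_sre(cols):
    """Collapse columns into SRE-style tokens: bytes literals and (min, max) gaps."""
    tokens = []
    for lit, req in cols:
        if lit is not None:
            if tokens and isinstance(tokens[-1], bytes):
                tokens[-1] += bytes([lit])
            else:
                tokens.append(bytes([lit]))
        elif tokens and isinstance(tokens[-1], list):
            tokens[-1][0] += int(req)        # min grows only with required columns
            tokens[-1][1] += 1               # max grows with every wildcard column
        else:
            tokens.append([int(req), 1])
    # the signature is applied with an unanchored search, so edge gaps carry nothing
    if tokens and isinstance(tokens[0], list):
        tokens.pop(0)
    if tokens and isinstance(tokens[-1], list):
        tokens.pop()
    return [tuple(t) if isinstance(t, list) else t for t in tokens]


def to_regex(tokens):
    """Render SRE tokens as a bytes regex (the form a Snort pcre option accepts)."""
    parts = [re.escape(t) if isinstance(t, bytes) else b".{%d,%d}" % t for t in tokens]
    return re.compile(b"".join(parts), re.DOTALL)


def generate_signature(samples):
    cols = [(b, True) for b in samples[0]]
    for s in samples[1:]:
        cols = merge(cols, s)
    return to_sre(cols)


def literal_length(tokens):
    """Total invariant bytes: a crude proxy for how specific a signature is."""
    return sum(len(t) for t in tokens if isinstance(t, bytes))


# Constructed samples: three variants of one hypothetical exploit request sharing a fixed
# URI prefix, a short jump (\xeb), a return address (\xff\xbf) and a fixed trailer.
SAMPLES = [
    b"GET /vuln.php?id=" + b"\x90" * 4 + b"\xeb\x07\xff\xbf" + b"\x31\xc0" + b" HTTP/1.0\r\n",
    b"GET /vuln.php?id=" + b"AB" + b"\x90" * 3 + b"\xeb\x04\xff\xbf" + b"\x33\xc9\x51" + b" HTTP/1.0\r\n",
    b"GET /vuln.php?id=" + b"\x90" * 6 + b"\xeb\x0a\xff\xbf" + b"\x31\xdb" + b" HTTP/1.0\r\n",
]
BENIGN = b"GET /index.php?id=42 HTTP/1.0\r\n"   # constructed benign request (sample noise)

if __name__ == "__main__":
    clean = generate_signature(SAMPLES)
    print("clean:", clean, "matches benign:", bool(to_regex(clean).search(BENIGN)))
    noisy = generate_signature(SAMPLES + [BENIGN])
    print("noisy:", noisy, "matches benign:", bool(to_regex(noisy).search(BENIGN)))
```

The clean run keeps the one-byte invariant \xeb and the two-byte \xff\xbf together with their distance restrictions, which is exactly the information the abstract says earlier token-based generators lose. The noisy run shows the failure mode the honeypot noise filter is there to prevent: one benign flow in the sample set turns the exploit bytes into wildcards, and the resulting signature fires on ordinary requests.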
