
Research and Design of an Intrusion Detection System Based on TCP/IP Security

The Research and Design of IDS Based on TCP/IP

【Author】 蔡沈欣

【Supervisor】 许占文

【Author information】 Shenyang University of Technology (沈阳工业大学), Computer Technology, 2005, Master's thesis

【Abstract (translated from the Chinese)】 With the spread of the Internet and the development of network technology, network security problems have become increasingly prominent. Among the many network security technologies, intrusion detection is a very important one that receives wide attention from computer practitioners. Intrusion detection is a security technology that proactively discovers hidden dangers in a network. As a reasonable complement to firewalls, it helps counter network attacks, extends the system administrator's security management capability, and improves the integrity of the information security infrastructure. The thesis first analyzes the layered structure of the TCP/IP protocol family, outlines the protocol formats, and analyzes the factors that make networks insecure and the attack methods used by hackers. It then introduces the key technologies of intrusion detection. For detection based on protocol analysis, it analyzes IP packet fragment reassembly; for detection based on pattern matching, it analyzes several pattern-matching algorithms (KMP, BM, improved variants of BM, and multi-pattern matching algorithms), analyzes the advantages of these techniques in IDS applications, and analyzes the security of the intrusion detection system itself. Finally, it describes the IDS design in detail, presenting the design approach and implementation of a protocol-analysis-based IDS that conforms to the CIDF architecture, and proposes countermeasures to several attack methods. The system is designed as a hybrid detector with both anomaly detection and misuse detection. It implements network packet capture based on Libpcap, analyzes the behavioural characteristics of intrusions, and defines an intrusion rule base. On top of protocol analysis, IP fragment reassembly and TCP stream reconstruction are used to lower the miss rate and reduce the false-alarm rate. Management is centralized: the administrator can directly control the behaviour of each module from a central console. The overall design introduces two innovations, a model analysis engine and a key distribution management center. The model analysis engine aims to detect new intrusions and improve the system's adaptability; the key distribution management center aims to encrypt all communication, applying cryptographic techniques to ensure secure transmission of information and strengthening the security of the IDS itself.

【Abstract】 With the popularization of the Internet and the development of network technology, network security problems have become more and more prominent. Among the many network security technologies, intrusion detection is the most important and attractive technology for many computer operators. Intrusion detection is a kind of security technology for finding hidden network trouble. As a reasonable complement to the firewall, it can help deal with attacks from the network, extend the administrators' ability to protect the system, and make the structure of the security system more integral. First, the thesis analyzes the hierarchy of the TCP/IP protocols and summarizes their formats, analyzing the factors that lead to an unsafe network and the means of attack used by crackers. Second, it introduces the key technologies of intrusion detection. In the protocol-analysis detection model, it mainly studies the fragment reassembly of IP packets. In the pattern-matching detection model, it analyzes several kinds of pattern-matching algorithms, such as KMP, BM, BMH and multiple-pattern matching algorithms, and analyzes the advantages of these techniques in IDS applications and the security of the intrusion detection system. Last, it introduces the design of an IDS based on the CIDF architecture and protocol analysis, and provides corresponding methods against the attacks. A composite detection system is designed that performs not only misuse detection but also anomaly detection. The system realizes the capture of network data packets based on Libpcap, analyzes the characteristics of intrusion behavior, and defines the library of intrusion rules. On the basis of protocol analysis, the system uses techniques such as the fragment reassembly of IP packets and TCP data flow reconstruction, which reduce missed alerts and false alerts. On the management side, the system introduces central management to directly control every module. The innovation of the design is the introduction of the model analysis engine and the management center that distributes and manages the secret key. The model analysis engine is to detect new intrusions and increase self-adaptability. The management center that distributes and manages the secret key is to encrypt all communications, applying cryptographic technology to ensure safe transfer of the data and increasing the security of the IDS itself.
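The abstract's point that IP fragment reassembly lowers the miss rate, shown as an added example (not code from the thesis): a naive matcher that inspects each fragment on its own misses a signature that straddles a fragment boundary, while matching after reassembly finds it. The fragment tuple layout, the signature and the sample datagram are constructed here; offsets are byte offsets, already multiplied out of the 8-byte units the IP header uses.

```python
from typing import Dict, List, Optional, Tuple

# Constructed fragment representation: (ip_id, byte offset, more-fragments flag, payload).
Fragment = Tuple[int, int, bool, bytes]

# Constructed signature standing in for one entry of an intrusion rule base.
SIGNATURE = b"/bin/sh"


class FragmentReassembler:
    """Collects fragments per IP identification value and rebuilds the datagram."""

    def __init__(self) -> None:
        self._pending: Dict[int, List[Fragment]] = {}

    def add(self, frag: Fragment) -> Optional[bytes]:
        """Store a fragment; return the full payload once the datagram is complete."""
        ip_id = frag[0]
        frags = self._pending.setdefault(ip_id, [])
        frags.append(frag)
        frags.sort(key=lambda f: f[1])          # order by offset
        expected = 0
        for i, (_, off, more, data) in enumerate(frags):
            if off != expected:
                return None                    # gap or overlap: keep waiting
            expected = off + len(data)
            if not more:                       # MF=0 marks the final fragment
                del self._pending[ip_id]
                return b"".join(f[3] for f in frags[: i + 1])
        return None                            # last fragment not seen yet


def match_per_fragment(frags: List[Fragment]) -> bool:
    """Naive IDS: look for the signature inside each fragment separately."""
    return any(SIGNATURE in f[3] for f in frags)


def match_after_reassembly(frags: List[Fragment]) -> bool:
    """Protocol-analysis IDS: reassemble first, then match on the whole datagram."""
    reassembler = FragmentReassembler()
    for f in frags:
        full = reassembler.add(f)
        if full is not None and SIGNATURE in full:
            return True
    return False


# Constructed sample: one datagram carrying b"run /bin/sh now", split so the
# signature straddles the 8-byte boundary; the fragments arrive out of order.
SAMPLE_FRAGMENTS: List[Fragment] = [
    (0x1234, 8, False, b"/sh now"),
    (0x1234, 0, True, b"run /bin"),
]
```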

【Key words】 TCP/IP; IDS; Protocol analysis; Pattern matching; CIDF
  • 【Classification number】 TP393.08
  • 【Times cited】 1
  • 【Downloads】 135