A Hierarchical Intrusion Detection System Based on Petri Nets (original title: 基于Petri网的层次型入侵检测系统)

A CPN Based Hierarchical Intrusion Detection System

【Author】 吴希

【Advisor】 罗军舟

【Author details】 东南大学 (Southeast University), Computer Software and Theory, 2005, Master's thesis

【Abstract (translated from the Chinese)】 With the development of computer networks, attacks against networks have become increasingly diverse, and complex attack behaviours have emerged that evolved from fragmentary, simple attack forms. In network security practice, traditional intrusion detection faces two kinds of false-negative problem. The first arises because the limitations of architecture and detection methods prevent complex attack behaviour from being detected effectively, so complex attacks are missed. The second arises because an intrusion detection system working at the IP layer cannot accurately audit the TCP data that actually reaches the end system, so an attacker can use evasion techniques to escape detection. This thesis studies these two false-negative problems. Building on an analysis of the theory of attack description, it defines the concepts related to complex attacks, designs a hierarchical intrusion detection model based on Colored Petri Nets to detect complex attacks, and adopts TCP-layer intrusion detection to limit the effect of evasion techniques on the IDS, strengthening the detection capability of the IDS in three respects: architecture, attack description and anti-evasion technique. The result is applied to an active firewall system. The main work consists of three parts.

1) A hierarchical intrusion detection model is proposed. Colored Petri Nets are used to build attack templates for complex attacks. For the first false-negative problem, attack patterns and attack taxonomy are studied, the concepts related to complex attacks are defined, a hierarchical detection model capable of detecting complex attacks is proposed, and its basic principles and hierarchical construction method are discussed in depth.

2) A prototype intrusion detection system based on Colored Petri Nets is designed and implemented. Once an attack template described as a Colored Petri Net has been obtained, the thesis discusses how to convert it into an intrusion detection component, classifies transitions and places, and gives an implementation method for each class of CPN component. Drawing on an analysis of two existing CPN implementation techniques, it designs an implementation scheme in which the detection logic is attached to transitions, together with a CPN-based prototype IDS; the system design is described in detail, the choice of key parameters is analysed, and the system's characteristics are summarised. Finally, the thesis studies how to integrate the prototype into an active firewall, i.e. the implementation technique for security interworking (安全联动).

3) Supporting techniques for TCP-layer intrusion detection are studied and implemented. For the second false-negative problem, the thesis analyses how Linux reassembles IP fragments and TCP data streams, studies the supporting techniques for TCP-layer data analysis, and applies them to the prototype system.

【Abstract】 With the development of computer networks, complex attacks have emerged that evolved from simple, individual ones. In network security practice, traditional IDS (intrusion detection systems) are challenged by two false-negative drawbacks. On the one hand, limited by present IDS architectures and detection techniques, complex attacks are likely to be hidden in the large volume of alerts and cannot be detected effectively. On the other hand, an IDS that audits IP-layer traffic cannot reassemble the application-layer data properly and can be evaded by sophisticated attackers. The research in this thesis addresses these two problems. After analysing the description theory of network attacks, a hierarchical ID (intrusion detection) model is proposed, and detection techniques at the TCP layer are employed to restrict evasion by sophisticated attacks. The IDS is enhanced in three ways: architecture, attack description theory and anti-evasion technique. The prototype system was implemented and applied in the "Active Firewall" project. The main contributions are:

1) A hierarchical ID model. This intrusion detection model employs CPN (Colored Petri Nets) to construct complex attack templates. As a solution to the first false-negative problem mentioned above, attack patterns and their taxonomy are discussed, a hierarchical ID model for detecting complex attacks is drawn up in detail, and the principles of the model and its hierarchical construction method are presented.

2) A Colored Petri Net based IDS. Given an attack template drawn as a CPN model, the techniques for transforming the CPN into an IDS component are discussed. Based on an analysis of two available CPN automata techniques, this thesis implements a CPN-based IDS prototype that uses transitions to express the detection logic. The thesis also discusses how to choose the key parameters and summarises the characteristics of the prototype system.

3) Implementation of intrusion detection at the TCP layer. To counter the second false-negative drawback, IP defragmentation and TCP flow reassembly components are developed based on an analysis of the Linux kernel TCP/IP stack behaviour. How to apply this detection technique in the development of the prototype system is also discussed.
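The hierarchical CPN model of part 1) and the "detection logic attached to transitions" scheme of part 2) can be illustrated with a small token-passing engine. The Python below is an added example written for this page, not code from the thesis or its prototype system. The place and transition names, the two-layer "port scan followed by a login failure" template, the correlation window and the audit records are all constructed assumptions; the point is that layer-1 transitions recognise elementary steps from raw events, and a layer-2 transition correlates those steps through the token colours (source, destination, timestamp).

```python
from dataclasses import dataclass, field
from itertools import product
from typing import Callable, Dict, List

# A coloured token is a record of attribute values (its "colour");
# here a plain dict with src/dst/ts fields. Constructed for this example.
Token = Dict[str, object]


@dataclass
class Place:
    name: str
    tokens: List[Token] = field(default_factory=list)


@dataclass
class Transition:
    """A transition with its detection logic (the guard) attached to it."""
    name: str
    inputs: List[Place]
    output: Place
    guard: Callable[..., bool]     # fires only when the guard accepts the input colours
    produce: Callable[..., Token]  # colour of the token placed in the output place

    def fire_all(self) -> int:
        """Try every binding of one token per input place; fire where the guard holds."""
        fired = 0
        for binding in list(product(*(p.tokens for p in self.inputs))):
            # a token may already have been consumed by an earlier firing in this pass
            if not all(tok in p.tokens for tok, p in zip(binding, self.inputs)):
                continue
            if self.guard(*binding):
                for tok, p in zip(binding, self.inputs):
                    p.tokens.remove(tok)
                self.output.tokens.append(self.produce(*binding))
                fired += 1
        return fired


@dataclass
class Net:
    transitions: List[Transition]

    def run(self) -> None:
        """Fire transitions until no transition is enabled (a fixed point)."""
        while any(t.fire_all() for t in self.transitions):
            pass


def elementary_step(e: Token) -> Token:
    """Colour of a layer-1 token: who, against whom, when."""
    return {"src": e["src"], "dst": e["dst"], "ts": e["ts"]}


def build_template(window: int = 600):
    """Hypothetical two-layer attack template: a port scan followed within
    `window` seconds by a login failure from the same source to the same host."""
    events = Place("Events")           # raw audit records enter here
    scanned = Place("Scanned")         # layer-1 result: elementary step recognised
    auth_failed = Place("AuthFailed")  # layer-1 result: elementary step recognised
    alerts = Place("Alerts")           # layer-2 result: complex attack recognised

    # Layer 1: recognise elementary attack steps from single events.
    t_scan = Transition("RecogniseScan", [events], scanned,
                        guard=lambda e: e["type"] == "portscan",
                        produce=elementary_step)
    t_auth = Transition("RecogniseAuthFail", [events], auth_failed,
                        guard=lambda e: e["type"] == "auth_failure",
                        produce=elementary_step)

    # Layer 2: correlate the steps through their token colours (src, dst, ts).
    t_corr = Transition(
        "ScanThenAuthFail", [scanned, auth_failed], alerts,
        guard=lambda s, a: (s["src"] == a["src"] and s["dst"] == a["dst"]
                            and 0 <= a["ts"] - s["ts"] <= window),
        produce=lambda s, a: {"attack": "scan-then-auth-failure",
                              "src": s["src"], "dst": s["dst"],
                              "span": a["ts"] - s["ts"]})
    return events, alerts, Net([t_scan, t_auth, t_corr])


def detect(event_records: List[Token], window: int = 600) -> List[Token]:
    """Feed audit records into a fresh net and return the alert tokens produced."""
    events, alerts, net = build_template(window)
    events.tokens.extend(dict(e) for e in event_records)
    net.run()
    return list(alerts.tokens)


# Constructed sample audit records (not real traffic).
SAMPLE_EVENTS = [
    {"type": "portscan",     "src": "10.0.0.5", "dst": "10.0.0.9", "ts": 100},
    {"type": "auth_failure", "src": "10.0.0.7", "dst": "10.0.0.9", "ts": 120},   # no prior scan
    {"type": "auth_failure", "src": "10.0.0.5", "dst": "10.0.0.9", "ts": 150},   # completes the template
    {"type": "portscan",     "src": "10.0.0.8", "dst": "10.0.0.9", "ts": 200},
    {"type": "auth_failure", "src": "10.0.0.8", "dst": "10.0.0.9", "ts": 5000},  # outside the window
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)  # one alert: src 10.0.0.5 -> dst 10.0.0.9, span 50
```

Events that no guard accepts simply stay in the `Events` place, and a layer-1 token that is never correlated stays in its intermediate place; a real system would age such tokens out, which is one of the "key parameters" the abstract refers to.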

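Part 3) concerns the second false-negative problem: an IDS that matches each packet in isolation can see different bytes from the end system. The following Python, added here and not taken from the thesis, shows why a TCP-layer reassembler is needed: a signature split across out-of-order segments is invisible per packet but visible in the reassembled stream, and the overlap policy (which copy of retransmitted data wins) changes what the stream contains. The segment contents, the signature string and the `prefer_first` policy are constructed assumptions; the thesis derives the actual policy from the Linux stack, which this example does not reproduce.

```python
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Segment:
    """A TCP segment as captured on the wire: relative sequence number + payload."""
    seq: int
    payload: bytes


def per_packet_hits(segments: List[Segment], signature: bytes) -> List[int]:
    """What an IDS that inspects each packet in isolation would find."""
    return [seg.seq for seg in segments if signature in seg.payload]


def reassemble(segments: List[Segment], isn: int = 0,
               prefer_first: bool = True) -> Tuple[bytes, bool]:
    """Rebuild the byte stream as the receiver would see it.

    Segments are processed in arrival order and each byte is placed at its
    sequence offset, so out-of-order delivery is handled naturally.  For
    overlapping (retransmitted) data, `prefer_first` keeps the byte that
    arrived first; otherwise the later copy overwrites it.  This policy is an
    assumption of the example: a real IDS must mirror the policy of the end
    system it protects.  Returns (contiguous data from isn, hole remains).
    """
    bytes_at = {}
    for seg in segments:
        for i, b in enumerate(seg.payload):
            off = seg.seq - isn + i
            if prefer_first and off in bytes_at:
                continue
            bytes_at[off] = b
    data = bytearray()
    off = 0
    while off in bytes_at:
        data.append(bytes_at[off])
        off += 1
    has_hole = any(k > off for k in bytes_at)
    return bytes(data), has_hole


def stream_hits(segments: List[Segment], signature: bytes,
                isn: int = 0, prefer_first: bool = True) -> List[int]:
    """Signature offsets within the reassembled stream."""
    data, _ = reassemble(segments, isn, prefer_first)
    hits, start = [], 0
    while (i := data.find(signature, start)) != -1:
        hits.append(i)
        start = i + 1
    return hits


# Constructed sample: a signature split across two segments that arrive out
# of order, followed by a retransmission of the second segment carrying
# different content.  No real traffic is involved.
SIGNATURE = b"EXAMPLE-SIGNATURE"
SAMPLE_SEGMENTS = [
    Segment(20, b"NATURE HTTP/1.1\r\n"),   # arrives first, but is second in the stream
    Segment(0,  b"GET /q?v=EXAMPLE-SIG"),  # fills the front of the stream
    Segment(20, b"XXXXXX HTTP/1.1\r\n"),   # overlapping retransmission
]

if __name__ == "__main__":
    print(per_packet_hits(SAMPLE_SEGMENTS, SIGNATURE))                  # []
    print(stream_hits(SAMPLE_SEGMENTS, SIGNATURE))                      # [9]
    print(stream_hits(SAMPLE_SEGMENTS, SIGNATURE, prefer_first=False))  # []
```

The two `stream_hits` results differ only in the overlap policy, which is the practical reason the thesis models the Linux reassembly behaviour rather than an arbitrary one: the IDS must reconstruct the same bytes the audited end system delivers to the application.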
  • 【Online publication contributor】 东南大学 (Southeast University)
  • 【Online publication issue】 2007, No. 02
  • 【CLC number】 TP393.08
  • 【Times cited】 2
  • 【Downloads】 167