基于策略脚本的千兆位入侵检测系统核心技术研究

【作者】 刘旭生；

【导师】 王锋；

【作者基本信息】 昆明理工大学 ， 计算机应用技术， 2008， 硕士

【摘要】 入侵检测技术作为一种动态网络安全防御技术,是目前安全领域的研究热点,近些年来得到快速的发展。然而,目前大多数入侵检测系统在不牺牲检测质量的前提下,尚无法处理百兆网络满负荷时的数据分析,千兆则更是难以企及的目标。着眼于提高IDS的检测速度及精准度,遵循通用入侵检测框架(CIDF)规范,依据基于网络的入侵检测系统(NIDS)的结构要求,论文提出并实现了GIDS(Gigabits IDS)。该系统依据层次化结构设计的思想,自低向上依次分为数据采集模块、事件生成引擎、策略脚本解释器,入侵保护模块四个部分。(1)用Libpcap网络数据采集函数库进行数据采集,同时结合零拷贝与设备轮询机制进一步提高数据采集的效率;(2)事件生成引擎利用动态协议探测技术检测数据包的协议类型,然后根据协议类型判断当前连接的状态,进而产生不同的事件供策略脚本分析处理。此外,GIDS还允许用户把一些典型的攻击特征描述成简单的规则,根据规则匹配网络数据包生成相应的事件。为了提高模式串的描述能力,我们采用正则匹配的方式进行模式匹配;(3)策略脚本解释器解释执行策略脚本,策略脚本是由Flex与Bison实现的一种类C语法的策略脚本语言——GIDS Script编写,脚本允许用户编写更多的处理逻辑,而不是用生硬的字符串匹配来判断攻击的存在。无论是脚本解析还是正则匹配,都是针对一个完整会话重组过的数据来进行,实现了检测的细粒度,提高了入侵检测的精准度;(4)为了减轻管理员负担,减少人为干预,入侵保护模块通过伪造TCP的RST报文及与防火墙ACL联动两种方式实现对入侵的及时阻断,从而有效地降低攻击的危害性。最后,在真实环境中,我们对GIDS的CPU占用率,内存使用率,系统的吞吐量,丢包率等性能指标进行了测试,并对结果数据进行了分析。更多还原

【Abstract】 Intrusion detection systems (IDSs) have become increasingly more sophisticated as an approach for network security protection over the last several decades. However, resent IDSs have been unable to provide proper analysis or an effective security mechanism for defending attacks under mega-bits network environment because of several limitations. Based on Common Intrusion Detection Framework (CIDF) and Network-Based Intrusion Detection System (NIDS) standards, we presents a novel intrusion detection system called Gigabits IDS (GIDS) to improve the detection speed and accuracy which ensures for monitoring high speed network. The GIDS consists of data capture module, event generation engine, policy script interpreter and intrusion prevention module. The paper is organized as follows:(1) Combine Zero-copy and Device Polling mechanism with Libpcap to capture data packet which proven to be more efficiency.(2) Event generator module adopts dynamic protocol detection to determine protocol type and connecting state, this provides policy script analysis for different events. Besides, GIDS permits users to define signature collections with typical attack features, events are generated by comparison of attack signatures to the network data stream, and regular expression is adopted to improve the description ability of signatures.(3) Policy scripts are interpreted and executed by policy script interpreter; the scripts are coded in GIDS Script language which is implemented with Flex and Bison to provide more flexible detection logic. Both policy script analysis and regular expression matching are all aimed at procession of packets reassembled from a whole session to realize fine grit detection which can improve the accuracy of intrusion detection.(4) By sending fake RST packets and linking with firewall access control list (ACL), the intrusion prevention module is constructed to block intrusion activities in time to relieve the workload of administrators and reduce user interactive work.At last, the performance of GIDS is tested through CUP occupancy, memory usage rate, system’ throughput and loss tolerance, results show GIDS is strengthen than other IDSs.更多还原