
Security Audit in Information System
(Original title: 信息系统的安全审计)

【Author】 杨正朋

【Supervisor】 王闵

【Author information】 西安电子科技大学 (Xidian University), Computer System Architecture, 2008, Master's thesis

【Abstract (translated from Chinese)】 The security of information systems is drawing more and more attention from countries around the world. In recent years it has been found that leaks and intrusions caused by insiders account for a large proportion of incidents, so strengthening the security audit of how information resources within a system are used is of great practical significance. Security audit technology is an important component of the information security field: it uses technical means to continuously record every event that occurs on computers and computer networks, and uses after-the-fact tracing to ensure system security and to prevent individual users from repudiating events that actually occurred. Although audit measures are somewhat passive with respect to online attacks and theft of secrets, they play a very important role in tracing crimes committed on the network and also deter insider crime. Research on computer security audit technology is therefore of great significance and has good application prospects. By analyzing the current state of research in the security audit field, following the design principles of security audit systems and drawing on the background of a real project, this thesis proposes an architectural model for a security audit system based on a Ukey. The system consists of three main parts: data collection, the analysis engine and information publication. The data collection part is based on a distributed design and can collect data from multiple collection points. The analysis engine part uses a rule-library approach to match and analyze the raw audit data, detect various kinds of intrusion security events and obtain the security audit trail. The information publication part publishes the audit data and audit trail records over the Web to three different user roles (common user, security administrator and system administrator).

【Abstract】 As all countries take the security of information systems into serious consideration, it has become clear that leaks of secrets and intrusions by members of the organization itself account for a large share of security problems. To prevent this, it is extremely important to strengthen the security audit of how internal information in a system is used. Security audit is one of the most important parts of the field of information security. First, it faithfully and uninterruptedly records everything, including users' operations and other activities that happen both in the local computer system and in the related network. After the event, various means and technologies are used to analyze the data that has been collected automatically. Finally, the result can be employed as solid evidence of whether the information system has been compromised, or when users deny their own activities. Though this method is passive with respect to attackers on the network, it is a great help in tracing network crimes, and it also deters staff from misconduct. Therefore it is of great importance to study computer security audit technology. By carefully analyzing current accomplishments in the field of security audit, this thesis presents a possible architecture for a security audit system based on a Ukey which can be deployed on a network server. There are three main modules in the system: the data collection module, the analysis engine module and the information publication module. The data collection module is designed for a distributed network model and may have several distributed audit collectors. The analysis engine module is based on rule libraries to detect potential security violations: it finds matching patterns, detects security events and records the security audit trail. The information publication module supplies review and query of the original audit data and the audit alert trail to authorized users. There are three user roles, common user, security administrator and system administrator, with different privileges. Information publication is based on the World Wide Web, with an audit alert trail.
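As an added illustration, not code from the thesis, the following Python sketch shows the rule-library matching step described above: constructed raw audit records from two hypothetical collectors (srv-a, srv-b) are merged and matched against a small assumed rule library to produce security events, and the resulting audit trail is hash-chained so that later alteration of any entry is detectable, which supports the non-repudiation goal the abstract names. Record fields, rule names and thresholds are all assumptions.

```python
import hashlib
import json
from collections import defaultdict
from datetime import datetime

# Constructed raw audit records from two hypothetical collectors (srv-a, srv-b); not data from the thesis.
RAW_RECORDS = [
    {"ts": "2008-03-01T02:10:00", "collector": "srv-a", "user": "bob", "action": "login", "result": "fail"},
    {"ts": "2008-03-01T02:10:05", "collector": "srv-a", "user": "bob", "action": "login", "result": "fail"},
    {"ts": "2008-03-01T02:10:09", "collector": "srv-b", "user": "bob", "action": "login", "result": "fail"},
    {"ts": "2008-03-01T09:00:00", "collector": "srv-a", "user": "alice", "action": "login", "result": "ok"},
    {"ts": "2008-03-01T23:30:00", "collector": "srv-b", "user": "alice", "action": "read_secret", "result": "ok"},
]
# Assumed rule library: (rule name, predicate on one raw record, hits per user before an event is raised).
RULE_LIBRARY = [
    ("repeated_failed_login", lambda r: r["action"] == "login" and r["result"] == "fail", 3),
    ("off_hours_secret_read",
     lambda r: r["action"] == "read_secret" and datetime.fromisoformat(r["ts"]).hour not in range(6, 22), 1),
]

def analyze(records, rules=RULE_LIBRARY):
    """Merge records from all collectors by time, match against the rule library, return security events."""
    hits, events = defaultdict(int), []
    for r in sorted(records, key=lambda x: x["ts"]):
        for name, matches, threshold in rules:
            if matches(r):
                hits[(r["user"], name)] += 1
                if hits[(r["user"], name)] == threshold:   # raise the event once, when the threshold is reached
                    events.append({"ts": r["ts"], "user": r["user"], "rule": name, "collector": r["collector"]})
    return events

GENESIS = "0" * 64  # chain value before the first trail entry

def _digest(prev, body):
    return hashlib.sha256((prev + json.dumps(body, sort_keys=True)).encode()).hexdigest()

def build_trail(events):
    """Hash-chain the events so each trail entry commits to the one before it."""
    trail, prev = [], GENESIS
    for e in events:
        trail.append({**e, "prev": prev, "hash": _digest(prev, e)})
        prev = trail[-1]["hash"]
    return trail

def verify_trail(trail):
    """Recompute the chain; an altered, removed or reordered entry fails verification."""
    prev = GENESIS
    for entry in trail:
        body = {k: v for k, v in entry.items() if k not in ("prev", "hash")}
        if entry["prev"] != prev or entry["hash"] != _digest(prev, body):
            return False
        prev = entry["hash"]
    return True
```

Because bob's three failed logins arrive from two different collectors, the example also shows why the engine must correlate across collection points rather than per collector.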
