Research on Implementation Technology of IPv6 Intrusion Detection System

【Author】 Miao Yanqiang (苗延强)

【Advisor】 Cai Kaiyu (蔡开裕)

【Author information】 National University of Defense Technology, Computer Technology, 2009, Master's

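【Summary】 With the development of network technology, network security problems have become increasingly prominent, and incidents in which attackers use the network to carry out attacks and steal secret data occur frequently. Although security mechanisms such as firewalls, virus detection and encryption can effectively guard against attacks, each has shortcomings to some degree, and an intrusion detection system (IDS) can effectively compensate for them. With the development of IPv6 technology and the deployment of IPv6 networks, network intrusions that use new attack methods over IPv6 keep appearing, so an IPv6-oriented intrusion detection system must be researched and developed to secure the next-generation network. IPv6 vulnerability analysis is the foundation of an IPv6 intrusion detection system, and research on IPv6 penetration testing is essential to designing and developing one. The purpose of IPv6 penetration testing is to discover IPv6 vulnerabilities in theory and to apply the vulnerabilities found to the rule base of the IPv6 intrusion detection system, strengthening its detection capability. This thesis first analyzes the vulnerabilities of the IPv6 protocol in depth, classifies them with reference to a computer vulnerability classification model, and studies the different types of IPv6 vulnerability in depth. On this basis, it proposes penetration testing as the method for discovering IPv6 vulnerabilities, and designs an IPv6 vulnerability penetration testing model and a general structure for penetration testing tools, in order to improve the detection rules of the IPv6 intrusion detection system and its detection results. It then designs an IPv6 intrusion detection system on the basis of the Snort intrusion detection system, completes the overall architecture design, and gives the detailed design of each functional module. The thesis also studies implementation techniques for each functional module, and finally implements the basic functions of the IPv6 intrusion detection system and carries out the corresponding tests.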

【Abstract】 With the development of network technology, the security problems of the network have become more and more important. Although we have a lot of security systems, such as network firewalls and virus detection systems, there are still a lot of network attacks which can’t be detected in time. Because these security systems are passive defense systems, the intrusion detection system comes out as an active defense system. With the development of IPv6 technology and the deployment of IPv6 networks, cases of network intrusion using new attack methods are becoming more and more frequent. An IPv6 intrusion detection system should be researched and developed to provide security for the next-generation network. The analysis of IPv6 vulnerability is the basis of an IPv6 IDS. IPv6 penetration testing is essential for the design and development of an IPv6 intrusion detection system. The purpose of IPv6 penetration testing is to find more security threats and to apply these security threats to the rule library of the IPv6 IDS, so that the ability of the IPv6 intrusion detection system will be more powerful. In this paper, we first analyze the vulnerabilities of IPv6 protocol stacks in depth. We divide the vulnerabilities of IPv6 into five areas according to the vulnerability classification model. We then present a method that applies penetration testing to the research of IPv6 vulnerability. We have designed the vulnerability model of IPv6 penetration testing and the general model of penetration testing tools, which can improve the detection results of the IPv6 IDS. Based on research on the Snort system, we present the architecture and design the various functional modules of the IPv6 IDS. Finally, we discuss the implementation technology of the IPv6 IDS and test its function and performance.

【Key words】 IPv6; IDS; vulnerability; penetration testing; testing model; attack tree; Snort