
Research on Intrusion Detection Systems

【Author】 庞震

【Advisors】 王大勇; 孙慰迟

【Author information】 复旦大学 (Fudan University), Software Engineering, 2010, Master's thesis

【Abstract, translated from Chinese】 Intrusion detection, as an important security technology, is being ever more widely applied and studied. Storage-based intrusion detection is one of the important components of the intrusion detection field and is currently a challenging research hotspot: it collects operation data from computer storage and discovers unauthorized intrusions as close to real time as possible. The attack model and the matching method are the two most important aspects of storage-based IDS research, so this thesis concentrates on these two. The research mainly covers automatic generation of attack patterns based on decision-tree classification, a feature-fusion algorithm for anomaly detection based on D-S evidence theory, and collaboration-based joint defense among IDSes of different types, with the aim of improving the detection capability, accuracy and efficiency of storage-based IDS. The main work is as follows:

1. A decision-tree classification generation algorithm is proposed, and from it a method for generating attack patterns automatically. The attack model is a key element of misuse detection and determines the detection rate and false-positive rate of a storage-based IDS. To obtain a reasonable and effective attack model, this thesis applies attack-modeling theory to building the attack model of a storage-based IDS and extends the decision-tree model so that attack models describe attacks more accurately and completely and can be reused and shared. A decision-tree classification generation algorithm is then proposed so that models can be produced automatically. To validate the model and the algorithm, experiments are run on storage operation data collected on a simulation platform; the results show that both are effective, and the model has the further advantages of reusability and automatic generation.

2. Six groups of low-computational-cost features are proposed and fused with D-S evidence theory to reach a verdict. The core of anomaly detection research is building a complete and accurate model of normal behavior. Based on a comprehensive analysis of data collected under normal and abnormal system operation, this thesis proposes six groups of key features of storage operation data that are cheap to compute, and uses D-S evidence theory to fuse the observations obtained from these features into an overall judgment. Choosing cheap features and an efficient fusion rule keeps the algorithm fast enough for high-speed detection.

3. A joint-defense method among IDSes at different levels is proposed. This thesis proposes a method in which IDSes cooperate to defend jointly, modeled on how problems are solved in human society. Collaboration takes two modes. In active-defense mode, the IDS responsible for the victim's domain sends the intrusion information to the IDS responsible for the attacker's domain, which then takes measures to stop the attack from continuing. In notification (early-warning) mode, an IDS that discovers some attack behavior notifies its acquaintance IDSes, so that they can take preventive measures in advance.

In addition, in view of the characteristics of IDS research, this thesis studies a research framework for storage-based intrusion detection and collects and analyzes storage operation data. Finally, experiments are designed to further verify the correctness of the proposed models and algorithms. Many problems in storage-based intrusion detection remain open; the work in this thesis is only an exploration and awaits further in-depth research.

【Abstract】 As an important security technology, the Intrusion Detection System (IDS) is ever more widely deployed. Storage-based intrusion detection is one of the most important parts of the intrusion detection field. Its aim is to detect unauthorized intrusion as quickly as possible by analyzing operation data collected from storage devices. The attack model and the analysis method are two important aspects of storage-based IDS research and are therefore the focus of this thesis. The research mainly involves building attack patterns automatically from a decision classification tree; detecting abnormal behavior by fusing multiple data features with Dempster-Shafer (D-S) evidence theory; and coordinated protection among different types of IDS, in order to improve the detection ability, accuracy and efficiency of storage-based IDS.

The main achievements of this thesis are as follows:

1. A decision classification tree generation algorithm is proposed, and on the basis of this model and algorithm a method for building attack patterns automatically is given. The attack model is one of the most important elements of misuse detection and determines the performance of a storage-based IDS. Based on attack modeling theory, an extended attack tree model is presented that describes attacks precisely and can be reused and shared. On this model, the decision classification tree generation algorithm is built. Experiments on storage operation data collected from a simulated environment verify the effectiveness and efficiency of the model and the algorithm.

2. Six groups of low-computation features of storage operation data are proposed, and a storage anomaly detector that fuses them with D-S evidence theory is presented. The detector fuses multiple features of the storage operation data to decide whether the activity is normal, and through this fusion achieves a low false-alarm rate and a low miss rate. The six low-computation features together with an efficient fusion mechanism keep the algorithm's performance high.

3. A collaboration method among IDSes at various levels is proposed. Collaboration among different IDSes builds a united defense and therefore increases the security of the whole system. The method proposed here imitates acquaintance relations in human society and can be carried out in two ways: the IDS on the victim's side sends the intrusion information to the IDS on the attacker's side and asks it to stop the attack; or an IDS that finds a novel intrusion sends an alarm to its acquaintance IDSes.

In addition, in keeping with the characteristics of IDS research, the framework and architecture of a storage-based IDS are discussed, and experimental data are collected and analyzed. Finally, the models, algorithms and methods presented in this thesis are further verified in designed experiments. Many aspects of storage-based IDS technology and related technologies still need to be discussed and researched; the work in this thesis is only a first attempt and further research is needed.
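The fusion step in item 2 is Dempster's rule of combination: every feature turns one storage-operation record into a basic probability assignment (BPA) over the frame {NORMAL, ATTACK}, and the BPAs are combined into a single mass function whose belief in ATTACK drives the verdict. The following is an added example and not code from the thesis. The thesis does not list its six feature groups or their mass values, so the three feature functions, their masses, the 0.5 decision threshold and the sample records below are all hypothetical stand-ins; only the combination rule and the belief/plausibility definitions are the standard D-S machinery the abstract refers to.

```python
"""Dempster-Shafer fusion of per-feature verdicts on storage-operation records.

Added example, not the thesis's own code. The feature functions, their mass
values and the sample records are constructed assumptions; the fusion rule is
standard Dempster-Shafer theory.
"""

# Frame of discernment and its two singleton hypotheses.
FRAME = frozenset({"NORMAL", "ATTACK"})
NORMAL = frozenset({"NORMAL"})
ATTACK = frozenset({"ATTACK"})


def combine(m1, m2):
    """Dempster's rule: m(X) = sum_{B & C == X} m1(B) m2(C) / (1 - K),
    where K is the mass that lands on the empty set (conflict)."""
    out = {}
    conflict = 0.0
    for b, mb in m1.items():
        for c, mc in m2.items():
            inter = b & c
            if inter:
                out[inter] = out.get(inter, 0.0) + mb * mc
            else:
                conflict += mb * mc
    if conflict >= 1.0:
        raise ValueError("total conflict: sources cannot be combined")
    return {k: v / (1.0 - conflict) for k, v in out.items()}


def fuse(bpas):
    """Fold any number of BPAs; the vacuous BPA m(FRAME)=1 is the identity."""
    result = {FRAME: 1.0}
    for m in bpas:
        result = combine(result, m)
    return result


def belief(m, hyp):
    """Bel(H): mass committed to subsets of H."""
    return sum(v for k, v in m.items() if k <= hyp)


def plausibility(m, hyp):
    """Pl(H): mass not contradicting H (Bel plus the ignorance mass)."""
    return sum(v for k, v in m.items() if k & hyp)


# Hypothetical features; the thesis's six real feature groups are not given.
SENSITIVE_PREFIXES = ("/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/", "/etc/")


def feat_sensitive_write(rec):
    """Assumed feature: a write under a system path is fairly strong evidence."""
    if rec["op"] == "write" and rec["path"].startswith(SENSITIVE_PREFIXES):
        return {ATTACK: 0.7, FRAME: 0.3}
    return {NORMAL: 0.5, FRAME: 0.5}


def feat_off_hours(rec):
    """Assumed feature: activity outside 08:00-18:00 is weak evidence."""
    if not 8 <= rec["hour"] < 18:
        return {ATTACK: 0.4, FRAME: 0.6}
    return {NORMAL: 0.3, FRAME: 0.7}


def feat_burst(rec):
    """Assumed feature: a burst of storage operations per second."""
    if rec["ops_per_sec"] > 50:
        return {ATTACK: 0.6, FRAME: 0.4}
    return {NORMAL: 0.4, FRAME: 0.6}


FEATURES = (feat_sensitive_write, feat_off_hours, feat_burst)


def classify(rec, threshold=0.5):
    """Fuse all feature BPAs and decide; unresolved cases stay UNCERTAIN
    instead of being forced to one side, which is the point of keeping
    the ignorance mass m(FRAME) explicit."""
    fused = fuse(f(rec) for f in FEATURES)
    if belief(fused, ATTACK) > threshold:
        return "ATTACK", fused
    if belief(fused, NORMAL) > threshold:
        return "NORMAL", fused
    return "UNCERTAIN", fused


# Constructed sample records (not data from the thesis).
SAMPLE_RECORDS = [
    {"path": "/home/alice/report.txt", "op": "write", "hour": 10, "ops_per_sec": 3},
    {"path": "/usr/bin/sshd", "op": "write", "hour": 3, "ops_per_sec": 80},
    {"path": "/etc/passwd", "op": "write", "hour": 14, "ops_per_sec": 2},
]

if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        verdict, m = classify(rec)
        print(f"{rec['path']:<24} {verdict:<9} "
              f"Bel(ATTACK)={belief(m, ATTACK):.3f} "
              f"Pl(ATTACK)={plausibility(m, ATTACK):.3f}")
```

The third record shows why the fusion rule matters: one strong feature (a write to /etc/passwd) is contradicted by two weak normal-looking ones, and Dempster's rule leaves Bel(ATTACK) just under 0.5 with Pl(ATTACK) about 0.71, so the detector reports UNCERTAIN rather than a confident miss or false alarm. The conflict check in `combine` is the practical caveat: two sources that fully contradict each other have no defined combination, and a real detector must decide what to do in that case.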

  • 【Online publisher】 复旦大学 (Fudan University)
  • 【Online publication issue】 2011, No. 03
  • 【CLC number】TP393.08
  • 【Citations】1
  • 【Downloads】123