
Research and Implementation of a Linux-Based Multi-Channel Intrusion Detection System

Study and Implementation of Linux-based Multi-intrusion Detection

【Author】 Ma Bo (马博)

【Advisor】 Yuan Ding (袁丁)

【Author information】 Sichuan Normal University (四川师范大学), Computer Software and Theory, 2010, Master's degree

【Abstract (Chinese original, translated)】 With the rapid development of the Internet, computer networks and individual hosts face more and more threats. How to secure the network and the operating system is a key problem. For operating system defense and network intrusion, the first task is the monitoring and filtering of network and operating system information, so that the operating system and network transmission become more secure. A good existing measure on the operating system side is to write the monitoring module into the kernel and load it as a driver; in the network, the monitoring system is placed at key network nodes, where it can filter the relevant traffic more quickly. This is also the most efficient approach taken by firewalls and anti-virus software. In this paper, "multi-channel" in Linux multi-channel monitoring means monitoring the network and the operating system at the same time. Network attacks are monitored comprehensively from the network, the operating system and other aspects; the data produced by monitoring is then trained with the model presented in this paper, and finally rules are generated that can defend against attacks such as network DDoS. Specifically, on the operating system side, this paper improves the Linux Capability module to implement operating system monitoring and secure access control. After the defects of the POSIX.1e capability module are corrected, the improved module is loaded on the Linux Security Module (LSM) framework to monitor and control the operating system kernel layer, completing a series of operations such as process credential privilege arbitration, secure i-node operations and message queue feedback; finally a character device feeds the monitoring information back to the application layer for security control. Experiments show that, compared with other kernel security monitoring schemes that load a capability module, the improved scheme not only improves system running efficiency, monitoring accuracy and system scan coverage to a certain extent, but also shows improved monitoring performance in system resource occupancy and several other indicators. On the network side, monitoring in this paper uses the libpcap library, improves the packet processing method with a semi-polling approach, computes an optimal processing value, and implements high-throughput bypass packet monitoring in promiscuous mode. Attack rules from previous research, such as Snort rules, are added to the module so that known attacks can be detected and the false alarm rate reduced. Under heavy network load, the bypass monitoring principle guarantees the correctness and efficiency of data processing. On Linux, the low-level capture library libpcap handles the monitoring of high packet volumes, capturing data through the network interface device at a bypass point of the network; NAPI is used to implement the device's semi-polling mechanism to speed up processing of data in the buffer, and the optimal bandwidth value is computed and the relevant parameters set to reach the best processing efficiency. At the same time, on the basis of the Snort intrusion detection network platform, packets captured with libpcap are normalized, a Bayesian model is trained on normal data and distributed denial-of-service attack data, and then a back-propagation neural network (BPNN) is used for early-stage data training, so that the trained data optimizes the detection model and generates defense rules. The main advantages of this system are: 1) partial improvements on the Linux system increase the efficiency of existing packet filtering, so that an attack can be rejected before it takes effect on the target side; 2) the adaptive learning mode makes it convenient to re-derive and learn rules in order to guard against new attacks. Experiments show that the improved scheme preliminarily identifies and guards against some unknown attacks, and that attack handling efficiency is also improved.

【Abstract】 As the Internet has developed, computer networks and individual hosts suffer more and more harm. How to establish network and operating system security is a key issue for all users. From the perspective of operating system and network intrusion prevention, the first step is to complete the monitoring and filtering of network and operating system information, making the operating system and network transmission more secure. The present good measure is to load the monitoring module into the operating system kernel as a driver; on the network, the monitoring system should be placed beside the export nodes of the network in order to filter relevant information quickly. This is also the most efficient way for firewalls and other anti-virus software. In this article, "multi-channel" in Linux multi-channel monitoring technology means that the host monitors the network and the operating system at the same time. Monitoring network and operating system attacks from comprehensive aspects makes the existing network environment more secure with a high coverage rate. The system designed in this dissertation has two major modules. The first is the operating system kernel monitoring module, a method to improve the defects of the POSIX.1e standard capability module. Monitoring and control are performed at the operating system kernel layer after the improved module is loaded into the Linux Security Module (LSM) framework. A series of operations are completed, including process credential privilege arbitration, secure i-node operations, information feedback and queue operations. Finally, a character device is used to feed the monitoring information back to the application layer, where security control is performed. Compared with security monitoring models loaded with the original capability module, the experimental results show that the scheme proposed in this paper not only improves the efficiency of system operation, the correctness rate of monitoring and the coverage of system scanning, but also maintains better monitoring performance in system resource occupancy rate and several other parameters. The second is the network monitoring and defense module. The principle of packet monitoring is studied in order to handle high volumes of packets using the underlying capture library libpcap in the Linux operating system. Semi-polling with the New API (NAPI) is also used to speed up the processing of packets in the input buffer. Finally, queuing theory is used to determine the optimal bandwidth value, and the relevant parameters are set to achieve the best efficiency. A Bayesian model is trained on normal data and distributed denial-of-service attack data, and then a back-propagation neural network (BPNN) is used for early-stage data training, so that the training data optimizes the detection model and defense rules can be generated. The main advantages of this system are: first, the improvements to the Linux system enhance the efficiency of the existing packet filtering, so that an attack can be rejected on the target side before it takes effect; second, the self-adaptive learning model facilitates re-deriving and learning rules in order to prevent new attacks. Experimental results demonstrate that the scheme not only increases the rate of packet capture, but also significantly improves the system resource occupancy rate in many figures.
