

Study and Implementation of Intelligent Packet-filtering Firewall

【Author】 吴清锋

【Advisor】 王培东

【Author information】 哈尔滨理工大学 (Harbin University of Science and Technology), Computer Application Technology, 2003, Master's thesis

【Abstract (translated from the Chinese)】 With the rapid development of network technology and the wide spread of the Internet, network security problems have become increasingly prominent. The firewall is the first barrier of network security, and using it properly improves a network's ability to resist hacker attacks and the security of the system. In recent years network attack techniques have changed considerably in both scale and method, and traditional packet-filtering firewalls show many shortcomings when facing modern attacks:

1. Traditional packet-filtering firewalls filter network traffic according to predetermined filtering rules, blocking illegitimate access while letting legitimate access through. This makes it hard to keep up with the integrated and complex character of modern attack techniques.
2. Formulating a network security policy and configuring filtering rules require comprehensive, in-depth expert knowledge of the domain, yet network security experts are extremely scarce. On one hand, ordinary network administrators who lack the experience or knowledge cannot formulate an effective security policy when configuring a firewall, so many security weaknesses remain; on the other hand, this leads to many misconceptions in the deployment and use of packet-filtering firewalls.
3. When a traditional firewall detects an attack it either simply rejects the packets or merely notifies the administrator by e-mail; it has no mechanism for responding to the attack at the moment it occurs.

The evolution of attack techniques challenges the traditional firewall, so firewalls must be improved technically to meet the continually growing demands of network security.

The task of this thesis is to apply intelligent techniques to network security management, propose a packet-filtering firewall system with intelligent features, and verify the system by simulation in a laboratory environment. The thesis first describes the architecture of the intelligent packet-filtering firewall system. The architecture divides the firewall's functions into four layers: packet capture/protocol analysis and decoding, filtering analysis, decision execution, and offline analysis of audit data. Next it gives a formal definition of the system's filtering rules and builds a knowledge base on top of a relational database. With the rules formalized, it proposes a model of the inference engine (推理机) and designs and implements the inference algorithm. It then analyses why data mining is needed in the offline analysis of network audit data and applies the Apriori association-rule algorithm to simulated data. The mining experiments show that applying data mining to offline analysis of audit data can identify unknown types of network attack reasonably well, provides useful information for security experts extracting attack feature patterns, and ultimately strengthens the firewall's ability to withstand attacks. Finally, the next research objectives of the project are set out.

【Abstract】 With the rapid development of network technology and the wide spread of the Internet, network security has become more and more important. The firewall is the first barrier protecting a network, and proper use of a firewall improves the ability to defend against hacker attacks and the security of the system. In the last few years network attack technology has changed greatly in both scale and method, while the traditional packet-filtering firewall has many limitations against modern network attacks:

1. The traditional packet-filtering firewall filters traffic according to rules established beforehand, rejecting illegal access and accepting legal access. It is therefore hard for it to adapt to the comprehensive and complex technology of modern network attacks.
2. Establishing a network security strategy and configuring filtering rules require the profound and rich domain knowledge that experts hold, but in reality network security experts are very scarce. This leads to inefficient firewall configurations set by ordinary network managers who lack the experience and knowledge, so many security vulnerabilities remain; on the other hand, it also leads to many mistakes in the spread and application of packet-filtering firewalls.
3. Traditional firewalls simply reject the packets or inform the network administrator via e-mail when they recognize an attack, so they lack a mechanism for responding to the attack in real time.

The evolution of network attack technology now challenges the traditional firewall, so firewall technology must be improved to meet the demands of continuously developing network security.

The study in this thesis focuses on applying intelligence technology to network security administration. A new kind of packet-filtering firewall system with intelligent characteristics is presented, and it is verified by simulation in a laboratory environment. The thesis first describes the architecture of the intelligent packet-filtering firewall, in which the firewall's functions are divided into four layers: packet capture/protocol analysis and decoding, filtering analysis, decision execution, and offline analysis of audit data. Then the filtering rules of the system are formalized and a knowledge base is built on a relational database. Next the model of the reasoning machine (inference engine) is put forward and its algorithm is designed and implemented. After that, the necessity of introducing data mining into the offline analysis of audit data is discussed, and Apriori, an association-rule algorithm, is applied to the analysis of experimental data. The experimental results show that introducing data mining into offline analysis of audit data can discover unknown types of network attack and provides valuable information for network security experts extracting attack characteristic patterns, so that the firewall's ability to defend against network attacks is enhanced. Finally, further research objectives are presented.
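The formalized filtering rules, the knowledge base held in a relational database, and the first-match inference step described in the abstract can be sketched as follows. This is an added example written for this page, not code from the thesis: the rule schema (priority, protocol, source and destination CIDR, destination port range, action), the in-memory SQLite store, the sample rule set and the shadowed-rule consistency check are all assumptions chosen for illustration. The consistency check goes slightly beyond the abstract: it is the kind of automated sanity check that addresses the "administrators without expert knowledge misconfigure the rules" problem the abstract raises.

```python
"""Added example (not from the thesis): a rule knowledge base in a relational
database (SQLite in memory), a first-match inference step over decoded packet
headers, and a check for rules that can never fire.  Schema, field names,
sample rules and actions are assumptions made for this illustration."""
import ipaddress
import sqlite3

# Assumed relational schema for the rule knowledge base.
SCHEMA = """
CREATE TABLE rules (
    id       INTEGER PRIMARY KEY,
    priority INTEGER NOT NULL,   -- lower value is consulted first
    proto    TEXT    NOT NULL,   -- 'tcp', 'udp', 'icmp' or 'any'
    src_net  TEXT    NOT NULL,   -- CIDR; 0.0.0.0/0 means any
    dst_net  TEXT    NOT NULL,
    port_lo  INTEGER NOT NULL,   -- inclusive destination port range
    port_hi  INTEGER NOT NULL,
    action   TEXT    NOT NULL    -- 'accept', 'drop' or 'alert'
);
"""

# Constructed rule set: web server reachable, internal DNS out,
# telnet attempts raise an alert, everything else is dropped.
SAMPLE_RULES = [
    (1, 10, "tcp", "0.0.0.0/0",      "192.168.1.10/32", 80,  80,    "accept"),
    (2, 10, "tcp", "0.0.0.0/0",      "192.168.1.10/32", 443, 443,   "accept"),
    (3, 20, "udp", "192.168.1.0/24", "0.0.0.0/0",       53,  53,    "accept"),
    (4, 30, "tcp", "0.0.0.0/0",      "192.168.1.0/24",  23,  23,    "alert"),
    (5, 99, "any", "0.0.0.0/0",      "0.0.0.0/0",       0,   65535, "drop"),
]


def build_knowledge_base(rules=SAMPLE_RULES):
    """Load the rule tuples into an in-memory SQLite knowledge base."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO rules VALUES (?,?,?,?,?,?,?,?)", rules)
    conn.commit()
    return conn


def rule_matches(rule, pkt):
    """Does one rule row match a decoded packet header (a dict)?"""
    _, _, proto, src_net, dst_net, lo, hi, _ = rule
    if proto != "any" and proto != pkt["proto"]:
        return False
    if ipaddress.ip_address(pkt["src"]) not in ipaddress.ip_network(src_net):
        return False
    if ipaddress.ip_address(pkt["dst"]) not in ipaddress.ip_network(dst_net):
        return False
    return lo <= pkt.get("dport", 0) <= hi   # ICMP has no port: treat as 0


def decide(conn, pkt):
    """First-match inference: walk rules by priority, return (rule id, action).
    A packet that no rule covers is dropped (fail closed)."""
    for rule in conn.execute("SELECT * FROM rules ORDER BY priority, id"):
        if rule_matches(rule, pkt):
            return rule[0], rule[7]
    return None, "drop"


def _covers(a, b):
    """True if every packet matching rule b also matches rule a."""
    net = ipaddress.ip_network
    return ((a[2] == "any" or a[2] == b[2])
            and net(b[3]).subnet_of(net(a[3]))
            and net(b[4]).subnet_of(net(a[4]))
            and a[5] <= b[5] and b[6] <= a[6])


def shadowed_rules(conn):
    """Knowledge-base consistency check: rules that can never fire because an
    earlier rule already covers every packet they would match.  Returns a list
    of (shadowed id, shadowing id) pairs."""
    rules = list(conn.execute("SELECT * FROM rules ORDER BY priority, id"))
    found = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if _covers(earlier, later):
                found.append((later[0], earlier[0]))
                break
    return found


if __name__ == "__main__":
    kb = build_knowledge_base()
    probe = {"proto": "tcp", "src": "203.0.113.5", "dst": "192.168.1.20", "dport": 23}
    print(decide(kb, probe))      # (4, 'alert')
    print(shadowed_rules(kb))     # []
```

Keeping the rules in a real table rather than a flat file is what lets the inference step and the consistency check share one source of truth; the `alert` action is where the "decision execution" layer would hook in a response instead of only rejecting the packet.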
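The offline Apriori mining of audit data is illustrated below with an added example that is not the thesis's code. The audit records are constructed (one external host probing several ports on the web server, plus ordinary accepted traffic), and the attribute=value encoding, the support and confidence thresholds and the "signature" ranking are assumptions; the algorithm itself is the standard level-wise Apriori search followed by rule generation.

```python
"""Added example (not from the thesis): Apriori association-rule mining over
constructed firewall audit records.  Record encoding, thresholds and the
sample log are assumptions chosen for this illustration."""
from itertools import combinations

# Constructed audit log: one set of attribute=value items per logged packet.
# Records 1-5 are a single external host probing several ports on the web
# server (all dropped); the rest is ordinary accepted traffic.
AUDIT = [
    {"src=203.0.113.5", "dst=192.168.1.10",  "proto=tcp", "dport=21",  "flags=SYN", "action=drop"},
    {"src=203.0.113.5", "dst=192.168.1.10",  "proto=tcp", "dport=22",  "flags=SYN", "action=drop"},
    {"src=203.0.113.5", "dst=192.168.1.10",  "proto=tcp", "dport=25",  "flags=SYN", "action=drop"},
    {"src=203.0.113.5", "dst=192.168.1.10",  "proto=tcp", "dport=110", "flags=SYN", "action=drop"},
    {"src=203.0.113.5", "dst=192.168.1.10",  "proto=tcp", "dport=139", "flags=SYN", "action=drop"},
    {"src=192.168.1.7", "dst=198.51.100.20", "proto=tcp", "dport=80",  "flags=SYN", "action=accept"},
    {"src=192.168.1.8", "dst=198.51.100.20", "proto=tcp", "dport=443", "flags=SYN", "action=accept"},
    {"src=192.168.1.7", "dst=198.51.100.53", "proto=udp", "dport=53",  "action=accept"},
    {"src=192.168.1.9", "dst=198.51.100.20", "proto=tcp", "dport=80",  "flags=SYN", "action=accept"},
    {"src=203.0.113.9", "dst=192.168.1.10",  "proto=tcp", "dport=80",  "flags=SYN", "action=accept"},
]


def apriori(transactions, min_support):
    """Level-wise Apriori: return {frozenset itemset: support} for every
    itemset whose support (fraction of records containing it) >= min_support."""
    n = len(transactions)

    def support(itemset):
        return sum(1 for t in transactions if itemset <= t) / n

    level = {frozenset([item]) for t in transactions for item in t}
    level = {s for s in level if support(s) >= min_support}
    frequent = {}
    k = 1
    while level:
        frequent.update({s: support(s) for s in level})
        # Join step: merge frequent k-sets into (k+1)-candidates.  Prune step:
        # keep a candidate only if every one of its k-subsets is frequent.
        candidates = set()
        for a in level:
            for b in level:
                u = a | b
                if len(u) == k + 1 and all(frozenset(sub) in level
                                           for sub in combinations(u, k)):
                    candidates.add(u)
        level = {c for c in candidates if support(c) >= min_support}
        k += 1
    return frequent


def association_rules(frequent, min_conf):
    """Split each frequent itemset into antecedent => consequent and keep the
    rules with confidence = supp(X u Y) / supp(X) >= min_conf.
    Returns (antecedent, consequent, support, confidence) tuples."""
    rules = []
    for itemset, sup in frequent.items():
        for r in range(1, len(itemset)):
            for ante in combinations(itemset, r):
                ante = frozenset(ante)
                conf = sup / frequent[ante]   # every subset of a frequent set is frequent
                if conf >= min_conf:
                    rules.append((ante, itemset - ante, round(sup, 3), round(conf, 3)))
    return rules


def attack_signatures(rules, consequent="action=drop"):
    """Antecedents that predict a drop, best first: candidate attack feature
    patterns an analyst can turn into new filtering rules."""
    hits = [(a, conf) for a, c, _, conf in rules if c == frozenset({consequent})]
    return sorted(hits, key=lambda h: (-h[1], len(h[0]), sorted(h[0])))


if __name__ == "__main__":
    freq = apriori(AUDIT, min_support=0.4)
    for ante, conf in attack_signatures(association_rules(freq, min_conf=0.8))[:5]:
        print(f"{sorted(ante)} => action=drop  (confidence {conf})")
```

On this log the strongest single-item pattern is `src=203.0.113.5 => action=drop` with confidence 1.0, even though no single port appears often enough to be frequent on its own: that is the point of mining the audit data rather than matching signatures, since the scanning host is characterised by a behaviour across records, not by any one packet. In practice the thresholds decide what surfaces, and a pattern this strong on only ten records would still need an analyst's confirmation before it became a rule.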

【Keywords (Chinese)】 Network Security; Firewall; Inference Engine (Reasoning Machine); Knowledge Base; Data Mining
【Key words】 Network Security; Firewall; Reasoning Machine; Data Mining
  • 【CLC number】 TP393.08
  • 【Downloads】 284