

Design and Implementation of Active Network Security Monitor System

[Author] 刘桂栋

[Supervisor] 庄毅

[Author information] 南京航空航天大学 (Nanjing University of Aeronautics and Astronautics), Computer Application Technology, 2008, Master's degree

[Abstract (Chinese)] With the rapid development and growing ubiquity of the Internet, information security is receiving more and more attention. Although people install firewalls and intrusion detection systems on hosts to prevent network intrusion, intruders may still steal or tamper with confidential information by illegal means. Therefore, promptly detecting and controlling illegal behaviour has become an urgent need in network security. The thesis first analyses the shortcomings of existing network security monitoring systems, then studies in depth the intranet illegal-connection prevention monitoring subsystem, the malicious-download prevention monitoring subsystem and the mandatory access control monitoring subsystem. In the illegal-connection prevention subsystem, encryption technology and IP-MAC binding are studied and a corresponding active defence strategy against illegal connection is designed; based on the ARP protocol, a login authentication module and an illegal-host detection and handling module are designed and implemented. In the malicious-download prevention subsystem, HTTP and FTP protocol packets are analysed in detail, traffic detection techniques are studied, and a TDI filter driver is designed and implemented that actively intercepts every user who logs on to a protected host. The mandatory access control subsystem builds on a study of the Bell-LaPadula and Biba models and combines the strengths of both; the author took part in designing a mandatory access control model that satisfies both information confidentiality and information integrity, and a Windows filter driver is implemented that can actively intercept file operations by user processes. For the security problems of a dedicated network, the three main modules of the active network security monitoring system are implemented. Experimental results show that the illegal-connection prevention subsystem can effectively detect illegally connected hosts and cut off their connection to the network; the malicious-download prevention subsystem can actively block users whose download volume exceeds a threshold and can effectively prevent users from downloading protected files; and the mandatory access control subsystem can effectively enforce mandatory access control on the Windows file system.

[Abstract] As the Internet becomes more widely used, more and more attention is being paid to network and information security. The most commonly used methods in network security include installing a firewall or an IDS on a computer, but hackers can still get into the network by other means, so being able to identify what is happening on the network has become an important aspect of network security. This thesis first discusses the weaknesses of existing networks, then designs and implements an Active Network Security Monitor System (ANSMS) for a company network, comprising the Illegal Connection Monitor Subsystem (ICMS), the Malicious Downloading Prevention Monitor Subsystem (MDPMS) and the Mandatory Access Control Monitor Subsystem (MACMS). In the ICMS, encryption technology and IP-MAC binding are studied and an active strategy against illegal connection is designed; an authentication module, a detection module and a closing module are designed and implemented based on the ARP protocol. In the MDPMS, HTTP and FTP packets are parsed and network traffic is measured; a TDI filter driver is designed and implemented that actively intercepts connecting users. In the MACMS, the author took part in implementing a new access control model based on the Bell-LaPadula and Biba models that takes the advantages of both, and implemented a Windows filter driver that intercepts file operations by processes. According to the characteristics of the special network, the three modules of the ANSMS are implemented.
The research results have been applied several times in the network of a certain department as the project background. They indicate that the ICMS can detect an illegal computer and close its connection; the MDPMS can close the downloads of users who exceed the threshold and prevent protected files from being downloaded; and the MACMS can actively intercept I/O requests, implementing Windows mandatory access control.
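The abstract describes a mandatory access control model that combines Bell-LaPadula (confidentiality) with Biba (integrity). The following added example, which is not code from the thesis and assumes a strict conjunction of both models' rules (the thesis's exact model is not on this page), shows how such a combined decision would be evaluated for the read and write requests a file-system filter driver sees; the level names, labels and the `decide` hook are constructed for illustration.

```python
from dataclasses import dataclass
from enum import IntEnum


class Conf(IntEnum):
    """Bell-LaPadula confidentiality levels (constructed lattice)."""
    UNCLASSIFIED = 0
    CONFIDENTIAL = 1
    SECRET = 2


class Integ(IntEnum):
    """Biba integrity levels (constructed lattice)."""
    LOW = 0
    MEDIUM = 1
    HIGH = 2


@dataclass(frozen=True)
class Label:
    conf: Conf
    integ: Integ


def can_read(subject: Label, obj: Label) -> bool:
    """Read is allowed only if BOTH models allow it (assumed combination):
    BLP simple security: subject clearance >= object classification (no read up);
    Biba simple integrity: subject integrity <= object integrity (no read down)."""
    return subject.conf >= obj.conf and subject.integ <= obj.integ


def can_write(subject: Label, obj: Label) -> bool:
    """Write is allowed only if BOTH models allow it (assumed combination):
    BLP *-property: subject clearance <= object classification (no write down);
    Biba *-property: subject integrity >= object integrity (no write up)."""
    return subject.conf <= obj.conf and subject.integ >= obj.integ


def decide(subject: Label, obj: Label, op: str) -> bool:
    """Hypothetical hook a filter driver would call per I/O request.
    Unknown operations are denied so the check fails closed."""
    if op == "read":
        return can_read(subject, obj)
    if op == "write":
        return can_write(subject, obj)
    return False


if __name__ == "__main__":
    proc = Label(Conf.SECRET, Integ.MEDIUM)        # constructed user process
    public_doc = Label(Conf.UNCLASSIFIED, Integ.HIGH)
    print(decide(proc, public_doc, "read"), decide(proc, public_doc, "write"))
```

Note that the conjunction is deliberately restrictive: a SECRET/MEDIUM process may read a trusted public file but not write to it, and may write to a SECRET/LOW file but not read it.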
