中国科学院软件研究所机构知识库
Title: Research and Practice on Key Technologies of Intrusion Detection (original Chinese title: 入侵检测若干关键技术的研究与实践)
Author: 张新宇
Defense date: 2007-01-16
Degree-granting institution: Institute of Software, Chinese Academy of Sciences
Place of conferral: Institute of Software
Degree: Doctorate
Keywords: intrusion detection; cooperative concealment; self-propagation; detection framework; Trojan horse; network worm; honeypot
Alternative title: Research and Practice on Key Technologies of Intrusion Detection
Abstract (translated from the Chinese): Intrusion detection is an important component of research on information security protection. This thesis focuses on key technologies in intrusion detection, namely Trojan horse detection, worm detection, active deception defense, and detection and defense frameworks, and implements several prototype systems on the LINUX platform. The results obtained are as follows.
(1) Through a study of the concealment properties of Trojan horses, the idea of cooperative concealment between Trojan horses is proposed and given a formal description. A prototype Trojan horse embodying cooperative concealment was implemented on LINUX. In feasibility tests the prototype evaded detection by two mainstream intrusion detection systems and three Trojan horse scanners, verifying the effectiveness of real-time detection-evasion techniques and network covert channels.
(2) A Multi-level Protection Framework for Detecting and Defending against Trojan Horses (MPFD2TH) is proposed. Because there is no general algorithm for Trojan horse detection, MPFD2TH protects the objects targeted by Trojan horses at different levels and monitors the activity of each object in a targeted way. MPFD2TH combines several techniques and covers the entire lifetime of a Trojan horse attack. Its targeted approach and broad coverage give it good application prospects.
(3) Honeypot technology is studied systematically from the perspective of active defense. A signature extraction algorithm is proposed, and a honeypot that automatically acquires intrusion patterns is implemented. This honeypot embodies active defense: it can simulate network topologies and multiple operating systems to disrupt attacks; it applies pattern matching to multiple parts of a protocol to generate intrusion detection signatures automatically; and it supports the Simple Network Management Protocol, so it can be integrated into existing security protection systems and support cooperative defense.
(4) Based on an analysis of worm propagation characteristics, a new algorithm for cooperative worm detection in the local network is proposed. The algorithm focuses on the behavior of scanning worms in the local network and applies different processing methods to different behavioral characteristics. By coordinating these methods it issues early-warning information that reveals worm activity in the local network; the level of a warning reflects the confidence of the alarm. Experiments show that the method can accurately and quickly detect scanning worms intruding into the local network, and the extracted worm behavior patterns can supply signatures of unknown worms for cooperative defense.
(5) An active detection-in-depth framework is proposed. It targets large-scale networks; it has multi-level monitoring centers in a distributed architecture; it includes a honeynet and uses active protection techniques to study attacks in depth and identify unknown intrusion behavior; and it represents intrusions as attack trees, which reduces the volume of information transferred between cooperating components and improves system efficiency.
In summary, this thesis studies several key problems in intrusion detection and provides a theoretical foundation and guidance for future work on active security defense and efficient detection of malicious code.
English abstract: Intrusion detection is an important area of computer security. This thesis focuses on several key technologies in intrusion detection, namely Trojan horse detection, worm detection, defense using active deception, and detection frameworks, and develops several prototypes on the LINUX platform. Five principal achievements were obtained. First, through a study of the concealment technology of Trojan horses, the idea of cooperative concealment between Trojan horses is presented, and a formal model of it is given and explained. A kernel Trojan horse prototype built on LINUX, embodying the idea of cooperative concealment, can evade detection by two mainstream intrusion detection systems and three Trojan horse detection tools. The experimental results verify the validity of the techniques of real-time detection evasion and network covert channels. Second, a Multi-level Protection Framework for Detecting and Defending against Trojan horses (MPFD2TH) is proposed. Because there is no general detection method for Trojan horses, MPFD2TH deals separately with the different objects that are prone to Trojan horse attacks, protects them at different levels, and covers the entire lifetime of a Trojan horse. With these characteristics MPFD2TH has a promising future. Third, honeypot technology is studied systematically from the point of view of active defense, and a signature extraction algorithm is presented. A honeypot prototype is implemented that can automatically extract intrusion signatures. This honeypot embodies the idea of active defense: it can disrupt attacks by simulating networks and operating systems, automatically generates attack signatures after checking multiple parts of protocol packets using pattern matching, and can integrate itself into an existing security protection system through its Simple Network Management Protocol interface.
Fourth, a new cooperative approach to the automatic detection of worms using local networks is presented. The algorithm focuses on the characteristics of scanning worms in local networks and uses different methods to cope with different worm behaviors. It coordinates these methods to issue graded alarms that signal worm attacks; the grades reflect the reliability of the alarms. Experiments show that the approach is promising: it can quickly find worm intrusions in local networks and extract signatures of unknown worms that an IDS or firewall can use to prevent further worm threats. Fifth, an active, detection-in-depth framework is presented. It collects information from large-scale networks and has multiple levels of monitoring consoles distributed across the network. It can recognize unknown intrusion patterns because it is equipped with honeynets, which are suited to analyzing intrusion behavior thoroughly using active defense technology. By using attack trees to express detection goals, it reduces the information exchanged between components and improves detection efficiency. In brief, this thesis has explored several important problems in intrusion detection; its results provide guidelines and foundations for active security defense and efficient detection of malicious code.
Language: Chinese
Content type: Thesis/Dissertation
URI标识: http://ir.iscas.ac.cn/handle/311060/6736
Appears in Collections: Institute of Software, Chinese Academy of Sciences

Files in This Item:
File Name / File Size / Content Type / Version / Access / License
10001_200218015003343张新宇_paper.pdf (1383KB) -- restricted access -- contact the repository to obtain the full text

Recommended Citation:
张新宇. 入侵检测若干关键技术的研究与实践 (Research and Practice on Key Technologies of Intrusion Detection) [D]. Institute of Software, Chinese Academy of Sciences, 2007-01-16.
Items in IR are protected by copyright, with all rights reserved, unless otherwise indicated.
Copyright © 2007-2017 Institute of Software, Chinese Academy of Sciences