Institute of Software, Chinese Academy of Sciences Institutional Repository (ISCAS OpenIR)
Title: Research on Network Intrusion Detection Service Based on a Secure Operating System (基于安全操作系统的网络入侵检测服务研究)
Author: 余文卫
Defense date: 2006-05-29
Degree-granting institution: Institute of Software, Chinese Academy of Sciences
Degree-granting location: Institute of Software
Degree: PhD
Keywords: network intrusion detection; rule conflict; real-time alarm processing; alarm analysis
Other title: Network Intrusion Detection Service Based on Security Operation System
Abstract: As an important dynamic security technology in network security, network intrusion detection systems (NIDS) are used to detect malicious behaviour in networked systems, uncover their latent security risks and improve their security, and have been adopted ever more widely. However, a NIDS itself also has vulnerabilities; as a security component it is exposed to more security threats than an ordinary application, so merely deploying a NIDS in a network and application environment does not necessarily improve security. On the other hand, current NIDS are widely difficult to deploy, manage and maintain, which to some extent limits the breadth and depth of their adoption. Providing a NIDS that is secure, reliable, manageable and easy to deploy and maintain has therefore become a focus of attention. Against this background, this thesis takes the Earth Server secure operating system as its foundation and the Snort intrusion detection system as its core, and, with the aim of providing a secure, reliable, manageable and easy-to-use system, proposes a network intrusion detection service based on a secure operating system. From the perspectives of the foundation for deploying the service, the management and analysis of detection rules, real-time alarm processing and alarm analysis, it analyses the technology and practice of the main aspects of deploying and managing a NIDS. To simplify deployment of the service, the thesis adopts a distributed three-tier architecture that meets the needs of complex, changing applications of some scale. It discusses in detail the security mechanisms provided by the secure operating system, the protection they give the network intrusion detection service, and the related configuration. This work forms the basis for running and managing the service. The network intrusion detection service comprises rule management, real-time alarm processing and alarm analysis. Rules describe the traffic characteristics of network behaviour, and well-formed rules are a precondition for improving detection efficiency and accuracy. The thesis proposes a method for discovering rule conflicts: first a basic algorithm that finds conflicts by pairwise comparison of rules, whose time complexity is exponential. Building on the basic algorithm, an improved algorithm is proposed: relations between rules are defined and represented by a policy tree, the conflict discovery process is described by a conflict state transition graph, and a detection algorithm implemented on the policy tree and the conflict state transition graph improves the time complexity. On top of the conflict detection algorithm, a rule editing algorithm provides suggestions and validation for rule editing. Real-time alarm processing takes timely countermeasures when malicious behaviour is detected, to safeguard the security of the application environment. The thesis proposes an alarm classification scheme and an alarm handling method, which are the prerequisites for real-time alarm processing, and on these two builds a flexible, customisable real-time alarm processing service. To block attacks promptly during alarm handling, the thesis uses the packet filtering provided by the firewall: an agent program coordinates the intrusion detection and firewall software, extracts the data of the malicious behaviour from the detection results, constructs firewall rules and deploys them to the firewall, achieving an active, real-time response to attacks. Finally, the thesis proposes a method for analysing alarm data. Alarm data not only record malicious behaviour but also contain information about the latent security risks and threats of the network and application environment; how to extract this information and improve the security of the application environment is the concern of alarm analysis. Using statistics-based and clustering-based analysis techniques, the thesis finds useful information in the alarm data and points the way to continuously improving the security of the application environment.
English abstract: As an important dynamic network security technology, the Network Intrusion Detection System (NIDS), which is used to detect malicious acts and discover potential security risks, has been deployed more and more widely. However, a NIDS also has security vulnerabilities, and as a security component it is more exposed to attack than a general application. On the other hand, the cost of installing, maintaining and managing a NIDS is high. Therefore, the requirement to provide a NIDS that is safer, more reliable, manageable and easier to deploy and maintain is urgent. Against this background, this paper proposes a manageable and easy-to-use network intrusion detection service that takes the Earth Server security operating system as its foundation and uses Snort as the core of network intrusion detection. Covering the deployment of the NIDS, rule analysis, real-time alarm processing and alarm analysis, this paper discusses and analyzes the main technology and practice of deploying and managing a NIDS. This paper designs a distributed three-layer architecture to simplify the deployment of the network intrusion detection service, which is also suitable for changing, complicated and large-scale network environments. The security mechanisms of the security operating system, the protection they give the network intrusion detection service and the related configuration are then introduced. These form the basic environment needed to run and manage the network intrusion detection service. The network intrusion detection service includes rule analysis, real-time alarm processing and alarm analysis. Firstly, a rule describes the characteristics of network traffic, and a well-defined rule is a precondition for improving the efficiency and accuracy of intrusion detection.
By defining the relation between rules and expressing it as a policy tree, and by describing the process of conflict detection with a conflict state transition graph, this paper presents an improved rule conflict detection algorithm that performs better than the basic algorithm, which compares every pair of rules. Secondly, this paper implements a rule editing algorithm that offers suggestions and validation on the basis of the conflict detection algorithm. Thirdly, it presents an alarm classification technique and an alarm processing method, which are the prerequisites for real-time alarm processing that takes measures to block malicious acts when an attack occurs. Fourthly, this paper constructs an agent program that coordinates intrusion detection and the firewall: it acquires attack information from the intrusion detection system, then forms firewall rules and deploys them to the firewall to implement an active, real-time response to the attack. Finally, this paper presents a method for analyzing alarm data based on statistical and alarm clustering techniques. Alarm data not only record malicious acts but also include information about the security risks and threats of the application environment, so analyzing alarm data can extract this information, make suggestions for improving security, and thereby continuously improve the security of the application environment.
Language: Chinese
Content type: Dissertation
URI: http://ir.iscas.ac.cn/handle/311060/7478
Appears in Collections: Institute of Software, Chinese Academy of Sciences

Files in This Item:
File Name: 10001_200428015029068余文卫_paper.doc
File Size: 1767KB
Content Type: --
Version: --
Access: restricted
License: --
Full text: contact the repository to obtain the full text

Recommended Citation:
余文卫. Research on Network Intrusion Detection Service Based on a Secure Operating System (基于安全操作系统的网络入侵检测服务研究) [D]. Institute of Software, Chinese Academy of Sciences. 2006-05-29.
Items in IR are protected by copyright, with all rights reserved, unless otherwise indicated.
Copyright © 2007-2017 Institute of Software, Chinese Academy of Sciences