Research on a Mobile-Agent-Based Distributed Intrusion Detection System
Abstract
As demand for computer network security keeps growing, traditional firewall technology and single-host intrusion detection can no longer fully meet the need for intrusion defense, and distributed intrusion detection has become an important research direction. Traditional distributed intrusion detection models, however, suffer to varying degrees from high network load, long response latency, poor scalability and single points of failure. Meanwhile, mobile agent technology, an emerging technology in computer science, has brought major innovation to distributed computing through its distinctive migration and autonomy; with the development and application of intrusion detection, mobile agents have also been introduced into research on distributed intrusion detection.
This thesis first summarizes the state of research and results in intrusion detection, introduces the relevant distributed systems and key technologies, the basic concepts and architecture of mobile agents, and the advantages of mobile agent technology for intrusion detection, and finally analyzes existing typical mobile agent systems. The thesis partitions the network into domains and, on that basis, proposes a mobile-agent-based distributed intrusion detection model. In the model, the division into static agents and mobile agents keeps computation over audit data at its source and so reduces additional network load; the division into domains removes the system's single point of failure and makes the system easy to extend; the cooperative detection task of the whole system is distributed across the domain management servers, avoiding the high load of centralized computation; for fault tolerance, the thesis proposes an improved fault-tolerance model and algorithm: when a domain management server fails, its static agents and mobile agents can join another management server and continue their tasks, giving the system high reliability.
The thesis also studies the existing rule-based reasoning FPN (Fuzzy Petri Net) misuse intrusion detection algorithm. To improve the performance of the reasoning computation, a new algorithm is proposed and compared analytically with the existing one; the new algorithm improves the generality and speed of reasoning. On this basis, targeting the intrusion detection alarm threshold, the thesis proposes a threshold-based improved FPN algorithm and analyzes it. To verify the effectiveness of the proposed algorithms, the MYCIN algorithm and the two algorithms of this chapter were implemented and compared experimentally; the results show that the proposed algorithm performs somewhat better than MYCIN, and that the threshold-based improved FPN algorithm also performs somewhat better than the FPN algorithm.
Finally, the thesis uses Snort to extract data from network segments and implements, on the IBM Aglets mobile agent platform, a prototype distributed intrusion detection system based on the proposed algorithms and mobile agents. Testing of the prototype shows that the system can detect distributed scans, and that after a domain management server fails, its static agents can join another domain management server and continue working.
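As an added illustration of the rule-based FPN misuse reasoning and alarm threshold described above (example code, not the thesis's own algorithm or prototype): a small forward-reasoning engine using the standard fuzzy Petri net semantics of Chen et al., where a transition fires when every input place holds a token value at or above its threshold λ and the output token is the minimum input value times the rule's certainty factor. The rules and fact values describing a distributed scan are constructed for this example, and the alarm-threshold pruning step is my own assumption about one way a threshold can cut the reasoning, not the thesis's improved algorithm.

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    """One FPN transition: inputs -> output, with certainty factor cf and firing threshold lam."""
    inputs: Tuple[str, ...]
    output: str
    cf: float          # certainty factor (0..1) of the rule
    lam: float = 0.0   # lambda: every input token must be >= lam for the transition to fire


def fpn_reason(facts: Dict[str, float], rules: List[Rule],
               alarm_threshold: Optional[float] = None) -> Dict[str, float]:
    """Forward reasoning over a fuzzy Petri net (Chen et al. semantics).

    Fires enabled transitions until no token value changes, keeping the maximum
    value for a place reachable by several rules. Values only shrink along a
    chain (min of inputs times cf <= 1), so a derived value below the alarm
    threshold can never be raised by later rules; when alarm_threshold is given,
    such conclusions are pruned (an assumption for this example, not the thesis's algorithm).
    """
    tokens = dict(facts)
    changed = True
    while changed:
        changed = False
        for r in rules:
            # Every input place must carry a token at or above the rule's lambda.
            if not all(p in tokens and tokens[p] >= r.lam for p in r.inputs):
                continue
            value = min(tokens[p] for p in r.inputs) * r.cf
            if alarm_threshold is not None and value < alarm_threshold:
                continue  # can never contribute to an alarm: skip this conclusion
            if value > tokens.get(r.output, 0.0):
                tokens[r.output] = value
                changed = True
    return tokens


def raise_alarm(tokens: Dict[str, float], goal: str, threshold: float) -> bool:
    """Alarm when the goal place's certainty reaches the alarm threshold."""
    return tokens.get(goal, 0.0) >= threshold


# Constructed example: fuzzy evidence (0..1) from one network segment and three rules.
FACTS = {"many_syn_from_one_source": 0.9, "many_distinct_dst_ports": 0.8,
         "several_source_hosts": 0.6, "syn_without_ack": 0.3}
RULES = [
    Rule(("many_syn_from_one_source", "many_distinct_dst_ports"), "port_scan", cf=0.9, lam=0.5),
    Rule(("port_scan", "several_source_hosts"), "distributed_scan", cf=0.95, lam=0.5),
    Rule(("syn_without_ack",), "stealth_probe", cf=0.8, lam=0.5),  # not enabled: 0.3 < lam
]

if __name__ == "__main__":
    result = fpn_reason(FACTS, RULES)
    print(result, "alarm:", raise_alarm(result, "distributed_scan", 0.5))
```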