Research and Design of a High-Volume DDoS Defense System Based on Traffic Diversion
Abstract
The Internet is the hallmark of the information age. Its rapid growth has brought society enormous wealth, but also increasingly serious security problems. With the widespread adoption of electronic commerce in particular, network attacks have become an important factor in network security, and DDoS attacks, the hardest to defend against, are drawing more and more attention from computer researchers.
     Faced with a DDoS attack, a firewall can only block access statically, and an intrusion detection system (IDS), although it can detect intrusions dynamically, cannot block the attacks it detects. This gave rise to the intrusion prevention system (IPS), which combines a firewall with an intrusion detection system and can actively block detected intrusions. A traditional IPS sits in-line (in series) in the network; under DDoS attack it raises the network's risk of a single point of failure, and its own performance has a large effect on network performance. On gigabit high-speed networks in particular, performance has become the primary bottleneck of IPS systems.
     Drawing on the latest developments in network security research at home and abroad, this thesis proposes a high-volume DDoS intrusion prevention system based on traffic diversion. The system extends the traditional IPS model of combining a firewall with an intrusion detection system: the IPS is moved from an in-line (series) to an out-of-path (parallel) deployment, and traffic is diverted to it, so that even if the IPS fails the network is unaffected. Traffic diversion reduces the load on the system and improves its performance. Besides the network intrusion prevention capability of an IPS, the system also has forensic (evidence collection) capability. Its distributed design can meet the processing demands of intrusion detection on high-speed networks.
     While describing the architecture of the distributed high-speed network intrusion prevention system, the thesis also gives a detailed account of the relevant implementation techniques and of the implementation of each part of the system. The system is built from dedicated high-speed network interface cards combined with general-purpose operating system software, which solves the performance problems common to IPS systems while preserving scalability.
     Finally, the thesis summarizes the traffic-diversion-based high-speed network DDoS intrusion prevention system, offers suggestions for further work, and looks ahead to the development of intrusion prevention systems and of security technology in general.
The evolution of the Internet has brought wealth to the human community, along with security problems. Network attacks have become one of the most important fields in computer technology because of the popularization of e-commerce. The hardest attack to prevent is the DDoS attack, so researchers are putting more focus on security technologies.
     Faced with a DDoS attack, most security-related products are passive. Firewalls only block access statically. Intrusion detection systems can detect intrusions dynamically, but fail to block the intrusions they detect. Thus a new concept, the IPS (Intrusion Prevention System), was introduced. Integrating a firewall with an IDS, the IPS can actively block detected intrusions. However, a traditional IPS is linked in series with the network; when a high-volume DDoS attack starts on a high-speed network, the IPS adds a point of failure, and its performance greatly impacts network performance. Especially on gigabit high-speed networks, performance is the major bottleneck of IPS systems.
     Based on current research work on security, this thesis extends the current concept of the IPS and presents an IPS that prevents DDoS attacks on high-speed networks based on traffic diversion (the author's term is "stream traction"). Different from a traditional IPS, it is more than a firewall integrated with an IDS: unlike a general IPS, this IPS is linked in parallel with the network. It uses traffic diversion to decrease the system load and improve performance, so that if the IPS fails, the network is not affected. It also has evidence (probe) collection capability.
     The thesis introduces the architecture of the traffic-diversion IPS on high-speed networks and presents implementation details and related techniques. The integration of specially designed hardware and general operating system software provides maximum scalability and interoperability without impacting network performance. This system addresses DDoS attacks.
     Finally, the thesis summarizes the traffic-diversion-based IPS and presents suggestions for future work.