Pattern-Matching-Based Intrusion Detection System
Abstract (translated from the Chinese)
In view of the current state of computer network security, this dissertation studies and designs a network-based (as opposed to host-based) computer network intrusion detection system that can be used within a distributed intrusion detection system and carries a simple expert knowledge base: the pattern-matching-based intrusion detection system.

The dissertation introduces the classification of intrusion detection systems and compares the two commonly used detection techniques, anomaly detection and pattern detection, in terms of their detection approach and detection effectiveness, leading to an attack-signature pattern-matching intrusion detection system combined with an expert knowledge system. Following the Common Intrusion Detection Framework (CIDF), the attack-signature pattern-matching intrusion detection system is divided into four functional modules, event generators, event analyzers, response units and event databases, each of which is described in turn. A distributed architecture for the attack-signature pattern-matching intrusion detection system is also proposed, embodying the idea of distributed monitoring with centralized management.

The attack-signature pattern expert knowledge base is the core of the attack-signature pattern-matching intrusion detection system. The dissertation establishes the principle for formulating attack signature patterns, namely the trade-off between matching precision and matching speed; it illustrates the extraction of attack signature patterns with concrete examples for the HTTP and FTP protocols and lists a number of attack signature patterns; the author also defines an attack signature pattern description language that expresses each extracted attack signature pattern as a rule in the attack-signature pattern expert knowledge base.

The dissertation systematically presents a detailed design scheme for an intrusion detection system based on attack signature pattern matching, offering an approach and a scheme for the design of similar systems. Several key modules, the protocol processing module, the attack signature pattern matching module, the logging module and the intrusion response module, are described in some detail. The matching algorithm of the attack signature pattern matching module is also explored, and a fast attack signature pattern matching algorithm based on finite state machines is proposed, which achieves good results.
Abstract (author's English version)
According to the current security problems of computer networks, this dissertation explores a network-based Intrusion Detection System, called the Signature-based Pattern-matching Intrusion Detection System, which can work within Distributed Intrusion Detection Systems and has a simple Expert Knowledge Database of Attack Signature Patterns, and studies its design in the domain of intrusion detection on computer networks.

This dissertation introduces the classes of Intrusion Detection Systems and studies the different ways in which Anomaly Detection and Pattern Detection detect intrusions. Subsequently, a Signature-based Pattern-matching Intrusion Detection System combined with an Expert Knowledge System is suggested. According to the CIDF (Common Intrusion Detection Framework) standard model, the author divides the Pattern-matching Intrusion Detection System into four functional modules, Event generators, Event analyzers, Response units and Event databases, and explains each of them. The dissertation also provides a Distributed Intrusion Detection System framework to realize distributed detection with centralized management.

The Expert Knowledge Database of Attack Signature Patterns is the core of the Signature-based Pattern-matching Intrusion Detection System. The dissertation establishes the principle for specifying Attack Signature Patterns, the balance between precision and speed of matching, and presents examples of distilling Attack Signature Patterns for the HTTP and FTP protocols. The dissertation also introduces a description language for the Attack Signature Patterns that compose the Expert Knowledge Database of Attack Signature Patterns.

The dissertation systematically puts forward a detailed design scheme for a Signature-based Pattern-matching Intrusion Detection System, which may serve as a guide for similar systems. Great emphasis is placed on key modules such as the Protocol Processing module, the Pattern-matching module, the Log module and the Intrusion Response module. In addition, the author discusses the matching algorithm of the Pattern-matching module and presents one based upon finite automata, which is applied in some products.
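As an added illustration of the finite-state-machine matching approach described above (example code written for this page, not the dissertation's own): each protocol's signatures are compiled into one Aho-Corasick automaton, so a reassembled payload is scanned in a single pass however many rules the knowledge base holds. The rule tuple format, the rule ids and the sample payloads are constructed assumptions, not the dissertation's description language.

```python
from collections import deque

# Constructed rule set, not the dissertation's own description language:
# (rule id, protocol, byte pattern, alert message).
RULES = [
    ("R1", "http", b"../..", "HTTP directory traversal attempt"),
    ("R2", "http", b"%00", "HTTP null byte in request"),
    ("R3", "ftp", b"SITE EXEC", "FTP SITE EXEC command"),
]

class SignatureAutomaton:
    """Aho-Corasick FSM: all patterns of one protocol are compiled into one
    automaton, so a payload is scanned once regardless of the rule count."""
    def __init__(self, rules):
        self.goto, self.fail, self.out = [{}], [0], [[]]  # per-state tables
        self.rule = {rid: (len(pat), msg) for rid, _, pat, msg in rules}
        for rid, _proto, pat, _msg in rules:            # 1. build the trie
            s = 0
            for b in pat:
                if b not in self.goto[s]:
                    self.goto.append({}); self.fail.append(0); self.out.append([])
                    self.goto[s][b] = len(self.goto) - 1
                s = self.goto[s][b]
            self.out[s].append(rid)
        queue = deque(self.goto[0].values())  # 2. failure links by BFS (depth-1 -> root)
        while queue:
            r = queue.popleft()
            for b, s in self.goto[r].items():
                queue.append(s)
                f = self.fail[r]
                while f and b not in self.goto[f]:
                    f = self.fail[f]
                self.fail[s] = self.goto[f].get(b, 0)
                self.out[s] = self.out[s] + self.out[self.fail[s]]  # inherit suffix matches

    def scan(self, payload):
        """Single left-to-right pass; returns (rule id, start offset) per hit."""
        s, hits = 0, []
        for i, b in enumerate(payload):
            while s and b not in self.goto[s]:
                s = self.fail[s]
            s = self.goto[s].get(b, 0)
            hits += [(rid, i - self.rule[rid][0] + 1) for rid in self.out[s]]
        return hits

# One automaton per protocol: the protocol-processing stage selects which
# subset of the knowledge base a reassembled payload is checked against.
AUTOMATA = {p: SignatureAutomaton([r for r in RULES if r[1] == p])
            for p in {r[1] for r in RULES}}

def detect(protocol, payload):
    """Alerts for one payload as [(rule id, message, offset)]; [] for unknown protocols."""
    fsm = AUTOMATA.get(protocol)
    return [(rid, fsm.rule[rid][1], off) for rid, off in fsm.scan(payload)] if fsm else []
```

Calling `detect("http", b"GET /../../etc/passwd HTTP/1.0\r\n")` yields a single R1 alert at offset 5, while the same bytes presented as FTP traffic yield nothing, since only HTTP rules are compiled into the HTTP automaton.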