Research on an Intrusion Detection System with Active Defense Capability
Published: 2019-01-02 09:05
[Abstract]: An intrusion detection system usually consists of four parts: an event generator, an event analyzer, a response unit and an event database. Of these, the event analyzer is the key part of intrusion detection technology. In the event analyzer of a network intrusion detection system, every packet captured from the network must be analyzed and matched, which consumes a great deal of time and system resources. Most existing network intrusion detection systems reach detection speeds of only tens of megabits per second; as 100 Mbps and even Gigabit networks come into widespread use, detection speed has fallen far behind network speed. To address this detection-speed bottleneck, we improved the AC-BM algorithm. Besides the intrusion detection system, our computers may also run other classes of security devices such as firewalls and vulnerability scanners; how these security components exchange information and cooperate to discover, respond to and block attacks bears on the security of the whole system. Detecting spyware and adware is another troublesome problem. To address these issues we built, on top of the improved AC-BM algorithm, an active defense module with active defense capability.
The thesis first introduces the concept and model of a general intrusion detection system and the classification of intrusion detection techniques. It then describes the CIDF model of network intrusion detection systems and the weaknesses and limitations of intrusion detection, which lead to the significance, current state and background of our research. It explains the principle of data acquisition: because the packet capture was implemented on Linux with the Libpcap library, the relevant Libpcap functions and data structures are introduced, with emphasis on the packet capture program and its experimental results. It briefly introduces the four-layer TCP/IP model, the datagram encapsulation process, and the formats and data structures of IP, TCP and related protocols, which are essential for datagram protocol analysis and payload analysis; the emphasis, however, is on the principle of data analysis, module design and program implementation, ending with the experimental data. We improved an algorithm ourselves: the thesis focuses on how the AC-BM algorithm was improved, its working principle, and a detailed account of its implementation, test results and analysis of the results. An active defense module is assembled to realize multi-layered defense in depth and interoperation with other security devices, and the functions of anti-scan detection, anti-spyware and anti-adware are explored. Finally, conclusions are drawn and the work that remains to be improved is described.
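The abstract's central claim is that per-packet signature matching in the event analyzer is the throughput bottleneck and that a multi-pattern automaton (the AC half of AC-BM) removes it. The following Python block is an added example, not code from the thesis: it builds a classic Aho-Corasick automaton over a constructed signature list and scans constructed packet payloads in one pass each, alongside a naive per-signature `bytes.find` scan for comparison. The improved AC-BM variant the thesis describes (Boyer-Moore style skipping on top of the automaton) is not reproduced; `SIGNATURES`, `PACKETS`, `naive_scan` and `scan_packets` are all assumptions made for this example.

```python
from collections import deque


class AhoCorasick:
    """Multi-pattern byte matcher (classic Aho-Corasick automaton).

    All signatures are compiled into one trie with failure links, so a
    payload is scanned in a single left-to-right pass regardless of how
    many signatures are loaded. This is the 'AC' half of AC-BM; the
    Boyer-Moore skip heuristics of the thesis' improved variant are not
    reproduced here.
    """

    def __init__(self, patterns):
        self.patterns = [p for p in patterns if p]   # drop empty signatures
        self.goto = [{}]    # state -> {byte value: next state}
        self.fail = [0]     # state -> failure (longest proper suffix) state
        self.out = [[]]     # state -> indices of patterns ending in this state
        for idx, pat in enumerate(self.patterns):
            state = 0
            for b in pat:   # iterating bytes yields ints
                nxt = self.goto[state].get(b)
                if nxt is None:
                    self.goto.append({})
                    self.fail.append(0)
                    self.out.append([])
                    nxt = len(self.goto) - 1
                    self.goto[state][b] = nxt
                state = nxt
            self.out[state].append(idx)
        # Breadth-first pass to fill failure links. Depth-1 states keep
        # fail = 0; parents are finished before children, so out[fail[s]]
        # is already complete when it is copied into out[s].
        queue = deque(self.goto[0].values())
        while queue:
            r = queue.popleft()
            for b, s in self.goto[r].items():
                queue.append(s)
                f = self.fail[r]
                while f and b not in self.goto[f]:
                    f = self.fail[f]
                self.fail[s] = self.goto[f].get(b, 0)
                # A signature that is a suffix of this path also matches here.
                self.out[s].extend(self.out[self.fail[s]])

    def search(self, data):
        """Return [(offset, pattern)] for every signature occurrence in data."""
        hits = []
        state = 0
        for i, b in enumerate(data):
            while state and b not in self.goto[state]:
                state = self.fail[state]
            state = self.goto[state].get(b, 0)
            for idx in self.out[state]:
                pat = self.patterns[idx]
                hits.append((i - len(pat) + 1, pat))
        return hits


# Constructed sample signatures and packet payloads (not from the thesis).
SIGNATURES = [b"/etc/passwd", b"passwd", b"cmd.exe", b"<script>"]
PACKETS = [
    b"GET /cgi-bin/../../etc/passwd HTTP/1.0\r\n",
    b"GET /scripts/cmd.exe?/c+dir HTTP/1.0\r\n",
    b"GET /index.html HTTP/1.0\r\n",
]


def naive_scan(patterns, data):
    """Reference scan: one bytes.find() sweep per signature, so the work
    grows linearly with the number of rules (the bottleneck the abstract
    describes)."""
    hits = []
    for pat in patterns:
        pos = data.find(pat)
        while pos >= 0:
            hits.append((pos, pat))
            pos = data.find(pat, pos + 1)
    return hits


def scan_packets(matcher, packets):
    """Return {packet_index: sorted hits} for packets with at least one hit."""
    alerts = {}
    for n, payload in enumerate(packets):
        hits = matcher.search(payload)
        if hits:
            alerts[n] = sorted(hits)
    return alerts


if __name__ == "__main__":
    m = AhoCorasick(SIGNATURES)
    for n, hits in scan_packets(m, PACKETS).items():
        for off, pat in hits:
            print(f"packet {n}: signature {pat!r} at offset {off}")
```

Note that the first packet produces two hits at the same end position, `/etc/passwd` and its suffix `passwd`, because the failure link from the end state of the longer signature points at the end state of the shorter one; a matcher that only reports the longest rule would silently drop the second alert, which matters when rules carry different severities.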
[Degree-granting institution]: Jiangnan University
[Degree level]: Master's
[Year conferred]: 2006
[Classification number]: TP393.08
Document number: 2398300
[Cited by]
Related master's theses (top 1)
1 Zheng Guanzhen; A Network Intrusion Detection System Based on Linux [D]; China University of Petroleum; 2010
Link: https://www.wllwen.com/wenyilunwen/guanggaoshejilunwen/2398300.html