
Research on Reconstructing Attack Scenarios Based on Causal Correlation

(Chinese title: 基于因果关联攻击场景重构的方法研究)

[Author] Luo Ning (罗宁)

[Supervisor] Yu Li (喻莉)

[Author information] Huazhong University of Science and Technology, Communication and Information Systems, 2005, Master's thesis

[Abstract] With the rapid development of the Internet and the arrival of the networked society, networks will pervasively influence politics, economics, culture, military affairs and social life, and information security has become a focus of attention worldwide. Beyond protecting information, attention must also be paid to improving a system's ability to detect intrusions, to respond to events, and to recover quickly after an intrusion has caused damage. Intrusion detection has therefore become an extremely important topic in network security and a rapidly developing field. As a key link in information assurance, intrusion detection addresses problems that traditional protection mechanisms such as access control and authentication cannot. The growing complexity and scale of network systems bring many new challenges and problems to intrusion detection, chiefly: (1) system weaknesses or vulnerabilities are scattered across many hosts in the network, and an intruder may exploit them together to attack the network, which a single traditional IDS designed for a standalone host or a small network cannot adequately detect; (2) Internet worm incidents and distributed denial-of-service attacks show clearly that attacks are moving rapidly toward distributed operation, so that an intrusion is no longer a single action but a set of mutually cooperating actions; (3) the data sources on which intrusion detection relies are dispersed, making it difficult to collect raw detection data; (4) network speeds and traffic volumes keep growing, so centralized processing of raw data often creates a detection bottleneck and causes missed alerts. These factors have driven active research into correlating attack alerts in intrusion detection. Taking a global viewpoint, this thesis first gives a fairly comprehensive classification of intrusion detection techniques and introduces their principles and applications, then analyzes, studies and compares alert correlation techniques in depth. Using the causal relationships implicit between the prerequisites and consequences of attacks, it proposes the concepts of indirect preparation and preparation constraints and explores a method for discovering attacks that were missed between alerts. On this basis it proposes a method for reconstructing attack scenarios, overcoming the defect whereby a single attack plan is fragmented into disconnected scenarios because of missed detections, so that the attack intent cannot be judged accurately and an appropriate response cannot be made. Experimental results show that the causal-correlation-based method proposed here for discovering missed attacks and reconstructing attack scenarios increases the value of correlation techniques and indirectly raises the detection rate of the intrusion detection system, demonstrating that the method is effective.

[Abstract (English)] With the fast development of the Internet and the coming of the network society, networks have deeply influenced politics, economy, culture, the military domain and people's lives. People focus on information security and also pay more attention to improving the detection, response and recovery abilities of an IDS, besides protecting information. Intrusion detection is a new and fast-developing field. It solves some problems that cannot be solved by traditional technology (access control, authentication, etc.). Because of the extreme complexity and extent of network system structures, intrusion detection faces many difficulties, mainly the following: (1) System vulnerabilities and bugs used in an attack are spread across different hosts, which may cause missed detections by traditional IDSs designed for single hosts or small-scale network environments. (2) Worm attacks and DDoS attacks indicate that intrusions are not simple actions but multiple, deliberately cooperating actions. (3) Collecting original data becomes difficult because the data sources are distributed. (4) Faster transfer speeds and much larger network traffic cause a bottleneck when the original data is processed centrally, which leads to missed alarms. Many researchers therefore focus on discovering the relationships between the data of an attack. This paper first classifies intrusion detection technology comprehensively and introduces its principles, then analyzes and compares alert correlation techniques in depth, and proposes the concepts of indirect preparation and preparation constraint, which are based on a causal correlation algorithm and the hidden relationships between the prerequisites and consequences of attacks. Secondly, a reasoning method is introduced to recover and integrate attack scenarios, in order to improve the quality of the recovered results and reduce the false positive and false negative rates.
Experiments demonstrate the effectiveness of our method at discovering missed attacks and recovering attack scenarios, which improves the quality of alert correlation scenarios and, indirectly, the intrusion detection rate.
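The abstracts describe the mechanism only in outline: an alert's prerequisites are matched against the consequences of earlier alerts, and when a prerequisite has no supporting alert a missed attack is hypothesized so that a fragmented scenario can be rejoined. The Python below is an added worked example of that idea, not code from the thesis; the knowledge base, predicate names, sample alerts and host addresses are constructed for the example, predicates are assumed to be scoped per target host, and the single-step hypothesis of a missed attack is this example's reading of "indirect preparation", not the thesis's definition of it.

```python
"""Alert correlation by prerequisites/consequences with a missed-attack hypothesis.

Added illustration, not the thesis's code. KB contents, predicates, sample
alerts and hosts are constructed for the example.
"""
from dataclasses import dataclass, field
from itertools import count
from typing import Dict, List, Set, Tuple

# Hypothetical knowledge base: attack type -> (prerequisites, consequences).
# Every predicate is instantiated on the alert's target host (assumption), so a
# "shell" on one host does not satisfy a prerequisite on another.
KB: Dict[str, Tuple[Set[str], Set[str]]] = {
    "port_scan":      (set(),             {"hosts_known"}),
    "service_probe":  ({"hosts_known"},   {"service_known"}),
    "exploit_rpc":    ({"service_known"}, {"shell"}),
    "install_daemon": ({"shell"},         {"daemon"}),
    "ddos_launch":    ({"daemon"},        {"flood"}),
}

_ids = count(1)

@dataclass
class Alert:
    ts: int                      # timestamp; only relative order matters
    kind: str                    # attack type, a key of KB
    target: str                  # host the attack acts on
    hypothetical: bool = False   # True for a step the correlator inferred
    id: int = field(default_factory=lambda: next(_ids))

Edge = Tuple[int, int]           # (earlier alert id, later alert id)

def correlate(alerts: List[Alert], kb=KB):
    """Link alerts whose prerequisites are met by earlier consequences on the same
    target. If a prerequisite has no supporting alert, hypothesize one missed
    attack type whose consequences supply it and whose own prerequisites are
    already established. Returns (edges, hypothesized_alerts, unsupported)."""
    facts: Dict[Tuple[str, str], List[Alert]] = {}   # (predicate, host) -> alerts
    edges: List[Edge] = []
    hypothesized: List[Alert] = []
    unsupported: List[Tuple[int, str]] = []          # (alert id, predicate)

    def supporters(pred: str, host: str, before: int) -> List[Alert]:
        return [a for a in facts.get((pred, host), []) if a.ts < before]

    def establish(a: Alert) -> None:
        for c in kb[a.kind][1]:
            facts.setdefault((c, a.target), []).append(a)

    for a in sorted(alerts, key=lambda x: x.ts):
        prereqs, _ = kb[a.kind]
        for p in prereqs:
            sup = supporters(p, a.target, a.ts)
            if sup:
                edges.extend((s.id, a.id) for s in sup)
                continue
            # Missed-attack hypothesis: a KB entry that produces p and whose own
            # prerequisites are already true on this host (one step back only).
            for kind, (kp, kc) in kb.items():
                if p in kc and all(supporters(q, a.target, a.ts) for q in kp):
                    h = Alert(ts=a.ts - 1, kind=kind, target=a.target, hypothetical=True)
                    for q in kp:
                        edges.extend((s.id, h.id) for s in supporters(q, a.target, a.ts))
                    establish(h)
                    hypothesized.append(h)
                    edges.append((h.id, a.id))
                    break
            else:
                unsupported.append((a.id, p))
        establish(a)
    return edges, hypothesized, unsupported

def scenarios(alerts: List[Alert], edges: List[Edge]) -> List[Set[int]]:
    """Group alert ids into connected components: one component per scenario."""
    parent = {a.id: a.id for a in alerts}
    def find(x: int) -> int:
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x
    for u, v in edges:
        parent[find(u)] = find(v)
    groups: Dict[int, Set[int]] = {}
    for a in alerts:
        groups.setdefault(find(a.id), set()).add(a.id)
    return list(groups.values())

# Constructed sample: the exploit_rpc alert that would link the probe to the
# daemon install is deliberately absent, standing in for a missed detection.
SAMPLE = [
    Alert(100, "port_scan", "10.0.0.5"),
    Alert(160, "service_probe", "10.0.0.5"),
    Alert(400, "install_daemon", "10.0.0.5"),
    Alert(450, "ddos_launch", "10.0.0.5"),
    Alert(500, "port_scan", "10.0.0.9"),     # unrelated scan of another host
]

if __name__ == "__main__":
    edges, hyps, unsup = correlate(SAMPLE)
    print("edges:", edges)
    print("hypothesized:", hyps)
    print("unsupported:", unsup)
    print("scenarios:", scenarios(SAMPLE + hyps, edges))
```

Without the hypothesis step the five alerts split into three scenarios (scan+probe, daemon+flood, the stray scan); with it, the inferred `exploit_rpc` rejoins the first two into one chain on 10.0.0.5, while the scan of 10.0.0.9 stays separate because predicates are scoped per host. Limiting the inference to one step is a deliberate constraint: each further step multiplies the candidate attack types and quickly turns a helpful reconstruction into speculation.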

  • [Classification] TP393.08
  • [Cited by] 9
  • [Downloads] 266