Node document
Further Analysis Method Based on System Call Anomaly Detection
【Author】 王宇 (Wang Yu)
【Advisor】 刘文予 (Liu Wenyu)
【Author details】 华中科技大学 (Huazhong University of Science and Technology), Communication and Information Systems, 2005, Master's thesis
【Abstract (Chinese)】 With the rapid development of the Internet, computer networks have come to play an increasingly important role in every aspect of society, the economy, culture and daily life. Against this background, the importance of network security has gradually drawn attention and a variety of network security measures and technologies have emerged; among them, intrusion detection occupies the core position in the overall network security architecture. Although people once held many expectations for intrusion detection, as the technology has matured its real functional scope and future direction have gradually become clear. First, intrusion detection research should focus on detecting unknown attacks; second, an intrusion detection system should strengthen its own analytic capability and act as the aggregation point for data collected by various network devices and network security devices, eliminating redundant data and discovering correlations between data. Under current technical conditions, however, these two functions are somewhat in conflict: current methods for discovering correlations between data rest on knowing the preconditions and consequences of known attacks, while current methods for detecting unknown attacks (i.e. anomaly detection) usually cannot supply the preconditions and consequences of an attack. The work in this thesis attempts to resolve the conflict between these two functions, mainly as follows: 1) The working principles of various system-call-based anomaly detection algorithms are analysed in depth, examining the inherent strengths and weaknesses of their principles and their behaviour in various environments. After careful analysis and comparison, automaton-based anomaly detection was found to have a clear advantage in intrusion detection and was therefore chosen as the basis for the subsequent improvements; 2) Targeting the inherent weaknesses of the automaton-based algorithm, two improvements are proposed, a file access distribution model and system call frequency statistics, which strengthen the algorithm's ability to detect denial-of-service attacks, greatly raise its detection rate and lower its false positive rate; 3) Based on the characteristics of various attacks and previous research on attack classification, an attack taxonomy suited to intrusion detection is proposed. Then, building on the improved automaton-based anomaly detection algorithm and combining it with the idea of misuse detection, a follow-up analysis process for anomaly detection results, i.e. the further analysis algorithm, is proposed, which can distinguish
【Abstract】 With the rapid development of the Internet, computer networks have played an increasingly important role in society, the economy, culture and people's lives. Under these circumstances, people have become aware of the importance of network security, and as a result many network security technologies have been invented. Among them, intrusion detection technology has grown to be the core of the network security infrastructure. However, in spite of the many expectations people have held, as this technology gradually matures, the real functions it should cover and the future directions it will follow have become clearer. First, intrusion detection research should focus on the detection of unknown attacks; second, an intrusion detection system should act as the accumulation point for data produced by all kinds of network devices and network security devices, enhance its analytic ability, reduce redundant data and discover relationships between data. Under the current state of technology, however, the first requirement somewhat contradicts the second, because current methods of discovering data relationships are based on knowledge of the preconditions and outcomes of attacks, while current methods of detecting unknown attacks cannot provide such information. This thesis tries to alleviate the contradiction between these two requirements; the main work includes the following: 1) The thesis analyses in depth the principles of several popular system-call-based anomaly detection algorithms, discusses the innate advantages and disadvantages that follow from their principles, and compares their effectiveness under different working conditions. After thorough analysis and comparison, the automaton-based anomaly detection algorithm is considered effective for intrusion detection, so it is selected as the basis for the subsequent improvements; 2) To address the innate disadvantages of the automaton-based anomaly detection algorithm, the thesis proposes several improvements that raise the detection rate and the ability to detect DoS attacks and reduce the false positive and false negative rates; 3) Based on the characteristics of attacks and past research on attack taxonomies, the thesis first proposes an attack taxonomy that fits intrusion detection research. Then, based on the detection results of the improved automaton-based anomaly detection algorithm and the principles of misuse detection, a further analytic process is proposed which can rank attacks by their importance and risk, makes it possible to apply current methods of discovering data relationships to the detection results of anomaly detection algorithms, and allows the two main future directions of intrusion detection to cooperate with each other. The research in this thesis has definite theoretical and practical value in the field of intrusion detection and is a useful reference for designing intrusion detection systems.
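As an added illustration, not code from the thesis, the following Python sketch shows the two-layer idea the abstract describes: a transition automaton learned from normal system-call traces catches unexpected call sequences, and a per-call frequency ceiling (the "system call frequency statistics" improvement) catches DoS-style behaviour made of individually legal transitions. The training traces, the daemon they are meant to represent and the `freq_factor` threshold are constructed assumptions.

```python
from collections import Counter, defaultdict

# Constructed traces of a hypothetical file-serving daemon under normal load
# (assumption for illustration, not data from the thesis).
NORMAL_TRACES = [
    ["socket", "accept", "read", "open", "read", "write", "close", "write", "close"],
    ["socket", "accept", "read", "open", "read", "read", "write", "close", "write", "close"],
    ["socket", "accept", "read", "write", "close"],
]


def train(traces):
    """Learn (a) the set of observed prev->next syscall transitions, i.e. a
    simple automaton, and (b) the highest per-trace count of each syscall."""
    transitions = defaultdict(set)
    max_count = Counter()
    for trace in traces:
        for prev, nxt in zip(trace, trace[1:]):
            transitions[prev].add(nxt)
        for call, n in Counter(trace).items():
            max_count[call] = max(max_count[call], n)
    return {"transitions": transitions, "max_count": max_count}


def analyze(model, trace, freq_factor=4):
    """Return anomaly findings for one trace: every transition the automaton
    never saw, then every syscall whose count exceeds freq_factor times its
    training ceiling (a call never seen in training gets a ceiling of 1)."""
    findings = []
    for prev, nxt in zip(trace, trace[1:]):
        if nxt not in model["transitions"].get(prev, set()):
            findings.append(("unseen_transition", prev, nxt))
    for call, n in Counter(trace).items():
        ceiling = max(model["max_count"].get(call, 0), 1)
        if n > freq_factor * ceiling:
            findings.append(("frequency", call, n))
    return findings


MODEL = train(NORMAL_TRACES)

if __name__ == "__main__":
    # A flood of reads is a legal sequence for the automaton alone; only the
    # frequency layer flags it. An out-of-order open is caught by the automaton.
    print(analyze(MODEL, ["socket", "accept"] + ["read"] * 40 + ["write", "close"]))
    print(analyze(MODEL, ["socket", "accept", "open", "read", "write", "close"]))
```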
【Key words】 System Calls; Anomaly Detection; Misuse Detection; Correlation; Further Analytic Method;
- 【Online publication contributor】 华中科技大学 (Huazhong University of Science and Technology) 【Online publication year/issue】 2006, issue 05
- 【Classification number】 TP393.08
- 【Times cited】 2
- 【Downloads】 137