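Analysis and Research of Intrusion Detection in IPv6 Networks
【Author】 Liu Wen (刘文);
【Advisor】 Zhang Liqun (张立群);
【Author information】 Shandong University, Software Engineering, 2005, Master's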
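【Summary】 In recent years the Internet has developed rapidly worldwide, and our dependence on networks has grown with it, which makes network security very important. As attackers' understanding of network systems deepens and attack tools and techniques become more complex and varied, traditional passive defenses such as simply configuring a firewall are no longer adequate. Intrusion detection, as an active security protection technology, detects malicious intrusions in a timely manner and responds when the network system is endangered. It is a reasonable complement to traditional security technologies such as firewalls, an emerging network security technology, and a current focus of theoretical research in computer network security. Building an efficient, real-time network intrusion detection system for the next-generation Internet IPv6 protocol environment is of great significance. This thesis studies in depth the structural characteristics of the IPv6 protocols of the next-generation Internet and designs a new network intrusion detection system framework based on protocol analysis. Based on the differences between IPv4 and IPv6, and on an analysis of the IPv6 header structure, extension headers, addressing and security mechanisms, it studies and proposes the process of protocol decoding and protocol analysis in an IPv6 environment. Through protocol decoding and analysis, unreasonable code, malicious code and incomplete packets are found in packets collected from the IPv6 network, the characteristics and patterns of intrusion behaviour are then identified, and alerts are output and handled through the action component. Finally, building on a study of the Snort system, the thesis presents a design and implementation method for a protocol-analysis-based network intrusion detection system in an IPv6 environment, and designs and implements the packet capture module, the protocol decoding module, and the scan detection and output modules for IPv6. Compared with traditional pattern-matching algorithms, the main advantages of the system are that it can feed the detection engine for IPv4 and IPv6 networks at the same time, and that it improves detection effectiveness and efficiency.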
【Abstract】 With the fast development of the Internet in recent years, people depend more and more on the network, so the state of network security has become very important. As attackers understand network systems more thoroughly and their tools and methods grow more complex, traditional passive defenses such as firewalls show many disadvantages. As an active defense technology, intrusion detection detects all sorts of malicious attacks in time and responds when the network system is endangered. It is a reasonable supplement to traditional security technology such as firewalls. As a new network security technology, intrusion detection has become a major concern of the network security research field. It is very important to develop an effective, real-time network intrusion detection system for the next-generation IPv6 Internet. In this paper, the structural characteristics of the IPv6 protocols of the next-generation Internet are studied, and a new network intrusion detection system framework is designed based on protocol analysis. According to the differences between the IPv4 and IPv6 protocols, the process of protocol decoding and analysis is studied and put forward, based on an analysis of the IPv6 packet header structure, addresses, extension headers and security mechanisms. Unreasonable code, malicious code and incomplete data packets can be detected in the packets collected from IPv6 networks by protocol decoding and analysis; the characteristics and patterns of network intrusion can then be found and sent to the action output part, which raises and processes the alarms. In the end, based on research into the Snort system, a detailed design scheme and implementation method for a network intrusion detection system based on protocol analysis in IPv6 networks are presented. The modules for packet capture, protocol decoding, scan detection and output are programmed and implemented. Compared with the traditional pattern-matching algorithm, the virtues of this system are that it supplies data to the detection engine for both IPv4 and IPv6 networks and that it improves detection validity and efficiency.
【Key words】 Network Security; Intrusion Detection; IPv6; Protocol Analysis; Scan Detection; Pattern Matching;
- 【Online publication contributor】 Shandong University 【Online publication year and issue】 2006, Issue 07
- 【Classification number】 TP393.08
- 【Downloads】 217