
一种分布式网络入侵防御系统的设计与实现

The Design and Implementation of a Distributed Network Intrusion Prevention System

【Author】 Wang Gang

【Advisor】 Sun Jizhou

【Author information】 Tianjin University, Computer Application Technology, 2007, Master's thesis

【Abstract (translated from the Chinese)】 As distributed cooperative attacks keep emerging, the damage caused by network attacks grows day by day, while the attacks themselves become harder and harder to detect. These developments pose new challenges to network security. Traditional network security technologies include firewalls, intrusion detection and access control; each has its own shortcomings, and when facing the great variety of network attacks it is difficult to ensure network security by relying on any one of them. A dynamic, comprehensive network security defense system is therefore needed, one that integrates the various network security technologies so that the individual security components cooperate, complement one another's strengths and respond in a coordinated (linked) way. This thesis aims to build such a dynamic, comprehensive network intrusion defense system. By analyzing firewall and intrusion detection technology, it studies the linkage between intrusion detection and firewalls. By analyzing the P2DR and PDRR network security models, it derives a dynamic, comprehensive network intrusion defense model. Within the framework of this dynamic model, a distributed network intrusion prevention system is designed and implemented, thereby constructing a dynamic defense system. The system consists of network sensors, host sensors, a policy management center, a console and a linkage response module, arranged in a multi-level distributed architecture. Network sensors are deployed on the protected network segments and host sensors on the protected hosts; each monitors one subnet or one host. The policy management center uses a centralized control model: it receives the alert information from every sensor and controls the sensors. It analyzes the sensors' alerts as a whole, generates linkage rules according to alert level, and through the linkage response module dynamically adds rules to the specific firewall so as to respond to attacks in time. The system integrates intrusion detection with firewall technology, host-based with network-based detection, and misuse detection with anomaly detection, and it defines a unified interface for information exchange between components, giving the system good interoperability and extensibility. Experiments show that the distributed network intrusion prevention system built in this thesis can effectively detect attacks on the network and on hosts and respond to them in real time, and that the distributed dynamic defense architecture lets the system detect complex attacks that a single IDS cannot.

【Abstract (author's English version)】 As distributed cooperative attacks emerge, the damage resulting from attacks is growing, while attacks are becoming more and more difficult to detect. These are the new challenges of network security. Traditional network security techniques include firewalls, intrusion detection and access control, etc. However, they all have disadvantages, so it is quite difficult to rely on one technique to ensure network security when facing a great variety of network attacks. As a result, a comprehensive network security defense system is needed, which integrates different network security techniques to achieve complementary advantages and interactive (linked) defense. This paper aims at constructing a comprehensive network security defense system. Based on an analysis of firewall and intrusion detection techniques, the interaction technique between IDS and firewall is discussed. After an analysis of general network security models such as P2DR and PDRR, a comprehensive network intrusion defense model is derived. Based on the model, a distributed intrusion prevention system is designed and implemented, so that a dynamic network defense system is constructed. The system is divided into network sensor, host sensor, policy management center, console and response module, and is based on a multilevel distributed architecture. Network sensors are deployed in the protected subnets, while host sensors are deployed on the protected computers; each is responsible for a specific subnet or host. The policy management center uses the centralized control pattern, receiving alert messages from each sensor while controlling them. The policy management center comprehensively analyzes the sensors' alert messages, generates linkage rules according to alert level, and then adds the rules to the specific firewall through the response module. The system integrates intrusion detection and firewall techniques, host-based and network-based detection techniques, and misuse detection and anomaly detection techniques, while defining universal interfaces for information exchange between the different modules, so that the system gains excellent interoperability and extensibility. Experiments show that the system can effectively detect network and host attacks, with real-time response. The distributed architecture enables the system to detect complicated attacks which a single IDS cannot detect.

【Keywords】 Network security; Intrusion prevention; Firewall; Linkage
  • 【Online publication submitted by】 Tianjin University
  • 【Online publication year and issue】 2009, No. 04