1
|
- South China University Of Technology
- ExceedTech Group
- Zhi-Zhuo Zhang
- Zhi-Qiang Zhou
- Mao Lin
|
2
|
- In an increasingly computerized and networked world, it is crucial to develop defenses against malicious activity in information systems. One promising approach is to develop computer algorithms that detect when someone is inappropriately intruding on another person's computer. However, intrusion detection is a difficult problem to solve. Many intrusion detection systems (IDS) have been developed, such as Snort, Bro and BSM. There are two general approaches to detection, misuse detection and anomaly detection. However, both have some unavoidable disadvantages. Therefore one promising approach is to develop a system in which the two approaches work together.
|
3
|
- Processor: Pentium III 1 GHz or higher
- Operating System: Win2k, .NET Framework
- Memory: 128 MB minimum, 256 MB or more recommended
- Hard disk: 10 GB minimum, 50 GB or more recommended for statistic files
- User privileges: PowerUser of Win2k
- (Server) SuperAdmin of SQL and IIS
- Network interfaces: one or more Ethernet cards
|
4
|
- Driver Layer
- Application Layer
- Network Layer
- DataAccess Layer
|
5
|
- Firewall (basic firewall functions)
- Communication (communication mechanism)
- Strategy And FeedBack
- Misuse Detection
- Anomaly Detection
|
6
|
|
7
|
- 1. Communicable
- 2. Self-Determinable
- 3. Automanual Learning (automatic learning)
|
8
|
- Outline Design Document
- Acceptance Test Document
- Requirement Analysis Document
- Feasibility Analysis Document
- Client Software
- Server Software
- Driver & Plug-in
|
9
|
- Stateful Inspection
- IP-Regulation (IP rules)
- SafeLevel (security level)
- Connection Surveillance
|
10
|
- 1. WebService Interface (service interface)
- 2. AliveMessage (liveness message)
- 3. BlackList (blacklist mechanism)
- 4. Global Broadcast
- 5. Update (upgrade)
- 6. Remote Manage (remote management)
- 7. Multics Alert System (composite alert system)
- 8. Disaster Recovery
|
11
|
- 1. User-defined Strategy Script
- 2. User-defined Plugins of Event-Action (user-defined event actions)
- 3. Cooperate with the firewall
|
12
|
- 1. Network Based
- 2. Powerful Signature Matching Facility
- 3. Snort & Bro Compatibility Support
- 4. Custom Scripting Plugins
|
13
|
- 1. State-Based Approaches of Anomaly Detection
- 2. Custom Scripting Plugins
- 3. Algorithms Model
- 4. Dynamic Script Compiler (dynamic script compilation)
|
14
|
- 1. NDIS Filter HOOK
- 2. Device IO Control
|
15
|
- 1. .Net Platform
- 2. Packet Filter
- 3. C++ Communicate With Driver (communicating with the driver via C++)
|
16
|
- 1. .NET Remoting Architecture
- (1) WebService
- (2) Remote Object (remote object invocation)
- 2. ASP.NET
- ASP.NET is Microsoft's upgrade to Active Server Pages (ASP). The ASP.NET architecture is woven into the .NET Framework to provide a powerful event-driven programming model. The new code-behind feature allows true separation of code and design. Also, you can write ASP.NET pages in any of the managed languages, and the code is compiled to give high performance.
|
17
|
|
18
|
signature rpc-dcom_servername-overflow
{
  header ip[9:1] == 6
  header tcp[2:2] == 135
  tcp-state originator, established
  requires-signature rpc-dcom_bind-req
  payload /.*\x05\x00\x00.{100,}\x5c\x00\x5c\x00[^\\]{32,}/
  event "RPC DCOM servername stack overflow attempt"
  eval "RPC_DCOM.dll"
}
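The signature above uses Bro-style header conditions: `ip[9:1] == 6` reads one byte at offset 9 of the IP header (the protocol field, 6 = TCP) and `tcp[2:2] == 135` reads two bytes at offset 2 of the TCP header (the destination port). The following Python is an added example, not code from the slides or from Snort or Bro: it parses the `signature`, `header`, `payload` and `event` lines of that block and evaluates them against constructed IPv4/TCP packets. The `tcp-state`, `requires-signature` and `eval` lines are deliberately not evaluated, since they need connection state and the external DLL the slide names; the packet builder and the sample payloads are test fixtures I constructed, not captured traffic.

```python
import re

# Signature text copied from the slide (raw string so the regex escapes survive).
SIGNATURE_TEXT = r'''
signature rpc-dcom_servername-overflow
{
  header ip[9:1] == 6
  header tcp[2:2] == 135
  tcp-state originator, established
  requires-signature rpc-dcom_bind-req
  payload /.*\x05\x00\x00.{100,}\x5c\x00\x5c\x00[^\\]{32,}/
  event "RPC DCOM servername stack overflow attempt"
  eval "RPC_DCOM.dll"
}
'''

NAME_RE = re.compile(r'signature\s+(\S+)')
HEADER_RE = re.compile(r'header\s+(ip|tcp)\[(\d+):(\d+)\]\s*==\s*(\d+)')
PAYLOAD_RE = re.compile(r'payload\s+/(.*)/\s*$')
EVENT_RE = re.compile(r'event\s+"([^"]*)"')


def parse_signature(text):
    """Parse the lines of one signature block into a dict (assumed structure)."""
    sig = {"name": None, "headers": [], "payload": None, "event": None}
    for raw in text.splitlines():
        line = raw.strip()
        m = NAME_RE.match(line)
        if m:
            sig["name"] = m.group(1)
            continue
        m = HEADER_RE.match(line)
        if m:
            proto, off, length, val = m.groups()
            sig["headers"].append((proto, int(off), int(length), int(val)))
            continue
        m = PAYLOAD_RE.match(line)
        if m:
            # Compile as a bytes regex; DOTALL so '.' also matches newline bytes.
            sig["payload"] = re.compile(m.group(1).encode("latin-1"), re.DOTALL)
            continue
        m = EVENT_RE.match(line)
        if m:
            sig["event"] = m.group(1)
    return sig


def split_packet(pkt):
    """Split a raw IPv4/TCP packet into (ip_header, tcp_header, payload)."""
    ihl = (pkt[0] & 0x0F) * 4            # IP header length in bytes
    doff = (pkt[ihl + 12] >> 4) * 4      # TCP data offset in bytes
    return pkt[:ihl], pkt[ihl:ihl + doff], pkt[ihl + doff:]


def matches(sig, pkt):
    """True if every header condition holds and the payload regex matches
    from the start of the TCP payload (Bro anchors payload patterns there)."""
    ip_hdr, tcp_hdr, payload = split_packet(pkt)
    headers = {"ip": ip_hdr, "tcp": tcp_hdr}
    for proto, off, length, val in sig["headers"]:
        field = headers[proto][off:off + length]
        if len(field) != length or int.from_bytes(field, "big") != val:
            return False
    if sig["payload"] is not None and not sig["payload"].match(payload):
        return False
    return True


def build_packet(dport, payload, sport=40000):
    """Constructed IPv4+TCP packet for testing (not a real capture)."""
    ip = bytearray(20)
    ip[0] = 0x45                                  # version 4, IHL 5 words
    ip[2:4] = (40 + len(payload)).to_bytes(2, "big")
    ip[8] = 64                                    # TTL
    ip[9] = 6                                     # protocol = TCP
    ip[12:16] = bytes([10, 0, 0, 1])
    ip[16:20] = bytes([10, 0, 0, 2])
    tcp = bytearray(20)
    tcp[0:2] = sport.to_bytes(2, "big")
    tcp[2:4] = dport.to_bytes(2, "big")
    tcp[12] = 0x50                                # data offset 5 words
    tcp[13] = 0x18                                # PSH|ACK
    return bytes(ip) + bytes(tcp) + payload


# Constructed payloads: one ordinary string, and one synthetic byte string
# shaped only to satisfy the regex (filler bytes, not a real RPC message).
BENIGN_PAYLOAD = b"hello world"
SHAPED_PAYLOAD = b"\x05\x00\x00" + b"A" * 100 + b"\\\x00\\\x00" + b"B" * 32


def demo():
    """Return (signature name, event text, [match results]) for the fixtures."""
    sig = parse_signature(SIGNATURE_TEXT)
    results = [
        matches(sig, build_packet(135, BENIGN_PAYLOAD)),   # port ok, payload no
        matches(sig, build_packet(135, SHAPED_PAYLOAD)),   # both conditions hold
        matches(sig, build_packet(80, SHAPED_PAYLOAD)),    # wrong destination port
    ]
    return sig["name"], sig["event"], results


if __name__ == "__main__":
    print(demo())
```

Because only the header and payload conditions are evaluated, this evaluator would also fire on a packet sent by the responder; a real engine applies the `tcp-state originator, established` and `requires-signature` conditions on top of this, which is why the slide's stateful inspection table and the signature matcher have to cooperate.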
|
19
|
|
20
|
|
21
|
|
22
|
- 1. Build dynamic state tables
- 2. Manage half-open connections
- 3. Maintain UDP connections
- 4. Analyze ICMP state
|
23
|
- First, what do we use to distinguish one session from another? In the simplest terms, a session can be identified by source address, destination address and port number. When a session is opened with a SYN packet, the firewall first compares the packet against the rule base. If the connection request passes, it is added to the stateful inspection table. At this point a timeout value must be set; following the value used by CHECK-POINT FW-1, it is set to 60 seconds. The firewall then expects a returning packet confirming the connection (the ACK packet); when such a packet is received, the firewall sets the connection's timeout to 3600 seconds. The type of the returning reply to the connection request must be checked to confirm that it carries the SYN/ACK flags. When the stateful inspection module sees a FIN or an RST packet, it reduces the timeout from our default of 3600 seconds to 50 seconds. If no packets are exchanged within that period, the entry in the state table is deleted; if packets are exchanged, the period is reset to 50 seconds. As long as communication continues, the connection state is kept alive in 50-second periods. This design avoids some DoS attacks, for example where someone deliberately sends FIN or RST packets in an attempt to tear down these connections.
- (Note: the timeout values follow the standard used by the well-known foreign network-security company Check Point.)
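The session table described on this slide, written out as an added Python example (not the project's .NET or driver code): entries are keyed on the address/port 4-tuple, a SYN that passes the rule base creates an entry with a 60-second timeout, the responder's SYN/ACK raises it to 3600 seconds, a FIN or RST lowers it to 50 seconds, and any further traffic in the closing state refreshes the 50-second window rather than removing the entry. The `Packet` record, the `allowed` callback standing in for the rule base and the injectable clock are my assumptions for the example.

```python
import time
from dataclasses import dataclass

# Timeout values from the slide, in seconds.
SYN_TIMEOUT = 60
ESTABLISHED_TIMEOUT = 3600
CLOSING_TIMEOUT = 50


@dataclass
class Packet:
    """Minimal TCP packet view; the field set is assumed for this example."""
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False
    fin: bool = False
    rst: bool = False


@dataclass
class Entry:
    state: str      # "syn_sent", "established" or "closing"
    expires: float  # absolute time at which the entry is removed


class StateTable:
    def __init__(self, allowed, now=time.time):
        self.allowed = allowed  # rule-base check applied to a new SYN
        self.now = now          # injectable clock so the timers can be tested
        self.table = {}

    @staticmethod
    def key(p):
        # Sessions are distinguished by addresses and ports, as on the slide.
        return (p.src, p.sport, p.dst, p.dport)

    def _lookup(self, p):
        """Return (key, entry, from_responder); entry is None if unknown."""
        k = self.key(p)
        if k in self.table:
            return k, self.table[k], False
        rk = (p.dst, p.dport, p.src, p.sport)
        if rk in self.table:
            return rk, self.table[rk], True
        return k, None, False

    def expire(self):
        """Delete entries whose timeout has elapsed."""
        now = self.now()
        for k in [k for k, e in self.table.items() if e.expires <= now]:
            del self.table[k]

    def handle(self, p):
        """Update the table for packet p and return 'accept' or 'drop'."""
        self.expire()
        now = self.now()
        k, e, from_responder = self._lookup(p)

        if e is None:
            # Only a SYN that passes the rule base may open a session; an
            # unsolicited SYN/ACK or data packet has no entry and is dropped.
            if p.syn and not p.ack and self.allowed(p):
                self.table[k] = Entry("syn_sent", now + SYN_TIMEOUT)
                return "accept"
            return "drop"

        if e.state == "syn_sent":
            # Half-open: the responder must answer with SYN/ACK; nothing else
            # from that side passes until the handshake is confirmed.
            if from_responder:
                if p.syn and p.ack:
                    e.state = "established"
                    e.expires = now + ESTABLISHED_TIMEOUT
                    return "accept"
                return "drop"
            return "accept"  # originator SYN retransmission keeps its timer

        # established or closing
        if p.fin or p.rst:
            e.state = "closing"
            e.expires = now + CLOSING_TIMEOUT
        elif e.state == "closing":
            e.expires = now + CLOSING_TIMEOUT  # traffic continues: refresh
        return "accept"


def demo():
    """Replay a constructed session and return the list of decisions."""
    clock = [1000.0]
    st = StateTable(allowed=lambda p: p.dport == 80, now=lambda: clock[0])
    c2s = dict(src="10.0.0.1", sport=40000, dst="10.0.0.2", dport=80)
    s2c = dict(src="10.0.0.2", sport=80, dst="10.0.0.1", dport=40000)
    out = [st.handle(Packet(**c2s, syn=True))]            # SYN, 60 s timer
    out.append(st.handle(Packet(**s2c, syn=True, ack=True)))  # SYN/ACK, 3600 s
    out.append(st.handle(Packet(**c2s, fin=True)))        # FIN, timer -> 50 s
    clock[0] = 1040.0
    out.append(st.handle(Packet(**c2s, ack=True)))        # within 50 s: refresh
    clock[0] = 1200.0
    out.append(st.handle(Packet(**c2s, ack=True)))        # expired: dropped
    out.append(st.handle(Packet("10.0.0.9", 80, "10.0.0.1", 40001,
                                syn=True, ack=True)))      # unsolicited SYN/ACK
    out.append(st.handle(Packet(**c2s, dport=22, syn=True) if False
                         else Packet("10.0.0.1", 40001, "10.0.0.2", 22, syn=True)))
    return out


if __name__ == "__main__":
    print(demo())
```

The point of refreshing rather than deleting on FIN/RST is the one the slide makes: a forged FIN or RST from a third party only shortens the timer, so a connection that is still exchanging packets survives, while a genuinely closed one ages out after 50 seconds.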
|
24
|
|
25
|
|
26
|
|