Posted on February 8, 2024
Design and Implementation of a High-Performance Active Network Security System

Wen Ouyang1, Kun-Ming Yu2, Wen-Ping Lee3

paper describes the design, implementation and performance of a high-performance security system - Active Network Security Immune System (ANSIS) – s a compatible, ective technique implemented in ANSIS can handle any type of DoS attacks, er, ANSIS not only improve the security of network system substantially, erms—Active Network, DoS, ct—This (DDoS) mple, it can copy the packet, modify the context of packet or reroute it without following the packet’s header. Thus, an a generation of network security system should be able to tackle every part of security work, an r to cope DoS attacks and to solve the problems of current network security system, we proposed and implemented Active Network Security Immune System (ANSIS) which is a new high-detection-rate technique, a new response mechanism, izes network behavior characteristics, individual-driven security rule, tection technique enables ANSIS to cope with any type of DoS, other active network researches, ANSIS adopts the hybrid ore,

n6UCTION

The growing demand of the Internet performance has gre e of the convenience brought by networks, many security problems such as filching computer document, sniffing network data, computer virus, se reasons, r, none of these mechanisms can handle the Denial of Service (DoS) ue is that DoS attacks are hard to prevent, hard to detect, evolved to Distributed Denial of Service

Manuscript received March 12, rk was supported in part by the National Science Council of the Republic of China under Grant NSC93-2213-E-216-031. 1Correspong author and presenter
1Wen Ouyang is with the Department of Computer Science and Information Engineering, Chung Hua University at HsinChu, Taiwan, R.O.C 300.; phone: 886-3-5186403; fax: 886-3-518-6416; e-mail: ouyang@.
2Kun-Ming Yu is with the Department of Computer Science and Information Engineering, Chung Hua University at HsinChu, Taiwan, R.O.C 300, phone: 886-3-5186412; fax: 886-3-518-6416; e-mail: yu@.
3Wen-Ping Lee is with the Computer Science Center, Chung Hua University at HsinChu, Taiwan, R.O.C 300, phone: 886-3-518-6235; fax: 886-3-518-6416; e-mail: luke@

DWORK

There are many types of security threats in the network, for example, DoS, DDoS, port scanning, Sniffer, with those threats, ld make victim or network taken out of commission by sending flurry packets to victim and cause victim to consume their system resources like CPU, oding and SYN-FIN attack [1] evolved to Distributed Denial of Service (DDoS) r scans computers over Internet randomly by robot program to se ntermediary attackers will start up DoS attacks at predefined time or when receiving cracker’s command. y, there are only a few worm do DoS itself, but worm spreadin way, w, an racker learns target computer being with some special ports, a cracker is able to know the target computer’s OS and there may opularity of Internet, quests cannot be offered or handled well by today’s network technologies due to, for example, TCP protocol’s er, r to speed up the network evolution and to let individual be able to develop individual-driven services, active networks [2,3,4,5,6,7,8,9] house and Wetherall are the first to propose active network at 1996 [10]. The main difference between active network and legacy network network, also called passive network, duals using active network can develop a new network service or protocol that can be set up and used immediately without coordinating with other individ ical researches of active network are ANEP [2], Active IP [11], ANTS [12], and PLAN [4].

An IDS (Intrusion Detection System) e classified into misuse IDS and anomaly IDS [13,14,15] [16] y IDS defines normal packet and assumes that a packe statistic, fuzzy [17] or neural network [18] gh anomaly IDS can detect novel attack, mple, if the definition of normal network behavior model is too loose, ther hand, if the definition of normal network behavior model is too restrict, , -virus system is based on signature database so it can’t detect novel viruses or worms. Another drawback d not work if the worm or virus doesn’t gh there have been many security research or systems, chesucudies equip their network devices with computinsiverouttive network researchers using mobile filter service have problems to migrchsearches only detect, log, ires the network S researches are focused on the situatio ew based on SNMP [19] ork based on SNMP [19] which deter, SNMP can’t xists a omputer such as an important server needs to connect to network round-the-clock, s, most research are based on misuse IDS that they can’t detect novel attack r to solve these security problems, we present a new detective technology and an active network based
ED DETECTION MECHANISM

A new high detection rate technique to determine if a packet is normal or malicious is required to compensate get malicious packets under detection include sniffer, port scanning, DoS, section, we first expand the models of normal packets and malicious packets, and then we present our ano of normal and malicious packets The percentage o ous packets like port scanning, DoS, and worm spreading usually significantly increase the son is that normal packets are used to transmit da ous packets which send h detection rate technique The detection can be classified into two phases: tocol tocol phase detection can be procured by predefinin blems due to SYN-FIN packet, Null scan, Xmas tree scan, mple, p to watch and record every host’s stat to determine if it is v worms like “Nimda” and “Netsky” or “Melissa” are spreading by orms read Outlook’s address book and send mails which the worms attahanismu urity service set up on active device will block SYN packet sent to port 25 (SMTP port) temporarily and send email sending authentication agent receives the authentication packet, urity service will pass the SYN packet sent to port 25 for a predef ral, ne some basic security rules and our detection service allows individual dual can extend or modify the rules by themselves. All network behaviors that don’t obey the
inchanismnotoack response mechanism themadvertiset efficient and costly in management ar way is to letslessagekers, these messages ims, these messages notify the fair to the victims that security sy, security systems

FRAMEWORK

We present an s designed to detect all types of DoS attack fective when outgoing bandwidth is engaged ack response mechanisms of ANSIS including filtering malicious packets out, updating signature database, and system restitution are all done automatically just like creature’ previous research, ANSIS filters out only malicious packets a gh ANSIS is active network based, it’ an accommon onsists of firewall, a group of IDSs, manager server, active router, active switch, passive switch, omponents provide network services like filter service, backbone filter service, alert service, detection service, ll: An update service is on firewall to update the signature router: switch: An active switch with filter service, e switch: r port link sters: The manager server will set up fi of IDSs: A group of IDSs consists of misuse and ano anomaly IDS found novel attack packet, it analyzes its sign IDSs set up update service to update their signature r server: The manager server is responsible for the security event response service, SNMP service, setup service, event logging service, alert service, urity event response service sends message to filter service on active device to notify them the packets to be bl ttacker is attached on passive switch, then the security event response service will close network port used by attacker with SNMP service, or ask filter serv urity event response service will also gging service logs every s rmore, the manager server will authenticate and set up the detection service or filter ser y, all links among active devic service: The filter service is located on active switch, active router, ager server automatically se ystem installs the service when the network is under attack, ne filter service: The difference between the backbone filter service and filter service is that the backbone filter service is setup on ISP’s border router in order to ervice: The alert service will send warning message to malicious packet se arning messages include information like source address, destination address, racker, these messages ictim, these m ion service: vice is set up on ection service will send command to filter service to block the malicious packets which was d ion service also sends the signature of these malicious packets to the m service: ager server also updates signature database on firewall an terpreter service: NodeOS will pass active packets o

ENTATION

We implement an active switch, active agent, and some security services in order to t ching functions including forwarding and maintaining MAC addre mes through the active switch will be
acket is active, acket is passive then it wi rotocol service, ty services We implemented four security services including detection service, filter service, alert service, ection service uses the models of malicious behavi iders host that send ctive switch throughput is concerned, the detection service doesn’t build in detection r, ket matching the deterservicemaine installation interface A service instaemented an interface to help user to automatically load all dependent services in terms of service’s profile, to protect other services, and to compile and li agent Since the detection service sends warning message and mail-sending-authentication message, there should be an agent to receive the warning message and prompt user to do the procedure of mail sending authentication; hence, e it received warning message sent by detection service, it will pop up a win

MENT

A simulation environment is set up to experimen hroughput experiment, we used an Ap der sends burst UDP packets to receiver with different packet sizes through our active switch and Hogwash [20]. dware of active switch/ etection rate experiment, we prepared a worm spreading computer running Microsoft Windows 2000 Server and infected by CodeRed, Nimda, Blaster, Netsky, prepared eight compu cpdump [21] on active switch to count the number of packets that worm spreading comp BM compatible PC that running Micro tem had been patched; therefore, they wouldn’t be
hemtos, hput In the throughput experiment, the sender computer sends burst UDP packets to receiver with different frame sizes through our active switch and Hogwash, experiment, obtain practical throughput data re 1, the re 2, the frame size affecting the forward rate greatly and our active switch has 100% ituation,

[Figure 1: Throughput of Active switch and Hogwash. Series: Active switch, Hogwash. x-axis: Frame size (bytes).]

[Figure 2: y-axis: Forward rate. Series: Active switch, Hogwash. x-axis: Frame sizes (bytes).]

stone is the rate of worm packets passing throug e for Hogwash is above 50%. It is because Hogwash is a misused IDS and there is no signature of Blaster and Nachi; therefore, it can’t detect her test, we connect eight computers, which are without any patch, to our active switch with filter service, alert service, mail service, , eight computers are all infecte e used to perform daily work such as browsing web and connecting to FTP server, BBS server, s the warning message to both the infected computer and network administrators; therefore, users are capable of knowin kers, these me ims, these messages notify them the chanism can

[3: The rate of worm packets through active switch and Hogwash]

[Figure 4: y-axis: Number of computers infected by worms. Series: without security service, with security service. x-axis: Minutes.]

SIONS

In the paper, we present a new high detection rate technique, new response mechanism, and an active network based system: Active Network Security Immune System (ANSIS). Our anomaly-based detective technique combines the characteristics of network behavior, individual-driven security rule, cts novel attacks including novel worm spreading as well as resolves the typical pro erimental results show that our detection s ive switch can produce the throughpu ervice warns user that his computer e procedures of ANSIS, such as involve blocking overall attacks and attack response, and post processes, , ANSIS is a compatible, scalable, nly substantially improves the security of network system, but also reduces the cost of management and maintenance by a wide margin
REFERENCES

[1] W. Richard Stevens, “TCP/IP Illustrated, Vol. 1”, Addison-Wesley, 1st edition (January 1, 1994), ISBN:
[2] lexander, bob Braden, , n, tis, and David Wetherall. “Active Network Encapsulation Protocol (ANEP)”,
[3] t, Samrat Bhattacharjee, Ellen Zegura, and James Sterbenz, "Directions in Active Networks", IEEE Communications Magazine, Volume: 36, Issue: 10, Oct. 1998, Pages: 72–78
[4] Michael Hicks, , David Wetherall, and Scott Nettles, "Experiences with Capsule-based Active Networking", DARPA Active NEtworks Conference and Exposition, dings, 29-30 May 2002, Pages: 16–24
[5] Patel, A., "Active Network technology: A through overview of its applications and its future", Potentials, IEEE, Volume: 20, Issue: 1, Feb-March 2001, Pages: 5–10
[6] Beverly Schwartz, n, y Strayer, Wenyi Zhou, Rockwell, and Craig Partridge, “Smart Packets for Active Networks”, Open Architectures and Network Programming Proceedings, CH'99. 1999 IEEE Second Conference on, 26-27 March 1999, Pages: 90–97
[7] Sushil da Silva, Yechiam Yemini, and Danilo florissi, “The NetScript Active Network System”, Selected Areas in Communications, IEEE Journal on, Volume: 19, Issue: 3, March 2001, Pages: 538–
[8] , t, , , on, "Activating Networks: A Progress Report", Computer, IEEE, Volume: 32, Issue: 4, April 1999, Pages: 32–
[9] house, , incoskie, all, , "A Survey of Active Network Research", Communications Magazine, IEEE, Volume: 35, Issue: 1, Jan. 1997, Pages: 80–
[10] all, “Towards an Active Network Architecture”. imedia Computing and Networking 96, San Jose, CA,
[11] J. Wetherall and David L. tennenhouse. “The ACTIVE IP Option”, In proceedings of the 7th ACM SIGOPS European Workshop, Connemara, Ireland, September 1996.
[12] D. Wetherall, J. Guttag, and D.L. Tennenhouse, “ANTS: A toolkit for building andynamically deploying network protocols”, In IEEE OpenArch '98, San Francisco, CA, April 1998
[13] David Endler, “Intrusion Detection Applying Machine Learning to Solaris Audit Data”, Computer Security Applications Conference, 1998, Proceedings., 14th Annual, 7-11 Dec. 1998, Pages: 268–
[14] nd and Stuart Staniford, “Viewing IDS alerts: Lessons from SnortSnarf”, DARPA Information Survivability Conference & Exposition II, 'dings, Volume: 1, 12-14 June 2001, Pages:
[15] ch, “Building a true anomaly detector for intrusion detection”, MILCOM 2000. 21st Century Military Communications Conference Proceedings, Volume: 2, 22-25 Oct. 2000, Pages: 1171-1175 vol.2
[16] Patel, A., "Active Network technology: A through overview of its applications and its future", Potentials, IEEE, Volume: 20, Issue: 1, Feb-March 2001, Pages: 5–
[17] son, “Fuzzy Network Profiling for Intrusion detection”, Fuzzy Information Processing Society, . 19th International Conference of the North American, 13-15 July 2000, Pages: 301–
[18] ch, “Training a Neural-Network Based Intrusion Detector to Recognize Novel Attacks”, IEEE TRANSACTIONS ON SYSTEMS, MAN, AND CYBERNETICS - PART A: SYSTEMS AND HUMANS, VOL. 31, NO. 4, JULY 2001
[19] & t, “Essential SNMP”, O’REILLY, 1st ed edition (October 15, 2001), ISBN:
[20] /
[21] /