Research on Key Technologies of Anomaly Detection Systems in IPv6 Environments.pdf

138 pages
  • Seller [uploader]: lizhe****0001
  • Document ID: 36850794
  • Upload time: 2018-04-03
  • Document format: PDF
  • Document size: 1.09MB
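Huazhong University of Science and Technology, doctoral dissertation

Research on Key Technologies of Anomaly Detection Systems in IPv6 Environments

Name: Li Yao (黎耀)
Degree applied for: Doctorate
Major: Computer Architecture
Supervisor: Li Zhitang (李之棠)
20060509

… improvement.

The design goal of the anomaly detection algorithm is to improve the efficiency and accuracy of detection. The problems that biological immunity and computer security systems face and need to solve are very similar, so anomaly detection technology that adopts the ideas of biological immunity can obtain more accurate and reliable results and greatly improve detection performance. By introducing real-valued encoding and the deterministic crowding niching algorithm to improve the genetic algorithm, the Deviation Levels based Detection Algorithm (DLDA) was studied. At the same time, to improve detection accuracy, an evolutionary algorithm that generates fuzzy detection rules was introduced, and a fuzzy anomaly detection algorithm is used to perform fuzzy detection of abnormal behavior in the network. Comparative experiments between the anomaly detection prototype system and the open source anomaly detection system snort were carried out on different data sets (DARPA1999, DARPA2000) and on real network traffic. The experimental results show that the proposed algorithms are greatly improved in false positive rate and false negative rate.

The input to an anomaly detection system in an IPv6 environment is an entirely new protocol, and both address length and data volume have grown enormously, so the above algorithms cannot run efficiently in the new environment. For this reason the above algorithms were improved: random real-valued encoding is performed, an affinity-based non-self recognition method is introduced, and an efficient segment-wise matching algorithm is used to improve detection efficiency.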

The above research results have been applied together in an anomaly detection system for the next generation Internet. Performance and effectiveness were measured using a custom data set (a combination of constructed attack data and real network traffic) and real IPv6 network traffic, and the results show that the system runs well in an IPv6 environment.

Keywords: network security, next generation Internet, artificial immunity, negative selection, fuzzy rules

Abstract

The current generation Internet protocol IPv4 is replaced by the new generation Internet protocol IPv6 because of IPv6's huge address space and favorable security architecture. However, with the development of the next generation Internet protocol and the popularization of new types of applications, the security problems of networks based on the IPv6 protocol should be addressed. Traditional anomaly detection algorithms cannot detect these new types of attack effectively, nor can they support the new protocol. An anomaly detection system must be devised that supports the IPv6 protocol and performs anomaly checking rapidly even in a high-traffic network environment. It is necessary to study anomaly detection algorithms based on the NGI, which has theoretical significance and practical importance. Therefore, it has become a significant international topic that urgently needs to be solved.

In order to ensure the security of the NGI, we must be able to differentiate and respond to its abnormal behavior. The purpose of research on the NGI anomaly detection architecture is to develop a new technology that lets our anomaly detection system accommodate a high-bandwidth, high-traffic network environment; it must support the new Internet protocol and have the ability of self-learning. Then the Internet anomaly detection technology, the structural model of the network architecture and the network security control platform of the NGI can be built up.

This paper focuses on research into the security problems of IPv6, a high-speed packet capture model, and an effective anomaly detection algorithm applicable in the IPv6 environment with the help of computer immunity technology.

In order to design and implement an anomaly detection architecture based on the next generation Internet, we should know exactly what types of security issues exist in the protocol carried by the new Internet. This paper analyses the security of IPv6 through the design, implementation and deployment phases of the protocol. Through this analysis, we found that some popular operating systems such as Windows and Linux have some problems in their implementation of the IPv6 protocol, especially in the implementation of the Neighbor Discovery protocol. According to the result, we design and realize some brand-new types of attack under the IPv6 environment that utilize the hidden weaknesses of IPv6. Moreover, after testing our anomaly detection algorithm, we also table some security proposals for the design of the protocol.

The lossless capture of data packets is the basis of anomaly detection. The bandwidth of the NGI backbone has been extended greatly, and the data stream it carries has also increased sharply, which presents difficult challenges to the full capture of data packets. This paper researches a high-speed data packet capture model, which provides a good basis for anomaly detection. By analyzing the disadvantages of existing capture models, we research and implement a new Packet Capture Mechanism based on Semi-Polling Driven Zero Copy (PCMSZ), introduce a Memory Map (MM) mechanism, and solve the bottleneck of high-speed data packet capture.

The goal of the design of the anomaly detection algorithm is to enhance the efficiency and accuracy of detection. The problems that our computer security systems face are very similar to those of biological immunity. So anomaly detection technology using artificial immune theory can obtain more accurate and reliable results and improve the performance of our detection system. By introducing real-valued encoding and the deterministic crowding niching algorithm to improve the genetic algorithm, we present an evolutionary algorithm that generates hypercube detectors, the Deviation Levels based Detection Algorithm (DLDA), and an evolutionary algorithm that generates fuzzy rule detectors, the Fuzzy Rules based Anomaly Detection Algorithm (FRADA). Finally, we evaluated the prototype system and an open source anomaly detection system, snort, with the DARPA 1999 and DARPA 2000 data sets and real network flow. The result shows that the algorithms presented in the paper are an improvement over snort.

Traditional anomaly detection algorithms cannot always support a new protocol, and we must design new algorithms to satisfy this new protocol. Aiming at the characteristics of long addresses and high data traffic that IPv6 has, we improve the…
