
Proceedings of the 7th Student Scientific Research Conference, University of Da Nang, 2010

BUILDING A LAN INTRUSION DETECTION AND MONITORING SYSTEM

Students: L Vn Hng, Phng Duy Tng
Class 05T1, Faculty of Information Technology, University of Technology

Supervisor: MSc. Nguyn Tn Khi
Faculty of Information Technology, University of Technology
ABSTRACT
This paper presents an approach to building an intrusion detection and monitoring system for a local area network (LAN). The system is designed to monitor network and system activity for malicious or unwanted behaviour and can react in real time to block or prevent that activity. When an attack is detected, it can drop the offending packets and send a notification to the network administrator.

1. Problem statement
In a networked system, servers are usually the primary target of attacks and unauthorised access. A network must therefore be protected in several layers to strengthen its defence [1,2,3]. Current security and antivirus products that protect systems (BKIS, Kaspersky Anti-Virus, BitDefender Antivirus, ...) are expensive and are mostly developed abroad. In addition, most network firewalls today are built into network hardware devices. Moreover, these programs are developed separately, with features that are largely independent of one another, so combining their functions for monitoring and administering a system is limited. Starting from this practical need, we set out to build a single program that integrates several functions supporting network monitoring and the detection of unauthorised intrusions, so that network administration can be centralised and more effective. This paper presents the main issues concerning that system.

2. Network intrusion methods and countermeasures
2.1. Basic techniques for intruding into a network
Common basic forms of network attack and intrusion include [1]: footprinting, scanning, enumeration, gaining access, escalating privileges, pilfering, covering tracks and denial of service (DoS). Other forms of attack include deauthentication attacks, replay attacks, attacks on physical-layer carrier sensing, MAC address spoofing, and so on.

2.2. Denial-of-service attacks and countermeasures
A denial-of-service (DoS) attack is an attack on a network that aims to prevent access to a service by flooding it with connections, overloading the server or a program running on it, exhausting the server's resources, or otherwise blocking legitimate users from reaching the network service. There are three main DoS attack methods: Smurf or Fraggle, SYN flood and DNS attacks [1,3,4]. The basic measures for preventing DoS attacks are as follows:
- Prevent application vulnerabilities.
- Prevent the exploitation and use of zombies.
- Prevent the use of tools that set up channels for launching attacks.
- Block bandwidth attacks.
- Block SYN attacks.
- Detect and block attacks that exhaust the connection limit.

The goal of intrusion detection is to identify unauthorised activity, misuse and abuse of a computer system, whether caused by users inside the system or by intruders from outside. This is a difficult task because of the rapid growth in network connections, heterogeneous computing environments, the many communication protocols in use, and so on. Intrusion detection is built mainly on the difference between the behaviour of an intruder and that of a legitimate user.

3. Design and construction of the program
The program was analysed and designed around several objectives: monitoring IP packet traffic, tracking the running system processes and the users logged into the system, and detecting and warning of attack or intrusion risks to the server so that the network protection program can act on them. The program also provides network tools and utilities that let the administrator manage everything from one place. With these objectives, the system has the following main functions:
- Monitor packets entering and leaving the system, and filter packets from source to destination against a given keyword list to detect illegitimate content.
- Control and defend against DoS and DDoS attacks and against attempts to create a backdoor into the server's operating system.
- Inspect the processes, process IDs and service ports active on the server to find illegitimate services.
- Manage system users.
- Send e-mail alerts to the users concerned.

[Figure 1. Model of the system's functions. Blocks in the figure: Data; Capture of inbound/outbound data on the system; Packet filtering; Service port management; Connection management; Data analysis; Alerting; Information processing policy; Detection policy; Alert policy.]

Some of the system's main functions are presented below.

3.1. Packet filtering function
The packet filtering function analyses the packets passing through the server (the machine sitting between the internal network and the public network) into more readable information: destination IP, source IP, destination port, source port, protocol, and so on. On this basis we can control connections and detect attack or intrusion risks to our network through the packet filtering parameters. These parameters give us concrete figures from which a warning of a possible DoS attack can be issued. The packet filtering function consists of two main modules:
a. Packet module: defines the packet, including the fields of the IP packet structure [4] such as VER, IHL, Type of Service, Total Length, Identification, and so on. A packet is a stream of data bits; the Packet module parses this bit stream into the corresponding fields, so that the data fields can then be accessed and processed easily.
b. PacketMonitor module: the class that defines the mechanism for capturing the packets passing through the network interfaces.

3.2. DDoS attack warning function
A distributed denial-of-service (DDoS) attack overloads the system or the bandwidth of a computer, usually a web server, so that the computer's resources become unusable. Based on the packet filtering parameters (protocol, address, sending rate, ...), we can define rules that warn when the machine is under attack, so that the network administrator can respond in time. The DDoS warning algorithm is as follows:
1. Compute the packet filtering parameters.
2. Check the packet filtering parameters.
3. If the parameters exceed the allowed threshold, raise a DDoS attack warning.
4. Otherwise, report that the system is operating normally.
The packet filtering parameters are: the total number of TCP, UDP and ICMP packets arriving at the server, and the TCP, UDP and ICMP traffic volume arriving at the machine within one minute.

3.3. Network service monitoring function (Services Monitor)
Services Monitor manages the services running on the server, letting the administrator monitor and stop or start the services running on the system, and thereby identify illegitimate processes.

3.4. Network performance monitoring
Network performance is monitored by measuring the volume of packets entering and leaving the network and presenting the results as charts for a visual overview. Some screens illustrating the program's results are shown below:
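The following Python example, added here and not taken from the paper's .NET program, parses the IPv4 header fields named in 3.1 and runs the four-step DDoS warning check of 3.2 over a one-minute window. The header layout follows the standard IPv4 format cited in [4]; the thresholds, addresses and sample packets are assumed and constructed for the demonstration.

```python
import struct
from collections import Counter

# IPv4 "Protocol" field values for the three protocols the paper counts.
PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}

def parse_ipv4(raw):
    """Split a raw IPv4 packet into the header fields the Packet module names."""
    if len(raw) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, tos, total_len, ident, flags_frag, ttl, proto, chksum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", raw[:20])
    ihl = (ver_ihl & 0x0F) * 4            # IHL counts 32-bit words
    if ver_ihl >> 4 != 4 or ihl < 20 or len(raw) < ihl:
        raise ValueError("not a well-formed IPv4 packet")
    pkt = {"ver": 4, "ihl": ihl, "tos": tos, "total_len": total_len, "id": ident,
           "flags": flags_frag >> 13, "ttl": ttl, "proto": PROTO_NAMES.get(proto, str(proto)),
           "src": ".".join(map(str, src)), "dst": ".".join(map(str, dst))}
    payload = raw[ihl:]
    if proto in (6, 17) and len(payload) >= 4:  # TCP and UDP both start with the two ports
        pkt["sport"], pkt["dport"] = struct.unpack("!HH", payload[:4])
    return pkt

def ddos_check(timed_packets, now, max_pkts, max_bytes, window=60):
    """Steps 1-4 of the warning algorithm: count packets and bytes per protocol in the
    last `window` seconds, compare with the thresholds, return the warnings ([] = normal)."""
    pkts, byts = Counter(), Counter()
    for ts, raw in timed_packets:
        if now - window < ts <= now:          # step 1: only the current window counts
            p = parse_ipv4(raw)
            pkts[p["proto"]] += 1
            byts[p["proto"]] += p["total_len"]
    warnings = [f"{n}: {pkts[n]} packets > {lim}" for n, lim in max_pkts.items() if pkts[n] > lim]
    warnings += [f"{n}: {byts[n]} bytes > {lim}" for n, lim in max_bytes.items() if byts[n] > lim]
    return warnings                            # steps 2-4

def make_packet(proto, src, dst, payload=b""):
    """Constructed traffic for the demo: minimal IPv4 header (no options) + payload."""
    addr = lambda a: bytes(int(x) for x in a.split("."))
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 1, 0, 64,
                       proto, 0, addr(src), addr(dst)) + payload

# Constructed sample: 30 small TCP packets to port 80 within 30 s, one ICMP echo
# request, and one UDP packet that lies outside the one-minute window.
SAMPLE = [(t, make_packet(6, "10.0.0.7", "192.0.2.10",
                          struct.pack("!HH", 40000 + t, 80) + bytes(16))) for t in range(30)]
SAMPLE.append((5, make_packet(1, "10.0.0.8", "192.0.2.10", b"\x08\x00" + bytes(6))))
SAMPLE.append((200, make_packet(17, "10.0.0.9", "192.0.2.10", struct.pack("!HH", 5000, 53))))
LIMIT_PKTS = {"TCP": 20, "UDP": 20, "ICMP": 20}        # assumed thresholds, not the paper's
LIMIT_BYTES = {"TCP": 10000, "UDP": 10000, "ICMP": 10000}
```

Calling `ddos_check(SAMPLE, 30, LIMIT_PKTS, LIMIT_BYTES)` returns a single TCP packet-count warning, while the UDP packet at t=200 is ignored because it falls outside the window ending at t=30.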

Figure 2. Packet filtering function.

Figure 3. Service management function.

Figure 4. System connection management.

Figure 5. Network traffic monitoring.

4. Conclusion
Several security techniques usually have to be used together to keep a network safe. Network security monitoring in general, and the monitoring of packet and connection activity in particular, is a key step in the security strategy of a computer network. Alongside the other network and server protection components, the intrusion detection and network protection program provides centralised management functions that give network administrators the ability to monitor packets, manage service connections, and warn of potential DoS and Trojan attacks. The program is built on the network programming technology of the .NET Framework, the environment integrated into current Windows versions. In future, the program will be developed towards better Trojan detection methods, a wider range of DoS attack warnings, and network performance parameters tuned to actual operating conditions.

REFERENCES
[1] Kaufman, C., Perlman, R., Speciner, M., Network Security: Private Communication in a Public World, Prentice Hall, 2002.
[2] Stallings, W., Cryptography and Network Security: Principles and Practice, 3rd edition, Prentice Hall, 2002.
[3] Bellovin, S., Cheswick, W., Internet Security and Firewalls, 2nd edition, Addison-Wesley, Reading, 1998.
[4] Tanenbaum, A.S., Computer Networks, 4th edition, Prentice Hall, 2003.
[5] Bach, E., Shallit, J., Algorithmic Number Theory, Vol. I: Efficient Algorithms, 2nd printing, MIT Press, 1997.
[6] http://www.codeproject.com
