基于数据流管理平台的网络安全事件监控系统

:2004-11-03:(60273016);(2001AA142110).:,,1980,,、;,,1971,,、.1,2,11(,100080)2(,100049)E-mail:shenxingxing@software.ict.ac.cn:.、..,,.CQL,,.,、、,.:;;;:TP393:A:1000-1220(2006)02-0237-04InternetSecurityEventMonitorBasedonDataStreamManagementSystemSHENXing-xing1,2,CHENGXue-qi11(SoftwareDivision,InstituteofComputingTechnology,ChineseAcademyofSciences,Beijing100080,China)2(GraduateUniversityofTheChineseAcademyofScience,Beijing100049,China)Abstract:Complexandnumerousnetworkattacksrequiremonitoringsystemtodetectallkindsofsecurityeventsunderhighspeedinternettraffic.Datastreammanagementsystemisastreamdatabasemodelwhichcanrespondtoqueriesonhighspeed,hugevolumestreamingdataonrealtime.Thispaperproposesamodelframeworkwhichappliesdatastreamtechniquetonet-worksecuritymonitoring.Inthismodel,datastreammanagementsystemactsasaplatformtosupporttheefficientqueryandanalysisofhighspeednetworktraffic.Thisguaranteesthehighperformanceofthemonitoringsystembasedonit.CQLlan-guagecandescribenumeroussecurityeventrulesandmonitoringqueriesexactlyandflexibly.Suchmonitoringsystemcaninte-gratethefunctionofintrusiondetection,wormdetectionandnetworktrafficmanagement,etc,whichiswellscalable.Keywords:datastreammanagementsystem;networksecurity;intrusiondetection;monitoring1、dos、.(),,.,.,,,.,、、,.,-[1].,,、、、,,,.,:·;·;·,,.,-[2].,,.,,,(,sum、countavg),[3].[4],,.,StanfordSTREAM、BerkeleyTelegraphCQAurora27220062MINI-MICROSYSTEMSVol.27No.2Feb.2006.STREAM[1](Da-taStreamManagementSystem),,,.CQL(continousquerylanguage)[4].SQL,.,.、,.,,.DrisM(DataRiverIn-ternetSecurityMonitor).,,、、,,,.2DrisM1.DrisM,(libpcap).,.3:Packet-Stream,KeywordStreamFlowStream.3,..,.CQL,IDS,,.DrisM,.,,,.1Drism3:,,()..2.1.,createstream(streamschema).(tableschema),,.,,.3:PacketStream(),KeywordStream(),Flow-Stream()...2.1.1PacketStreamip,ip,ip.TCP/IP,.,PacketStream.,.,,,,,.,,.Packet-Stream:CREATESTREAMPacketStream(PacketStreamIDlong;//TOSint;//PacketLengthint;//IP,Dsizeint;//ipTTLint;//Protocolchar;//ip.SourceIPlong;//DestIPlong;//TCPFlagschar;//tcpFlagsSEQint;//tcpSEQACKint;//tcpACKSourcePortint;//DestPortint;//TimeStampdate;//RelationWithTcpFlowint;//FlowStream//FlowiD.FlowStream)2.1.2KeywordStream,,.IDS,Snortcontent.DNSexploitnamedoverflowattempt,tcp|CD80E8D7FFFFFF|/bin/sh,|CD80E8D7FFFFFF|/bin/sh.,,.,,.IDS.,.,.ip8322006,TCP/IP,.,,id(),KeywordStream.,(),.,,,,.,,.KeywordStream:CREATESTREAMKeywordStream(KeywordStreamIDint;//KeyIdint;//,ip//,//.IdInPacketStreamint;//PacketStreamTimeStampdate;//)2.1.3FlowStream,,FlowStream.tcpudp,.tcp,(connection);udp,,udp.,ip,,;,.FlowStream:CREATESTREAMFlowStream(FlowStreamIDint;//FlowStartTimedate;//FlowEndTimedate;//(udp,//)SourceIplong;//ipDestIplong;//ipSourcePortint;//DestPortint;//PacketCountint;//TotalBytesdouble;//ProtocolTypeint;//tcporudpTimeStampdate;//)3,,.5%ip,ipiphttp.2.2.-FastDB,,,.SQL,.FastDB(se-lect),(project),(join),(ag-gregate).,(push-based),,.,2,..,,,.,,.2.2.3,.Drism-,ODBC.,Drism,.,.,,.,.,,,,,IDS.,,.3Drism.CQL.IDS,CQL,.IDS,,,9322:CQL.CQLSQL.stream[now]stream,stream[2minute]stream.Drism.3.1IDS,:、、CGI,DrismCQL,.SnortFINGERbombattempt:tcp,79,@@,(@@20).cql:SELECTSourceIpFROMPacketStream[now],KeywordStream[now]WHEREPacketStream.PacketStreamId=KeywordStream.IdInPacketStreamandPacketStream.DestPort=21andKeyWordStream.KeyId=203.2,,CQL.sqlslammerwormUDPflowsofsize404bytestoport1434,cql:SELECTSourceIpFROMFlowStream[now]WHEREDestPort=1434andTotalBytes=404andProtocolType=udp3.3.,.20,tcp,,5%IP.cql:SELECTSourceIp,DestIp,TotalBytesFROMFlowStream[20minute]asL1WHEREL1.ProtocolType=tcpAND(SELECTCount(*)FROMFlowStream[20minute]asL2WHEREL2.ProtocolType=tcpANDL2.TotalBytesL1.TotalBytes)(SELECT0.95*Count(*)FROMFlowStream[20minute]WHEREProtocolType=tcp)OrderByTotalBytes4Drism,.(CPUP41.3G,256M,Linux6.2),(CPUP41.3G,256M,WinXP),.SnortCQL.,.Snort,tcpdump,,.DrismSnort.1(MB/s)CPU()(k)Snort3.00%60%3609636.828%100%3832669.360%100%38569Drism3.00%40%4201336.816%60%4786569.330%70%48534,,.,Snort,Drism,CPUSnort,.Snort,.,.,.5.,.、,IDS,,,.,.,,,,.References:[1]BabcockB,BabuS,DatarM.Modelsandissuesindatastreamsystems[C].In:ProceedingsofPODS,2002:1-16.[2]ChenY,DongG,HanJ.Multi-dimensionalregressionanalysisoftime-seriesdatastreams[C].In:Proc.28thInt.Conf.onVeryLargeDataBases,2002:323-328.[3]WilschutA,ApersP.Dataflowqueryexecutioninaparallelmain-memoryenvironment[C].In:Proc.1stInt.Conf.ParallelandDistributedInformationSystems,1991:68-77.[4]ArasuA,BabuS,WidomJ.Anabstractsemanticsandconcretelanguageforcontinuousqueriesoverstreamsandrelations[EB/OL].