Title: Dynamic Queueing-based Intrusion Prevention Mechanisms for Mobile Devices
Authors: Guo, Jing-Wei (郭景維)
Feng, Kai-Ten (方凱田)
Institute of Communications Engineering
Keywords: Network Intrusion Detection and Prevention System; Queueing Theory; NIPS
Issue date: 2011
Abstract: With the emergence of open-source network intrusion detection systems (NIDS) and network intrusion prevention systems (NIPS) such as Bro (BSD license) and Snort (GPL license), installing a NIPS/NIDS on the local host has become feasible. On the view that more layers of protection provide more security, applying NIPS to Android/Linux-powered mobile devices is now being considered. Before NIPS can be applied to mobile devices, some problems must be solved first. Mobile devices have less computational power than general-purpose computers, so allocating computational power reasonably is particularly important. Some research aims at improving the underlying algorithms of misuse-detection-based NIPS, such as the pattern matching algorithm, in order to reduce time complexity. But no matter how much the complexity of the underlying algorithm is reduced, the work of the NIPS remains more complex than that of the operating system kernel's network routines. As the proverb goes, "A chain is only as strong as its weakest link." When a NIPS is applied on a mobile device, it becomes a bottleneck in the packet path. This research therefore aims at reducing the impact of that bottleneck on mobile device users. The work first identifies the relationship between Android/Linux network internals and the NIPS, and uses an analytical queueing model to represent the packet flows between them. Based on this model, a Queueing-based Intrusion Prevention mechanism with Static resource allocation (QIP-S) and its enhancement with Dynamic resource allocation (QIP-D) are proposed. Simulations of the proposed methods were conducted and analyzed, and the results show that both methods outperform non-preemptive priority-based allocation methods when the queueing system approaches saturation.
URI: http://140.113.39.130/cdrfb3/record/nctu/#GT079913525
http://hdl.handle.net/11536/49305
Appears in collections: Theses