網路入侵偵測系統的叢集式架構

Abstract

網路入侵偵測系統可以偵測網路上的異常行為或攻擊，但是在高速網路環境底下，網路入侵偵測系統無法處理如此高速的流量而可能會遺失封包，因而降低偵測能力。在本篇論文中，我們提出了一個適用於高速網路環境下的網路入侵偵測系統的叢集式架構，此叢集式架構以網路連線為單位將封包分派到每個網路入侵偵測系統上。由於分配器可以將雙向網路封包分配到同一個網路入侵偵測系統，此方式可以使得網路入侵偵測系統保持監測真實網路流量的能力。另外由於以連線為單位的分派方式，可以使得每台網路入侵偵測系統維持IP 碎片重組與TCP封包重組的能力。某些跨連線的攻擊，像是網路掃瞄，SYN洪水攻擊，因為這類攻擊是由正常的許多封包或連線所組成，跨連線的封包或連線將會被分派到不同的網路入侵偵測系統，可能會導致此叢集式架構有偵測上的困難。我們可以經由一個中央系統收集各網路入侵偵測系統上的必要資訊而達到偵測此類攻擊的目的。經由分析我們發現此叢集式架構可以偵測到許多種類的攻擊。

Network intrusion detection system (NIDS) can detect anomaly behaviors and attacks over the networks. In a high speed network, NIDS cannot handle the large amount of packets, and will eventually drop packets and fail to detect intrusions. In this thesis, we propose the cluster NIDS architecture for high-speed networks. The clustered architecture uses session dispatching schemes to distribute packets to its cluster nodes, where each node runs the intrusion detection system. The dispatcher in the high-speed network segment can balance the bi-directional traffic to the cluster nodes so that the NIDS can keep the TCP stateful inspection ability. The session-based approach also keeps the IP fragment reassembly and TCP reassembly abilities of each cluster node. The cross-session attacks, like Portscan or SYN Flooding, make intrusion detection very difficult in clustered architectures. These types of attacks are normally detected by anomaly behaviors which deviate from user normal behaviors. Distributing sessions to different nodes of NIDS makes each node difficult to discover the anomaly statistics. To cope with the problem, a master node is designated to collect and analyze the collected statistics from all nodes. As the analysis showed, the clustered architecture is able to detect various kinds of attacks.