CHEN Hong-tao,CHEN De-ren,GU Xue-fei

2005-01-01

Abstract:Content filtering is an indispensable important part in the network security field.It analyses the information transported in application layer content protocol and controls the forwarding of the information based on the filtering rules.Network Processor is a new generation programmable processor of high speed for carrying out data processing and transmitting.With its obvious advantages in network data processing,the network processor becomes the essential component in high-speed network equipment which supports network functions,such as operation management、security and network monitoring,etc.Based on the advantage of network processor,this paper presented an implementation of an Intel IXP2400 network processor-based content filtering system.

沈勇,薛文革,李增智,陆建平,陈妍

DOI: https://doi.org/10.3969/j.issn.1001-3695.2002.05.023

2002-01-01

Abstract:With the development of the Internet, network security problem becomes more and more important.How to keep DoS away becomes the focus of secur ity reserch.This paper mainly discuss a security policy of DoS,also introducts the Key knownledge of Netfilter Framework.

LI Jian,WANG Ling,DONG Ke-jun,LI Jun

DOI: https://doi.org/10.3969/j.issn.1000-7180.2006.04.006

2006-01-01

Abstract:As two important technologies in the field of Network Security, there are still some problems of both Intrusion Detection System and Firewall which can't be solved. Based on brief introduction to the framework of the Network Intrusion Detection System and Linux's kernel firewall- Netfilter, this dissertation brings forward the system about the integration of NIDS and iptables, and finally describes every module's realization with analyzing both advantages and disadvantages regarding to this system.

王莉,黄光明,刘志愚

DOI: https://doi.org/10.3969/j.issn.1673-629x.2004.04.023

2004-01-01

Abstract:With the rapid development of Internet, more and more nets began to connect to it which causes the great increasement of information quantity. While people enjoying the freedom of acquiring and promulgating information, they also in face of threats comes from Internet, which calls network security. Firewall, now has been an efficient measure to prevent destruction from Internet.Introduces the development of firewall in Linux kernel, including ipfwadm, ipchains and iptables. Then discusses the latest technology:Netfilter and the concept of Dimilitary Zone. Finally gives an example to implement the DMZ firewall with iptables on Linux.

Xiang-dong QIAO,Tong YANG,Jing-wei ZHANG

DOI: https://doi.org/10.3969/j.issn.1009-3516.2007.04.018

2007-01-01

Abstract:Two different design schemes about firewall IPS module are brought up.In the first scheme snot-inline technique and the QUEUE action of netfilter are used to achieve dropping of attack data packet.In the second one,IPS about Denial of Service attack is achieved with the benefit of combination of synccokies,the new netfilter fuzzy match,PSD match,U32 match with an improvement on the firewall kernel.After comprehensive comparison,the module is developed according to the second scheme.The experiment shows that the designed module works well in defending main DOS attack.

LI Jian,WANG Ling,LI Jun,YAN Baoping

DOI: https://doi.org/10.3969/j.issn.1000-3428.2007.12.025

2007-01-01

Abstract:Based on introduction to the P2P technology and Linux kernel Netfilter framework, this paper brings forward the methods, namely, port recognition method and condition code recognition method to identify P2P network packets. It introduces condition code recognition method and discusses how to get P2P condition codes and lists some known condition codes. It also introduces how to identify and manage P2P by Netfilter framework, and gives a brief analysis and summary.

赵仲孟,饶芳艳,沈均毅,陈剑

DOI: https://doi.org/10.3969/j.issn.1000-7024.2001.06.009

2001-01-01

Abstract:This paper introduces the firewall technology and gives the comparison of various firewalls. It also gives the design and implementation of NetGuard firewall system based on Linux, and point out emphatically the new ideas in the model select and design for NetGuard.

Jia Zongpu,Liu Shufen,Wang Guowei

DOI: https://doi.org/10.1109/SPCA.2006.297482

2006-01-01

Abstract:Firewall has many shortages, such as it cannot keep away interior attacks, it cannot provide a consistent security strategy, and it has a single bottleneck spot and invalid spot, etc. Intrusion Detection System (IDS) also has many defects, such as low detection ability, lack of effective response mechanism, poor manageability, etc. If firewall and IDS are integrated, the cooperation of them can implement the network security to a great extent: on the one hand, IDS monitors the network, provides a real-time detection of attacks from the interior and exterior, and automatically informs firewall and dynamically alters the rules of firewall once an attack is found; on the other hand, firewall loads dynamic rules to hold up the intrusion, controls the data traffic of IDS and provides the security protection of IDS. Based on constructing firewall with Iptables in the environment of Linux OS, the respective characters of firewall and IDS are analyzed. Then, the viewpoint of integrating firewall and IDS to realize the network security is proposed, and the application and algorithm of intrusion detection are systemically analyzed and designed.

CHEN Zhi-xiang,LU Yin,LU Sang-lu,CHEN Dao-xu

2007-01-01

Journal of Computer Applications

Abstract:This paper described the design of a security gateway based on protocol translation in IPv4-IPv6 hybrid network, and implemented a security gateway prototype system based on Linux 2.6 kernel netfilter framework. The prototype system tracks up-layer UDP/TCP connections based on protocol translation and it performs hybrid end-to-end access control policies. Experimental testing results indicate that it has small latency during end-to-end packet transmission and may satisfy the needs of enterprise networking.

宋舜宏,杨寿保,张焕杰

DOI: https://doi.org/10.3969/j.issn.1002-137X.2004.11.011

2004-01-01

Computer Science

Abstract:The resources of network must be used and managed securely and efficiently. So this paper prompts a method based on netfilter/iptables frame in Linux OS to control the network resources,and introduces how to design and implement a Smart-gateway with perfect function,stable performance,high scalability,easy to manage and update.

Wu Qingtao,Shao Zhiqing,Ding Zhiyi,Liu Gang

DOI: https://doi.org/10.1007/bf02829250

2006-01-01

Abstract:Distributed denial of service (DDoS) attacks exploit the availability of Web servers, resulting in the severe loss of their connectivity. We present a robust IP packets filtering mechanism which combines the detection and filtering engine together to protect Web Servers from DDoS Attacks. The mechanism can detect DDoS attacks by inspecting inbound packets with an IP address database, and filter out lower priority IP addresses to preserve the connection for valid users by monitoring the queués status. We use the Netfilter's technique, a framework inside the Linux 2. 4. X, to implement it on a Web server. Also, we evaluate this mechanism and analyze the influence of some important parameters on system performance. The experimental results show that this mechanism is effective against DDoS attacks.

Zheng Chang

2008-01-01

Abstract:This paper introduces Honeynet based on proactive defence, discusses its conception, implement and character. The Honeynet based on proactive defence can trap and track the hack and record his intrusion.

RAO Ming,DU Zhonghui,HAN Qi,LI Qiong

DOI: https://doi.org/10.3969/j.issn.2095-2163.2011.05.009

2011-01-01

Abstract:In this paper,a project is designed and tested for embedded Linux firewall.Firstly,a system framework of embedded Linux firewall based on ARM processor is proposed and a scheme of Linux kernel reducing is designed.Secondly,considering the poor performance of Netfilter/Iptables in large number rules set,a method of Iptables combining with NF-hipac and Ipset is introduced,and it is transplanted successfully.Finally,with the accomplished system,the integrated and detailed function and performance tests are provided.The function experiments show the rationality and efficiency of the system design and the performance tests indicate the key parameters influencing the system performance,which provides the reference and basis for further optimizing the system.

Yan Chen,Zhichun Li

2009-01-01

Abstract:In this thesis, I propose and develop a network-based attack defense system, RAIDM. I focus on network based defense because of the following reasons: (i) network gateways/routers are the vantage points for detecting large scale attacks; (ii) only host based detection/prevention is not enough for modern networks. RAIDM has four components: sketch-based monitoring and detection, polymorphic worm signature generation, signature matching engines and network situational awareness.The first module is sketch-based monitoring and detection. In this thesis, leveraging data streaming techniques such as reversible sketch, we design HiFIND [1], a High-speed Flow-level Intrusion Detection system. We also propose a two-dimensional sketch for attack differentiation. HiFIND (i) is scalable to flow-level detection on high-speed networks; (ii) is DoS resilient; (iii) can distinguish SYN flooding and various port scans (mostly for worm propagation) for effective mitigation; (iv) enables aggregate detection over multiple routers/gateways; and (v) separates anomalies to limit false positives in detection. Both theoretical analysis and evaluation with several router traces show that HiFIND achieves these properties. To the best of our knowledge, HiFIND is the first online DoS resilient flow-level intrusion detection system for high-speed networks (e.g. OC192), even for the worst case traffic of 40-byte-packet streams with each packet forming a flow.The second module is polymorphic worm signature generation. Recently, worms and remote exploits sent by botnets have become the major tools for launching Internet attacks. It is critical to quickly generate signatures in response to those fast propagating threats. To this end, I have developed two types of automated worm signature generation approaches (token-based signature generator and length based signature generator) with different information availability requirement and underlying assumptions. Beside token based signature generator, we design a network-based Length-based Signature Generator (LESG) for worms exploiting buffer overflow vulnerabilities. We further prove the attack resilience bounds even under the worst case attacks with deliberate noise injection. Moreover, LESG is fast and noise-tolerant and has efficient signature matching.The third module is signature matching engines. In this thesis, we design NetShield, a vulnerability signature based NIDS/NIPS which achieves high throughput comparable to that of the state-of-the-art regex-based systems while offering much better accuracy. This is accomplished because of the following contributions: (i) we propose a candidate selection algorithm that efficiently matches thousands of vulnerability signatures simultaneously using a small amount of memory; (ii) we propose a parsing transition state machine that achieves fast protocol parsing; (iii) we implement the NetShield prototype, including rewriting the ruleset of Snort to vulnerability signatures. Experimental results show that the core engine of NetShield achieves 1.9Gbps signature matching throughput for 794 HTTP vulnerability signatures on a 3.8GHz PC.Finally, the fourth module is network situational awareness for botnet probings. Botnets dominate today's attack landscape. In this thesis, we investigate ways to analyze collections of malicious probing traffic in order to understand the significance of large-scale "botnet probes". In such events, an entire collection of remote hosts together probes the address space monitored by a sensor in some sort of coordinated fashion. Our goal is to develop methodologies by which sites receiving such probes can infer—using purely local observation—information about the probing activity: What scanning strategies does the probing employ? Is this an attack that specifically targets the site, or is the site only incidentally probed as part of a larger, indiscriminant attack? Our analysis draws upon extensive honeynet data to explore the prevalence of different types of scanning, including properties such as trend, uniformity, coordination and darknet avoidance. In addition, we design schemes to extrapolate the global properties of scanning events (e.g., total population and target scope) as inferred from the limited local view of a honeynet. (Abstract shortened by UMI.)

陈丽丽,李卫,管晓宏,祝春华

DOI: https://doi.org/10.3969/j.issn.1000-7180.2004.06.035

2004-01-01

Abstract:NIDS (Network Intrusion Detection System) as an important security protection tool has become a hotspot for research. We introduce the basic concept of IDS and its primary components and common classification first, then we present the framework of a net-based IDS and its implementation in detail. We put forward our views about the current research of IDS and its prospect last.

Ke CHEN,Zhi-tang Li

DOI: https://doi.org/10.3969/j.issn.1007-130X.2001.02.007

2001-01-01

Abstract:At first,this paper analyzes the we aknesses of firewalls and network intrusion detection systems which are widely used today.Then,an integrated framework model is presented,and the security enhanc ement enabled by the integration is also discussed.Finally,this paper puts forwa rd suggestions on future work.

QING Hua-ping,FU Yan

DOI: https://doi.org/10.3969/j.issn.1671-1742.2005.06.013

2005-01-01

Abstract:A self-adaptive active response network intrusion detection and prevention system model called anidp is proposed to overcome the problems existing in the current network intrusion detection systems such as the inaccuracy in the intrusion detection and lack of the active response to the attacks.The system architecture,feature and implementation methods of the model are discussed in detail.

YANG Tong,QIAO Xiang-dong,ZHENG Lian-qing

DOI: https://doi.org/10.3969/j.issn.1009-3516.2008.02.021

2008-01-01

Abstract:Snort,one of the best Open Source Network Intrusion Detection Systems,is analysed in detail,in this paper,for the sake of searching network intrusion detection system.Then a solution is proposed to eliminate the redundancy of snort's rule chain.Experiments are done,which show that the solution proposed is correct and effective.Finally,on the basis of ARP technology approach,NIDS is developed with the improved snort as kernel module.Its excellent performance proves the solution to be valid once again.

Zhen Chen,Fa-Chao Deng,An-An Luo,Xin Jiang,Guo-Dong Li,Run-hua Zhang,Chuang Lin

DOI: https://doi.org/10.1109/wcins.2010.5541863

2010-01-01

Abstract:Traditional NAC system in enterprise network is in coarse granularity (e.g. IP or MAC address) and lack of flexibility. Recently the demand in tight control of the enterprise network to defense the misuse and security issues become more and more urgent. Based on the TCG TNC standard, an application level network access control mechanism is proposed and implemented. With TNC client/server model in hand, a client is designed to enhance TNC client with the function of host flow controller (HFC), and intercepts each application network access request(ANAR) and transfer it to PDP server to authorize the access request. When a sensor (i.e. intrusion detection system) detects any malicious traffic, host flow controller and network flow controller can identify the application that origins this traffic by querying Metadata Access Point (MAP) server and block this application's network access. A prototype system is implemented to demonstrate the design and can be used to defense the anomaly network behaviors. The prototype system demonstrates that the hosts, switches, firewalls and IDS can work together to detect, diagnose and protect enterprise network from the malicious applications attack initiated inside or outside of an enterprise network, quarantine unhealthy hosts and make the enterprise network more reliable and trustworthy.

Yang Yang,Wang Yonggang

DOI: https://doi.org/10.1109/WCSE.2010.124

2010-01-01

Abstract:We are developing an embedded hybrid firewall prototype which combines an embedded CPU (MPC8260) with a specifically designed FPGA-based packet classification coprocessor. The packet header matching between the input packets and a pre-defined rule set is fully achieved by the hardware coprocessor on-line. The embedded CPU under Linux operation system takes charge of the remaining data-path processing and the management of the firewall, including receiving input packets, sending them to the coprocessor, forwarding the packet according to the classifying results from the coprocessor, and the rule set updating and management. After a brief introduction to our hybrid firewall, we will focus on the software implementation of the firewall. The Linux-2.4.4 has been ported into out system. By modifying the Linux kernel to utilize the hook functions of Linux net filter, input packets are intercepted and their headers are sent to the coprocessor meanwhile the packets are queued in a buffer until the classifying results come out from the coprocessor. A daemon process running at the embedded CPU was designed for updating the filter rule sets so that a remote computer as a client can visit the firewall and manipulate the running of the firewall. A simple demo program running on a PC (under windows OS) was also designed to demonstrate the proper operations of the firewall.