Computer Engineering and Applications, 2011, Vol. 47, Issue 26: 103-106.

• Network, Communication, and Security •

Stepping-stone intrusion detection through efficient TCP/IP packet matching

ZHANG Yongzhong¹, ZHAO Guoqing², YE Chunming¹

  1. Department of Business Management, University of Shanghai for Science and Technology, Shanghai 200433, China
  2. Department of Computer Science and Technology, Beijing Institute of Petrochemical Technology, Beijing 100076, China
  • Received: 1900-01-01 Revised: 1900-01-01 Online: 2011-09-11 Published: 2011-09-11

Abstract: Estimating the length of a downstream TCP/IP interactive session to detect stepping-stone intrusion has been a hot topic in computer network security. The key to computing the length of a connection chain is matching TCP/IP send and echo packets. The SDC algorithm was proposed for this purpose. Unfortunately, SDC is not efficient in terms of time complexity. The cause of SDC's inefficiency is analyzed, and an improved algorithm using a sliding window, SWAM (Sliding Window Packet Matching Algorithm), is proposed. The efficiency analysis shows that SWAM can reduce computation by up to 99.99%. Two ways are proposed to determine the size of the sliding window: one exploits the convergence of the matching result, and the other takes advantage of features of the TCP/IP protocol. The second way is intended to reduce the computation further, because the first still incurs some computation.

Key words: stepping-stone intrusion, intrusion detection, TCP packet, matching, network security