摘要
讨论了一种在Linux操作系统内核防火墙的攻击防御机制,提出了检测网络攻击的机制和总体架构。在Linux操作系统防火墙的基础上构建了攻击防御框架,针对不同的攻击模式,该框架提供相应的状态检测方法判定攻击的发生并使攻击不能成功。提出的攻击防御体系具有通用、可扩展的特点,可以有效克服传统包过滤防火墙在抗攻击和入侵检测方面的局限性。结果表明:该攻击防御机制可以显著改善防火墙系统的IP安全性。
The principle of attack defense realized in a firewall embedded in Linux kernel has been discussed. Based on the analysis of characteristic of network attack, the mechanism and architecture of attack defense are built in accordance. Through the introduce of stateful detection, the attack defense framework is built to determine and prevent the deportment of various attack. Thereafter, the architecture of attack-removed system can be expected to be general-purpose and easy to be extended. The performance of the whole firewall system is enhanced because the attack defense system effectively overcomes the limitation of conventional packet-filtering firewall. The experiments for validating the improvement of IP security are given as well as the research work.
出处
《电子科技大学学报》
EI
CAS
CSCD
北大核心
2005年第4期509-512,共4页
Journal of University of Electronic Science and Technology of China
