Abstract
By analyzing current NIDS detection techniques and the mechanism by which IP fragments are formed and reassembled, we find that commonly used NIDS detection methods cannot reliably detect attack signatures carried in IP fragments. This is because different systems apply different fragment-handling policies, so the end host's reassembly result cannot be inferred from the NIDS's result, and IP fragments carrying attack signatures can therefore easily evade NIDS detection. To address this, we propose a method for resisting IP fragmentation attacks: a traffic preprocessing engine (TPE) is inserted in series in front of the NIDS and applies predefined rules to IP fragments. Experimental results show that this method effectively resists over 90% of IP fragmentation attacks.
Analyzing the detection technology of current NIDS and the mechanism of formation and reassembly of IP fragments, we find that conventional NIDS detection methods cannot detect attack signatures contained in IP fragments very well, which is due to the different fragment-handling strategies of different systems. Because the end host's reassembly result cannot be deduced from the NIDS's result, this inconsistent behavior between the NIDS and the end host means that attack signatures carried in IP fragments can easily evade NIDS detection. Therefore, we propose an anti-IP-fragmentation-evasion method that places a TPE in series in front of the NIDS, applying preset rules to IP fragments. Experimental results show that our method can effectively resist about 90% of IP fragmentation attacks.
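As an added example (not code from the paper), a minimal normalizer in the spirit of the TPE described above: it reassembles a datagram's fragments under both first-fragment-wins and last-fragment-wins overlap policies and flags any byte where the two disagree, since such a datagram's contents depend on the receiving host's policy and the NIDS cannot know which one applies. The paper's actual rule set is not on the page; the `Fragment` layout, the two policies and the sample fragments are assumptions constructed for this example.

```python
from dataclasses import dataclass
from typing import Dict, List

@dataclass
class Fragment:
    """One IP fragment of a single datagram (constructed test data, not captured traffic).
    offset is in bytes, i.e. the header's 13-bit fragment-offset field already multiplied by 8."""
    offset: int
    data: bytes
    more_fragments: bool  # MF flag; False marks the last fragment

def _assemble(frags: List[Fragment], last_wins: bool) -> Dict[int, int]:
    """Lay fragments into a byte map using one overlap policy.
    frags is in arrival order, so 'first' and 'last' mean first/last received."""
    buf: Dict[int, int] = {}
    for f in frags:
        for i, b in enumerate(f.data):
            pos = f.offset + i
            if last_wins or pos not in buf:
                buf[pos] = b
    return buf

def normalize(frags: List[Fragment]) -> dict:
    """Reassemble under both policies and compare the results.
    status: 'complete'   - unambiguous datagram, payload returned
            'incomplete' - last fragment missing or a hole remains
            'ambiguous'  - overlapping fragments carry different bytes, so the
                           reassembled content depends on the host's policy;
                           a normalizer should drop or flag it rather than guess."""
    first = _assemble(frags, last_wins=False)
    last = _assemble(frags, last_wins=True)
    conflicts = sorted(p for p in first if first[p] != last[p])
    total = None
    for f in frags:
        if not f.more_fragments:
            total = f.offset + len(f.data)
    if total is None or any(p not in first for p in range(total)):
        return {"status": "incomplete", "payload": None, "conflicts": conflicts}
    if conflicts:
        return {"status": "ambiguous", "payload": None, "conflicts": conflicts}
    return {"status": "complete",
            "payload": bytes(first[p] for p in range(total)),
            "conflicts": []}
```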
Source
《计算机工程与科学》
CSCD
Peking University Core Journal
2015, Issue 2, pp. 213-218 (6 pages)
Computer Engineering & Science
Funding
National Natural Science Foundation of China (61303264)
National 863 Program of China (2012AA013002)
Keywords
NIDS
IP fragmentation reassembly
IP fragmentation
evasion
Traffic Preprocess Engine