
Research And Application Of Intrusion Detection Key Techniques In The System Of Scientific Instrument State Monitor

Posted on: 2007-02-06
Degree: Doctor
Type: Dissertation
Country: China
Candidate: Z J Yang
Full Text: PDF
GTID: 1118360185954908
Subject: Measuring and Testing Technology and Instruments

Abstract/Summary:
The Scientific Instrument State Monitor System Program was one of the principal parts of the National Science and Technology Basic Condition Platform Program of China (No. 2004DKA10010, No. 2005DKA10103). This thesis mainly studied two key problems of the program: how to monitor scientific instrument state effectively, and how to safeguard network communication. Network packet filtering and HOOK were the main subjects of study; they are respectively the key techniques for collecting information in Network-based Intrusion Detection and Host-based Intrusion Detection. A network monitor, an IPSec (Internet Protocol Security) implementation, and a scientific instrument state recorder were designed and implemented to resolve the two key problems above.

(1) The methods and techniques of intrusion detection were studied. Intrusion detection detects attacks by collecting and analyzing the relevant data from host computers and the network, and consists of three processes: information collection, information analysis, and result disposal. According to the information source, intrusion detection can be classified as Host-based Intrusion Detection or Network-based Intrusion Detection. Network packet filtering and HOOK are respectively the key techniques for collecting information in Network-based Intrusion Detection and Host-based Intrusion Detection. HOOK is one of the main probes of system actions in Host-based Intrusion Detection: it captures and processes all kinds of system messages through the message-handling mechanism of the Windows operating system (OS), and can be used to monitor the state of Windows applications. Network packet filtering is the foundation of Network-based Intrusion Detection, the principal work of a network monitor system, and the groundwork of IPSec. Therefore it was viable to research and apply network packet filtering and HOOK to resolve such problems as scientific instrument monitoring and network communication security.

(2) Network data packet filtering on the Windows OS was researched, and a network monitor based on a Network Driver Interface Specification (NDIS) intermediate driver (IMD) was developed. The Windows network protocol stack is the basis of network data filtering; it is founded on the OSI-ISO reference model and the TCP/IP protocol suite. NDIS is the interface specification for Windows network protocol components, and provides the development of kernel-mode network drivers with plentiful functions. An NDIS IMD lies between the miniport driver (data link layer) and the protocol driver (network layer), and can filter any data passing through the network card, so it is a satisfactory approach for network monitoring and IPSec on the Windows OS. A network monitor based on an NDIS IMD and the Windows Driver Model (WDM) was designed and implemented on the Windows 2000 platform. The network monitor consists of two modules: the NDIS IMD data packet filtering program, which filters the network data packets, and the application data packet processing program, which sets the filtering conditions and analyzes and processes the filtered packets. The monitor could filter and process IP packets and those of its upper-layer protocols on Windows 2000 in a Local Area Network (LAN) environment.

(3) IP Security (IPSec) was researched, and NDIS-IMD IPSec, built on the NDIS intermediate driver, was designed and implemented. IPSec provides interoperable, high-quality, cryptographically based security for IP communication. The set of security services offered includes access control, connectionless integrity, data origin authentication, protection against replays, content confidentiality, and limited traffic flow confidentiality. NDIS-IMD IPSec consists of two modules, the IPSec IMD and the application, which communicate with each other through the WDM mechanism. It could offer IP security services for end-to-end communication between Windows 2000 users. In addition, its design principle and implementation method can serve as a reference for developing IPSec based on NDIS drivers on Windows 9x/Me (VxD, Virtual Device Driver), Windows NT (KMD, Kernel Mode Driver) and Windows XP/2003 (WDM).

(4) A method of scientific instrument state monitoring based on HOOK was researched, and a scientific instrument state recorder based on a global HOOK was designed and implemented. As one of the main probes of system actions in Host-based Intrusion Detection, HOOK can capture and process all kinds of system messages through the Windows message-handling mechanism, and can monitor the state of Windows applications. Because the hardware monitoring method has a limited applicable area, the scientific instrument state recorder based on a global HOOK was researched, implemented, and applied to some mass spectrometers and electron microscopes. The HOOK recorder is composed of a mouse HOOK Dynamic Link Library (DLL) and a master application installed on the computer that controls the scientific instrument. It monitors instrument state and computes the effective working hours by probing and analyzing users' actions. The HOOK recorder has such advantages as low cost, generality, and easy installation and maintenance, so it is suitable for monitoring many kinds of highly automated scientific instruments whose state is directly controlled by software buttons.

The problems of scientific instrument state monitoring and network communication security were resolved on the basis of the study and application of network packet filtering and HOOK in intrusion detection. In addition, the software monitoring method and the communication security technique researched were also used to implement a distributed monitoring system for control software in such areas as industry, waterpower and electric power.

Further study is listed as follows: (1) Researching and developing the network monitor in a switched network. (2) Researching and applying signature-based detection algorithms to analyze the scientific instrument control flow and data flow over Ethernet, so as to monitor the scientific instruments more accurately. (3) Enriching the encryption and authentication algorithms so as to enlarge the security and the applicable areas of NDIS-IMD IPSec. (4) Improving the HOOK recorder: researching and applying other kinds of HOOK, such as WH_CBT, so as to collect more comprehensive information on the state of processes. (5) Integrating such techniques as HOOK, data flow monitoring based on the serial port and Ethernet, and image recognition to monitor scientific instrument state with the software method.
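To illustrate the division of labour described in (2), where the application module sets the filtering conditions and the NDIS IMD module applies them to every frame crossing the network card, here is an added user-mode model of that per-frame decision (example code, not the dissertation's driver; the rule layout, field names and the constructed test frame are assumptions):

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#define ETH_HDR_LEN 14                 /* dst MAC + src MAC + EtherType */
/* A filtering condition from the application module (hypothetical layout); a zero field matches anything. */
typedef struct {
    uint8_t  proto;     /* IP protocol number: 6 = TCP, 17 = UDP */
    uint32_t dst_ip;    /* destination IPv4 address, host byte order */
    uint16_t dst_port;  /* TCP/UDP destination port */
    int      action;    /* 1 = pass up the stack, 0 = drop */
} filter_rule;
/* Decide the fate of one frame: non-IPv4 or truncated frames pass untouched (only IP and
 * its upper protocols are inspected), the first matching rule wins, no match means pass. */
int filter_frame(const uint8_t *frame, size_t len,
                 const filter_rule *rules, size_t nrules)
{
    if (len < ETH_HDR_LEN + 20 || ((frame[12] << 8) | frame[13]) != 0x0800)
        return 1;
    const uint8_t *ip = frame + ETH_HDR_LEN;
    size_t ihl = (size_t)(ip[0] & 0x0f) * 4;          /* IP header length */
    if ((ip[0] >> 4) != 4 || ihl < 20 || ETH_HDR_LEN + ihl + 4 > len)
        return 1;
    uint8_t  proto = ip[9];
    uint32_t dst = (uint32_t)ip[16] << 24 | (uint32_t)ip[17] << 16 |
                   (uint32_t)ip[18] << 8  | (uint32_t)ip[19];
    uint16_t dport = 0;
    if (proto == 6 || proto == 17)            /* ports follow the IP header */
        dport = (uint16_t)((ip[ihl + 2] << 8) | ip[ihl + 3]);
    for (size_t i = 0; i < nrules; i++) {
        const filter_rule *r = &rules[i];
        if (r->proto && r->proto != proto) continue;
        if (r->dst_ip && r->dst_ip != dst) continue;
        if (r->dst_port && r->dst_port != dport) continue;
        return r->action;
    }
    return 1;
}
/* Constructed minimal Ethernet + IPv4 + TCP/UDP frame for exercising the filter
 * (checksums left zero; the filter never reads them). Returns the frame length. */
size_t build_frame(uint8_t *buf, uint8_t proto, uint32_t dst_ip, uint16_t dport)
{
    memset(buf, 0, 54);
    buf[12] = 0x08; buf[13] = 0x00;                  /* EtherType IPv4 */
    uint8_t *ip = buf + ETH_HDR_LEN;
    ip[0] = 0x45; ip[9] = proto;                     /* version 4, IHL 5 words */
    ip[16] = (uint8_t)(dst_ip >> 24); ip[17] = (uint8_t)(dst_ip >> 16);
    ip[18] = (uint8_t)(dst_ip >> 8);  ip[19] = (uint8_t)dst_ip;
    ip[22] = (uint8_t)(dport >> 8);   ip[23] = (uint8_t)dport;
    return 54;
}
```

A real intermediate driver performs the same header checks inside its send and receive handlers, which is why the length and IHL validation before any field access matters: the driver runs in kernel mode and cannot afford an out-of-bounds read on a malformed frame.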
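The recorder in (4) derives "effective working hours" from the user actions a mouse hook reports. As an added example (not the dissertation's code; the summary structure, the idle limit and the event log are assumptions), this is the kind of computation the master application performs once the hook DLL has delivered timestamps of the operator's actions:

```c
#include <stddef.h>
#include <stdint.h>

/* Summary the master application derives from the hook's event stream
 * (hypothetical structure, not the dissertation's). */
typedef struct {
    uint32_t active_seconds;   /* time the operator was working the control software */
    uint32_t idle_seconds;     /* time between sessions, i.e. gaps beyond idle_limit */
    uint32_t sessions;         /* separate work periods found */
} work_summary;

/* ts: monotonic timestamps (seconds) of user actions reported by the mouse
 * hook. Consecutive actions closer than idle_limit belong to one session and
 * the gap counts as working time; a longer gap closes the session and counts
 * as idle. A session's final action contributes no time (nothing follows it). */
work_summary effective_work(const uint32_t *ts, size_t n, uint32_t idle_limit)
{
    work_summary s = {0, 0, 0};
    if (n == 0) return s;
    s.sessions = 1;
    for (size_t i = 1; i < n; i++) {
        /* a timestamp that went backwards (clock adjustment) is treated as a zero gap */
        uint32_t gap = ts[i] >= ts[i - 1] ? ts[i] - ts[i - 1] : 0;
        if (gap <= idle_limit) {
            s.active_seconds += gap;
        } else {
            s.idle_seconds += gap;
            s.sessions++;
        }
    }
    return s;
}

/* Constructed hook log (seconds since the recorder started): a 25-minute
 * run of actions, a long break, then a short second run. */
static const uint32_t sample_events[] = {
    0, 60, 150, 300, 600, 900, 1500,   /* session 1: gaps sum to 1500 s */
    7200, 7260, 7300                   /* session 2, after a 5700 s break */
};

/* Apply a 15-minute idle limit to the sample log. */
work_summary sample_summary(void)
{
    return effective_work(sample_events,
                          sizeof sample_events / sizeof sample_events[0], 900);
}
```

The idle limit is the one tunable here: too small and a long measurement the operator merely waits for is counted as idle, too large and a forgotten session inflates the instrument's working hours.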
Keywords/Search Tags: intrusion detection, packet filtering, hook, NDIS, intermediate driver, network monitor, IPSec, scientific instrument, state monitor