
Contributions To Several Issues Of Network Security

Posted on: 2008-02-27
Degree: Doctor
Type: Dissertation
Country: China
Candidate: D X Tian
Full Text: PDF
GTID: 1118360242460152
Subject: Computer application technology

Abstract/Summary:
Many kinds of applications based on computer networks are becoming increasingly popular in our information society, such as access to information via the Internet, e-commerce, e-learning, and so on. However, this is accompanied by a corresponding increase in risk: there has been a significant increase in Internet attacks, such as DoS, viruses, worms, spyware and malware, causing huge economic and social damage. Since the network is becoming an ever larger information system, and attack tools have become easier to use, more sophisticated and more powerful, network security technologies such as firewalls, VPNs, intrusion detection systems and intrusion prevention systems face more challenges. Under these conditions, interest in the network security field has greatly increased in building more effective, intelligent and comprehensive defense systems. These studies include: comprehensive security solution strategies, such as unified threat management (UTM) and the self-defending network (SDN); trusted computing, which aims at enhancing the future security of operating system platforms and the mutual authentication of computers; and survivability technology, which ensures that the network fulfills its mission, in a timely manner, in the presence of attacks, failures or accidents.

Network security technologies have gone through three generations. The first generation is characterized by passive protection, and its main technologies include firewalls, VPNs, etc. The second generation consists of active detection technologies, including intrusion detection, intrusion prevention and so on. The new generation includes unified threat management, the self-defending network, trusted computing and survivability. This dissertation focuses on packet filtering, anomaly detection, network survivability and attack modeling.
The main contributions of this dissertation are summarized as follows:

(1) As network bandwidth and the number of rules continuously increase, rule checking and conflict detection become the bottleneck of the firewall. This dissertation presents a fast matching algorithm, BSLT (Binary Search in Leaves of Tries), which is based on trie construction and stores the matching rules only in the leaf nodes, so it consumes less memory. The space complexity is O(NW), where N is the number of filter rules and W is the maximum number of bits specified in the destination or source fields. Binary search is used to find the matching rule in the leaf nodes, which speeds up matching; the complexities of searching time and matching time are O(W) and O(N) respectively. The rule conflict problem is also proved, and a conflict detection algorithm is given.

(2) A high false alarm rate is the main reason why anomaly detection methods cannot be used in practice. This dissertation puts forward anomaly detection algorithms for network intrusion detection systems. Since the headers of network datagrams include almost all the control information, and all datagrams can be captured efficiently, the description of network behavior relies on the datagrams. The advantage of adaptive resonance theory is that the system can learn in real time and in an unsupervised way, which is essential to anomaly-based detection. The modified adaptive resonance theory algorithm improves learning efficiency, and the datagram missing rate has been reduced from 15% to 10%. The GSP algorithm is improved by introducing a main attribute and an interest measure, and is then applied to network intrusion detection. Experimental results show that the precision and performance of the system are improved by the optimized algorithm.
A method similar to Hamming distance is adopted in the detection, which is effective in reducing both false positives and false negatives; the error rate is less than 10%.

(3) As Internet bandwidth increases at an exponential rate, it is impossible to keep up with network speeds simply by increasing processor speed. In addition, complex intrusion detection methods further add to the pressure on network intrusion detection system (NIDS) platforms, so the continuously increasing speed and throughput of networks pose new challenges to NIDS. To make NIDS usable on Gigabit Ethernet, the ideal policy is to use a load balancer to split the traffic and forward it to different detection sensors, which analyze the split data in parallel. To make each slice contain all the evidence necessary to detect a specific attack, the load balancer has to be designed in a complicated way and becomes a new bottleneck of the NIDS. To simplify the load balancer, this dissertation puts forward a distributed neural network learning algorithm. Using this learning algorithm, a large data set can be split randomly, and each slice is handled by an independent neural network in parallel.

(4) The promising directions in evaluating network security are building attack models as attack graphs (trees, nets), checking various properties of these graphs, and determining security metrics that can explain possible ways to increase the security level. A computer network is a hybrid dynamic system constructed from a discrete subsystem and a continuous subsystem. Since a network attack is a kind of network-based behavior, attack behavior shows two characteristics: the behavior changes continuously, and the changes are driven by events. This dissertation puts forward a network throughput rate dynamics model and analyzes its stability. The effectiveness of the proposed dynamics model is corroborated using ns-2-based simulations. In the experiments, the evolution of the throughput rate under different bandwidths, transport protocols and queue management policies is analyzed. The results show that the dynamics model represents the change of throughput rate well, that UDP's increasing coefficient and competing coefficient are bigger than TCP's, and that RED's increasing coefficient and competing coefficient are bigger than Drop-tail's. After the increasing coefficient and competing coefficient are computed by statistical and regression methods, such as least squares, the model can be combined with the attack graph method to check the network security level and survivability.
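Contribution (1) above reports a conflict detection algorithm for filter rules. The following Python is an added illustration of what such a check finds, not the dissertation's BSLT or its own algorithm: rules with source/destination prefixes, protocol and a destination-port range are compared pairwise, and a later rule whose match set overlaps an earlier one with a different action is flagged. The rule fields, the constructed rule set and the shadowed/redundant/correlated labels (the common firewall-anomaly taxonomy) are assumptions for the example.

```python
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_network

@dataclass(frozen=True)
class Rule:
    name: str
    src: IPv4Network
    dst: IPv4Network
    proto: str      # "tcp", "udp" or "any"
    ports: tuple    # inclusive (low, high) destination-port range
    action: str     # "allow" or "deny"

def overlaps(r1, r2):
    """True when some packet could match both rules."""
    return (r1.src.overlaps(r2.src) and r1.dst.overlaps(r2.dst)
            and ("any" in (r1.proto, r2.proto) or r1.proto == r2.proto)
            and r1.ports[0] <= r2.ports[1] and r2.ports[0] <= r1.ports[1])

def covers(r1, r2):
    """True when every packet matching r2 also matches r1."""
    return (r2.src.subnet_of(r1.src) and r2.dst.subnet_of(r1.dst)
            and r1.proto in ("any", r2.proto)
            and r1.ports[0] <= r2.ports[0] and r2.ports[1] <= r1.ports[1])

def find_conflicts(rules):
    """Return (earlier, later, kind) for rule pairs that interact; first match wins."""
    findings = []
    for i, earlier in enumerate(rules):
        for later in rules[i + 1:]:
            if not overlaps(earlier, later):
                continue
            if covers(earlier, later):            # later rule can never fire
                kind = "redundant" if earlier.action == later.action else "shadowed"
            elif earlier.action != later.action:  # partial overlap: rule order decides
                kind = "correlated"
            else:
                continue                          # partial overlap, same action: harmless
            findings.append((earlier.name, later.name, kind))
    return findings

def mk(name, src, dst, proto, ports, action):
    return Rule(name, ip_network(src), ip_network(dst), proto, ports, action)

# Constructed sample rule set for the demonstration (evaluated top to bottom)
SAMPLE_RULES = [
    mk("r1", "10.0.0.0/8", "0.0.0.0/0", "tcp", (1, 65535), "deny"),
    mk("r2", "10.1.0.0/16", "0.0.0.0/0", "tcp", (80, 80), "allow"),         # shadowed by r1
    mk("r3", "192.168.0.0/16", "172.16.0.0/12", "any", (1, 1024), "allow"),
    mk("r4", "192.168.5.0/24", "172.16.0.0/12", "udp", (53, 53), "allow"),  # redundant with r3
    mk("r5", "0.0.0.0/0", "172.16.0.0/12", "tcp", (443, 443), "deny"),      # correlated with r3
]
```

Calling `find_conflicts(SAMPLE_RULES)` reports r2 as shadowed by r1 (the intended allow never fires), r4 as redundant with r3, and r3/r5 as correlated, where only rule order decides the outcome for TCP/443 traffic from 192.168.0.0/16.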
Keywords/Search Tags:network security, intrusion detection, intrusion prevention, firewall, self-defending network, conflict detection, united threat management, filter rule, network survivability, neural network, data mining, anomaly detection, misuse detection