Research On Key Technologies Of Network Security Language

Posted on: 2007-03-19
Degree: Doctor
Type: Dissertation
Country: China
Candidate: W M Li
GTID: 1118360242461887
Subject: Computer system architecture
Abstract/Summary:
With the rapid development of Internet technologies and their applications, network security has become increasingly sensitive and important. Network attack methods change very quickly, which forces the development cycle of network security tools to become shorter and shorter. Complex, covert and distributed attacks also make it difficult to develop security applications.

To describe complex security rules and extend security functions, a large number of security-oriented languages have been proposed, such as Snort script and the RUSSEL language in IDS, NASL in the Nessus scanner, AVDL and VulnXML for vulnerabilities, and LAMBDA, JIGSAW and CISL for attack description. At this stage, however, these languages have many shortcomings. Each serves a single function, and their syntax and semantics differ widely. They describe the same security event in completely different ways, and it is very difficult to exchange information or interact between them. There is also no uniform standard for the expressive power and detection strength of a language.

Therefore, NSL (Network Security Language) is presented. After analyzing all kinds of security applications, a model composed of Feature, Event, Filter, Constraint and Scenario is derived. Based on this model, the complete syntax and semantics of NSL are defined, and the NSL compiler and virtual machine are designed. NSL provides a common security programming environment.

The two-level syntax of Rule and Scenario is the core structure of the NSL language. The expressions, statements and functions of NSL are compatible with C/C++, which reduces the learning curve and provides the ability to describe complex structures. The Rule is concerned with signature-based detection, and the Scenario can automatically deduce attack state transitions, which is used to detect complicated security events.

Signature-based detection is implemented with dynamic Filter loading. Combined with the Filter Cache, this method provides powerful detection ability and a convenient extension mechanism. The Boyer-Moore algorithm used for content matching is also optimized by concatenating the two heuristic steps of the algorithm. The new approach achieves faster content matching for Web attacks. There are four methods of interaction between Rules: rule start or stop, rule variable access, rule method calling and rule event exchange. This feature is more powerful than in ordinary security-oriented languages; it enriches the expressive power and simplifies the description of security policies.

Complex attacks are detected by an automatic state machine. A Scenario includes many states, and every state defines one step of the attack; when an Event object arrives, the current state transitions to the next state. The Event is also the bridge between Rule and Scenario, providing the distributed security detection that ordinary IDS systems lack.

To adapt to high-speed network environments, several optimization technologies are used to improve the efficiency of NSL execution. These methods include peephole optimization, fast instruction dispatch, neural-network-based garbage collection and fast Just-In-Time optimization. The neural-network-based garbage collection is an innovation of this work, and the other technologies are improved in some details. The optimization technologies of NSL overcome the limitations of ordinary interpreted languages.

A return address protection method to prevent buffer overflow is also presented. Remote buffer overflow attacks from untrusted networks are a major threat to the NSL runtime environment. NSL therefore uses return address protection to build a read-only return address area and to encode the return address, which prevents these attacks and enhances the security of NSL itself.

The NSL compiler, virtual machine and runtime environment are fully implemented and form the basis of the Open Multi-Function Security Platform (OMSP). The platform is an extensible, distributed and integrated security tool. The development of OMSP verifies the performance and capability of NSL. The Sniffer, Firewall and IDS functions of the platform work effectively in a real environment. Consequently, the whole project passed the sponsors' acceptance test.
Keywords/Search Tags:Network Security Language, Network Security, Compiler Optimization, Buffer Overflow, Open Multi-Function Security Platform