基于ACE和SSL的Firewall与IDS联动系统研究

J4 ›› 2014, Vol. 36 ›› Issue (08): 1486-1492.

基于ACE和SSL的Firewall与IDS联动系统研究

马占飞1，尹传卓2

(1.内蒙古科技大学包头师范学院,内蒙古包头 014030；2.内蒙古科技大学信息工程学院,内蒙古包头 014010)

收稿日期:2013-01-17 修回日期:2013-04-16 出版日期:2014-08-25 发布日期:2014-08-25
基金资助:
国家自然科学基金资助项目（61163025）；内蒙古自治区自然科学基金资助项目（2010BS0904）；内蒙古自治区高等学校科学研究基金资助项目(重点项目)（NJ10162）；内蒙古自治区高等学校科学研究基金资助项目（NJZY07116）

Research of the linkage system of firewall
and intrusion detection system based on ACE and SSL

MA Zhanfei1,YIN Chuanzhuo2

(1.Baotou Teachers College,Inner Mongolia University of Science and Technology,Baotou 014030；2.School of Information Engineering,Inner Mongolia University of Science and Technology,Baotou 014010,China)

Received:2013-01-17 Revised:2013-04-16 Online:2014-08-25 Published:2014-08-25

摘要/Abstract

摘要：

随着Internet的迅猛发展，网络攻击的方法和技术越来越智能化和多样化，网络安全需求与日俱增。传统的防火墙（Firewall）与入侵检测系统IDS已不能满足网络安全整体化需求。鉴于此，引入ACE网络通信中间件和SSL协议，采用开放接口方式，从网络安全整体性与动态性的需求考虑，设计了一种新型的基于ACE和SSL通信平台的Firewall和IDS协同联动系统模型。该系统模型融合了Firewall和IDS的优点，采用加密信息传输机制、策略管理机制和联动分析算法，确保了传输信息的可靠性、完整性和机密性。实验结果表明，该联动系统不但能够有效地检测和防御攻击，而且具有良好的协作性、通用性和可扩展性。

关键词: 网络安全, 入侵检测系统, 防火墙, 联动, 中间件

Abstract:

With the rapid development of Internet, some intelligent attack methods and techniques are increasing. The network is easily attacked by hackers or malicious software. The safty problem is increasingly outstanding in computer network. The traditional technologies of firewalls and Intrusion Detection Systems (IDSs) own poor security, high false alarm rate, and low level of intelligence. Considering the demands of obtaining integrity and dynamics in network security, a novel linkage system model of firewall and IDS based on open communication platform of ACE (Adaptive Communication Environment) and SSL (Secure Socket Layer) is proposed. This system model combines the advantages of firewall and IDS, and uses the encrypted information transmission mechanism, and the policy management mechanism, and the associated linkage analysis algorithms to ensure the reliability, integrity and confidentiality of the transmitted information. Experimental results show that the linkage system can effectively prevent network from attacks, and possesses better cooperativeness, universalness and expansibility.:

Key words: network security；intrusion detection system；firewall； linkage；middleware

马占飞1，尹传卓2. 基于ACE和SSL的Firewall与IDS联动系统研究[J]. J4, 2014, 36(08): 1486-1492.

MA Zhanfei1,YIN Chuanzhuo2. Research of the linkage system of firewall
and intrusion detection system based on ACE and SSL [J]. J4, 2014, 36(08): 1486-1492.

参考文献［11］

［1］	Balthrop J, Forrest S, Newman M E J, et al. Technological networks and the spread of computer viruses［J］. Science, 2004, 304(5670):527529.
［2］	Werlinger R,Muldner K,Hawkey K,et al.Preparation, detection, and analysis:The diagnostic work of IT security incident response ［J］. Information Management & Computer Security, 2010, 18(1):2642.
［3］	Papadogiannakis A, Vasiliadis G, Antoniades D, et al. Improving the performance of passive network monitoring applications with memory locality enhancements［J］. Computer Communications, 2012, 35(1):129140.
［4］	Aguirre I, Alonso S. Improving the automation of security information management:A collaborative approach［J］. Security & Privacy, 2012, 10(1):5559.
［5］	Aydin M A, Zaim A H K, Ceylan G A. Hybrid intrusion detection system design for computer network security ［J］. Computers and Electrical Engineering, 2009, 35(3):517526.
［6］	Manning W.Check point certified security administrator(Ccsa) certification exam preparation course in a book for passing the check point certified security administrator (Ccsa) exam:The how to pass on your first try certification study guide［M］. London:Emereo Pty Ltd, 2010.
［7］	Zhang Ying, Deng Fachao, Chen Zhen. UTMCM:A practical control mechanism solution for UTM system［C］∥Proc of International Conference on Communications and Mobile Computing, 2010:8690.
［8］	Myungkeun Y, Chen Shigang, Zhang Zhan. Minimizing the maximum firewall rule set in a network with multiple firewalls［J］. IEEE Transactions on Computers, 2010, 59(2):218230.
［9］	Shahrestani S A.Employing artificial immunology and approximate reasoning models for enhanced network intrusion detection［J］. WSEAS Transactions on Information Science and Applications, 2009, 6(2):190200.
［10］	Wang Baoyi, Yang Haipeng, Zhang Shaomin. Research on application of interaction Firewall with IDS in distribution automation system［C］∥Proc of 2011 International Conference on Electronic Engineering, Communication and Management, 2012:527532.
［11］	Tan Wei. The research of firewall and IDS interaction architecture ［D］. Wuhan:Wuhan University of Technology, 2010. (in Chinese)
［12］	Vukobratovic D, Senk V. Transactions papers evaluation and design of irregular LDPC codes using ACE spectrum ［J］. IEEE Transactions on Communications, 2009, 57(8):22722279.
［13］	KhalilHani M, Nambiar V P, Marsono M N. Hardware acceleration of OpenSSL cryptographic functions for highperformance internet security ［C］∥Proc of International Conference on Intelligent Systems, Modelling and Simulation, 2010:374379.
［14］	Kurundkar G D,Naik N A, Khamitkar S D. Network intrusion detection using Snort［J］. International Journal of Engineering Research and Applications, 2012, 2(2):12881296.
［15］	Rovniagin D, Wool A. The geometric efficient matching algorithm for firewalls ［J］. IEEE Transactions on Dependable and Secure Computing, 2011, 8(1):147159.
［16］	Chao C S, Yang S J H. A novel threetiered visualization approach for firewall rule validation［J］. Journal of Visual Languages & Computing, 2011, 22(6):401414.
［17］	Shiravi A, Shiravi H, Tavallaee M, et al. Toward developing a systematic approach to generate benchmark datasets for intrusion detection ［J］. Computers and Security, 2012, 31(3):357374.
［18］	Salah K, Kahtani A. Performance evaluation comparison of Snort NIDS under Linux and Windows server ［J］. Journal of Network and Computer Applications, 2010, 33(1):615.
	附中文参考文献：
［11］	谭伟. 防火墙与入侵检测系统联动架构的研究［D］. 武汉：武汉理工大学, 2010.

[1]	白坚镜, 顾瑞春, 刘清河. SDN环境中基于Bi-LSTM的DDoS攻击检测方案[J]. 计算机工程与科学, 2023, 45(02): 277-285.
[2]	朱世松，巴梦龙，王辉，申自浩. 基于NBSR模型的入侵检测技术[J]. 计算机工程与科学, 2020, 42(03): 427-433.
[3]	刘世文1,5，马多耀2,4，雷程1,3,5，尹少东2,4，张红旗1,5. 基于网络安全态势感知的主动防御技术研究[J]. 计算机工程与科学, 2018, 40(06): 1057-1061.
[4]	刘强，蔡志平，殷建平，董德尊，唐勇，张一鸣. 网络安全检测框架与方法研究[J]. 计算机工程与科学, 2017, 39(12): 2224-2229.
[5]	吴果，陈雷，司志刚，白利芳. 网络安全态势评估指标体系优化模型研究[J]. 计算机工程与科学, 2017, 39(05): 861-869.
[6]	赵宁1,谢淑翠2. 基于dpdk的高效数据包捕获技术分析与应用[J]. 计算机工程与科学, 2016, 38(11): 2209-2215.
[7]	徐爱萍，宋先明，徐武平. 分布式异构数据库集成系统研究与实现[J]. J4, 2015, 37(10): 1909-1916.
[8]	刘红霞,陆文迪. 改进的MVC设计模式的研究与应用[J]. J4, 2015, 37(09): 1688-1691.
[9]	任方. Ad Hoc网络的自适应分布式PKG机制[J]. J4, 2015, 37(07): 1272-1279.
[10]	陈宏亮，刘莉平，赵明，陈志刚. 认知无线网络中基于信誉度管理的动态频谱接入研究[J]. J4, 2015, 37(03): 498-502.
[11]	唐湘滟, 程杰仁, 殷建平, 龚德良. 基于NP模式的报文检测方法[J]. 计算机工程与科学, 2014, 36(11): 2128-2131.
[12]	陈大乾，任广伟. 对社区电子政务网络安全和数据共享问题的思考[J]. J4, 2014, 36(09): 1705-1710.
[13]	王建军,刘玉林. 基于强化学习的自适应中间件在线更新机制研究[J]. J4, 2014, 36(08): 1462-1468.
[14]	张令通1，2，罗森林2. 基于TCP协议首部的网络隐蔽通道技术研究[J]. J4, 2014, 36(06): 1072-1076.
[15]	王林，姜杰. 无线传感器网络中间件技术研究综述[J]. J4, 2014, 36(02): 244-249.