http://www.icst.pku.edu.cn/InfoSecCourse - PowerPoint PPT Presentation

Slides: 72
Provided by: securityc7
Transcript and Presenter's Notes



1
??????????? (?)
  • ???,??????????
  • http://www.icst.pku.edu.cn/InfoSecCourse

2
??
  • ?????????
  • ????????
  • Libpcap
  • WinPcap
  • ??????

3
????
  • ????????,?????????
  • ??????
  • ????????????????
  • ?????????????????????
  • ????????????
  • ????????????????,?????(sniffer)

4
?????????
  • ????/????(CSMA/CD, carrier sense multiple access
    with collision detection)??
  • ???????????????????????,?????????,??????????
  • ????,????????
  • ???????,???????
  • ???????????????????????????????????
  • ??????CSMA/CD??,?????????,??,?????????????????????
    ???

5
?????????
  • ???MAC??(48?)
  • ??ARP???MAC?IP?????
  • ?ipconfig/ifconfig????MAC??
  • ?????,???????????
  • MAC????????????
  • ???
  • ????????????,??????
  • ?????????????????????????,?????
  • ???????????????????,???????(??????)
  • ??????????,?????????

6
?????????
  • ?????
  • ?????????????????
  • ???????HUB???????
  • ?????
  • ?????????
  • ????????MAC??-?????
  • ??????,?????????

7
????????
8
?????????
  • UNIX????????API??
  • Packet socket
  • BPF
  • Windows???????????????
  • ????
  • WinPcap

9
Packet socket
  • ??????
  • ?ioctl()??????
  • ????packet socket
  • packet_socket = socket(PF_PACKET, int socket_type, int protocol)
  • ?????,socket(PF_INET, SOCK_PACKET, protocol)
  • ???UNIX??Linux?????????????,???
  • ????socket(????open??????)
  • ??ioctl()??setsockopt()???????

10
BPF(Berkeley Packet Filter)
  • BSD???
  • BPF?????????,???????
  • Network Tap????????
  • Kernel Buffer,????????????
  • User buffer,???????????
  • Libpcap(???????)??BPF
  • Libpcap???????????
  • Libpcap????????
  • BPF????????????
  • ????,???????,
  • ??,????OS??(?????BSD????)

11
BPF?libpcap
12
??libpcap
  • ?????packet capture
  • ???????,C????
  • ?????0.7??
  • ?????
  • ??????
  • ??????
  • ????
  • ??????,BPF

13
Libpcap??
  • ??????????????
  • char *pcap_lookupdev(char *errbuf) ?????????????,????????
  • pcap_t *pcap_open_live(char *device, int snaplen, int promisc, int to_ms, char *ebuf) ??????packet capture descriptor; snaplen?????????????
  • pcap_dumper_t *pcap_dump_open(pcap_t *p, char *fname) ????savefile??,??dump
  • pcap_t *pcap_open_offline(char *fname, char *ebuf) ????savefile,???????

14
Libpcapdump????
  • ???
  • struct pcap_file_header {
        bpf_u_int32 magic;          // 0xa1b2c3d4
        u_short version_major;
        u_short version_minor;
        bpf_int32 thiszone;
        bpf_u_int32 sigfigs;
        bpf_u_int32 snaplen;
        bpf_u_int32 linktype;
    };
  • ?????????????
  • struct pcap_pkthdr {
        struct timeval ts;
        bpf_u_int32 caplen;
        bpf_u_int32 len;
    };
  • ??????????caplen
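
The savefile layout listed on this slide can be checked by hand without linking libpcap. The walker below is an added example, not code from the lecture or from libpcap: it reads the global header and every packet record from an in-memory buffer (the sample bytes are constructed here), accepts both byte orders of the magic, and refuses records whose caplen exceeds snaplen, exceeds len, or runs past the end of the buffer. One assumption is stated in the comments: the on-disk record header stores the timestamp as two 32-bit fields, so it is read field by field rather than by overlaying the in-memory struct pcap_pkthdr, whose struct timeval is wider on 64-bit hosts.

```c
/* Walker for the libpcap savefile layout on slide 14 (added example, not lecture code).
   Assumption: on disk the record header is ts_sec, ts_usec, caplen, len, each 32-bit,
   so the in-memory struct pcap_pkthdr (with struct timeval) must not be overlaid. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define PCAP_MAGIC 0xa1b2c3d4u   /* magic from the slide; reads as 0xd4c3b2a1 when byte-swapped */

struct pcap_summary {
    int swapped;                 /* file written in the other byte order than this host */
    uint32_t snaplen, linktype;
    int packets, truncated;      /* truncated: caplen < len, i.e. the frame was cut by snaplen */
    uint64_t captured_bytes, wire_bytes;
};

static uint32_t rd32(const uint8_t *p, int swap) {
    uint32_t v;
    memcpy(&v, p, 4);
    return swap ? (v >> 24) | ((v >> 8) & 0xff00u) | ((v << 8) & 0xff0000u) | (v << 24) : v;
}
static uint16_t rd16(const uint8_t *p, int swap) {
    uint16_t v;
    memcpy(&v, p, 2);
    return swap ? (uint16_t)((v >> 8) | (v << 8)) : v;
}

/* Validates the global header and every packet record. Returns 0 on success or a
   negative code for the first defect found; caplen is never trusted without checks. */
int parse_pcap(const uint8_t *buf, size_t n, struct pcap_summary *s) {
    memset(s, 0, sizeof *s);
    if (n < 24) return -1;                                  /* short global header */
    uint32_t magic = rd32(buf, 0);
    if (magic == PCAP_MAGIC) s->swapped = 0;
    else if (magic == 0xd4c3b2a1u) s->swapped = 1;
    else return -2;                                         /* not a libpcap savefile */
    int sw = s->swapped;
    if (rd16(buf + 4, sw) != 2) return -3;                  /* version_major must be 2 */
    /* offsets 8 and 12 hold thiszone and sigfigs; not needed for this walk */
    s->snaplen  = rd32(buf + 16, sw);
    s->linktype = rd32(buf + 20, sw);
    for (size_t off = 24; off < n; ) {
        if (n - off < 16) return -4;                        /* dangling record header */
        uint32_t caplen = rd32(buf + off + 8, sw);          /* after ts_sec and ts_usec */
        uint32_t len    = rd32(buf + off + 12, sw);
        if (caplen > s->snaplen || caplen > len) return -5; /* inconsistent record header */
        if (caplen > n - off - 16) return -6;               /* record runs past end of file */
        s->packets++;
        if (caplen < len) s->truncated++;
        s->captured_bytes += caplen;
        s->wire_bytes     += len;
        off += 16 + caplen;
    }
    return 0;
}

static size_t put32le(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
    return 4;
}
static size_t put16le(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); return 2; }

/* Constructed sample savefile (little-endian): snaplen 64, linktype 1 (Ethernet),
   one 42-byte frame captured whole and one 1500-byte frame cut to 64 bytes. */
size_t build_sample(uint8_t *buf, size_t cap) {
    size_t off = 0;
    if (cap < 24 + 16 + 42 + 16 + 64) return 0;
    off += put32le(buf + off, PCAP_MAGIC);
    off += put16le(buf + off, 2); off += put16le(buf + off, 4);   /* version 2.4 */
    off += put32le(buf + off, 0);    /* thiszone */
    off += put32le(buf + off, 0);    /* sigfigs */
    off += put32le(buf + off, 64);   /* snaplen */
    off += put32le(buf + off, 1);    /* linktype */
    off += put32le(buf + off, 1000000000); off += put32le(buf + off, 0);   /* ts of record 1 */
    off += put32le(buf + off, 42);   off += put32le(buf + off, 42);        /* caplen, len */
    memset(buf + off, 0xAA, 42); off += 42;
    off += put32le(buf + off, 1000000001); off += put32le(buf + off, 500); /* ts of record 2 */
    off += put32le(buf + off, 64);   off += put32le(buf + off, 1500);      /* cut by snaplen */
    memset(buf + off, 0xBB, 64); off += 64;
    return off;
}

int main(void) {
    uint8_t buf[256];
    size_t n = build_sample(buf, sizeof buf);
    struct pcap_summary s;
    int rc = parse_pcap(buf, n, &s);
    printf("rc=%d packets=%d truncated=%d captured=%llu wire=%llu\n", rc, s.packets, s.truncated,
           (unsigned long long)s.captured_bytes, (unsigned long long)s.wire_bytes);
    return rc != 0;
}
```

The checks are the ones a savefile reader needs before handing caplen to memcpy or to a decoder: a record header claiming more bytes than snaplen or than remain in the file is either corruption or a crafted file, and the walker stops there rather than reading past the buffer.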

15
Libpcap ??filter
  • ??????????
  • int pcap_lookupnet(char *device, bpf_u_int32 *netp, bpf_u_int32 *maskp, char *errbuf) ????????????????
  • int pcap_compile(pcap_t *p, struct bpf_program *fp, char *str, int optimize, bpf_u_int32 netmask) ????str??????????
  • int pcap_setfilter(pcap_t *p, struct bpf_program *fp) ???????

16
Libpcap ????
  • ???????????
  • int pcap_dispatch(pcap_t *p, int cnt, pcap_handler callback, u_char *user)
  • int pcap_loop(pcap_t *p, int cnt, pcap_handler callback, u_char *user)
  • ????
  • cnt?????????????
  • pcap_handler???????
  • ??????pcap_loop????read????????
  • ?????void pcap_dump(u_char *user, struct pcap_pkthdr *h, u_char *sp) ?????????pcap_dump_open()??????

17
Windows????????
  • ?????????????
  • ???????????????????????????????
  • ?Windows?????????????
  • ??sniffer???????
  • WinPcap??????????,??libpcap?Windows??

18
Windows 2000????????
19
WinPcap
  • WinPcap??????
  • ?????NPF(Netgroup Packet Filter),?????????????????
    ???????,???????????????????,???????????????????
  • ?????packet.dll?win32??????????????????Windows????
    ??????????????Packet.dll???????????Packet.dll?????
    ????????Windows???,???????
  • ????? Wpcap.dll??????????????????????????
  • packet.dll?Wpcap.dll
  • packet.dll??????????
  • Wpcap.dll???????????????????

20
WinPcap?NPF
21
Windows?????
  • NDIS(Network Driver Interface Specification,??????
    ??)???????????????????,?????????????
  • NPF??????????????

22
WinPcap???
  • ????????????
  • ?libpcap??,???????UNIX????????????????
  • ????????????
  • ???libpcap???????,??
  • ???????????????,????NPF???????????
  • ??????????
  • ???????????

23
?WinPcap?????sniffer
24
Windows?????sniffer??
  • Buttsniffer
  • ??,?????,???Windows NT???,???????
  • NetMon
  • Windows 2000??(Microsoft SMS??)
  • ???????,?????
  • NetXRay
  • ????,???????,?????
  • ??WinPcap???
  • WinDump
  • Analyzer

25
UNIX/Linux??????sniffer??
  • dsniff
  • linux_sniffer
  • Snort
  • tcpdump
  • sniffit

26
?sniffer???????
  • ???????????
  • ??????????sniffer

27
???????????
  • ??????????????????????????,???????????????????????
    ?
  • ??????
  • ?????????
  • Linux??????????,?????MAC???????????????????,?????
    Linux????? ?????IP?????????IP?????,???????????IP??
    ???ICMP ECHO??,??????????(????),???(?????)?
  • Windows 9x/NT??????,??????????????,??MAC????????0
    xff?
  • ??????????
  • ?????????????????????,??,??????????,?????????????
    ????
  • L0pht?AntiSniff??,????????

28
????????????
  • ARP?????,???????

[Figure: ARP redirection between hosts A, B and gateway GW]
  • 1. B??IP????
  • 2. B?????arp??A,?????GW?IP??
  • 3. A???????,????B
  • 4. B????GW
  • ????dsniff??arpredirect??
29
?????Libnet
  • ??Libnet??????????
  • ??Libnet
  • ??????????
  • ???50??C API??,????
  • ????(?????)??
  • ??????
  • ??????????????
  • ???????(IP?????)
  • ??????,????????????

30
??Libnet?????
  • ????????
  • ???????
  • ????????
  • ?????????
  • ?????
  • ??????
  • ???????

libnet_init_packet() → libnet_open_raw_sock() → libnet_build_ip() → libnet_build_tcp() → libnet_do_checksum() → libnet_write_ip() → libnet_close_raw_sock() → libnet_destroy_packet()
31
?????????
  • ????????,???????
  • P2DR????
  • ????????

32
???????
  • ????????

??
???Pt > Dt + Rt
33
P2DR????
  • ????????
  • ????????
  • ???????
  • ????
  • ????
  • P2DR?????????
  • ???????????????
  • ??????????
  • ?????/?????????????

34
IDS Intrusion Detection System
  • ????????
  • ????????
  • ?????????????
  • ????????????

35
IDS???
????
?? ?? ??
???? ?? ??
????
???? ????
????
????
???
36
???????????
  • ????,??
  • ????
  • ??????
  • ????????????
  • ??????????
  • ????
  • ????
  • ????
  • ?????,????????

37
???????????
???
?????
????????
???
?????
?????
???????
38
?????????
  • ????
  • ?????????????????,???????????
  • ????
  • IDS??????????????,??????????????????????
  • ????
  • ????????????,??LIDS
  • ????
  • ???????????????

39
IDS???
  • ????(anomaly detection)
  • ??????????
  • ??????????????,????
  • ???????????????
  • ????(misuse detection)
  • ??????????
  • ???????????
  • ???????????????????

40
????
  • ?????????,????????
  • ????????????
  • ???????????????
  • ????
  • ????
  • ????
  • ????

41
????
  • ?????????,????????
  • ?????????????
  • ????????????,???
  • ????
  • ?????????????
  • ???????????
  • ?????????????
  • ??????????
  • ????,???????????

42
IDS?????
  • ???
  • ????????IDS???
  • ???(false alarm rate)
  • ?????????????
  • ?????????????

43
?????IDS??
  • ????????
  • ??sniff??
  • ?IDS????????????,??????????????????
  • ????????
  • ???????????
  • ?????????????

44
???????IDS snort
  • ????????????IDS
  • ????,???(C????,?????)
  • ??libpcap??????????
  • ??
  • ????????????
  • ????????????????????????????
  • ??????????,?????????
  • ????????
  • ???????,???????sniffer??

45
???????
  • ?????????????
  • Snort??????TCP/IP?????
  • ???????????????
  • ???????????????????????????
  • ????,????,?????
  • ???????,??????,?????????,?????,???????
  • ?????????????FDDI

46
Snort???????
  • ??????
  • ????
  • ????????Chain Header
  • ??,??????Chain Option
  • ??,?????????????????

47
Snort ????????
  • ???????????,????????????
  • ??????,????
  • ???????????
  • ?????IP??
  • Tcpdump??
  • ????????,???tcpdump??,????logging??
  • ????,??
  • Syslog
  • ???alert?????
  • ??WinPopup??

48
??snort???
  • Snort???????
  • ????
  • ??? alert tcp !10.1.1.0/24 any -> 10.1.1.0/24 any
  • ???? (flags: SF; msg: "SYN-FIN Scan";)
  • ???????????,????????????
  • ????????
  • ?????
  • Content option???
  • ??cgi?????????????content option
  • ???????????

49
Snort????
  • ????

50
??snort
  • ???
  • ????,????????
  • ????IDS?????
  • ????????????????
  • Snort???
  • ?????IDS???
  • ????IDS?????????
  • ??
  • ??????
  • ????,???????
  • ????????
  • ??????TCP????????,?

51
???????IDS
  • ??????????NIDS???
  • ????????????
  • ??????,????????,???????
  • ?????NIDS???????????
  • ?????????????????,?????????????IDS?
  • ????????,?????????
  • ??,??????????????????IDS???

52
??????(ANN)??????
  • ANN????????????
  • ???????????????
  • ???????????????
  • ??
  • ?????????????
  • ????????
  • ??????
  • MLP????????
  • CMAC????????

53
MLP????????
  • ?????????,????????????????
  • ????
  • ???????,?????
  • 9???
  • 2???
  • ????
  • ??????????,???????????????
  • ???????????,????????????

54
MLP????
[Figure: MLP network, inputs N1 … N9 connected by weights w to sigmoid units, outputs O1 and O2]
55
MLP??
  • 9???
  • Protocol ID
  • Source Port
  • Destination Port
  • Source Address
  • Destination Address
  • ICMP Type
  • ICMP Code
  • Raw Data
  • Raw Data Length
  • 2???
  • (0.0,1.0)??????
  • (1.0,0.0)?????
  • ?????
  • sigmoid = 1/(1 + exp(-x))

56
MLP???????
  • ???????????
  • ????????
  • ???????????????
  • ?????ANN??ID??????
  • ?????????
  • ??????????

57
CMAC????????????
  • CMAC(Cerebellar Model Articulation Controller)
  • 1975?Albus??
  • ????????
  • ????
  • ??????
  • ??
  • ???????
  • ?????????

58
CMAC??
[Figure: CMAC network, inputs N1 and N2 weighted by w and combined into output O]
59
CMAC????DOS??
  • CMAC??????
  • ????s,??0.0, 1.0
  • 0.0????????,????
  • 1.0??????
  • ??O,??0.0, 1.0
  • 0.0??????
  • 1.0????
  • ???????,?????
  • CMAC?????????
  • ??
  • $w_{i+1} = w_i + b\,(O_d - O_a)$
  • $w_{i+1} = w_i + b\,((1-s) - O_a)$
  • $w_{i+1} = w_i + (1-s)\,((1-s) - O_a)$

60
CMAC?????????????
  • ?????
  • On-line??????
  • ?????????????????
  • ????????,????????
  • ????ping flood??,??UDP packet storm??????2.2
  • ????????
  • ??????????????????????75,????????????,???????????
    ??????
  • ?????????????????

61
?????IDS??
  • ????
  • ????
  • ??????
  • ??OS??
  • ???????
  • ????
  • ??????
  • ????

62
STAT
  • STAT: A state transition analysis tool for intrusion detection
  • ???????Santa Barbara????
  • ???????????????
  • ?????????????
  • ??????????????
  • ??????????????????
  • ????????????????????
  • ?????????????????

[Figure: state transition diagram S1 → S2 → S3, each transition guarded by assertions]
63
STAT????
  • ??
  • ????????????????????????????????????????
  • ??????,????????????????????
  • ????????????????????????,?????????????????????????
  • ????????????????????,????????????
  • ?????????????
  • ??
  • ??(assertions)???????????
  • Assertions???????????????????????
  • STAT??????,??????????????????
  • STAT????????

64
STAT: USTAT
  • USTAT??UNIX???STAT??
  • ?????
  • ???????????,????????????????
  • ????????????????????????????????????????????????
    ???????????????
  • ?????????????????????????????,???????????????????
    ???????,??????
  • ??????????????,???????????????

65
??STAT?IDS
  • USTAT
  • NSTAT
  • ?USTAT???????,????????????????????????????
  • NetSTAT
  • ????????IDS,????????,????????????
  • WinSTAT
  • ?????IDS,??Windows NT?????
  • WebSTAT
  • ?????IDS,?Apache Web Server???????
  • AlertSTAT
  • ???????????,?????????????,???????????????

66
IDS??????
  • ????????????
  • ??IDS???
  • ?????sensor
  • ??Agent?IDS??
  • Purdue??????????AAFID(Autonomous agents for
    intrusion detection)?IDS??
  • SRI?EMERALD(Event Monitoring Enabling Response to
    Anomalous Live Disturbances)

67
??IDS?? ISS RealSecure??
  • RealSecure OS Sensor
  • RealSecure Console
  • RealSecure Network Sensor
  • RealSecure Server Sensor
68
IDS???
  • ???????????????
  • NIDS???
  • ????????
  • ???????????????VLAN??????????,???????
  • ????????
  • ???????????
  • IPSec???????????

69
IDS????????
  • IDS???????,???????????,?????????,??????????
  • IDS?????,?????????????,???????????,?????????????,?
    ????
  • ????????,IDS?DRP(Disaster Recovery
    Planning)??????????
  • DRP??
  • ??????(BIA, Business Impact Analysis)
  • ????????
  • ?????????????????
  • ????
  • ?????

70
IDS??????
  • IDS?????
  • ?????????
  • ???IDS??
  • ????????????
  • ??????????
  • IDS?????
  • IDS??????????
  • IDS?????
  • IDS?????
  • IDS?
  • IDS??????
  • CIDF ???????Davis???????,?????????????????????IDS
    ?????????
  • IDEF IETF IDWG?????,??????????,?XML????????

71
????
  • ?
  • ????,?????????,???????,2002
  • ??
  • Fulvio Risso and Loris Degioanni, An Architecture
    for High Performance Network Analysis
  • Web??
  • UNIX/Linux Programmers Manual
  • WinPcap, http://winpcap.polito.it/default.htm
  • Libnet, http://www.packetfactory.net/Projects/Libnet/
  • STAT, http://www.cs.ucsb.edu/rsg/STAT
  • Snort, http://www.snort.org/