ITAOI2005 Fourth Conference on Information Technology and Applications in Outlying Islands, paper template

Building a Real-Time Network Response System in an E-Learning System
Lin Yu Da
Institute of Information, Computer and Education, National Kaohsiung Normal University
f1239marklin@icemail.nknu.edu.tw
Abstract
With the rapid growth of the Internet, network security becomes more and more important. In this study we use Snort to build a protection system integrated with an E-learning platform in order to detect intruders from the Internet. Using the convenience and immediacy of the Internet, the system also provides services such as immediate notification and troubleshooting, so as to spread knowledge of network security and keep the E-learning platform operating normally.
Keywords: E-learning, NIDS, network security
Preface
In January 2003 the OECD-APEC Global Forum on Policy Frameworks for the Digital Economy, held in Honolulu, put the importance of network security and its related policies on its security agenda (OECD2003). The critical infrastructure protection center under the FBI in the USA issued a report named "National policy concerning the security in the Cyber Space", which for the first time raised network security to the level of a military strategy related to national security and, for the first time, made network security part of the overall thinking on national security. Some Internet experts think that, behind the network security fever, many people still have an immature or infant-stage understanding of network security. Barbara Fraser, leader of the IETF IP security protocol task force, pointed out that the Internet is insecure because of a lack of professional knowledge about network security and a biased understanding of the Internet, and that network security should start with each person.
The network intrusion detection and response software we developed is application-layer software. Its advantage is its real-time function: the system can fully monitor the network access condition of the connection from the learner's computer to the teaching system, and it automatically provides the learners with a solution for computer security issues, drawing the learners' attention to network security. The system can also be used by the web managers of a school or a company; its real-time property lets the web managers know better about the learners' network access situation, so overall working efficiency is enhanced and inappropriate information can be prevented.
Background knowledge
1. Providing a safe platform for the Internet learner
Whether on a personal operating platform, a traditional client/server architecture, a multi-tier architecture or an Internet platform, anti-virus software and firewalls play an important role. However, studies show that Internet learners usually have low alertness and no computer-related knowledge and are therefore at risk of attack by viruses or hackers. Some learners do not even know that they have been intruded by a hacker or infected by an Internet virus; the virus is then passed on to the Internet learning platform or to other learners' computers, which can further lead to the malfunction of the teaching platform. Looking at current E-learning platforms, the system manager usually uses a firewall and anti-virus software to stop the dangers of the Internet, but this is only passive prevention and cure.
Here the researchers think that an E-learning platform, in addition to providing the E-learning service, should have the responsibility to inform learners of the conditions they might encounter and of the procedures to handle them. Internet viruses and hackers are not formidable; the formidable thing is to let them spread without stopping them, which can lead to serious results. Therefore a network safety notification mechanism is important in the teaching platform: it allows the learner to understand the current situation of the computer and raises the learner's alertness (as shown in Figure 1).
Figure 1. Internet notification and access mode
2. Winpcap
Winpcap is a library for capturing network packets under the Windows environment. It allows a higher-level application to carry out some low-level functions, so the Winpcap library is the most important basic tool in this detection system.
As shown in Figure 2, the basic architecture of Winpcap can be divided into three parts: the application layer, the kernel layer and the hardware layer.
The lowest level, the hardware layer, is the network interface card, which captures the packets travelling on the network. This layer captures packets without losing them, uses the lowest amount of network resources, and is universal and flexible enough to be used by different kinds of application software.
The next layer is the kernel layer. Its main job is to pass the packets captured by the hardware layer up to the application layer so that the program can handle the data; the data can be read and written like a file.
The application layer processes the delivered packets and converts them into useful output information for the user; it is therefore easy to use and to modularize, and it is also expandable and supports multiple protocols.
Figure 2. Winpcap basic architecture
packet.dll in the application layer is a dynamic link library; it allows the Windump program to run under the Windows environment without any re-coding. libpcap, on the other hand, is a static library in the capture program; the functions it provides are independent of the hardware or operating system, and it offers a high-level, convenient path for performing low-level work such as packet capture. It is therefore suitable for network software development on other systems; for example, the TcpDump program can use libpcap to capture packets under Unix.
3. Snort detection principle
Snort is a convenient network intrusion detection system built on libpcap. It can log and analyze network traffic in real time, performs tests on the IP packets on the network, and can carry out protocol analysis and content searching/matching; it can be used to detect many kinds of attacks and probes (such as buffer overflows, CGI attacks, SMB probes, etc.).
There are five main reasons we use Snort as the intrusion detection system. The first is its low load: although Snort is powerful, its source code is very neat and compact, and the compressed source archive is only 110KB. The second is its high portability: Snort is highly cross-platform and currently supports systems such as Linux, Solaris, BSD, IRIX, HP-UX, Win2K, etc., so it is suitable for all kinds of E-learning system platforms. The third is its power: it has the capability to analyze traffic and IP network data packets, and it can rapidly detect network attacks. The fourth is its excellent expandability, which lets it respond rapidly to new attacks and threats: Snort can analyze protocols such as TCP, UDP and ICMP, and in the future it can provide support for protocols such as ARP, IGRP, GRE, OSPF, RIP, IPX, etc. The fifth is that it complies with a universal license: Snort follows the GPL, so any company, enterprise, person or organization can use it as its own NIDS (network intrusion detection system) for free.
Figure 3 shows the three major parts of Snort. The first is the packet decoder, which is in charge of packet collection and decoding; the second is the detection engine, which checks whether a packet is abnormal according to the rule database; the third is the logging and alerting subsystem, which records the related content of the abnormal packet and outputs it in an appropriate format. Therefore, after a packet is received, Snort decodes it immediately and checks it against the rule database to see whether it is abnormal; if it is, Snort outputs it in a log file format or records it in the database.
Figure 3. Snort intrusion detection principle
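To make the three stages of Figure 3 concrete, here is an added Python example (it is not part of the paper and not Snort's own code) that parses a Snort-style rule, runs a simplified detection engine over constructed learner traffic, and emits the alert records that the logging subsystem would write to the database. The Packet class, the supported rule subset (header plus msg/content/sid), the IP addresses and sid 1000001 are all constructed assumptions.

```python
import re
from dataclasses import dataclass

@dataclass
class Packet:
    """Constructed stand-in for what Snort's packet decoder hands on."""
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes

RULE_HEADER = re.compile(
    r'(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s*->\s*(\S+)\s+(\S+)\s*\((.*)\)\s*$')

def parse_rule(line):
    """Parse 'action proto src sport -> dst dport (options)' into a dict."""
    m = RULE_HEADER.match(line.strip())
    if not m:
        raise ValueError("unparsable rule: " + line)
    action, proto, src, sport, dst, dport, opts = m.groups()
    rule = dict(action=action, proto=proto, src=src, sport=sport, dst=dst, dport=dport)
    for opt in filter(None, (o.strip() for o in opts.split(";"))):
        key, _, val = opt.partition(":")      # assumes no ';' inside quoted values
        rule[key.strip()] = val.strip().strip('"')
    rule["sid"] = int(rule.get("sid", 0))
    return rule

def detect(packet, rules):
    """Detection engine: return one alert record per rule the packet matches."""
    alerts = []
    for r in rules:
        pairs = ((r["src"], packet.src), (r["sport"], packet.sport),
                 (r["dst"], packet.dst), (r["dport"], packet.dport))
        header_ok = r["proto"] == packet.proto and all(p == "any" or p == str(v) for p, v in pairs)
        content_ok = "content" not in r or r["content"].encode() in packet.payload
        if header_ok and content_ok:   # logging/alerting subsystem: the row written to the database
            alerts.append({"sid": r["sid"], "msg": r.get("msg", ""), "src": packet.src,
                           "dst": packet.dst, "dport": packet.dport})
    return alerts

def demo():
    """Constructed rule and learner traffic; the sid is in the local (>= 1000000) range."""
    rules = [parse_rule('alert tcp any any -> any 80 '
                        '(msg:"CGI directory probe"; content:"/cgi-bin/"; sid:1000001;)')]
    traffic = [Packet("tcp", "10.0.0.5", 40000, "192.0.2.10", 80, b"GET /course/index.asp HTTP/1.1\r\n"),
               Packet("tcp", "10.0.0.7", 40001, "192.0.2.10", 80, b"GET /cgi-bin/test HTTP/1.1\r\n")]
    return [a for p in traffic for a in detect(p, rules)]
```

Only the second packet trips the rule, so demo() returns a single alert record naming the learner's source address 10.0.0.7.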
4. Response system architecture
The system is built on a 2-tier architecture (as shown in Figure 4) and can be divided into three layers: the user interface, the processing layer and the storage layer. The user-interface layer mainly uses a WEB interface and EMAIL to inform the learner and the system manager of the current network situation and the related solution; the processing layer is mainly made up of Snort, which outputs the packets it analyzes to the database to facilitate program access and interaction; the storage layer mainly stores and outputs the analysis data of abnormal packets, and uses data-mining methods to extract related information and solutions from the analysis data.
For the system manager, the use of intrusion detection can reduce the difficulty of system maintenance and keep answers to the learners' questions timely. It also lets the learners understand the potential threats of viruses or the types of Trojan horse that might currently threaten the system on the Internet, so that the learner can react immediately. The following figures show a Web real-time response mechanism prepared by the Internet university using the detection system (Figure 6) and a mail notification mechanism (Figure 7).
Figure 4. System architecture
Realization and application of the intrusion detection system
As shown in the system flow chart of Figure 5, Winpcap and the Snort 2.0 software are first installed into the E-learning system. A real-time response system is then developed around Snort's output information using Microsoft's ASP.NET; it works from the abnormal packet records and, according to the IP address of the learner's computer, verifies and gives immediate responses to the registration records and access contents in the remote teaching system.
Figure 5. System flow chart
This system is applied in a three-credit class on the general theory of special education at National Kaohsiung Normal University. The main targets of the Internet university are in-service teachers, students and the general public; therefore many of the learners are not familiar with network security, or do not even have the ability to maintain their computers themselves. Adding the detection mode into the system provides the learners with the real-time network status of their computer access and lets them understand the importance of network security in addition to the course content.
Figure 6. Web notification interface
Figure 7. Mail notification interface
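The notification flow of sections 4 and 5 (alert rows from the database, a lookup of the learner by the IP address of their computer, and a Web or mail notice carrying a solution) as an added Python example; this is not the paper's ASP.NET code. The learner table, the solution texts, the one-hour notification window and all addresses are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed stand-ins for the storage layer's tables: learner registrations keyed by the
# IP address they connect from, and a solution text per Snort rule id (sid).
LEARNERS = {"10.0.0.7": {"name": "learner A", "mail": "a@example.edu"},
            "10.0.0.9": {"name": "learner B", "mail": "b@example.edu"}}
SOLUTIONS = {1000001: "Your computer sent CGI probe requests: run a virus scan and apply updates.",
             1000003: "Your computer is scanning the teaching server: check it for a Trojan horse."}
WINDOW = timedelta(hours=1)   # assumed: at most one notice per learner and rule per hour

def build_notifications(alert_rows, now):
    """Turn alert rows (as Snort writes them to the database) into per-learner notices.

    Alerts older than WINDOW are skipped as already handled; alerts whose source IP is not a
    registered learner go to the system manager only; repeated hits of the same rule from the
    same learner are folded into one notice with a hit count.
    """
    per_learner = defaultdict(lambda: defaultdict(list))
    for_manager = []
    for row in alert_rows:
        if now - row["ts"] > WINDOW:
            continue
        if row["src"] not in LEARNERS:
            for_manager.append(row)
            continue
        per_learner[row["src"]][row["sid"]].append(row)
    notices = []
    for ip, by_sid in per_learner.items():
        for sid, rows in by_sid.items():
            notices.append({"to": LEARNERS[ip]["mail"], "ip": ip, "sid": sid, "hits": len(rows),
                            "subject": rows[0]["msg"],
                            "solution": SOLUTIONS.get(sid, "Please contact the system manager.")})
    return notices, for_manager

def demo():
    """Constructed alert rows; the clock value is arbitrary."""
    now = datetime(2005, 5, 20, 10, 0)
    sample = [(5, "10.0.0.7", 1000001, "CGI directory probe"),
              (7, "10.0.0.7", 1000001, "CGI directory probe"),
              (9, "10.0.0.7", 1000001, "CGI directory probe"),
              (180, "10.0.0.7", 1000003, "Port scan"),   # stale: outside WINDOW
              (2, "10.0.0.3", 1000003, "Port scan")]     # not a registered learner
    rows = [{"ts": now - timedelta(minutes=m), "src": src, "sid": sid, "msg": msg}
            for m, src, sid, msg in sample]
    return build_notifications(rows, now)
```

demo() yields one learner notice (three hits folded together) and one row left for the manager because its source address is not a registered learner.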
Test of the system
To verify its function and feasibility, 264 learners joined the three-credit class on the general theory of special education, and a questionnaire survey was performed after the completion of the course. The result is used as the functional evaluation of the system, and the survey result is shown in Table 1.
Table 1. The questionnaire survey result of system usage (effective questionnaires: 245)
Conclusion
Building an intrusion detection and response system into the E-learning platform with Snort not only has low cost but also puts a low load on the system. A system test after its introduction into the E-learning platform shows enhanced system stability and usability, allowing every learner to enjoy a better and safer learning platform; in addition, the system's high portability makes it suitable for an E-learning platform set up on any system. Meanwhile, there are many output formats, such as general system logs, Tcpdump format, XML format and database format, so the output can be designed according to specific requirements; since it can be output to the database, it can be used to analyze the correlation between related network packets and the users.
References
[1] China Science and Technology Information: OECD 2003 conference on information systems and network security, http://www.chinainfo.gov.cn/data/200401/1_20040103_72053.html
[2] China Science and Technology Information: US National Science Foundation funds thirty million to strengthen network security, http://www.chinainfo.gov.cn/data/200401/1_20040103_72045.html
[3] National Sun Yat-sen University: Introduction to network teaching, http://cu.nsysu.edu.tw/10001door/book/a04.htm
[4] Lin Tao (ROC year 88): The confusion of technology. Central Daily News, July 6.
[5] Three-credit class on the general theory of special education, http://nu.nknu.edu.tw/spc
[6] Microsoft security home page, http://www.microsoft.com/taiwan/security/
[7] AirSnort, http://airsnort.shmoo.com/
[8] Snort FAQ, http://www.snort.org/docs/faq.html
[9] Snort users manual, http://www.snort.org/docs/writing_rules/
[10] Snort.org web site: http://www.snort.org
[11] The Snort drinking game, http://www.theadamsfamily.net/~erek/snort/drinking_game.txt
[12] The Snort users' mailing list, http://lists.sourceforge.net/lists/listinfo/snort-users