Research on a Dynamic Composite Virtual Network for Active Intrusion Prevention
Published: 2018-08-23 07:58
[Abstract]: With the rapid development of computer networks, attack techniques have become more complex and varied, attack tools and the means to launch attacks are easier to obtain, and intrusions are more frequent, so network security problems grow ever more serious. Existing network defences include firewalls, intrusion detection systems, user authentication, encryption and decryption, vulnerability scanning and anti-virus software, but no single protective technology can by itself secure a network and its systems, and most of these defences are passive and act only after the fact.

To address this, the thesis fuses five security techniques, namely network visualization, honeypots, automatic attack-signature extraction, Snort intrusion detection and firewall linkage, and designs and implements a dynamic composite virtual network framework that can be deployed at every level of a network, giving the protected system active, proactive and real-time intrusion prevention.

The main contributions are as follows:

(1) A passive service-discovery method based on NetFlow. Six heuristic decision functions are defined and implemented to reassemble unidirectional flow records into connection-oriented bidirectional flows; the result is sorted into three flow types, from which four types of endpoint are extracted, so that the set of services in a given network can be detected continuously and accurately. This gives a simple and effective service visualization for large networks.

(2) A scanning module that combines active scanning with passive probing. The effect of Nmap parameters such as scan interval and number of concurrent threads on scan time, resource consumption and the physical network is analysed in detail, so that the cooperative scan identifies the physical topology and host configurations quickly and accurately, tracks configuration changes automatically, and at the same time disturbs the physical network as little as possible and uses the fewest system resources. The scan results are then used to configure and update a Honeyd-based front-end low-interaction honeypot network automatically. The influence of the number of idle IP addresses and the proportion of reserved addresses on the probability that the virtual network attracts attacks is studied, and the number of virtual hosts, the IP addresses they occupy, their operating systems and their open ports and services are all derived from the physical network, so that the virtual network is both deceptive and faithful to the real one.

(3) A virtual network composed of many front-end low-interaction honeypots and a few back-end high-interaction honeypots, to attract attacks and gather information effectively. A multi-module combined decision strategy with six basic decision modules is proposed, so that traffic which is worth studying but is limited by the low interactivity of the front-end honeypots is forwarded transparently to the back-end high-interaction honeypots. Attack signatures are extracted on both the front-end and the back-end honeypot networks, so that automatic extraction on each side complements the other, and a new signature purification algorithm is given that deletes duplicate signatures to reduce their number and further strips redundant information from the signatures that remain. Tests show that the framework extracts attack signatures effectively, reduces signature size and improves the usability of the generated signatures.
(4) Active intrusion prevention through Snort linkage modules developed for the Windows platform, one based on a Windows host and one on Cisco routers. On the host, Snort is coupled with the IPSec filters or firewall built into Windows: when Snort raises a dangerous alert, the linkage module automatically installs IPSec filters or firewall rules that filter the corresponding inbound and outbound packets. Experiments show that dangerous network data is blocked successfully without adding any third-party firewall and without modifying the Windows kernel. On the router side, the linkage is based on access control lists: when Snort raises a dangerous alert, the module automatically selects the router at the appropriate position in the network topology, updates its ACL and blocks the dangerous packets coming from the attacker. Linkage tests against three intrusion source IPs show that the Cisco router linkage isolates and controls network data from dangerous IPs without modifying the existing topology and without adding hardware.

The virtual network framework designed and implemented in this thesis actively and selectively lures network attacks and confuses the attacker so that the real targets cannot be identified, ties the attack to virtual networks and machines for as long as possible, resists attacks including network scanning, DoS and DDoS, consumes the attacker's resources, and buys time to protect the real network, widening the scope of active defence. It also collects and analyses attack information effectively, giving insight into the motives, tools and activity patterns of attackers and attacker groups, captures worms and viruses, and provides data for analysing and responding to complex attacks including distributed denial of service. Most importantly, the virtual network can discover new attacks, automatically extract signatures for them and extend the Snort rule base. Using these rules, Snort configures firewalls or routers through the firewall linkage technique, screens intrusion data in real time, filters out dangerous packets, realizes active intrusion prevention and raises the security of the whole system.
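As an added illustration of contribution (1), and not code from the thesis, the following Python example reassembles unidirectional NetFlow v5-style records into connections and classifies endpoints. The thesis's six heuristic functions, three flow types and four endpoint types are not given on this page; the pairing window, the client/server orientation rules and the three flow and four endpoint classes below are this example's own assumptions, and the flow records are constructed.

```python
"""Passive service discovery from unidirectional NetFlow records (added example)."""
from collections import defaultdict, namedtuple

TCP, UDP = 6, 17
SYN, ACK = 0x02, 0x10
HTTP_FLAGS = 0x1B   # SYN|ACK|PSH|FIN: NetFlow v5 tcp_flags is the OR of every flag seen in the flow

# One exported unidirectional record; first_ms is the timestamp of the flow's first packet.
Flow = namedtuple("Flow", "src sport dst dport proto first_ms packets tcp_flags", defaults=(0,))
Conn = namedtuple("Conn", "client server port proto")   # one reassembled bidirectional connection

def orient(a, b):
    """Which half of a matched pair initiated the connection (assumed heuristics, not the
    thesis's own): the half whose first packet is earlier; on a timestamp tie, the half with
    the higher source port (ephemeral client ports are high, service ports are low)."""
    if a.first_ms != b.first_ms:
        client = a if a.first_ms < b.first_ms else b
    else:
        client = a if a.sport > b.sport else b
    return Conn(client.src, client.dst, client.dport, client.proto)

def pair_flows(flows, window_ms=60_000):
    """Reassemble one-way records: a record and the record with the reverse 5-tuple whose first
    packets lie within window_ms of each other form one connection. Returns three flow classes:
    bidirectional, unanswered (TCP, SYN only, no reverse record) and half-seen (the reverse half
    fell into another export interval or was never exported)."""
    index = defaultdict(list)
    for f in flows:
        index[(f.src, f.sport, f.dst, f.dport, f.proto)].append(f)
    used, bidir, unanswered, half_seen = set(), [], [], []
    for f in flows:
        if id(f) in used:
            continue
        used.add(id(f))
        reverse = [r for r in index[(f.dst, f.dport, f.src, f.sport, f.proto)]
                   if id(r) not in used and abs(r.first_ms - f.first_ms) <= window_ms]
        if reverse:
            match = min(reverse, key=lambda r: abs(r.first_ms - f.first_ms))
            used.add(id(match))
            bidir.append(orient(f, match))
        elif f.proto == TCP and f.tcp_flags == SYN:
            unanswered.append(f)
        else:
            half_seen.append(f)
    return bidir, unanswered, half_seen

def discover(flows, min_clients=2):
    """Four endpoint classes (assumed): service = server side of connections from at least
    min_clients distinct clients; client = initiator side; probed = target of unanswered SYNs;
    scanner = source of unanswered SYNs to at least min_clients distinct targets."""
    bidir, unanswered, _ = pair_flows(flows)
    per_service, clients = defaultdict(set), set()
    for c in bidir:
        per_service[(c.server, c.port, c.proto)].add(c.client)
        clients.add(c.client)
    probed, per_scanner = defaultdict(set), defaultdict(set)
    for f in unanswered:
        probed[(f.dst, f.dport, f.proto)].add(f.src)
        per_scanner[f.src].add((f.dst, f.dport))
    return {
        "services": {ep: len(cs) for ep, cs in per_service.items() if len(cs) >= min_clients},
        "clients": clients,
        "probed": dict(probed),
        "scanners": {s for s, targets in per_scanner.items() if len(targets) >= min_clients},
    }

# Constructed export: three HTTP clients, one SSH client, two DNS clients, one SYN scanner
# sweeping port 23, and a long-lived HTTPS flow whose other half was exported earlier.
SAMPLE_FLOWS = [
    Flow("192.0.2.10", 51000, "10.0.0.5", 80, TCP, 1000, 8, HTTP_FLAGS),
    Flow("10.0.0.5", 80, "192.0.2.10", 51000, TCP, 1001, 7, HTTP_FLAGS),
    Flow("192.0.2.11", 51001, "10.0.0.5", 80, TCP, 2000, 8, HTTP_FLAGS),
    Flow("10.0.0.5", 80, "192.0.2.11", 51001, TCP, 2000, 7, HTTP_FLAGS),   # same-ms tie: port decides
    Flow("192.0.2.12", 51002, "10.0.0.5", 80, TCP, 3000, 8, HTTP_FLAGS),
    Flow("10.0.0.5", 80, "192.0.2.12", 51002, TCP, 3005, 7, HTTP_FLAGS),
    Flow("192.0.2.10", 51003, "10.0.0.5", 22, TCP, 4000, 30, HTTP_FLAGS),
    Flow("10.0.0.5", 22, "192.0.2.10", 51003, TCP, 4001, 28, HTTP_FLAGS),
    Flow("192.0.2.10", 53001, "10.0.0.9", 53, UDP, 5000, 1),
    Flow("10.0.0.9", 53, "192.0.2.10", 53001, UDP, 5000, 1),
    Flow("192.0.2.11", 53002, "10.0.0.9", 53, UDP, 5100, 1),
    Flow("10.0.0.9", 53, "192.0.2.11", 53002, UDP, 5101, 1),
    Flow("198.51.100.7", 40000, "10.0.0.5", 23, TCP, 6000, 1, SYN),
    Flow("198.51.100.7", 40001, "10.0.0.6", 23, TCP, 6001, 1, SYN),
    Flow("192.0.2.12", 51010, "10.0.0.5", 443, TCP, 7000, 40, ACK | 0x08),
]
```

Running `discover(SAMPLE_FLOWS)` reports 10.0.0.5:80/tcp (3 clients) and 10.0.0.9:53/udp (2 clients) as services, leaves the single-client SSH server below the threshold, and separates the port-23 sweep from 198.51.100.7 into probed endpoints and a scanner. The timestamp-tie case matters in practice because routers export first-packet times at millisecond resolution, so a request and its reply can carry the same value.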
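For contribution (2), the following added Python example (not the thesis's code) shows how scan results can drive the Honeyd configuration: it computes the idle addresses of a subnet, keeps a reserved share of them unbound, apportions the remaining decoys in proportion to the real OS and port profiles, spreads them across the idle space, and emits a Honeyd configuration. The hosts, the subnet, the gateway exclusion and the reserved ratio are constructed, and the interpretation of "reserved IP proportion" as the share of idle addresses left unbound is this example's assumption. The personality strings are placeholders that must match entries in the nmap.prints file the Honeyd installation is configured with.

```python
"""Honeyd decoy planning from scan results (added example)."""
import ipaddress
from collections import Counter
from dataclasses import dataclass

@dataclass(frozen=True)
class Host:
    ip: str
    personality: str      # Nmap OS name exactly as it appears in Honeyd's nmap.prints
    tcp: tuple = ()
    udp: tuple = ()

def idle_addresses(subnet, live_ips, exclude=()):
    """Usable addresses of the subnet that no scanned host occupies (gateway etc. excluded)."""
    net = ipaddress.ip_network(subnet)
    taken = {ipaddress.ip_address(i) for i in list(live_ips) + list(exclude)}
    return [str(a) for a in net.hosts() if a not in taken]

def apportion(counts, total):
    """Largest-remainder apportionment of `total` decoys over the real profile counts."""
    n = sum(counts.values())
    quotas = {k: total * c / n for k, c in counts.items()}
    alloc = {k: int(q) for k, q in quotas.items()}
    leftovers = sorted(quotas, key=lambda k: quotas[k] - alloc[k], reverse=True)
    for k in leftovers[: total - sum(alloc.values())]:
        alloc[k] += 1
    return alloc

def plan_decoys(hosts, subnet, reserved_ratio=0.2, exclude=()):
    """Return [(ip, (personality, tcp_ports, udp_ports))] for the decoys to bind."""
    idle = idle_addresses(subnet, [h.ip for h in hosts], exclude)
    n_decoys = len(idle) - round(len(idle) * reserved_ratio)   # reserved share stays unbound
    profiles = Counter((h.personality, h.tcp, h.udp) for h in hosts)
    if not profiles or n_decoys <= 0:
        return []
    # Spread decoys over the idle space: one contiguous block of identical hosts looks fake.
    chosen = [idle[(j * len(idle)) // n_decoys] for j in range(n_decoys)]
    plan, i = [], 0
    for profile, n in apportion(profiles, n_decoys).items():
        for _ in range(n):
            plan.append((chosen[i], profile))
            i += 1
    return plan

def honeyd_config(plan):
    """Render one Honeyd template per distinct profile and bind each decoy address to it."""
    lines, names = [], {}
    for ip, profile in plan:
        if profile not in names:
            name = names[profile] = f"decoy{len(names)}"
            personality, tcp, udp = profile
            lines += [f"create {name}",
                      f'set {name} personality "{personality}"',
                      f"set {name} default tcp action reset",
                      f"set {name} default udp action reset",
                      f"set {name} default icmp action open"]
            lines += [f"add {name} tcp port {p} open" for p in tcp]
            lines += [f"add {name} udp port {p} open" for p in udp]
        lines.append(f"bind {ip} {names[profile]}")
    return "\n".join(lines) + "\n"

# Constructed scan result for 10.0.0.0/27 with 10.0.0.1 as the gateway.
SCAN = [
    Host("10.0.0.5", "Microsoft Windows XP Professional SP1", tcp=(80, 139, 445)),
    Host("10.0.0.6", "Microsoft Windows XP Professional SP1", tcp=(80, 139, 445)),
    Host("10.0.0.9", "Linux 2.4.16 - 2.4.18", tcp=(22,), udp=(53,)),
    Host("10.0.0.10", "Microsoft Windows 2000 Server SP4", tcp=(80,)),
]

if __name__ == "__main__":
    print(honeyd_config(plan_decoys(SCAN, "10.0.0.0/27", 0.2, exclude=("10.0.0.1",))))
```

With four live hosts and the gateway excluded, the /27 has 25 idle addresses; a reserved ratio of 0.2 leaves 5 unbound and binds 20 decoys, 10 of them mirroring the Windows XP profile and 5 each the Linux and Windows 2000 profiles. `open` ports here merely accept connections; for the front-end honeypots to log anything useful, each port would be attached to a Honeyd service script instead (`add <template> tcp port 80 "..."`), which is a deployment detail this example leaves out.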
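For the signature extraction and purification of contribution (3), the following added Python example (not the thesis's algorithm, whose details this page does not give) shows one way to derive a signature common to the payloads captured for one attack on the front-end and back-end honeypots, purify it by stripping redundant context bytes, drop duplicate and nested signatures, and emit the survivors as Snort rules. It also shows why the plain longest common substring is not enough: for the constructed HTTP payloads that substring is the request prefix, which benign traffic shares, so candidates seen in the benign corpus are excluded. The payloads, the benign corpus and the minimum length are constructed; the shellcode-like bytes are arbitrary filler.

```python
"""Attack-signature extraction and purification from honeypot payloads (added example)."""

def common_substrings(samples, min_len):
    """Every substring of length >= min_len that occurs in all samples."""
    base = min(samples, key=len)
    found = set()
    for i in range(len(base) - min_len + 1):
        for j in range(i + min_len, len(base) + 1):
            sub = base[i:j]
            if all(sub in s for s in samples):
                found.add(sub)
            else:
                break          # a longer extension of base[i:] cannot be common either
    return found

def extract(samples, benign, min_len=8):
    """Longest substring shared by every attack sample that occurs in no benign sample."""
    cands = [c for c in common_substrings(samples, min_len) if not any(c in b for b in benign)]
    return max(cands, key=len) if cands else None

def purify(sig, benign, min_len=8):
    """Strip redundant context: the longest suffix, then the longest prefix, of sig that also
    occurs in benign traffic adds nothing to discrimination (here the trailer ' HTTP/1.') and
    only makes the rule brittle against variants. At least min_len bytes are always kept."""
    def seen_in_benign(chunk):
        return any(chunk in b for b in benign)
    for k in range(len(sig) - min_len, 0, -1):
        if seen_in_benign(sig[-k:]):
            sig = sig[:-k]
            break
    for k in range(len(sig) - min_len, 0, -1):
        if seen_in_benign(sig[:k]):
            sig = sig[k:]
            break
    return sig

def dedupe(sigs):
    """Drop exact duplicates and any signature containing one already kept (the shorter
    signature fires on everything the longer one would)."""
    kept = []
    for s in sorted(set(sigs), key=len):
        if not any(k in s for k in kept):
            kept.append(s)
    return kept

def snort_rule(sig, sid, port=80):
    hexbytes = " ".join(f"{b:02X}" for b in sig)   # hex content sidesteps Snort's escaping rules
    return (f'alert tcp any any -> $HOME_NET {port} (msg:"honeynet auto signature {sid}"; '
            f'flow:to_server,established; content:"|{hexbytes}|"; sid:{sid}; rev:1;)')

def build_rules(groups, benign, first_sid=1000001):
    """groups: one list of payloads per observed attack, from front-end and back-end honeypots."""
    sigs = []
    for samples in groups:
        sig = extract(samples, benign)
        if sig is not None:
            sigs.append(purify(sig, benign))
    return [snort_rule(s, first_sid + i) for i, s in enumerate(dedupe(sigs))]

# Constructed data. CORE stands in for an exploit's fixed bytes; the padding varies per sample.
CORE = b"\x90\x90\x90\xeb\x1f\x5e\x89\x76\x08"
REQ = b"GET /cgi-bin/search.cgi?q="
ATTACK_GROUPS = [
    [REQ + b"A" * 64 + CORE + b" HTTP/1.0\r\n",              # front-end honeypot captures
     REQ + b"B" * 40 + CORE + b" HTTP/1.1\r\n",
     REQ + b"A" * 12 + CORE + b" HTTP/1.0\r\n"],
    [REQ + b"C" * 80 + CORE + b" HTTP/1.0\r\nHost: x\r\n",    # same attack, back-end honeypot
     REQ + b"D" * 30 + CORE + b" HTTP/1.0\r\nHost: y\r\n"],
]
BENIGN = [
    b"GET /cgi-bin/search.cgi?q=honeypot HTTP/1.1\r\nHost: www.example.com\r\n",
    b"GET /index.html HTTP/1.0\r\nHost: www.example.com\r\n",
    b"POST /login HTTP/1.1\r\nHost: www.example.com\r\nContent-Length: 9\r\n\r\nuser=eve\n",
]

if __name__ == "__main__":
    for rule in build_rules(ATTACK_GROUPS, BENIGN):
        print(rule)
```

On the constructed data the front-end group yields the 17-byte candidate `CORE + " HTTP/1."`, purification trims the protocol trailer to the 9-byte core, the back-end group reduces to the same core, and deduplication leaves a single rule. The minimum length floor is the practitioner's guard against the other failure mode, a signature so short that it matches legitimate traffic; real deployments would also validate each generated rule against a larger benign capture before loading it into Snort.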
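For the linkage modules of contribution (4), the following added Python example (not the thesis's code) shows the decision logic a practitioner would want between Snort and the blocking device. It parses Snort's fast alert format, applies the safeguards that must exist before an IDS is allowed to drive a firewall (a priority threshold, an allowlist of management and scanner hosts, never auto-blocking addresses inside the protected network, and one block per source), picks the router by longest prefix match on a hypothetical topology table, and renders the host-side rules as `netsh advfirewall` commands and the router-side rule as an entry in a named extended Cisco IOS ACL. The alert lines, the policy values, the sids and the router table are constructed; the thesis's XP-era host variant used IPSec filters, which the firewall commands here stand in for.

```python
"""Snort alert to host firewall / router ACL linkage (added example)."""
import ipaddress
import re
from dataclasses import dataclass, field

# Snort "fast" alert line, e.g.
# 08/23-07:58:01.123456  [**] [1:1000001:1] msg [**] [Classification: x] [Priority: 1] {TCP} 1.2.3.4:40000 -> 10.0.0.5:80
FAST_ALERT = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r"(?:\s+\[Classification:\s*(?P<cls>[^\]]*)\])?\s+\[Priority:\s*(?P<prio>\d+)\]"
    r"\s+\{(?P<proto>[A-Z]+)\}\s+(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$"
)

@dataclass
class Policy:
    """Safeguards applied before an alert may change a firewall (values are constructed)."""
    max_priority: int = 2                  # act on Snort priority 1 and 2 only
    protected: tuple = ("10.0.0.0/24",)    # never auto-block an address inside the protected network
    allowlist: tuple = ("192.0.2.1",)      # vulnerability scanner / management hosts
    routers: dict = field(default_factory=lambda: {"edge": "0.0.0.0/0", "partner-r1": "203.0.113.0/24"})

def choose_router(ip, routers):
    """Hypothetical topology table: router name -> prefix it faces; the longest match wins."""
    matches = [(n, ipaddress.ip_network(p)) for n, p in routers.items() if ip in ipaddress.ip_network(p)]
    return max(matches, key=lambda m: m[1].prefixlen)[0]

def decide(line, policy):
    """Return the block decision for one alert line, or None if no action is warranted."""
    m = FAST_ALERT.match(line)
    if m is None:
        return None
    src = ipaddress.ip_address(m["src"])
    if int(m["prio"]) > policy.max_priority or str(src) in policy.allowlist:
        return None
    if any(src in ipaddress.ip_network(p) for p in policy.protected):
        return None
    return {"ip": str(src), "sid": int(m["sid"]), "msg": m["msg"],
            "router": choose_router(src, policy.routers)}

def windows_block(ip, sid):
    """Inbound and outbound Windows Firewall rules for the attacker address."""
    name = f"snort-{sid}-{ip}"
    return [f'netsh advfirewall firewall add rule name="{name}" dir={d} action=block remoteip={ip}'
            for d in ("in", "out")]

def cisco_block(ip, seq, acl="SNORT-BLOCK"):
    """Deny entry for a named extended ACL that is already applied on the facing interface."""
    return [f"ip access-list extended {acl}", f" {seq} deny ip host {ip} any"]

class Linkage:
    def __init__(self, policy=None):
        self.policy = policy or Policy()
        self.blocked = {}      # ip -> sid that triggered the block (one block per source)
        self.next_seq = 10     # ACL sequence numbers, leaving room for manual entries

    def process(self, lines):
        actions = []
        for line in lines:
            d = decide(line, self.policy)
            if d is None or d["ip"] in self.blocked:
                continue
            self.blocked[d["ip"]] = d["sid"]
            actions.append({**d, "host_cmds": windows_block(d["ip"], d["sid"]),
                            "router_cmds": cisco_block(d["ip"], self.next_seq)})
            self.next_seq += 10
        return actions

# Constructed alert lines (sids in the local 1000000+ range).
SAMPLE_ALERTS = [
    "08/23-07:58:01.123456  [**] [1:1000001:1] honeynet auto signature 1000001 [**] "
    "[Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 198.51.100.7:40000 -> 10.0.0.5:80",
    "08/23-07:58:02.000001  [**] [1:1000001:1] honeynet auto signature 1000001 [**] "
    "[Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 198.51.100.7:40001 -> 10.0.0.6:80",
    "08/23-07:58:03.000002  [**] [1:1000003:1] ICMP echo request [**] [Classification: Misc activity] "
    "[Priority: 3] {ICMP} 203.0.113.9 -> 10.0.0.5",
    "08/23-07:58:04.000003  [**] [1:1000002:1] honeynet auto signature 1000002 [**] [Priority: 2] "
    "{TCP} 203.0.113.9:51234 -> 10.0.0.5:445",
    "08/23-07:58:05.000004  [**] [1:1000002:1] honeynet auto signature 1000002 [**] [Priority: 2] "
    "{TCP} 192.0.2.1:51235 -> 10.0.0.5:445",
    "08/23-07:58:06.000005  [**] [1:1000002:1] honeynet auto signature 1000002 [**] [Priority: 2] "
    "{TCP} 10.0.0.9:51236 -> 10.0.0.5:445",
    "not an alert line",
]

if __name__ == "__main__":
    for a in Linkage().process(SAMPLE_ALERTS):
        print(a["ip"], "via", a["router"], *a["host_cmds"], *a["router_cmds"], sep="\n  ")
```

Of the seven constructed lines only two produce actions: the first alert from 198.51.100.7 (its repeat is suppressed) is blocked at the edge router, and the priority-2 alert from 203.0.113.9 goes to the router facing 203.0.113.0/24. The low-priority ICMP alert, the allowlisted scanner and the internal host are all ignored. Two things this sketch deliberately leaves to the deployment are expiry of the blocks (an ACL that only ever grows eventually blocks spoofed or reassigned addresses) and the transport to the devices, which should be an authenticated management channel rather than a cleartext login.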
[Degree-granting institution]: Northeast Forestry University
[Degree level]: Doctorate
[Year awarded]: 2014
[Classification number]: TP393.08
Article number: 2198395
Article link: http://www.sikaile.net/guanlilunwen/ydhl/2198395.html