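Research and Implementation of Network Attack Sample Generation Technology
Published: 2018-07-06 10:53
Topic: network attack + intrusion detection system; Source: Beijing University of Posts and Telecommunications, 2017 master's thesis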
[Abstract]: Network attacks are now frequent enough that network security cannot be taken lightly. Most traditional defenses against network attacks are passive: a network administrator defines a security policy and builds a security model on top of it to support that policy, for example with firewall technology. In practice, however, we need to understand and analyze attackers' behavior thoroughly so as to move from passive defense to active containment, and network attack sample generation is one such active containment technique. Most current attack sample generation techniques build an attack scenario, launch attacks with attack tools or malicious code to generate attack traffic, and finally save that traffic as an attack sample file. This approach is limited by how the attack scenario is built, and often lacks diversity and realism in its attack methods. This thesis therefore proposes and implements an attack sample generation system based on intrusion detection technology. The system captures network packets at high speed and caches them, then analyzes and inspects the packets accurately and generates samples from attack flows.
The attack sample generation system described in this thesis uses intrusion detection technology as its attack detection platform and implements flow preprocessing, packet caching, and preservation of complete flows. The system groups captured packets into flows by their five-tuple (source IP, destination IP, protocol, source port, destination port), preprocesses the network flows, hashes the five-tuple of each flow with a hash function, and stores the flow in a hash table. It then runs attack detection on the captured packets. When the system detects that a packet carries an attack signature, it writes all packets cached for the current flow in the hash table to a sample file, generating an attack sample. To keep useless flows from occupying hash table memory, the system manages the flows in the hash table with a least-recently-used timeout policy and uses a daemon thread to check flows for timeout; any timed-out flow found in the hash table is removed from it.
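The flow cache described in the abstract, sketched as an added example (not code from the thesis): packets are grouped by five-tuple in an LRU-ordered hash table, a detector hit flushes the flow's cached packets to a sample, and idle flows are swept out. The class and method names, the byte signature, the direction-independent key, the handling of packets that arrive after a match, and the explicit `now` clock (standing in for the daemon thread's timer) are all assumptions.

```python
from collections import OrderedDict

class FlowCache:
    def __init__(self, detector, timeout=30.0):
        self.detector = detector    # callable(bytes) -> bool; stand-in for the IDS engine
        self.timeout = timeout      # idle seconds before a flow is evicted
        self.flows = OrderedDict()  # flow key -> state; least recently used first
        self.samples = {}           # flow key -> packets written out as an attack sample

    @staticmethod
    def flow_key(src, sport, dst, dport, proto):
        # Assumption: both directions belong to one flow, so endpoints are sorted.
        a, b = sorted([(src, sport), (dst, dport)])
        return (a, b, proto)

    def add_packet(self, src, sport, dst, dport, proto, payload, now):
        key = self.flow_key(src, sport, dst, dport, proto)
        flow = self.flows.setdefault(key, {"seen": now, "pkts": [], "flagged": False})
        flow["seen"] = now
        self.flows.move_to_end(key)              # most recently used goes to the tail
        if flow["flagged"]:
            self.samples[key].append(payload)    # rest of a flagged flow joins the sample
        elif self.detector(payload):
            flow["flagged"] = True
            # Flush the cache, so packets seen before the match are kept too.
            self.samples[key] = flow["pkts"] + [payload]
            flow["pkts"] = []
        else:
            flow["pkts"].append(payload)
        return key

    def expire(self, now):
        # Sweep from the LRU end; stop at the first flow that is still fresh.
        evicted = []
        while self.flows:
            key, flow = next(iter(self.flows.items()))
            if now - flow["seen"] < self.timeout:
                break
            evicted.append(self.flows.popitem(last=False)[0])
        return evicted

def demo():
    # Constructed traffic: one benign flow, one flow whose third packet matches.
    c = FlowCache(lambda p: b"TEST-SIGNATURE" in p, timeout=30.0)
    c.add_packet("10.0.0.5", 40000, "10.0.0.9", 80, "tcp", b"SYN", now=0.0)
    c.add_packet("10.0.0.7", 40001, "10.0.0.9", 80, "tcp", b"GET /index", now=1.0)
    c.add_packet("10.0.0.9", 80, "10.0.0.5", 40000, "tcp", b"SYN-ACK", now=2.0)
    k = c.add_packet("10.0.0.5", 40000, "10.0.0.9", 80, "tcp", b"GET /?q=TEST-SIGNATURE", now=3.0)
    c.add_packet("10.0.0.9", 80, "10.0.0.5", 40000, "tcp", b"200 OK", now=4.0)
    return c.samples[k], c.expire(now=32.0), len(c.flows)
```

The point to notice is that the sample contains the packets that preceded the match, which a per-packet alert log would not have.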
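[Degree-granting institution]: Beijing University of Posts and Telecommunications
[Degree level]: Master's
[Year degree granted]: 2017
[Classification number]: TP393.08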