Research on Typical Covert Communication Techniques in Advanced Persistent Threats
[Abstract]: With the wide application of Internet technology in various fields, information security has received more and more attention. APT (advanced persistent threat) attacks, which rely on advanced penetration and communication techniques, are highly concealed and persistent, and have become a major hidden danger to network security. Addressing APT as a hot issue in the field of information security, this thesis takes the typical covert communication used in each stage of an APT attack as its research object, designs and implements a number of covert communication methods, and carries out experimental verification and analysis. These methods can provide technical support for modeling and analyzing APT data streams. The main research work of this thesis is as follows:

(1) Based on the characteristics of APT attacks and with reference to the existing attack chain model, the potential covert communication methods in each stage of an APT attack are analyzed in depth.

(2) Acquiring the address of the C&C (command and control) server is the most important problem a malicious node must solve after sneaking into a network in order to carry out covert communication. The thesis introduces the traditional address acquisition methods in detail, and then introduces the principle of DGA (domain generation algorithm) and the existing detection methods. On this basis, it points out the security shortcomings of DGA, and designs and implements a C&C address acquisition method based on information hiding in web pages.

(3) Data handling depends mainly on camouflage communication techniques, which are divided into behavior-based camouflage and protocol-based camouflage. For behavior-based camouflage, the thesis proposes a data handling method for sharing across multiple network disks based on threshold cryptography, which includes the design of a data partitioning algorithm and the design of a data sharing protocol. The partitioning algorithm is based mainly on threshold secret sharing. The sharing protocol implements the interaction between the attack node and the network disks. Finally, a system is built on the open-source API of the network disk, and the feasibility and effectiveness of the proposed method are verified.

(4) For camouflaged covert communication, a camouflage communication method based on the SSL protocol is designed and implemented. Building on the original SSL protocol, this method analyzes and models the behavior sequences, length sequences and time series of typical applications, so that the camouflaged communication closely resembles normal communication.

The thesis closes with a summary of the whole work and an outlook on problems worth further study.
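[Degree-granting institution]: Jiangsu University of Science and Technology
[Degree level]: Master's
[Year degree granted]: 2017
[Classification number]: TP393.08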