
Research on a Dynamic Composite Virtual Network for Active Intrusion Prevention

Published: 2018-08-23 07:58
[Abstract]: With the rapid development of computer networks, attack techniques have become increasingly complex and diverse, attack tools have become easier to obtain and attacks easier to launch, and intrusions have become more frequent, making network security problems ever more serious and prominent. Existing network security defenses consist mainly of firewalls, intrusion detection systems, user authentication, data encryption and decryption, vulnerability scanning and anti-virus software, but no single protective technology can by itself ensure the security of networks and systems, and most of these defenses are passive and reactive.
To address these problems, this thesis proposes integrating five security technologies: network visualization, honeypots, automatic attack signature extraction, Snort intrusion detection and firewall linkage (automated response coupling between the detector and the filtering device). On this basis it designs and implements a dynamic composite virtual network framework that can be deployed in networks at every level, providing systems with active, proactive and real-time intrusion prevention.
The main contents of this thesis are as follows:
(1) A passive service discovery method based on NetFlow is proposed. Six heuristic decision functions are defined and implemented to reassemble unidirectional flows into connection-oriented bidirectional flows; these are sorted into three flow types, from which four types of endpoints are extracted. This detects the set of services in a given network continuously and accurately, and realizes service visualization of large networks in a simple and effective way.
(2) The framework's scanning module combines active scanning with passive detection. The effect of Nmap active-scan parameters such as scan interval and number of concurrent threads on scan time, resource requirements and the physical network is analysed in detail, so that the cooperative scan identifies the physical network topology and host configurations accurately and quickly, tracks configuration changes automatically, and at the same time minimizes both the impact on the physical network and the system resources consumed. The scan results are then used to configure and update a Honeyd-based front-end low-interaction honeypot network automatically. The influence of the number of idle IP addresses and the proportion of reserved IP addresses on the probability that the virtual network attracts attacks is studied in particular, so that the number of virtual hosts, the IP addresses they occupy, their operating systems and their open ports and services are all derived from the physical network, preserving the deceptiveness and fidelity of the virtual network.
(3) The virtual network is composed of a large number of front-end low-interaction honeypots and a small number of back-end high-interaction honeypots, in order to attract attacks and collect information effectively. A multi-module combined decision strategy is proposed and six basic decision modules are developed, so that traffic of research value which the limited interactivity of the low-interaction honeypots cannot handle is transparently forwarded to the back-end high-interaction honeypots. Attack signatures are extracted in both the front-end and back-end honeypot networks, making the automatic extraction complementary. A new signature refinement algorithm is given that deletes duplicate signatures to reduce the number generated and further removes redundant information from them. Test results show that the framework extracts attack signatures effectively, reduces signature size and improves the usability of the generated signatures.
(4) Using the Snort intrusion detection system, linkage modules for the Windows platform are designed and developed, one based on Windows hosts and one on Cisco routers, to realize active intrusion prevention. On the host side, response linkage is achieved between Snort and the IPSec filters or firewall built into Windows: when Snort raises a high-severity alert, the linkage module automatically configures IPSec filters or firewall rules to filter the corresponding inbound and outbound packets. Experiments show that malicious traffic is blocked successfully without adding any third-party firewall or modifying the Windows kernel. On the router side, based on router access control lists, when Snort raises a high-severity alert the module automatically selects the router at the appropriate position in the network topology and updates its ACL to block the malicious packets from the attacker. Linkage tests against three intruding IP addresses show that the Cisco router approach isolates and controls traffic from malicious IP addresses without changing the existing topology or adding new hardware.
The virtual network framework designed and implemented in this thesis actively and selectively decoys network attacks, confusing attackers so that they cannot identify the real target, tying attacks to the virtual network and machines for as long as possible, resisting attacks including network scanning, DoS and DDoS, consuming the attacker's resources, buying time to protect the real network and widening the scope of active defense. It also collects and analyses attack information effectively, revealing the motives, tools and activity patterns of attackers and attacker groups, captures worms and viruses, and provides a data basis for analysing and responding to complex attacks including distributed denial of service. More importantly, the virtual network can discover novel attacks, automatically extract signatures for them and extend the Snort rule base. Based on these rules, Snort configures firewalls or routers through the firewall linkage technique, blocking intrusion traffic in real time and filtering out malicious packets, thereby realizing active intrusion prevention and improving the security of the whole system.
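As an added illustration of the passive service discovery idea in item (1), and not code from the thesis: the example below reassembles constructed unidirectional NetFlow-style records into bidirectional flows, sorts them into three flow types and reports the responder endpoints as discovered services. The sample records, the flow-type names and the two server-side heuristics are assumptions standing in for the thesis's six heuristic functions, which the abstract does not define.

```python
from collections import defaultdict

SYN, ACK = 0x02, 0x10  # TCP flag bits as they appear in the cumulative flags field

# Constructed sample of unidirectional NetFlow-style records (not data from the thesis):
# (src_ip, src_port, dst_ip, dst_port, protocol, cumulative TCP flags, packets)
FLOWS = [
    ("10.0.0.5", 51234, "10.0.0.80", 80, 6, 0x1b, 12),   # client -> web server
    ("10.0.0.80", 80, "10.0.0.5", 51234, 6, 0x1b, 10),   # web server -> client
    ("10.0.0.7", 40000, "10.0.0.22", 22, 6, 0x1a, 40),   # client -> ssh server
    ("10.0.0.22", 22, "10.0.0.7", 40000, 6, 0x1a, 38),   # ssh server -> client
    ("10.0.0.9", 53001, "10.0.0.53", 53, 17, 0x00, 1),   # DNS query
    ("10.0.0.53", 53, "10.0.0.9", 53001, 17, 0x00, 1),   # DNS answer
    ("10.0.0.11", 44444, "10.0.0.80", 443, 6, 0x02, 3),  # SYN only, never answered
    ("10.0.0.9", 12345, "10.0.0.100", 9999, 17, 0x00, 2),  # one-way UDP, no reply seen
]

def pair_flows(flows):
    """Group unidirectional records by a direction-independent key (protocol + both endpoints)."""
    groups = defaultdict(list)
    for f in flows:
        key = (f[4], frozenset([(f[0], f[1]), (f[2], f[3])]))
        groups[key].append(f)
    return groups

def server_endpoint(a, b):
    """Assumed heuristic: the well-known (<1024) port is the service side; if both or neither
    are well-known, take the lower port. The thesis's own six heuristics are not on the page."""
    if (a[1] < 1024) != (b[1] < 1024):
        return a if a[1] < 1024 else b
    return min(a, b, key=lambda e: e[1])

def discover_services(flows):
    """Reassemble records into flows, classify them, and return the responder endpoints of
    bidirectional flows as the discovered services plus a count per flow type."""
    services = set()
    counts = {"bidirectional": 0, "unanswered_syn": 0, "unidirectional": 0}
    for (proto, _), recs in pair_flows(flows).items():
        a, b = (recs[0][0], recs[0][1]), (recs[0][2], recs[0][3])
        flags = recs[0][5]
        if len(recs) == 2:                              # both directions seen: a real exchange
            counts["bidirectional"] += 1
            ip, port = server_endpoint(a, b)
            services.add((ip, port, proto))
        elif proto == 6 and flags & SYN and not flags & ACK:
            counts["unanswered_syn"] += 1               # half-open probe, not evidence of a service
        else:
            counts["unidirectional"] += 1               # reply never observed (e.g. one-way UDP)
    return sorted(services), counts
```

Unanswered SYN-only flows are kept out of the service list on purpose: counting probed-but-closed ports as services would let a scan pollute the inventory that later drives the honeypot configuration.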
[Degree-granting institution]: Northeast Forestry University
[Degree level]: Doctorate
[Year awarded]: 2014
[Classification number]: TP393.08





Link to this article: https://www.wllwen.com/guanlilunwen/ydhl/2198395.html

