Design and Implementation of a Spark-Based Honeypot System
[Abstract]: With the rapid development of the Internet, e-commerce and e-government, the services that make life more convenient have also attracted a large number of attacks, and how to effectively protect large Internet sites has become a research hotspot. Most existing security defense technologies are passive, and their countermeasures lag behind the attacks. Honeypot technology is an active defense technology that brings decoys into the security field: it actively attracts attacks, then collects and analyzes them. Based on the analysis results, the defenses of the protected system can be strengthened in advance, which makes up for the deficiency of passive defense. In addition, the volume of log information generated by users' queries and transactions has grown greatly, and common data analysis techniques easily cause problems such as delayed protection. Big data processing technology reduces processing delay and improves the efficiency of protection. This paper first analyzes the current state of website security defense and applies honeypot technology to it, realizing active defense of the website. Second, to address the delay of common data processing techniques, it introduces Spark big data processing into the system to improve the efficiency of data analysis. The architecture of the system is as follows: on top of a local area network and a cloud platform, four virtual machines are created. Two serve as the protected system and the honeypot, one as the bastion host (fortress machine) that performs redirection, and one as the big data platform. When a user visits, the DNS server resolves the entered domain name to an IP address, and the user then reaches the bastion host based on the resolution result.
The bastion host captures traffic data with the iptables logging function, and the Spark data processing center reads the captured data for real-time analysis, using established rules to identify users who pose a potential threat. The bastion host then redirects each user according to the analysis result: a user judged to be a threat is redirected to the honeypot, and other users are connected to the protected system. Furthermore, the system uses multiple layers of security to ensure that the honeypot is not taken over by illegal visitors and used to attack other systems. Finally, the honeypot's simulation, the availability of the system and the performance of the data analysis module are tested. Experiments and tests show that using big data technology to analyze log files improves the speed of information processing and the efficiency of system protection, and that a honeypot running the same website system prolongs the time illegal visitors stay in it. This achieves the goal of collecting more information about illegal visitors for later analysis and research.
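The log-analysis and redirect decision described in the abstract, as an added example that is not code from the thesis: it uses plain Python instead of Spark so it runs offline, and because the abstract does not state its detection rules, the port-count rule, the threshold, the `BASTION` log prefix and the backend labels are all assumptions.

```python
import re
from collections import defaultdict

# Source address and destination port as they appear in a kernel iptables LOG line.
LOG_RE = re.compile(r"SRC=(?P<src>\S+) .*?DPT=(?P<dpt>\d+)")

# Assumed rule (not from the thesis): a source that touches more than
# PORT_THRESHOLD distinct destination ports is treated as a scanner.
PORT_THRESHOLD = 3
HONEYPOT, PROTECTED = "honeypot", "protected"  # hypothetical backend labels


def make_line(src, dpt):
    """Build one constructed sample line in the iptables LOG field layout."""
    return (f"Mar  1 10:00:00 bastion kernel: BASTION IN=eth0 OUT= "
            f"SRC={src} DST=10.0.0.2 LEN=60 TTL=52 PROTO=TCP SPT=40000 "
            f"DPT={dpt} SYN URGP=0")


def ports_by_source(lines):
    """Map each source IP to the set of destination ports it touched."""
    seen = defaultdict(set)
    for line in lines:
        m = LOG_RE.search(line)
        if m:  # lines without SRC/DPT (other daemons, ICMP) are skipped
            seen[m["src"]].add(int(m["dpt"]))
    return seen


def routing_table(lines, threshold=PORT_THRESHOLD):
    """Decide, per source IP, which backend the bastion should forward to."""
    return {src: HONEYPOT if len(ports) > threshold else PROTECTED
            for src, ports in ports_by_source(lines).items()}


# Constructed input: one source probing five ports, one ordinary web client
# repeating requests to port 80, and one unrelated syslog line.
SAMPLE = ([make_line("203.0.113.7", p) for p in (21, 22, 23, 80, 3306)]
          + [make_line("198.51.100.9", 80)] * 4
          + ["Mar  1 10:00:02 bastion sshd[1]: unrelated line"])

if __name__ == "__main__":
    for src, target in sorted(routing_table(SAMPLE).items()):
        print(src, "->", target)
```

In a Spark deployment the same grouping would run over the log stream, and the resulting table would drive the bastion's forwarding rules.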
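[Degree-granting institution]: Xi'an University of Science and Technology
[Degree level]: Master's
[Year degree granted]: 2017
[Classification number]: TP393.08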