Research on Typical Covert Communication Techniques in Advanced Persistent Threats
[Abstract]: With the wide application of Internet technology in many fields, information security is receiving more and more attention. APT (advanced persistent threat) attacks, which rely on advanced penetration and communication techniques, are highly covert and persistent, and have become a major hidden danger to network security. Addressing APT as a hot issue in information security, this paper takes the typical covert communication used in each stage of an APT attack as its research object, designs and implements a number of covert communication methods, and verifies and analyzes them experimentally. The methods can provide technical support for modeling and analysis of APT data streams. The main research work of this paper is as follows:
(1) Based on the characteristics of APT attacks and with reference to the existing attack chain model, the potential covert communication methods in each stage of an APT attack are analyzed in depth.
(2) Acquiring the address of the C&C (command and control) server is the most important problem to be solved by a malicious node that has sneaked into a network and needs to establish covert communication. The paper introduces the traditional address acquisition methods in detail, and then the principle of DGA (domain name generation algorithm) and the existing detection methods. On this basis, it points out the security shortcomings of DGA, and designs and implements a C&C address acquisition method based on information hiding in web pages.
(3) Data handling mainly depends on camouflage communication technology, which is divided into behavior-based camouflage and protocol-based camouflage. For behavior-based camouflage, the paper proposes a threshold-cryptography-based data handling method that shares data across multiple network disks, comprising the design of a data partitioning algorithm and of a data sharing protocol. The partitioning algorithm is mainly based on threshold secret sharing. The sharing protocol implements the interaction between the attack node and the network disks. Finally, a system is built on the network disk's open source API, and the feasibility and effectiveness of the proposed method are verified.
(4) For camouflaged covert communication, a camouflage communication method based on the SSL protocol is designed and implemented. Building on the original SSL protocol, the method analyzes and models the behavior sequence, length sequence and time series of typical applications, so that the camouflaged communication closely resembles normal communication.
The paper closes with a summary of the work and an outlook on problems worth further study.
[Degree-granting institution]: Jiangsu University of Science and Technology
[Degree level]: Master's
[Year degree awarded]: 2017
[Classification number]: TP393.08
Article number: 2186560
Article link: http://sikaile.net/guanlilunwen/ydhl/2186560.html