Research on a Dynamic Composite Virtual Network for Active Intrusion Prevention
Published: 2018-08-23 07:58
[Abstract]: With the rapid development of computer networks, attack techniques have become more complex and diverse, attack tools are easier to obtain and attacks easier to launch, and intrusions are more frequent, so network security problems are increasingly serious. Existing network defense technologies mainly include firewalls, intrusion detection systems, user authentication, data encryption and decryption, vulnerability scanning and anti-virus software, but no single protection technology can ensure the security of a network and its systems, and most defense technologies are passive and react only after the fact.
To address these problems, this dissertation integrates five security technologies (network visualization, honeypots, automatic attack signature extraction, Snort intrusion detection and firewall linkage) to design and implement a dynamic composite virtual network framework that can be deployed in networks at every level and provides active, proactive, real-time intrusion prevention.
The main research content is as follows:
(1) A passive service discovery method based on NetFlow is proposed. Six heuristic decision functions are defined and implemented to reassemble unidirectional flows into connection-oriented bidirectional flows; three types of flows are sorted out and four types of endpoints are extracted from them, so that the set of services in a given network is detected continuously and accurately, realizing service visualization of large networks simply and effectively.
(2) Active scanning and passive probing are combined to form the framework's scanning module. The effects of Nmap active-scanning parameters such as scan interval and number of concurrent threads on scan time, required resources and the physical network are analyzed in detail, so that cooperative scanning identifies the physical network topology and host configurations accurately and quickly, tracks configuration changes in the physical network automatically, and at the same time keeps the impact on the physical network and the consumption of system resources as low as possible. Based on the scanning module's discovery results, a Honeyd-based front-end low-interaction honeypot network is configured and updated automatically. The effects of the number of idle IP addresses and the proportion of reserved IP addresses on the probability that the virtual network attracts attacks are studied, and the number of virtual hosts, the IP addresses they occupy, their operating systems and their open ports and service configurations are derived from the physical network, ensuring the deceptiveness and fidelity of the virtual network.
(3) A virtual network composed of a large number of front-end low-interaction honeypots and a small number of back-end high-interaction honeypots is proposed to attract attacks and collect information effectively. A multi-module combined decision strategy is proposed and six basic decision modules are developed, so that traffic of research value that is constrained by the limited interactivity of the front-end honeypots is forwarded transparently to the back-end high-interaction honeypots. Attack signatures are extracted in the front-end and back-end honeypot networks at the same time, making automatic signature extraction complementary, and a new signature refinement algorithm is given that deletes duplicate signatures to reduce the number generated and further removes redundant information from each signature. Test results show that the virtual network framework extracts attack signatures effectively, reduces signature size and improves the usability of the generated signatures.
(4) Using the Snort intrusion detection system, linkage modules for the Windows platform are designed and developed on Windows hosts and on Cisco routers respectively, realizing active intrusion prevention. On the host side, response linkage is implemented between Snort and the IPSec filters or firewall built into Windows: when Snort raises a dangerous alert, the linkage module automatically configures IPSec filters or firewall rules to filter the corresponding inbound and outbound packets. Experiments show that dangerous network data is blocked successfully without adding any third-party firewall and without modifying the Windows kernel. On the router side, linkage is based on router access control lists: when Snort raises a dangerous alert, the router at the appropriate position in the network topology is selected automatically and its ACL is updated to block dangerous packets from the attacker. Linkage tests against three kinds of intrusion IP addresses show that the Cisco-router linkage isolates and controls traffic from dangerous IP addresses without modifying the existing topology and without adding new hardware.
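Item (1) above reassembles unidirectional NetFlow records into bidirectional flows and derives service endpoints from them. The following Python is an added illustration of that idea, not code from the dissertation: the flow records are constructed, and the two orientation heuristics (an unanswered pure SYN marks a probe; otherwise the lower port is the server side) are my own assumptions, not the dissertation's six decision functions.

```python
from collections import defaultdict

# Constructed unidirectional NetFlow-style records (not real captures):
# (src_ip, src_port, dst_ip, dst_port, proto, tcp_flags, packets)
FLOWS = [
    ("10.0.0.5", 51234, "10.0.1.10", 80, "tcp", "SPA", 12),
    ("10.0.1.10", 80, "10.0.0.5", 51234, "tcp", "SPA", 10),
    ("10.0.0.6", 40000, "10.0.1.10", 80, "tcp", "SPA", 8),
    ("10.0.1.10", 80, "10.0.0.6", 40000, "tcp", "SPA", 7),
    ("10.0.0.7", 33000, "10.0.1.20", 53, "udp", "", 1),
    ("10.0.1.20", 53, "10.0.0.7", 33000, "udp", "", 1),
    ("10.0.0.9", 45000, "10.0.1.10", 445, "tcp", "S", 1),  # unanswered SYN
]


def pair_flows(flows):
    """Match each unidirectional record with the record of the reversed
    5-tuple. Returns (forward, reverse_or_None) pairs; one record per
    5-tuple is assumed (no time-window handling here)."""
    index = {(f[0], f[1], f[2], f[3], f[4]): f for f in flows}
    seen, pairs = set(), []
    for f in flows:
        key = (f[0], f[1], f[2], f[3], f[4])
        if key in seen:
            continue
        rkey = (f[2], f[3], f[0], f[1], f[4])
        seen.update((key, rkey))
        pairs.append((f, index.get(rkey)))
    return pairs


def discover_services(flows, min_clients=1):
    """Hypothetical heuristics: a bidirectional flow confirms a service on
    the lower-numbered port; an unanswered pure SYN is a probe of a port
    that answered nothing, so it is reported separately, not as a service."""
    confirmed = defaultdict(set)  # (ip, port, proto) -> distinct client ips
    probed = set()
    for fwd, rev in pair_flows(flows):
        if rev is None:
            if fwd[4] == "tcp" and fwd[5] == "S":
                probed.add((fwd[2], fwd[3], fwd[4]))
            continue
        if fwd[3] <= fwd[1]:
            server, client = (fwd[2], fwd[3], fwd[4]), fwd[0]
        else:
            server, client = (fwd[0], fwd[1], fwd[4]), fwd[2]
        confirmed[server].add(client)
    services = {s: len(c) for s, c in confirmed.items() if len(c) >= min_clients}
    return services, probed
```

Running `discover_services(FLOWS)` reports the web and DNS services with their client counts and lists the SMB port only as probed, which is the distinction a passive inventory needs so that scans do not inflate the service map.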
The virtual network framework designed and implemented in this dissertation can actively and selectively lure network attacks and confuse the attacker so that he cannot identify the real target, binding the attack to the virtual network and its machines for as long as possible, resisting network scanning, DoS, DDoS and other attacks, consuming the attacker's resources, buying time to protect the real network and broadening the scope of active defense. At the same time it collects and analyzes attack information effectively, revealing the motives, tools and activity patterns of attackers and attacker groups, capturing worms and viruses, and providing a data basis for analyzing and responding to complex attacks including distributed denial of service. More importantly, the virtual network can discover new attacks, extract signatures for them automatically and expand Snort's rule base. Using these rules, Snort configures firewalls or routers through firewall linkage, blocks intrusion traffic in real time, filters out dangerous packets, realizes active intrusion prevention and improves the security of the whole system.
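The linkage described in item (4) and the closing paragraph turns a Snort alert into a host firewall rule or a router ACL entry. This added Python example (mine, not the dissertation's module) shows the decision step such a responder needs: parse Snort's fast-alert format, act only above a priority threshold, never block addresses in a protected range, and emit one rule per attacker. The alert lines are constructed with documentation addresses, and the priority threshold, protected range and ACL number are assumptions.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed Snort fast-format alert lines (not real alerts).
ALERTS = """\
08/23-07:58:01.000001  [**] [1:1000001:1] CONSTRUCTED smb probe [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.7:4444 -> 10.0.1.10:445
08/23-07:58:02.000001  [**] [1:1000002:1] CONSTRUCTED exploit attempt [**] [Priority: 1] {TCP} 203.0.113.7:4445 -> 10.0.1.10:445
08/23-07:58:03.000001  [**] [1:1000003:1] CONSTRUCTED dns anomaly [**] [Priority: 1] {UDP} 10.0.1.20:53 -> 10.0.0.7:33000
08/23-07:58:04.000001  [**] [1:1000004:1] CONSTRUCTED icmp sweep [**] [Priority: 3] {ICMP} 198.51.100.9 -> 10.0.1.10
08/23-07:58:05.000001  [**] [1:1000002:1] CONSTRUCTED exploit attempt [**] [Priority: 1] {TCP} 203.0.113.7:4446 -> 10.0.1.11:445
"""

ALERT_RE = re.compile(
    r"\[(\d+):(\d+):(\d+)\] (.*?) \[\*\*\].*?\[Priority: (\d+)\] \{(\w+)\} (\S+) -> (\S+)"
)
PROTECTED = [ip_network("10.0.1.0/24")]  # assumed: own servers, never auto-blocked
MAX_PRIORITY = 1                          # assumed: only priority-1 alerts trigger blocking


def parse_alert(line):
    """Extract sid, message, priority, protocol and IPv4 endpoints (ports stripped)."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    _gid, sid, _rev, msg, prio, proto, src, dst = m.groups()
    strip = lambda ep: ep.rsplit(":", 1)[0] if ":" in ep else ep
    return {"sid": int(sid), "msg": msg, "priority": int(prio),
            "proto": proto, "src": strip(src), "dst": strip(dst)}


def plan_blocks(lines, acl_number=110):
    """Return one block action per attacker source, skipping low-priority
    alerts and protected addresses (blocking your own DNS server on a
    false positive is a self-inflicted outage)."""
    blocked, actions = set(), []
    for line in lines.splitlines():
        a = parse_alert(line)
        if a is None or a["priority"] > MAX_PRIORITY:
            continue
        src = ip_address(a["src"])
        if src in blocked or any(src in net for net in PROTECTED):
            continue
        blocked.add(src)
        name = f"snort-{a['sid']}-{src}"
        actions.append({
            "ip": str(src), "sid": a["sid"],
            "windows": f'netsh advfirewall firewall add rule name="{name}" dir=in action=block remoteip={src}',
            "cisco": f"access-list {acl_number} deny ip host {src} any",
        })
    return actions
```

The output of `plan_blocks(ALERTS)` is a single action for 203.0.113.7: the priority-2 and priority-3 alerts are ignored, the alert sourced from the protected DNS server is ignored, and the repeated alert from the same attacker does not produce a second rule.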
[Degree-granting institution]: Northeast Forestry University (東北林業大學)
[Degree level]: Doctorate
[Year conferred]: 2014
[Classification number]: TP393.08
Article number: 2198395