Research on the Classification and Description of Network Attacks and Countermeasures Against Typical Attacks
Abstract
A scientifically sound classification of network attacks is an effective way to understand attacks in depth and thereby defend against them. Existing attack taxonomies are built from the attacker's point of view rather than from that of the party that actually has to apply them, the victim; as a result they cannot characterise the damage the victim suffers, nor guide effective measures to prevent the same attack from recurring. Building on a review of earlier work and its shortcomings, this thesis first proposes an access-level taxonomy and several further taxonomies whose classification features are restricted to those that a victim can observe and measure. These taxonomies are then combined, using the RDF model, into a victim-based network attack description system. An in-depth study of a typical attack, denial of service, and of the corresponding defensive techniques yields a fairly complete set of "prevent-detect-respond" countermeasures and demonstrates the extensibility, descriptive power and practical applicability of the description system. Finally, the results are drawn together in a proposed system for automatic network attack response and decision-making.
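The abstract's two central ideas, classifying an attack only by features the victim can observe and measure, and recording the result in RDF, can be made concrete with a small detector. The following is an added example written for this page, not code from the thesis: it scans a constructed victim-side TCP connection-table log for a SYN flood, using only counts the victim host itself can measure (half-open versus completed handshakes per local port, number of distinct peers), and serialises the finding as N-Triples. The `http://example.org/victim-attack#` vocabulary, its property names, the thresholds and the sample log are all assumptions made for the example and are not the thesis's taxonomy.

```python
"""Victim-side SYN-flood detection that emits an RDF (N-Triples) description.

Added illustration; not code from the thesis. The EX namespace, property
names, thresholds and the sample log are assumptions made for this example.
"""
from collections import defaultdict
from dataclasses import dataclass

EX = "http://example.org/victim-attack#"          # hypothetical vocabulary
RDF_TYPE = "http://www.w3.org/1999/02/22-rdf-syntax-ns#type"
XSD_INT = "http://www.w3.org/2001/XMLSchema#integer"


@dataclass
class Observation:
    """One TCP connection-table entry as the victim host sees it."""
    ts: int          # seconds since window start
    src: str         # peer address as seen by the victim (may be spoofed)
    dport: int       # local port
    state: str       # "SYN_RECV" = half-open, "ESTABLISHED" = completed


def parse_log(text):
    """Parse lines of the constructed form '<ts> <src> <dport> <state>'."""
    out = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dport, state = line.split()
        out.append(Observation(int(ts), src, int(dport), state))
    return out


@dataclass
class Finding:
    dport: int
    half_open: int
    established: int
    distinct_sources: int


def detect_syn_flood(obs, *, min_half_open=20, min_ratio=0.8):
    """Flag a local port when half-open entries dominate its connection table.

    Only victim-measurable features are used. Thresholds are example values.
    """
    per_port = defaultdict(list)
    for o in obs:
        per_port[o.dport].append(o)
    findings = []
    for dport, rows in sorted(per_port.items()):
        half = [r for r in rows if r.state == "SYN_RECV"]
        est = [r for r in rows if r.state == "ESTABLISHED"]
        ratio = len(half) / len(rows)
        if len(half) >= min_half_open and ratio >= min_ratio:
            findings.append(Finding(dport, len(half), len(est),
                                    len({r.src for r in half})))
    return findings


def _int(v):
    return f'"{v}"^^<{XSD_INT}>'


def to_ntriples(f, victim, attack_id):
    """Serialise one finding as N-Triples using the hypothetical EX vocabulary."""
    s = f"<urn:attack:{attack_id}>"
    triples = [
        (s, f"<{RDF_TYPE}>", f"<{EX}DenialOfService>"),
        (s, f"<{EX}victim>", f"<urn:host:{victim}>"),
        (s, f"<{EX}targetPort>", _int(f.dport)),
        (s, f"<{EX}halfOpenConnections>", _int(f.half_open)),
        (s, f"<{EX}establishedConnections>", _int(f.established)),
        (s, f"<{EX}distinctSources>", _int(f.distinct_sources)),
        (s, f"<{EX}observedBy>", f"<{EX}VictimHost>"),
    ]
    return "".join(f"{a} {b} {c} .\n" for a, b, c in triples)


def build_sample_log():
    """Constructed sample: normal traffic plus a flood of half-open SYNs on :80."""
    lines = ["# ts src dport state"]
    for i in range(5):                     # legitimate web clients
        lines.append(f"{i} 10.0.0.{i + 10} 80 ESTABLISHED")
    for i in range(3):                     # SSH admin sessions, unaffected
        lines.append(f"{i} 10.0.0.2 22 ESTABLISHED")
    for i in range(30):                    # spoofed sources that never complete
        lines.append(f"{5 + i // 5} 198.51.100.{i + 1} 80 SYN_RECV")
    return "\n".join(lines)


if __name__ == "__main__":
    for n, f in enumerate(detect_syn_flood(parse_log(build_sample_log())), 1):
        print(to_ntriples(f, "victim.example", str(n)))
```

The detector deliberately ignores anything only the attacker or the network could know (true source, tool used, intent) and keys on the victim's own connection table; the triples it emits carry exactly those measurable facts, which is the property the abstract requires of a victim-based description.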