Research on the Application of Honeypots in Intrusion Detection
Abstract
As network security receives growing attention, intrusion detection systems (IDS) have become an active research topic in the field. The problems common to current IDS are severe false negatives and false positives and insufficient response capability. A honeypot is a security resource with no production value, whose purpose is to divert an attacker's attention and collect attack information. Compared with firewall logs, system logs and IDS alerts, the data a honeypot produces is small in volume but high in quality, and it is of great value for studying new attacks. The aim of this thesis is to use honeypots to discover the signatures of unknown attacks and thereby improve the response and detection capability of intrusion detection systems.
     The thesis first analyses the working mechanisms, strengths and weaknesses of intrusion detection and honeypot technology, then designs a dynamic hybrid honeypot model, uses it to improve an intrusion detection system, and implements its key technologies.
     The dynamic hybrid honeypot model consists mainly of a decoy module and a camouflage service module, which cooperate through a connection-forwarding mechanism. The decoy module is made up of low-interaction honeypots that simulate the operating systems and services on the network; its main purpose is to attract attackers and increase the probability that a honeypot is attacked. The camouflage service module is made up of high-interaction honeypots running real, vulnerable operating systems and services; its purpose is to give attackers a more realistic environment, keep them engaged, and so capture as much information about unknown attacks as possible. Decoy modules are simple to deploy and low-risk, so they can be distributed to every corner of the network, trapping intruders in a mixed real-and-virtual environment. The camouflage service module is costly and risky to deploy, so it is placed in a separate, tightly controlled subnet, where it receives connections forwarded by multiple decoy modules and captures attack information while interacting with the attacker.
     The thesis adopts a multi-layer data capture mechanism: network capture, honeypot capture and kernel capture. Multi-layer capture records both the network data and the host data of an attack, ensuring the completeness of the captured data. Kernel capture, implemented on the high-interaction honeypot hosts of the camouflage service module, mainly addresses the case where intrusion data is encrypted. XML is used to design a standard intrusion information description format. Based on an analysis of the common protocols IP, TCP, UDP and ICMP, optional reference features that can be taken from each kind of packet are proposed. Attack trees are used to reconstruct the attack process and extract complex intrusion signatures.
     The system's collection and analysis capabilities were tested with the SQL worm; the experiments show that the model widens the honeypot's field of view, generates intrusion signatures, lowers the false-negative rate of the intrusion detection system and improves its performance. The system still has some shortcomings; future work should study how to set up and manage high-interaction honeypots automatically, and how to represent intrusion data in a standard form so that it can be exchanged with other security products.
With the increasing importance of network security, the Intrusion Detection System (IDS) has become an active research topic in the field. Current IDS share common problems: serious false negatives and false positives, and insufficient response capability. A honeypot is a security resource with no production value, which diverts attackers' attention and collects attack information. Compared with firewall logs, system logs and IDS early warnings, the data generated by a honeypot is far smaller in volume, and it is of great value for researching new intrusions. The aim of this paper is to use honeypots to find unknown signatures, in order to improve the response and detection capability of IDS.
     This paper first introduces the basic concepts, advantages and disadvantages of IDS and honeypots, then designs a dynamic hybrid honeypot model, uses this model to improve IDS, and implements its key technologies.
     The dynamic hybrid honeypot model proposed in this paper includes a decoy module and a camouflage service module, which work cooperatively through connection redirection. The decoy module is composed of low-interaction honeypots simulating operating systems and network services; its role is to attract as many intruders as possible and so improve the probability of the honeypot being attacked. The camouflage service module is composed of high-interaction honeypots using real operating systems and services with vulnerabilities; its role is to provide a more realistic environment and fully engage the intruders, so as to capture attack information in full. The decoy module is simple to deploy and low-risk, so it can be distributed to every corner of the network, trapping attackers in a mixed real and virtual network. The camouflage service module has high deployment cost and high risk, so it is deployed in a separate, highly controlled subnet, receiving connections redirected by more than one decoy module and capturing attack information while interacting with the attackers.
     This paper uses a multi-layer data capture mechanism: network capture, honeypot capture and kernel capture. The multi-layer mechanism fully records network data and host data and ensures the completeness of the data. Kernel capture mainly addresses the case where intrusion data is encrypted, and is implemented on the high-interaction honeypots in the camouflage service module. XML is used to design an intrusion information description format for the captured data. Based on an analysis of common protocols such as IP, TCP, UDP and ICMP, reference signatures that can be extracted from data packets are proposed. Attack trees are used to reconstruct the attack process and extract complex intrusion signatures.
     The SQL worm was used to test the system's data collection and analysis capabilities; experiments show that this model can expand the horizon of the honeypot, generate intrusion signatures, reduce the false-negative rate and improve the performance of the intrusion detection system.
     The system also has some shortcomings. Future work should study how to automatically set up and manage high-interaction honeypots, and how to standardise attack data so that it can be exchanged with other security products.
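As an added example (not code from the thesis), the following Python sketch shows the capture and feature-extraction step described in both abstracts: it pulls the reference features the abstract names (addresses, TTL, ports, TCP flags, UDP length, ICMP type and code, payload length and prefix) out of raw IPv4 packets and writes each capture as an XML intrusion record. The sample packets, the honeypot identifier and the XML element names are constructed for the demo; the thesis's real description format is not on the page.

```python
import struct
import xml.etree.ElementTree as ET

def build_ipv4(proto, src, dst, l4):
    """Constructed IPv4 packet for the demo (no link layer, checksum left 0)."""
    ip = lambda a: bytes(int(x) for x in a.split("."))
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0,
                       64, proto, 0, ip(src), ip(dst)) + l4

def reference_features(raw):
    """Pull the optional reference features from the IP/TCP/UDP/ICMP headers."""
    ihl = (raw[0] & 0x0F) * 4
    proto = raw[9]
    feat = {"proto": proto, "ttl": raw[8],
            "src": ".".join(map(str, raw[12:16])),
            "dst": ".".join(map(str, raw[16:20]))}
    l4 = raw[ihl:]
    if proto == 6:     # TCP: ports, flag bits, data offset
        sport, dport, _s, _a, off_flags = struct.unpack("!HHIIH", l4[:14])
        feat.update(sport=sport, dport=dport, tcp_flags=off_flags & 0x1FF)
        payload = l4[(off_flags >> 12) * 4:]
    elif proto == 17:  # UDP: ports and declared length
        sport, dport, ulen, _c = struct.unpack("!HHHH", l4[:8])
        feat.update(sport=sport, dport=dport, udp_len=ulen)
        payload = l4[8:]
    elif proto == 1:   # ICMP: type and code
        feat.update(icmp_type=l4[0], icmp_code=l4[1])
        payload = l4[8:]
    else:
        payload = l4
    feat["payload_len"] = len(payload)
    feat["payload_prefix"] = payload[:16].hex()  # bytes a signature could pin on
    return feat

def intrusion_record(feat, honeypot_id):
    """Serialise one capture as an XML intrusion record (hypothetical element names)."""
    root = ET.Element("intrusion", honeypot=honeypot_id)
    for k, v in feat.items():
        ET.SubElement(root, k).text = str(v)
    return ET.tostring(root, encoding="unicode")

# Constructed samples: a UDP datagram to 1434/udp (the port the SQL worm targeted,
# with a filler payload, not the worm) and a plain TCP SYN to 445/tcp.
SAMPLE_UDP = build_ipv4(17, "10.0.0.5", "10.0.1.9",
                        struct.pack("!HHHH", 40000, 1434, 8 + 21, 0) + b"\x04" + b"A" * 20)
SAMPLE_SYN = build_ipv4(6, "10.0.0.5", "10.0.1.9",
                        struct.pack("!HHIIHHHH", 50000, 445, 1, 0, 0x5002, 8192, 0, 0))

if __name__ == "__main__":
    for pkt in (SAMPLE_UDP, SAMPLE_SYN):
        print(intrusion_record(reference_features(pkt), "decoy-01"))
```

Records like these, produced at the decoy or on the camouflage host, are the raw material the attack-tree reconstruction step groups into a multi-packet signature.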