网络主动防御系统的研究与实现

上海交通大学硕士学位论文网络主动防御系统的研究与实现姓名：蒯俊申请学位级别：硕士专业：计算机技术指导教师：李生红20070701I,IIRESEARCHANDAPPLICATIONOFNETWORKACTIVEDEFENSESYSTEMABSTRACTThedevelopmentandpopularizationofnetworkdevelopmentprovidealotofconvenienttopeople'sworkandlives,butatthesametimehackingactivitiesarebecominguniversal,complex,frequent,networkwormalsowantonlyspreadanddamage.Networkinformationsecurityfollowingballooneffect,onewasdestroyed,thewholesystemmaycollapse.Withthedevelopmentofnetworkattacks,varioussecuritytoolsarenotcapableofworkingseparatelytodefendattack.Thispaperpresentsawholenetworkactivedefenseideas,thatthevarioussecuritytools,includingfirewalls,trapnetworksystemsintegratedtogether,andestablishedanefficientandstableactivedefensesystemtomediumandlargeenterprises,governmentagencies,schoolsandotherunitsonthefutureofinformationsecurityneeds.Firstofall,thispaperdescribedtheSignificanceofresearchingthenetworkactivedefensesystemandthecurrentIIIstatusofthenetworkactivedefensesystem.Then,inordertodesigntheproperdefensesystem,thisarticlefromthein-depthanalysisofthecurrentformofcomputerattackandattacktrends,launchedonthemarketrightnowwidelyusedsecuritysystemintroducedandpointedtoitslimitations,andproposedthenecessarilyoftakingtheinitiativeofnetworkdefensesystemresearch.Inthefourthchapterdetailsonactivenetworkdefensesystemoveralldesignarchitectureandprincipleofsystemoperation,thesystem'ssoftwareandhardwareplatformsanddevelopmentplatform,thenadetailedanalysisofthemainoperatingmechanism.Finally,thearticleanalyzedthelackofsystemsandfuturedevelopment.KEYWORDS:activedefense,worms,double-layerdetection,physicalisolation5657611.1NADNetworkActiveDefense1.219991502001998200257IDC5347[1]2.1[2]83.1922.11Figure1Attackclassificationdiagram1012.1.112Solaris[3]3RootWindowsApacheWeb42.1.21(1)11(2)(3)WEBCGICGICGICGI[4]2(1)(2)(3)32.1.31NOP12IDS2,IDS2.1.41DOSDOSDOS23rootRootroot4Root52.1.5132.22.2.1:12(ScriptKids)()320004Internet2.2.2SHELLCODE,12ICP14HTIPICMPHITPIDS32.2.3CERTInternet2.2.4IPP(TheInternetPrintingProtoco1)WEBDAV(Web-basedDistributedAuthoringandVisioning)(ActiveXcontrol,JavaJavaScript)[5]2.2.5InternetIntemet[6]2.2.6151DDOS(DistributedDenialOfService)DDOSDDOS220019250,000(SQLslammer)BlasterDOS3DNS(DomainNameSystem)IP(1)CERT80WEB(2)BIND(BerkeleyInternetNameDomain)BIND(3)DOSInternet(4)4Intemet(1)IP(2)DOS(3)16IPDDOS1733.1FiedCohen1984EugeneHSpaffoid[7]1982XeroxPARCJohnFShoch1988MorrisEugeneHSpaffoid[8]183.1.1BUDPTFTP[9]1Slammer2(1)Windows9XWindows2000/XPService(2)(3)guest1933.2,(IDS,IntrusionDetectionSystem)(IPS,IntrusionPreventionSystem)3.2.1[10]B10620IDS?3.2.2(Firewall)()().ASIC[11]OSI,OSI[12]6021URL[15]3.2.3(IDS,IntrusionDetectionSystem)():()(promiscuousmode)[13]?IDSIDS22(AnomalyDetectionSystem)(MisuseDetectionSystem)()IDS[27]TCP/IPSNORTSnortVirusRuleSNORTBIDSIDSIDS3.2.4(IPS,IntrusionPreventionSystem)[14]IDSIPS23IDSIPSIDSIPS[16]IPSIPS3.2.5TCP/UDP(FTPTelnet)TCP/UDP2444.1(NAD,NetworkActiveDefense)22Figure2NetworkActiveDefenseSystemArchitectureDiagram25NADNAD(NADCMCNetworkActiveDefenseControlandMonitorCenter)NAD(NADAgent)1.NADCMC(ControlandMonitorCenter)2.NADAgent4.2,NADCMCNAD31HUB1NADCMC2NADCMC263Figure3NetworkActiveDefenseSystemsIntrusionKnowledgeAcquisitionDiagramInternetInternetWebNADCMCNADAgent2211274NADCMCNADNADNADCMCNADCMCNADCMCNADCMCNADCMC()CMCAgentInternetInternetWebNADCMCNADAgent11224NADFigure4NetworkActiveDefenseSystemsIntrusionKnowledgeApplicationDiagram28NAD5NADAgentCMCNADCMC5Figure5NetworkActiveDefenseSystemSoftwareArchitectureDiagram4.3NADAgentCMCAgentNIC()2,4CMC:29:2.4G:ServerWorks(RCC)3.0:1GB:120GB:NIC10/100Mbps3Com3C509NIC10/100MbpsAgentCMC1Agent10100Mbps80Agent2CMCNADWebNAD4.41NADAgentRedHatLinuxProfessional9.0(Kernel2.4.0-18)NADCMCRedHatEnterpriseLinuxAS4.0(Kernel2.6.9-5.EL)Linux1)2)LinuxLinuxUnixLinuxUnix1430LinuxLinuxRedHatLinuxRedHatLinuxRedHatEnterpriseLinuxAS40(WebRHEL3023)2NADAgentMySQL5.0AgentMySQLCMCOracle9.2Oracle9.2RAC(RealApplicationClusters)[17]4.51.ACE(ADAPTIVECommunicationEnvironment).ACE(OO)(framework)ACE(wrapperfacade)()[26]ACE1)ACEOSOS31ACE2)ACE3)ACE(QoS)4)TAOACECORBAACETAO[18]2.Libpcap.LibpcapUnixLinuxTCPDUMPSNORTLibpcapNAD(Linux)1)LibpcapUnixWindowsWinpcapWindows2)LibpcapBPF(BSDPacketFilter)SunNIT(NetworkInterfaceTap)10150CSPF(CMUStanfordPacketFilter)1.520BPFRISCCPUBPF[19]323.Libnet.Libnet[28]Libnet1)LibnetICMPARPOSPFHttp(libnet_autobuild_ethenet)2)LibnetPPPoE(Point-to-PointProtocoloverEthernet)libnet-headers.hPPPoElibnet-functions.hsrclibnet_build_pppoe.cmakefileLibnet4.6()TAP(TestAccessPort)NetFlow331TAPNetFlow(TypeofService)(iflndex)[23]CiscoEnterasysExtremeFoundryJuniper[31]TAPTAPNADNAD(BT)()NetFlowNADTAP345NAD5.1NAD5.1.1(1)SunMicrosystemsLanceSpitzner30blackhat1)SolarisLinuxWindowsServerCiscoswitchLinuxWindowsIISSolarisDatabase2)Internet(3)3563LinuxWindowsSolarisInternet,,1P6Figure6NetworkTrapDiagram365.1.2(1)AIS(ArtificialImmuneSystem)AIS(InnateImmuneResponse)[21]IBIBIB(Antigen)IBIIhIhBIhIhBBIhIB[24](2)NADNADNADNADNADNAD3777Figure7Double-SizeDetectionTechnologyDiagramNADIhNADNADNADBNADInternetInternetWebNADCMCNADAge