CN111835694B - Network security vulnerability defense system based on dynamic camouflage - Google Patents


Info

Publication number: CN111835694B
Application number: CN201910326789.2A
Other versions: CN111835694A
Authority: CN (China)
Prior art keywords: vulnerability, false, host, unit, network
Legal status: Active (as listed by Google Patents; the status is an assumption, not a legal conclusion)
Other languages: Chinese (zh)
Inventor: 张长河
Current and original assignee: Individual (as listed by Google Patents; the list may be inaccurate)
Events: application filed by Individual; priority to CN201910326789.2A; publication of CN111835694A; application granted; publication of CN111835694B; current legal status Active


Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1433 Vulnerability analysis
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D30/00 Reducing energy consumption in communication networks
    • Y02D30/50 Reducing energy consumption in communication networks in wire-line communication networks, e.g. low power modes or reduced link rate


Abstract

The invention provides a network security vulnerability defense system based on dynamic camouflage. The basic technical idea is as follows: following the concept of moving target defense, a dynamic network environment is constructed; network deception techniques are used to build a large number of dynamic false hosts around the protected host, together with a dynamic false vulnerability library, to trap an attacker; in addition, a number of false vulnerability libraries can be randomly and dynamically generated for hosts that really exist. Whether a hacker scans the target host with a known or an unknown vulnerability scanning tool, the hacker will inevitably touch the false vulnerabilities on a false host or on the real host. Detection or exploitation of a false vulnerability triggers an alarm in the defense system, which automatically locates the attacker in real time and cuts off the first link of the network attack chain, so that defense is achieved in advance and the threat of unknown vulnerabilities is effectively reduced.

Description

Network security vulnerability defense system based on dynamic camouflage
Technical Field
The invention relates to the field of network security, in particular to a network security vulnerability defense system based on dynamic camouflage.
Background
With the rapid development of network technology, the internet has become an indispensable part of human production and life, and the wave of informatization reaches every corner of modern society. According to the statistical report issued by the China Internet Network Information Center, as of 30 June 2018 the number of internet users in China had reached 802 million, a penetration rate of 57.7 percent; mobile internet users numbered 788 million, and users of online payment in China numbered 569 million. While informatization advances, the openness of the internet continuously gives rise to security problems: an attacker can easily intrude on and attack a target network with technical means such as scanning, monitoring, probing and spoofing, mounting denial of service attacks, unauthorized access, theft of confidential information, installation of backdoor programs, propagation of worms and viruses, and so on. Diversified network services and rich application scenarios make attack methods increasingly complex and pose a great threat to network security.
A network security vulnerability (vulnerability for short) is a defect that a computer information system acquires, intentionally or unintentionally, during requirements, design, implementation, configuration, operation and so on. Such defects exist in different forms at the various layers and links of a computer information system, and once a malicious party exploits them the security of the system is compromised and its normal operation is affected. Gaining control of a computer by exploiting a vulnerability in a program (crafted code is made to pass the restrictions of the flawed program so that execution privileges are obtained) is an essential link in most network attacks.
Existing defense systems generally lack control technology at the lateral (east-west) boundary of the network: once a terminal computer is attacked or infected with a virus, the infection is likely to spread widely within the network. Although known risky ports are closed on the switch, ports considered secure today may well become attack targets in the future because operating system and software vulnerabilities keep emerging, as has happened many times in the history of computer technology. We cannot rule out new malware exploiting vulnerabilities to propagate, and once a new kind of malware spreads in the network the damage is hard to predict.
In addition, existing network security systems are usually static architectures: the network structure is static, device IP addresses are fixed, and the network topology is easy to map out. Once a computer has been implanted with malicious software, for example by ferrying it in on a USB flash drive, and turned into a 'zombie' host, then even if that computer holds no important information its malicious program can sniff, scan for vulnerabilities, analyze the network topology and architecture, and discover vulnerabilities on other hosts or servers, with the aim of taking control of the whole network.
Finally, unknown network attacks cannot be defended against. Although the existing vertical (north-south) boundary of the network is reliable, computer technology develops rapidly, and that boundary offers weak resistance to unknown attacks. Operating system and software vulnerabilities keep appearing, and attacks on unknown vulnerabilities are hard to handle under existing systems: even if a defender can respond by closing ports and patching, vulnerability repair lags behind the attack and only mends the fold after the sheep is lost, and the approach involves a large workload for often little effect.
In general, existing defense systems focus mainly on strengthening the static defense capability of the network, and protect its security to a certain extent. For a variety of reasons the existence of network security vulnerabilities is unavoidable, and once an attacker discovers one of the more serious vulnerabilities it may be exploited to gain unauthorized access to, or to damage, the computer system. Existing defense technology cannot keep up with the endless stream of vulnerabilities; an attacker often has ample time to analyze the network architecture, the host systems and the defense technology, find the vulnerabilities, and gradually penetrate the network to achieve the attack's objective.
Disclosure of Invention
The invention provides a network security vulnerability defense system based on dynamic camouflage, a further method for effectively relieving the threat that vulnerabilities pose to network security and for improving the capability to identify and defend against unknown vulnerabilities. The basic technical idea is as follows: following the concept of moving target defense, a dynamic network environment is constructed; network deception techniques are used to build a large number of dynamic false hosts around the protected host, together with a dynamic false vulnerability library, to trap an attacker; in addition, a number of false vulnerability libraries can be randomly and dynamically generated for hosts that really exist. Whether a hacker scans the target host with a known or an unknown vulnerability scanning tool, the hacker will inevitably touch the false vulnerabilities on a false host or on the real host. Detection or exploitation of a false vulnerability triggers an alarm in the defense system, which automatically locates the attacker in real time and cuts off the first link of the network attack chain, so that defense is achieved in advance and the threat of unknown vulnerabilities is effectively reduced.
In order to achieve the purpose of the invention, the technical scheme provided by the invention is as follows:
a network security vulnerability defense system based on dynamic camouflage, comprising:
a management unit, used to configure blacklist rules, false response information, dynamic transformation intervals and the like;
a traffic transceiving unit, used to receive and send network communication data packets;
a vulnerability analysis unit, used to perform protocol restoration and session reassembly on the original data packets and to identify and detect vulnerabilities according to the false vulnerability library generated by the camouflage unit;
a camouflage unit, which randomly and dynamically generates a false vulnerability library according to the IP address range of the false hosts, the IP addresses of the real hosts and the vulnerability configuration information configured by the management unit;
and a dynamic transformation unit, which, according to the dynamic transformation time interval configured by the management unit, regularly notifies the camouflage unit to perform random dynamic transformation of the false host IP addresses and the false vulnerability library.
Further, in the network security vulnerability defense system based on dynamic camouflage, the management unit (1) is used for configuration and display. The configuration information includes, but is not limited to, blacklist rules, false response information and dynamic transformation intervals. The blacklist rules are configured into the traffic transceiving unit (2) and used to filter communication data packets; once the blacklist is enabled, data packets from users (IP addresses) on the blacklist cannot pass. The false response information is configured into the camouflage unit (4) and includes, but is not limited to, the IP address range of the false hosts, the IP addresses of the real hosts and the vulnerability configuration information; the vulnerability configuration information comprises, for each vulnerability, its characteristic field, the response content returned when the vulnerability is scanned and/or the IP address and port of a honeypot to redirect to. The dynamic transformation time interval is used to configure the dynamic transformation unit (5), which at the configured interval regularly notifies the camouflage unit (4) to perform random dynamic transformation of the false hosts and the false vulnerability library. For display, the management unit (1) reads the log information provided by the log unit (6) and visually presents host IP addresses, uplink and downlink traffic, vulnerability scanning behaviour and so on, achieving whole-network threat visualization through multi-dimensional display of rich reports.
Further, in the network security vulnerability defense system based on dynamic camouflage, the traffic transceiving unit (2) is used to receive and send network data packets and comprises a data packet receiving module (21) and a data packet sending module (22). The data packet receiving module (21) receives the data packets sent to the system, discards the packets of users (IP addresses) on the blacklist according to the blacklist rules configured in the management unit (1), and passes the remaining packets to the vulnerability analysis unit (3). The data packet sending module (22) sends the packets processed by the vulnerability analysis unit (3): normal traffic is released, while attack traffic that detects or exploits a vulnerability receives a false response or is redirected to a honeypot. The traffic transceiving unit (2) uses DPDK to improve packet processing performance: DPDK provides a set of APIs (application programming interfaces) for fast packet processing and lets the network card be driven from user space without modifying the kernel, which eliminates data copying between kernel and user space, reduces the number of copies and shared-bus operations in the forwarding path, effectively lowers communication latency, raises network throughput and greatly improves packet processing performance.
In the network security vulnerability defense system based on dynamic camouflage, the vulnerability analysis unit (3) identifies and detects vulnerabilities according to the false vulnerability library generated by the camouflage unit (4), and comprises a protocol restoration and session reassembly module (31), a false host vulnerability analysis module (32) and a real host vulnerability analysis module (33). The protocol restoration and session reassembly module (31) captures the data packets from the traffic transceiving unit (2), parses them from the bottom of the protocol stack upwards, finally restores the user's original session information, and at the same time generates host IP address information and uplink/downlink traffic log information, which it sends to the log unit (6). On an internet transmission link, protocol session content between a user and a server travels as data packets encapsulated layer by layer (transport layer, network layer, data link layer, etc.), and the session is replayed by parsing packet headers, splicing data, extracting additional network information and so on. For the various applications built on the TCP/IP protocol suite, for example, the protocol restoration and session reassembly module (31) generally adopts the following restoration process: preferably, the five-tuple (source and destination IP addresses, source and destination port numbers and protocol number) is used to extract the packets of each distinct flow, the packets are then placed in sequence order, and once the TCP/IP flow's packets have been received the application layer protocol can be parsed.
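The restoration process of module (31) just described, as an added Python example that is not code from the patent: packets are demultiplexed by five-tuple, each TCP flow is put in sequence order with retransmissions and gaps handled, and only then is the application-layer byte stream returned. The packet dicts, addresses and the helper names are constructed for illustration, and the flow is assumed to start at the lowest sequence number seen.

```python
"""Flow extraction and in-order reassembly keyed on the TCP/IP five-tuple.

Added example, not code from the patent: it models the restoration process of
the protocol restoration and session reassembly module (31), which separates
packets into flows by (src IP, dst IP, src port, dst port, protocol), orders
each flow's segments and only then hands the stream to application-layer
analysis. Packets are plain dicts constructed inline instead of real captures,
and the flow is assumed to start at the lowest sequence number seen.
"""
from collections import defaultdict
from typing import Dict, List, Tuple

FiveTuple = Tuple[str, str, int, int, int]   # (src_ip, dst_ip, sport, dport, proto)
TCP = 6


def five_tuple(pkt: dict) -> FiveTuple:
    """Flow key used to demultiplex packets into per-session streams."""
    return (pkt["src"], pkt["dst"], pkt["sport"], pkt["dport"], pkt["proto"])


def demux(packets: List[dict]) -> Dict[FiveTuple, List[dict]]:
    """Group packets by five-tuple, keeping arrival order inside each flow."""
    flows: Dict[FiveTuple, List[dict]] = defaultdict(list)
    for pkt in packets:
        flows[five_tuple(pkt)].append(pkt)
    return dict(flows)


def reassemble(segments: List[dict]) -> bytes:
    """Rebuild one direction of a TCP byte stream from segments that may arrive
    out of order or duplicated. Segments are ordered by sequence number; bytes
    already covered by an earlier segment (retransmission overlap) are dropped,
    and reassembly stops at the first gap because the session is not complete."""
    stream = bytearray()
    expected = None
    for seg in sorted(segments, key=lambda s: s["seq"]):
        if expected is None:
            expected = seg["seq"]
        if seg["seq"] > expected:
            break                                # hole in the stream: wait for more data
        fresh = seg["payload"][expected - seg["seq"]:]
        stream += fresh
        expected += len(fresh)
    return bytes(stream)


def reassemble_flows(packets: List[dict]) -> Dict[FiveTuple, bytes]:
    """Map each TCP flow to its reassembled application-layer bytes; flows of
    other protocols are left to their own parsers."""
    return {key: reassemble(segs)
            for key, segs in demux(packets).items() if key[4] == TCP}


def _seg(src, dst, sport, dport, proto, seq, payload):
    return {"src": src, "dst": dst, "sport": sport, "dport": dport,
            "proto": proto, "seq": seq, "payload": payload}


# Constructed sample: one HTTP request split into three segments that arrive
# out of order, a retransmitted copy of the first segment, a segment of a second
# flow and a UDP datagram interleaved in between.
SAMPLE = [
    _seg("10.0.0.5", "10.0.0.20", 40001, 80, TCP, 1021, b"Host: 10.0.0.20\r\n\r\n"),
    _seg("10.0.0.5", "10.0.0.20", 40001, 80, TCP, 1000, b"GET /admin "),
    _seg("10.0.0.7", "10.0.0.20", 40002, 80, TCP, 5000, b"GET / HTTP/1.1\r\n\r\n"),
    _seg("10.0.0.5", "10.0.0.53", 5353, 53, 17, 0, b"\x12\x34\x01\x00"),
    _seg("10.0.0.5", "10.0.0.20", 40001, 80, TCP, 1000, b"GET /admin "),   # retransmission
    _seg("10.0.0.5", "10.0.0.20", 40001, 80, TCP, 1011, b"HTTP/1.1\r\n"),
]
```

Only after `reassemble_flows` has produced a complete stream would the signature matching of modules (32) and (33) run over it.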
The false host vulnerability analysis module (32) matches the destination IP address of a data packet against the false host IP addresses generated by the camouflage unit (4) and their corresponding false vulnerability libraries. If the match succeeds it records an access log for the false host and sends it to the log unit (6), then matches the vulnerability characteristic fields for that IP address against the packet content; if that also succeeds it returns the false response content generated by the camouflage unit (4) for that vulnerability and/or redirects the traffic to a honeypot, while generating a false host vulnerability access log and sending it to the log unit (6). The real host vulnerability analysis module (33) matches the destination IP address of a data packet against the real host IP addresses and their corresponding false vulnerability libraries generated by the camouflage unit (4); if the match succeeds it matches the vulnerability characteristic fields for that IP address against the packet content, and if that also succeeds it returns the false response content generated by the camouflage unit (4) for that vulnerability and/or redirects the traffic to a honeypot, while generating an access log for the false vulnerability on the real host and sending it to the log unit (6).
Further, in the network security vulnerability defense system based on dynamic camouflage, the camouflage unit (4) randomly and dynamically generates a false vulnerability library according to the IP address range of the false hosts, the IP addresses of the real hosts and the vulnerability configuration information configured by the management unit (1), and comprises a host camouflage module (41) and a vulnerability camouflage module (42). The host camouflage module (41) randomly generates a number of false hosts within the configured IP address range for false hosts, and the vulnerability camouflage module (42) randomly generates a number of false vulnerability libraries for each real or false host, each library comprising, for every vulnerability, its characteristic field, the response content returned when it is scanned and/or the IP address and port of a honeypot to redirect to. The camouflage unit (4) also receives the notification sent by the dynamic transformation unit (5) and performs random dynamic transformation of the false vulnerability library.
Further, in the network security vulnerability defense system based on dynamic camouflage, the dynamic transformation unit (5), according to the dynamic transformation time interval configured by the management unit (1), regularly notifies the camouflage unit (4) to perform random dynamic transformation of the false host IP addresses and the false vulnerability library. This realizes a dynamic network environment and effectively breaks the attacker's accumulation of vulnerability knowledge: the attacker cannot accurately obtain the vulnerability information of a target host and so cannot develop the next attack step.
Further, in the network security vulnerability defense system based on dynamic camouflage, the management unit (1) can issue the following configuration information to the camouflage unit (4): the real host IP, the characteristic fields of vulnerabilities that actually exist on the real host together with the content of the corresponding false responses, and/or the IP address and port of the redirection honeypot. When the defense system finds an attacker accessing a real vulnerability on a real host, it returns a false response or redirects the attacker into the honeypot, which effectively prevents the attacker from exploiting the real vulnerability. This has important practical value for networks in which certain computer vulnerabilities are difficult to repair in time, such as classified military networks and industrial control networks.
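The behaviour of units (3), (4) and (5) described in the preceding paragraphs, as an added Python simulation that is not code from the patent: the camouflage unit draws false hosts from a configured range and gives every false and real host a random false vulnerability library, the dynamic transformation unit regenerates both on each interval, and the analysis unit applies the blacklist and then decides between releasing traffic, a false response, a honeypot redirect, or logging only. All class and function names, the address ranges, the catalogue entries and the "signatures" are constructed for illustration; the assumption that a configured honeypot takes precedence over a false response is marked in the code.

```python
"""Simulation of the camouflage unit (4), the dynamic transformation unit (5)
and the decision logic of the vulnerability analysis unit (3).

Added example, not code from the patent. The class and function names, the
address ranges and the "signatures" are constructed for illustration: each
signature is a plain byte string standing in for a vulnerability's
characteristic field, not a real exploit pattern.
"""
import ipaddress
import random
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class FakeVuln:
    """One entry of a false vulnerability library, as issued by the management unit."""
    name: str
    signature: bytes                              # characteristic field to look for
    response: bytes = b""                         # false response sent to the scanner
    honeypot: Optional[Tuple[str, int]] = None    # (ip, port) of a redirect honeypot


# Constructed catalogue the management unit (1) hands to the camouflage unit (4).
VULN_CATALOGUE: List[FakeVuln] = [
    FakeVuln("fake-ftp-probe", b"USER anonymous", b"220 FakeFTP 0.1 ready\r\n"),
    FakeVuln("fake-cgi-probe", b"GET /cgi-bin/", b"HTTP/1.1 200 OK\r\n\r\n",
             honeypot=("10.9.9.9", 8080)),
    FakeVuln("fake-smb-probe", b"\xffSMB", honeypot=("10.9.9.9", 445)),
]


@dataclass
class CamouflageState:
    """Output of the camouflage unit: one false library per false and per real host."""
    fake_hosts: Dict[str, List[FakeVuln]]
    real_hosts: Dict[str, List[FakeVuln]]
    generation: int = 0


def build_state(fake_range: str, real_ips: List[str], catalogue: List[FakeVuln],
                n_fake: int, rng: random.Random, generation: int = 0) -> CamouflageState:
    """Host camouflage module (41): draw random false host IPs from the configured
    range, never colliding with a real host. Vulnerability camouflage module (42):
    give every false and real host a random non-empty subset of the catalogue."""
    pool = [str(ip) for ip in ipaddress.ip_network(fake_range).hosts()
            if str(ip) not in real_ips]
    fake_ips = rng.sample(pool, min(n_fake, len(pool)))

    def library() -> List[FakeVuln]:
        return rng.sample(catalogue, rng.randint(1, len(catalogue)))

    return CamouflageState({ip: library() for ip in fake_ips},
                           {ip: library() for ip in real_ips}, generation)


def transform(state: CamouflageState, fake_range: str, catalogue: List[FakeVuln],
              n_fake: int, rng: random.Random) -> CamouflageState:
    """Dynamic transformation unit (5): at every configured interval the false host
    addresses and all false libraries are regenerated; real host IPs are fixed by
    configuration, so only their false libraries change."""
    return build_state(fake_range, list(state.real_hosts), catalogue, n_fake,
                       rng, state.generation + 1)


@dataclass
class Verdict:
    action: str                     # drop | pass | log_only | false_response | redirect
    logs: List[str] = field(default_factory=list)
    response: bytes = b""
    honeypot: Optional[Tuple[str, int]] = None


def analyse(pkt: dict, state: CamouflageState, blacklist: Set[str]) -> Verdict:
    """Blacklist filter of the receiving module (21), then the false host (32) /
    real host (33) vulnerability analysis. pkt is a constructed dict holding the
    already reassembled payload: {"src": ip, "dst": ip, "payload": bytes}."""
    src, dst, payload = pkt["src"], pkt["dst"], pkt["payload"]
    if src in blacklist:
        return Verdict("drop", [f"blacklist_drop src={src}"])
    if dst in state.fake_hosts:
        kind, library = "fake_host", state.fake_hosts[dst]
        logs = [f"{kind}_access src={src} dst={dst}"]    # every touch of a false host is logged
    elif dst in state.real_hosts:
        kind, library = "real_host", state.real_hosts[dst]
        logs = []                                         # normal traffic to a real host is silent
    else:
        return Verdict("pass")                            # not a host this system camouflages
    for vuln in library:
        if vuln.signature in payload:
            logs.append(f"{kind}_vuln_access src={src} dst={dst} vuln={vuln.name}")
            if vuln.honeypot is not None:                 # assumption: redirect wins over false response
                return Verdict("redirect", logs, honeypot=vuln.honeypot)
            return Verdict("false_response", logs, response=vuln.response)
    # No characteristic field matched: traffic to a real host is released; for a
    # false host the patent specifies only the access log, so nothing is answered.
    return Verdict("pass" if kind == "real_host" else "log_only", logs)
```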
The network security vulnerability defense system based on dynamic camouflage is deployed at the layer-2 or layer-3 egress of the network, where it can comprehensively monitor the communication of the target network in real time. Preferably, in response to an attacker's vulnerability scanning, the system returns false responses to the attacker or redirects the attack traffic to a honeypot for further behaviour analysis.
The beneficial effects of the invention are as follows:
1) In the network security vulnerability defense system based on dynamic camouflage, a large number of dynamic false hosts are constructed around the protected host, and at the same time a dynamic false vulnerability library is constructed to trap attackers. Attackers are effectively confused and cannot accurately obtain the network topology or the vulnerability information of a target host; the exploitation value of unknown vulnerabilities is effectively reduced, the attacker's vulnerability scanning is rendered useless, and the security and stability of the target network are effectively improved.
2) With the network security vulnerability defense system based on dynamic camouflage deployed, an attacker who scans the target host for vulnerabilities obtains false response information, and that false vulnerability information changes randomly and dynamically according to the user's configuration. The system presents the attacker with a complex, diverse and dynamically changing network environment; the dynamic change of false vulnerability information breaks the attacker's accumulated knowledge, shortens the attack time window and greatly increases the attacker's difficulty.
3) Deploying the network security vulnerability defense system based on dynamic camouflage requires no change to the physical topology of the target network, no plug-ins on terminal hosts and no change to users' access habits; it can be used alongside the existing security products in the target network, and its installation and maintenance costs are low.
4) Use of a prototype has shown that the system effectively resists attackers' exploitation of vulnerabilities on target hosts, has good defensive capability against unknown vulnerabilities, is easy to deploy in existing networks, is simple to operate, safe and reliable, and has notable economic and social benefits and broad prospects for market promotion and application.
Drawings
FIG. 1 is a schematic diagram of the internal structure of the network security vulnerability defense system based on dynamic camouflage according to the present invention;
FIG. 2 is a schematic structural diagram of the traffic transceiving unit of the network security vulnerability defense system based on dynamic camouflage according to the present invention;
FIG. 3 is a schematic structural diagram of the vulnerability analysis unit of the network security vulnerability defense system based on dynamic camouflage according to the present invention;
FIG. 4 is a schematic structural diagram of the camouflage unit of the network security vulnerability defense system based on dynamic camouflage according to the present invention;
the reference numerals in the figures have the following meanings:
1: management unit; 2: traffic transceiving unit; 3: vulnerability analysis unit; 4: camouflage unit; 5: dynamic transformation unit; 6: log unit;
21: data packet receiving module; 22: data packet sending module;
31: protocol restoration and session reassembly module; 32: false host vulnerability analysis module; 33: real host vulnerability analysis module;
41: host camouflage module; 42: vulnerability camouflage module.
Detailed Description
The following detailed description of the embodiments of the present invention is provided in conjunction with the accompanying drawings to enable those skilled in the art to more clearly understand the embodiments of the present invention, but not to limit the scope of the present invention.
With the rapid development of information technology, the internet has become an indispensable part of social production and daily life, but the network security problems that come with it are becoming ever more serious. Network security has become an important factor affecting the secure operation of the global economy and stable political development, and the international community and individual countries are all exploring how to strengthen the governance of network security problems. Vulnerability exploitation is the essential technical means by which hackers carry out network attacks and has become the foremost threat to network security. According to statistics, software development produces on average one vulnerability per 1500 lines of code, and as program code grows ever larger such objectively present vulnerabilities are unavoidable and keep increasing. In addition there are large numbers of deliberately planted backdoors, for example in key core software and hardware technologies such as CPU chips and operating systems monopolized by the United States, pre-installed when the products are exported around the world; these backdoors are vulnerabilities too. They are hard to discover, and the key point is that such vulnerabilities are the weapon for breaking into the other party's network systems.
Under the existing internet architecture, the technologies adopted by network security products include antivirus software, firewalls, intrusion detection, data encryption and so on, and they protect network security to a certain extent. However, because of the static nature of the network architecture and the lag in vulnerability fixing, network security technology is often caught out by continuously developing attack techniques; attackers often have ample time to analyze the intranet architecture, the host systems and the security technology, find their vulnerabilities, and gradually penetrate the network to reach the attack target. Research into how to effectively reduce the threat of vulnerabilities (especially unknown vulnerabilities) to network security therefore has important practical significance.
First, the innovative principles of the present invention are described. Based on the novel network defense idea of Moving Target Defense (MTD), the invention uses network deception technology to construct a dynamic environment. Moving target defense departs from previous network security thinking: it aims to deploy and operate uncertain, random, dynamic networks and systems so that an attacker finds it hard to locate a target, which greatly reduces the probability of a vulnerability being exposed, reverses the passive position of network defense and truly realizes 'active' defense. Building on moving target defense, the invention combines with a Software Defined Network (SDN) framework, keeps the original network configuration intact and minimizes operational management; without affecting users' normal network applications it realizes random dynamic change of the network topology and of host vulnerabilities, turning the target network into a maze that cannot be probed or predicted and greatly reducing the probability that a host vulnerability is successfully found and exploited.
The network security vulnerability defense system based on dynamic camouflage uses network deception technology to counter attackers' vulnerability probing. To effectively improve the capability to identify and defend against unknown vulnerabilities, the defense system constructs a large number of false hosts around the protected host and at the same time constructs a dynamic false vulnerability library to trap attackers. In addition, a number of false vulnerability libraries can be randomly and dynamically generated for the hosts that really exist in the network. Under normal conditions a legitimate user does not scan or probe a false host, so frequent access to a false host, or probing and exploitation of a false vulnerability, is a suspected high-risk attack behaviour, and unknown vulnerabilities can be discovered by redirecting the attack traffic into a honeypot for further behaviour analysis. Moreover, the fabricated vulnerabilities confuse the attacker; the IP addresses and vulnerabilities of the false hosts change dynamically and randomly, greatly increasing the complexity of the network and breaking the attacker's accumulated knowledge of the target host's vulnerability information. Whether a hacker scans the target host with a known or an unknown vulnerability scanning tool, the hacker will inevitably touch the false vulnerabilities on a false host or on the real host; detection or exploitation of a false vulnerability triggers an alarm in the defense system, which automatically locates the attacker in real time and cuts off the first link of the network attack chain, so that defense is achieved in advance and the threat of unknown vulnerabilities is effectively reduced.
The network security vulnerability defense system based on dynamic camouflage is deployed at the layer-2 or layer-3 egress of the network, where it can comprehensively monitor the communication of the target network in real time. Preferably, in response to an attacker's vulnerability scanning, the system returns false responses to the attacker or redirects the attack traffic to a honeypot for further behaviour analysis. An attacker who scans the target host for vulnerabilities by technical means cannot obtain the real vulnerability information of the target host. In the network security vulnerability defense system based on dynamic camouflage, the types of false vulnerability include, but are not limited to, operating system vulnerabilities, application software vulnerabilities and network protocol vulnerabilities.
The principle and working process of the network security vulnerability defense system based on dynamic camouflage according to the present invention are described in detail below with reference to the accompanying drawings, by way of the following first and second preferred embodiments.
First preferred embodiment
As shown in Fig. 1, in a first preferred embodiment the network-deception-based dynamic defense system according to the present invention includes a management unit (1), a traffic transceiving unit (2), a vulnerability analysis unit (3), a camouflage unit (4), a dynamic transformation unit (5) and a log unit (6). The management unit (1) is connected to the traffic transceiving unit (2), the camouflage unit (4) and the dynamic transformation unit (5); the traffic transceiving unit (2) is connected to the vulnerability analysis unit (3); the vulnerability analysis unit (3) is connected to the traffic transceiving unit (2), the camouflage unit (4) and the log unit (6); the camouflage unit (4) is connected to the vulnerability analysis unit (3); the dynamic transformation unit (5) is connected to the camouflage unit (4); and the log unit (6) is connected to the management unit (1).
The management unit (1) is used for configuration and display. The configuration information includes, but is not limited to, blacklist rules, false response information and the dynamic transformation interval. The blacklist rules are configured into the traffic transceiving unit (2) and are used to filter communication packets; once the blacklist is enabled, packets from users (IP addresses) listed in the blacklist cannot pass. The false response information is configured into the camouflage unit (4); it includes, but is not limited to, the IP address range of the false hosts, the IP addresses of the real hosts and the vulnerability configuration information, where the vulnerability configuration information comprises, for each vulnerability, its characteristic field, the response content returned when that vulnerability is scanned, and/or the IP address and port of the redirection honeypot. The dynamic transformation interval is used to configure the dynamic transformation unit (5), which periodically notifies the camouflage unit (4), at the configured interval, to randomly and dynamically transform the false hosts and the false vulnerability library. For display, the management unit (1) reads the log information provided by the log unit (6) and visually presents host IP addresses, uplink and downlink traffic, vulnerability scanning behavior and so on, achieving whole-network threat visualization through multi-dimensional presentation of rich reports.
The traffic transceiving unit (2) is used for receiving and sending network packets and comprises a packet receiving module (21) and a packet sending module (22). The packet receiving module (21) receives the packets sent to the system, discards packets from users (IP addresses) listed in the blacklist according to the blacklist rules configured in the management unit (1), and passes the remaining packets to the vulnerability analysis unit (3). The packet sending module (22) sends the packets processed by the vulnerability analysis unit (3): normal traffic is released, while attack traffic that probes or exploits vulnerabilities receives a false response or is redirected to a honeypot. The traffic transceiving unit (2) uses DPDK to improve packet processing performance. DPDK provides a set of APIs for fast packet processing and drives the network card from user space without modifying the kernel, so that data copying between kernel space and user space is eliminated, the number of copies and shared-bus operations in the forwarding path is reduced, communication latency is effectively lowered, network throughput is increased and packet processing performance is greatly improved.
The vulnerability analysis unit (3) identifies and detects vulnerabilities according to the false vulnerability library generated by the camouflage unit (4), and comprises a protocol restoration and session reassembly module (31), a false host vulnerability analysis module (32) and a real host vulnerability analysis module (33). The protocol restoration and session reassembly module (31) takes the packets from the traffic transceiving unit (2), captures and parses them layer by layer from the bottom of the protocol stack upward, and finally restores the user's original session information; at the same time it generates log information on host IP addresses and uplink and downlink traffic and sends it to the log unit (6). On an Internet transmission link, the protocol session content exchanged between a user and a server travels as packets encapsulated layer by layer (transport layer, network layer, data link layer, etc.), and the session is replayed through steps such as parsing packet headers, splicing data and retrieving network metadata. For the various applications based on the TCP/IP protocol suite, for example, the protocol restoration and session reassembly module (31) preferably uses the following restoration procedure: packets of different flows are separated using the five-tuple information (source and destination IP addresses, source and destination port numbers and protocol number), the packets of each flow are then ordered by sequence, and application-layer protocol analysis is carried out once the packets of the TCP/IP stream have been received.
The false host vulnerability analysis module (32) matches the destination IP address of the packet against the false host IP addresses generated by the camouflage unit (4) and their corresponding false vulnerability libraries. If the match succeeds, it records a false host access log and sends it to the log unit (6), then matches the vulnerability characteristic fields corresponding to that IP address against the packet content; if that also matches, it returns the false response content generated by the camouflage unit (4) for that vulnerability and/or forwards the traffic into a honeypot, and at the same time generates a false host vulnerability access log and sends it to the log unit (6). The real host vulnerability analysis module (33) matches the destination IP address of the packet against the real host IP addresses and the corresponding false vulnerability libraries generated by the camouflage unit (4); if the match succeeds, it matches the vulnerability characteristic fields for that IP address against the packet content, and if that also matches it returns the false response content generated by the camouflage unit (4) for that vulnerability and/or forwards the traffic into a honeypot, while generating a real host false vulnerability access log and sending it to the log unit (6).
The camouflage unit (4) randomly and dynamically generates the false vulnerability library according to the false host IP address range, the real host IP addresses and the vulnerability configuration information configured by the management unit (1); it comprises a host camouflage module (41) and a vulnerability camouflage module (42). The host camouflage module (41) randomly generates a number of false hosts within the configured false host IP address range, and the vulnerability camouflage module (42) randomly generates a false vulnerability library for each real/false host, each library holding, for every vulnerability, its characteristic field, the response content returned when that vulnerability is scanned, and/or the IP address and port of the redirection honeypot. The camouflage unit (4) also receives the notifications sent by the dynamic transformation unit (5) and randomly and dynamically transforms the false vulnerability library.
The dynamic transformation unit (5) periodically notifies the camouflage unit (4), at the dynamic transformation interval configured by the management unit (1), to randomly and dynamically transform the false host IP addresses and the false vulnerability library. This produces a dynamic network environment, effectively breaks the attacker's accumulation of vulnerability knowledge, and ensures that the attacker cannot accurately obtain vulnerability information about the target host and therefore cannot carry out the next step of the attack.
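The five-tuple flow separation and in-order reassembly step described for module (31), as an added example that is not the patent's own code; the packets, addresses and sequence numbers are constructed sample data, and the HTTP request-line parser stands in for the application-layer analysis that follows reassembly:

```python
"""Added example (not the patent's code): five-tuple flow extraction and
in-sequence reassembly as performed by the protocol restoration and session
reassembly module (31), followed by a minimal application-layer step."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    proto: int       # IP protocol number; 6 = TCP
    seq: int         # TCP sequence number of the first payload byte
    payload: bytes


@dataclass
class Stream:
    data: bytes
    complete: bool   # False when a hole (missing segment) stopped reassembly


def five_tuple(p: Packet):
    return (p.src_ip, p.dst_ip, p.src_port, p.dst_port, p.proto)


def reassemble(packets):
    """Group packets by five-tuple, sort each flow by sequence number and
    splice payloads in order. Retransmitted duplicates are dropped, partial
    overlaps contribute only their new bytes, and a hole stops the flow so
    that no out-of-order application data reaches the analyzer."""
    flows = defaultdict(list)
    for p in packets:
        flows[five_tuple(p)].append(p)
    streams = {}
    for key, pkts in flows.items():
        pkts.sort(key=lambda p: p.seq)
        expected, buf, complete = pkts[0].seq, bytearray(), True
        for p in pkts:
            end = p.seq + len(p.payload)
            if end <= expected:
                continue                     # duplicate of bytes already spliced
            if p.seq > expected:
                complete = False             # hole: wait for the missing segment
                break
            buf.extend(p.payload[expected - p.seq:])  # skip overlapped prefix
            expected = end
        streams[key] = Stream(bytes(buf), complete)
    return streams


def request_line(stream: Stream):
    """Application-layer step after reassembly: pull the HTTP request line
    (method, target) out of a completed stream, or None if it is not HTTP."""
    if not stream.complete or b"\r\n" not in stream.data:
        return None
    parts = stream.data.split(b"\r\n", 1)[0].split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/"):
        return None
    return parts[0], parts[1]


# Constructed sample capture: one HTTP flow arriving out of order with a
# retransmitted segment, and a second flow with a missing segment.
SAMPLE = [
    Packet("203.0.113.7", "198.51.100.10", 40000, 80, 6, 1010, b" HTTP/1.1\r\n"),
    Packet("203.0.113.7", "198.51.100.10", 40000, 80, 6, 1000, b"GET /index"),
    Packet("203.0.113.7", "198.51.100.10", 40000, 80, 6, 1010, b" HTTP/1.1\r\n"),
    Packet("203.0.113.7", "198.51.100.10", 40000, 80, 6, 1021, b"Host: a\r\n\r\n"),
    Packet("203.0.113.7", "198.51.100.10", 40001, 80, 6, 2000, b"GET /b HT"),
    Packet("203.0.113.7", "198.51.100.10", 40001, 80, 6, 2100, b"TP/1.1\r\n\r\n"),
]

if __name__ == "__main__":
    for key, s in reassemble(SAMPLE).items():
        print(key, s.complete, request_line(s))
```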
Therefore, with the network security vulnerability defense system based on dynamic camouflage deployed on the Internet, an attacker who scans the target host for vulnerabilities by technical means cannot obtain the target host's real vulnerability information. Whether a hacker scans the target host with a known or an unknown vulnerability scanning tool, the hacker inevitably touches the false vulnerabilities on the false hosts or on the real host; probing and exploitation of a false vulnerability triggers the defense system's alarm, and the defense system automatically locates the attacker in real time and cuts off the first link of the network attack chain, thereby achieving defense in advance and effectively reducing the threat of unknown vulnerabilities.
Based on the first embodiment, those skilled in the art can include further information in the false vulnerability library as required, depending on the specific application field of the system; all such variations fall within the technical idea of the present invention.
Second preferred embodiment
The network security vulnerability defense system based on dynamic camouflage of the second preferred embodiment differs from the first preferred embodiment in that, when it discovers an attacker accessing a vulnerability that really exists on a real host, the defense system returns a false response or redirects the traffic to a honeypot, thereby effectively preventing the attacker from exploiting the real vulnerability on the real host. This has important practical value for networks in which certain computer vulnerabilities are difficult to patch in time, such as classified military networks and industrial control networks. In the second preferred embodiment, the management unit (1) may issue the following configuration information to the camouflage unit (4): the real host IP address, the characteristic fields of the vulnerabilities that really exist on that real host together with the content of the corresponding false responses, and/or the IP address and port of the redirection honeypot.
The invention provides a network security vulnerability defense system based on dynamic camouflage which, using network deception technology, constructs a large number of dynamic false hosts around the protected host and a dynamic false vulnerability library to trap attackers; in addition, a number of false vulnerability libraries may be randomly and dynamically generated for hosts that really exist. By returning false responses to vulnerability probing and exploitation, attackers are effectively confused, the probability that host vulnerabilities are successfully discovered and exploited is greatly reduced, and the security and stability of the target network are effectively maintained.
The above description covers only the preferred embodiments of the present invention; the technical solution of the invention is not limited thereto, any known modification made by those skilled in the art on the basis of the main technical idea of the invention belongs to the technical scope of the invention, and the specific scope of protection is defined by the claims.
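A small model of the camouflage unit (4), the false/real host vulnerability analysis modules (32)/(33) and the dynamic transformation unit (5) from the first embodiment, with the second embodiment's configured real-host entries folded in; this is an added example, not the patent's own code, and the decoy signatures, addresses and honeypot endpoint are constructed placeholders:

```python
"""Added example (not the patent's code) modelling the camouflage unit (4),
the vulnerability analysis modules (32)/(33) and the dynamic transformation
unit (5). Signatures, hosts and packet contents are constructed samples."""
import ipaddress
import random
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class FakeVuln:
    signature: bytes                  # characteristic field sought in packet content
    response: Optional[bytes] = None  # false response content, or None to redirect
    honeypot: Optional[tuple] = None  # (ip, port) of the redirection honeypot


@dataclass
class Verdict:
    action: str                       # "pass", "false_response" or "redirect"
    host_kind: Optional[str] = None   # "false" or "real" when the IP matched a library
    payload: Optional[bytes] = None
    honeypot: Optional[tuple] = None


# Constructed decoy templates the vulnerability camouflage module (42) draws from.
# Signatures are placeholders, not real exploit or banner strings.
DECOYS = [
    FakeVuln(b"GET /fake-admin/", b"HTTP/1.1 200 OK\r\n\r\n<title>admin</title>\r\n"),
    FakeVuln(b"FAKE_BANNER_PROBE", b"220 placeholder-ftpd 0.1 ready\r\n"),
    FakeVuln(b"FAKE_RPC_CALL", None, ("10.99.0.2", 2222)),  # redirect to honeypot
]


class DisguiseUnit:
    def __init__(self, false_range, real_hosts, configured, seed=None):
        self.rng = random.Random(seed)
        self.false_range = [str(ip) for ip in ipaddress.ip_network(false_range).hosts()]
        self.real_hosts = list(real_hosts)
        self.configured = dict(configured)  # real IP -> vulns that really exist there
        self.false_libs, self.real_libs, self.log = {}, {}, []
        self.transform()

    def transform(self):
        """What the dynamic transformation unit (5) triggers at each interval:
        choose a fresh random set of false hosts (41) and regenerate every
        host's false vulnerability library (42). Real hosts keep their
        configured real-vulnerability entries (second embodiment) and get
        fresh random decoys."""
        count = self.rng.randint(2, min(8, len(self.false_range)))
        self.false_libs = {
            ip: self.rng.sample(DECOYS, self.rng.randint(1, len(DECOYS)))
            for ip in self.rng.sample(self.false_range, count)
        }
        self.real_libs = {
            ip: list(self.configured.get(ip, [])) + self.rng.sample(DECOYS, 1)
            for ip in self.real_hosts
        }

    def analyze(self, src_ip, dst_ip, content):
        """Modules (32)/(33): match the destination IP against the false and
        real host libraries, then match each vulnerability's signature against
        the packet content. Normal traffic passes; a hit yields a false
        response or a honeypot redirect, and both matching steps are logged."""
        if dst_ip in self.false_libs:
            kind, lib = "false", self.false_libs[dst_ip]
            self.log.append(("false_host_access", src_ip, dst_ip))
        elif dst_ip in self.real_libs:
            kind, lib = "real", self.real_libs[dst_ip]
        else:
            return Verdict("pass")
        for vuln in lib:
            if vuln.signature in content:
                self.log.append(("vuln_access", kind, src_ip, dst_ip, vuln.signature))
                if vuln.response is not None:
                    return Verdict("false_response", kind, payload=vuln.response)
                return Verdict("redirect", kind, honeypot=vuln.honeypot)
        return Verdict("pass", kind)


if __name__ == "__main__":
    unit = DisguiseUnit("192.0.2.0/28", ["198.51.100.10"],
                        {"198.51.100.10": [FakeVuln(b"REAL_VULN_SIG", b"denied\r\n")]},
                        seed=1)
    print(unit.analyze("203.0.113.7", "198.51.100.10", b"... REAL_VULN_SIG ..."))
```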

Claims (5)

1. A network security vulnerability defense system based on dynamic camouflage, characterized by comprising a vulnerability analysis unit, a camouflage unit and a dynamic transformation unit, wherein the vulnerability analysis unit processes network communication traffic in real time and identifies and detects vulnerabilities, the camouflage unit randomly generates a false vulnerability library for each real/false host, and the dynamic transformation unit periodically notifies the camouflage unit to randomly and dynamically transform the false vulnerability library;
the network-deception-based dynamic defense system further comprises a management unit and a traffic transceiving unit;
the management unit is connected with the traffic transceiving unit, the camouflage unit and the dynamic transformation unit;
the traffic transceiving unit is connected with the vulnerability analysis unit;
the management unit is used for configuration and display, wherein the configuration information comprises, but is not limited to, blacklist rules, false response information and a dynamic transformation interval;
the blacklist rules are configured in the traffic transceiving unit and are used for filtering communication packets, and once the blacklist is enabled, packets of users listed in the blacklist cannot pass;
the false response information is configured in the camouflage unit and comprises, but is not limited to, an IP address range of false hosts, IP addresses of real hosts and vulnerability configuration information, the vulnerability configuration information comprising, for each vulnerability, its characteristic field, the response content returned when that vulnerability is scanned, and/or the IP address and port of a redirection honeypot;
the traffic transceiving unit is used for receiving and sending network packets, and adopts DPDK to improve packet processing performance;
the vulnerability analysis unit comprises a protocol restoration and session reassembly module, a false host vulnerability analysis module and a real host vulnerability analysis module, wherein the protocol restoration and session reassembly module captures and parses the packets from the traffic transceiving unit layer by layer from the bottom of the protocol stack upward and finally restores the user's original session information;
the protocol restoration and session reassembly module adopts the following restoration procedure: packets of different flows are extracted using five-tuple information, the packets are then ordered by sequence, and application-layer protocol analysis is performed after the packets of the TCP/IP stream have been received, wherein the five-tuple information comprises source and destination IP addresses, source and destination port numbers and a protocol number.
2. The system according to claim 1, wherein the vulnerability analysis unit matches the destination IP address of the packet; if the match succeeds, the vulnerability characteristic field corresponding to that IP address is matched against the packet content, and if that match also succeeds, the vulnerability analysis unit returns a false response and/or sends the response content generated by the camouflage unit for that vulnerability to the honeypot, and at the same time generates an access log for the false vulnerability.
3. The system according to claim 1, wherein the camouflage unit comprises a host camouflage module and a vulnerability camouflage module, the host camouflage module randomly generates a plurality of false hosts within the configured IP address range of the false hosts, and the vulnerability camouflage module randomly generates a false vulnerability library for each real/false host, including, for each vulnerability, its characteristic field, the response content returned when that vulnerability is scanned, and/or the IP address and port of a redirection honeypot.
4. The network security vulnerability defense system based on dynamic camouflage according to any one of claims 1 to 3, characterized in that under normal conditions legitimate users generally do not scan or probe the false hosts, so frequent access to false hosts or probing and exploitation of false vulnerabilities is suspected high-risk attack behavior, and unknown vulnerabilities can be effectively discovered by redirecting attack traffic into honeypots for further behavior analysis; in addition, the falsely constructed vulnerabilities confuse attackers, the IP addresses and vulnerability information of the false hosts can be changed dynamically and randomly, the complexity of the network is greatly increased, and the attacker's accumulated knowledge of the target host's vulnerability information is broken.
5. The network security vulnerability defense system based on dynamic camouflage according to any one of claims 1 to 3, characterized in that, for networks in which certain computer vulnerabilities are difficult to patch in time, the following configuration information can be issued: the real host IP address, the characteristic fields of the vulnerabilities that really exist on the real host together with the content of the corresponding false responses, and/or the IP address and port of the redirection honeypot; so that when the defense system finds an attacker accessing a vulnerability that really exists on the real host, it can return a false response or redirect the traffic to the honeypot, thereby effectively preventing the attacker from exploiting the real vulnerability on the real host.
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910326789.2A CN111835694B (en) 2019-04-23 2019-04-23 Network security vulnerability defense system based on dynamic camouflage

Publications (2)

Publication Number Publication Date
CN111835694A CN111835694A (en) 2020-10-27
CN111835694B true CN111835694B (en) 2023-04-07

Family

ID=72912395

Country Status (1)

Country Link
CN (1) CN111835694B (en)

Families Citing this family (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112383546B (en) * 2020-11-13 2023-07-25 腾讯科技(深圳)有限公司 Method for processing network attack behavior, related equipment and storage medium
CN112769771A (en) * 2020-12-24 2021-05-07 中国人民解放军战略支援部队信息工程大学 Network protection method, system and system architecture based on false topology generation
CN113609491B (en) * 2021-08-02 2024-01-26 中通服咨询设计研究院有限公司 Plug-in vulnerability automatic scanning method based on message queue
CN114448737B (en) * 2022-04-11 2022-08-05 北京安盟信息技术股份有限公司 Active protection method and system for information security of machine tool
CN115208679B (en) * 2022-07-14 2023-12-08 软极网络技术(北京)有限公司 Attacker IP defending method and defending system based on honey array cooperation
CN115296902B (en) * 2022-08-03 2023-11-10 国家电网公司华中分部 Network camouflage method of virtual information

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105721442A (en) * 2016-01-22 2016-06-29 耿童童 Spurious response system and method based on dynamic variation and network security system and method
CN106685900A (en) * 2015-11-10 2017-05-17 中国电信股份有限公司 Loophole prevention method and apparatus
CN106888211A (en) * 2017-03-10 2017-06-23 北京安赛创想科技有限公司 The detection method and device of a kind of network attack
CN107343011A (en) * 2017-09-04 2017-11-10 北京经纬信安科技有限公司 A kind of endogenous intimidation defense equipment based on dynamic object defence
CN109347794A (en) * 2018-09-06 2019-02-15 国家电网有限公司 A kind of Web server safety defense method

Also Published As

Publication number Publication date
CN111835694A (en) 2020-10-27

Legal Events

Date Code Title Description
DD01 Delivery of document by public notice

Addressee: Zhang Changhe

Document name: Notification of Passing Preliminary Examination of the Application for Invention

PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant