CN100379201C - Distributed hacker tracking system in controllable computer network - Google Patents


Info

Publication number: CN100379201C
Authority: CN (China)
Application number: CNB011323418A
Other versions: CN1422039A
Original language: Chinese (zh)
Inventors: 谷大武, 李小勇, 陆海宁
Original and current assignee: Shanghai Jiaotong University
Legal status: Expired - Fee Related
Prior art keywords: network, attack, message, address, manager


Abstract

The present invention provides a distributed hacker tracking system suitable for a controllable computer network, using network intrusion detection and data fingerprinting techniques. Network monitors are placed on each shared network segment of a controllable (or correspondingly closed) network system. The monitors send intrusion alert messages to a manager; when an intrusion is detected by some of the monitors, the manager looks up the corresponding records and traces the attack path of the packets backwards, so that the hacker's network segment, and even the original source, can be determined. The system also has good extensibility and real-time performance and can be used in large heterogeneous networks.

Description

Distributed hacker tracking method for a controllable computer network
Technical field
The present invention relates to distributed processing for computer information network security, and in particular to a hacker tracking method for a controllable computer network.
Background art
Computers and the Internet have become one of a country's most important information infrastructures. Protecting these facilities from attack and destruction by hostile states, computer hackers and other computer criminals is a necessary condition for protecting national sovereignty, integrity and information security, and for guaranteeing the normal operation of sectors such as government, finance, commerce, and science and technology.
If a hacker's true address can be obtained, and the relevant evidence recorded so that the hacker can be brought to justice, network and computer crime can be deterred and the security of networks and computer systems effectively maintained. Although hacker tracking therefore has important security significance, in a network environment an attacker (also called a hacker) can easily disguise himself and spoof IP addresses, so hacker tracking faces the following difficulties:
A. Address spoofing: the hacker can easily forge his own IP address.
B. Wide use of application gateways and NAT: once such technology is adopted, both the source and destination addresses of IP packets are translated, so the true address of attacker 11 cannot be seen from victim 13, as shown in Fig. 1.
C. Login chains: the hacker hides his true address by logging in through a series of intermediate hosts, as shown in Fig. 2.
To reach Hn, the hacker first logs in from host 1 (H1) 21 to host 2 (H2) 22, then from H2 to H3, and finally from the (n-1)th host (Hn-1) 23 to the nth host (Hn) 24. As can be seen from Fig. 2, the source and destination addresses of the packets differ in each hop of the login chain.
Because hacker tracking is of such security significance, a number of research projects have been carried out abroad, but owing to the technical difficulty of the problem no comparatively mature solution exists so far.
1) DIDS (Distributed Intrusion Detection System)
DIDS was first proposed as a model by the University of California, Davis, and later developed further by Trident. DIDS is a distributed intrusion detection system that can monitor users' login behavior within the domain it covers.
A monitoring program, the Host Monitor, runs on every host in the DIDS domain. It collects and analyzes the local log information and reports important events (such as login events) to a central manager, the Director. By jointly analyzing the information reported by each Host Monitor, the Director can construct the user's login path across the hosts and so obtain the origin of the user's login.
The shortcomings of DIDS are that it can only detect connection events based on TCP and cannot detect attacks carried in UDP packets; that when a hacker inside the domain logs in to a host outside the domain and then attacks hosts inside the domain, DIDS cannot trace the hacker's true address; and that it cannot track the hacker in real time.
2) Caller-ID
The USAF took a completely different approach to hacker tracking. Because the use of this technique requires the approval of the judicial authorities, it is not a general-purpose system.
The Caller-ID system rests on the following assumption: if a hacker launches an attack through some intermediate hosts, those hosts very likely have vulnerabilities that allowed the hacker to access them. When an attack occurs, Caller-ID attacks the hosts along the reverse path, obtaining the address of one host at a time, and so on until the hacker's true address is obtained. For example, suppose the hacker attacks along the path H->M1->M2->...->Mn->V, where H is the source host from which the hacker launches the attack and V is the target. Caller-ID attacks Mn and learns that the attack came from Mn-1, then attacks Mn-1, and so on, until it finally determines that the attack came from H.
The shortcomings of the Caller-ID system are its high risk and uncertainty: tracking is only possible while the hacker is online; if any intermediate host cannot be broken into, the hacker's true address cannot be obtained; and the attack means employed may damage the intermediate hosts.
3) Caller Identification system
The Caller Identification system is based on the following principle: every host on a login chain records the information about its upstream login chain. If a user attempts to log in from Hn-1 to Hn, Hn queries all upstream hosts Hn-1, Hn-2, ..., H2, H1 for their login-chain information, and permits the login only if the information returned by all upstream hosts is consistent.
The shortcomings of the Caller Identification system are that it is incompatible with existing systems and requires the corresponding software to be installed on every host in the domain, and that if any host in the login chain is compromised, it can no longer obtain the hacker's true address. For example, suppose the hacker logs in to H1 and then to H2, and then compromises H2 so that H2 answers every query from downstream hosts by claiming that this user logged in directly from the console. All downstream hosts H3, H4, ... then consider the login to originate from H2 rather than from H1.
4) IDA (Intrusion Detection Agent System)
IDA is a mobile-agent-based intrusion detection system developed by Waseda University, Japan, that can track hackers. The system consists mainly of a manager, sensors, tracing agents and information-gathering agents. A sensor is installed on each monitored machine; it decides whether an intrusion has occurred by monitoring the system's critical files, and sends an alert message to the manager when it decides one has. On receiving the alert, the manager dispatches a tracing agent to the host where the sensor resides. The tracing agent determines the upstream host from the user's login information and migrates to that host, repeating this until the origin of the hacker's login is found. Before migrating, the tracing agent spawns an information-gathering agent, which performs the corresponding information search and sends the information to the manager.
All of the hacker tracking techniques above are host-based tracking systems. Their common characteristic is that the detected information all comes from host logs and from operations on critical files, and their main defects are:
A. If any host in the login chain does not have the corresponding system installed, or has been attacked by the hacker and no longer functions normally, the origin of the login chain cannot be traced; this prevents them from serving as general tracking systems across the Internet;
B. They require that every host in a monitored domain on which the tracking software is installed is secure, which is hard to guarantee in practice;
C. They cannot detect the case in which a user inside the network logs in to a host outside the network and then attacks hosts inside the network.
5) Thumbprints
The notion of thumbprints was first proposed by Heberlein et al. A thumbprint is a very short piece of data that effectively reflects the content transmitted over a connection during a period of time; in a sense a thumbprint is similar to a digest.
If a hacker logs in successively to hosts H1, H2, H3 and H4, every operation by the hacker produces a packet from H1 to H2; after H2 processes it, the corresponding information is sent on to H3, and H3 likewise sends a packet to H4, where the command is finally executed. From the way Telnet works, the packet contents transmitted between H1 and H2, between H2 and H3, and between H3 and H4 are all identical.
If all communication between the different hosts can be monitored, analyzing it reveals that these connections belong to the same login chain, and the order of the logins can be determined from the times at which the packets were observed, so the origin of the login chain can be found. Since a login chain may last a long time and the amount of communication data is very large, this method needs a great deal of system memory and the data processing also takes a long time. The ideal method therefore uses a smaller amount of data (a thumbprint) to establish the consistency of the communication content between hosts on the same login chain while still distinguishing it from unrelated connections.
A good thumbprint should satisfy the following conditions:
A. It should be as short as possible, to reduce the storage required;
B. It should have good uniqueness, so that the probability of two unrelated connections having the same thumbprint is as small as possible;
C. Robustness: when the connection content is disturbed by the various errors met in practice, the thumbprint should change as little as possible;
D. Additivity: the thumbprints of consecutive time periods can be added to form the thumbprint of a longer period;
E. The computational cost of the thumbprint should be small.
In practice, thumbprints are disturbed by the following factors:
F. Clock skew
If the clocks on different hosts are not synchronized, a character may fall into the nth thumbprint on one host but into the (n+1)th thumbprint on another.
G. Propagation delay
Propagation delay causes the same kind of error as clock skew. Its cause is mainly not the network itself but overloaded hosts, which can introduce delays of several seconds or tens of seconds.
H. Character loss
Because the monitor only listens to the communication passively and is not a party to the connection, it cannot use the error and flow control that TCP provides. Under heavy load the monitor may lose characters.
I. Route changes
IP routers can dynamically choose a route for each packet according to changes in network traffic, so the monitor may fail to hear some packets.
J. Hacker countermeasures
To defeat thumbprinting, the hacker may encrypt and decrypt the packets on the different hops of the login chain, or insert interfering characters to make the thumbprinting technique fail.
6) Network intrusion detection
Intrusion detection is an active security technique that has developed rapidly in recent years. Its system prototype was proposed by Dorothy Denning, as shown in Fig. 3, and current intrusion detection techniques and architectures are all extensions and refinements of that basis. According to the object being monitored, intrusion detection is divided into host-based and network-based intrusion detection.
A. Host-based intrusion detection
Whether a host has been intruded upon can be detected in three ways: (1) examining the host's audit data and system logs; (2) monitoring the behavior of the individual host, such as system calls, CPU utilization and I/O operations; (3) monitoring the user's operations on the host (such as the commands typed).
Host-based intrusion detection monitors the behavior of the system or the user comprehensively and, by building a behavior profile for each user, can detect attacks such as impersonation. However, it cannot detect network attacks such as DoS and TCP-based attacks; it is tied to the operating system platform and hence poorly portable; and it requires an intrusion detection system to be installed on every monitored host, which makes it hard to configure and manage.
B. Network-based intrusion detection
Network-based intrusion detection monitors all packets on the network and analyzes their contents to decide whether the network or a host is under attack.
Network-based intrusion detection has the following advantages: it is independent of the platform of the monitored systems; it operates in real time; a single detection node installed on an IP subnet can monitor the whole subnet; and it does not affect network communication.
A network intrusion detection system generally consists of two parts, sensors and a manager. Sensors are distributed over the network segments; by inspecting and analyzing network packets in real time they can distinguish normal packets from attack packets, and on finding an attack packet they can raise an alert, record the attack packet, and modify the firewall's rule table to filter subsequent attack packets. The manager provides centralized management and configuration.
Because the intrusion detection systems developed by different research groups and vendors differ in architecture, alert data format, attack signature numbering and so on, they cannot work together. To allow intrusion detection systems from different vendors to interoperate, in March 1997 an organization of the U.S. Department of Defense initiated standardization work on intrusion detection systems; the resulting standard is called CIDF. Its system model is shown in Fig. 4.
In Fig. 4, monitoring module 44 collects data and saves the relevant data in database 45; analysis module 42 identifies attack signatures according to the contents or rules in knowledge base 43. When an attack is found, response module 41 performs the corresponding response, including alerting, blocking the connection and so on. Communication and authentication module 46 handles communication and authentication between the different nodes.
According to the attack recognition algorithm, intrusion detection is further divided into anomaly detection and knowledge-based detection.
C. Anomaly detection
A model (profile) of the normal behavior of the user or system is built, and the current behavioral characteristics of the system or user are compared against the normal profile to decide whether an attack is taking place.
Although a network intrusion detection system can detect attacks and identify the attacker, it cannot solve the problem faced by the hacker tracking systems described above.
D. Knowledge-based detection (misuse detection)
A model (also called an attack signature) is built for each known attack, and the user's current behavior is compared against the various attack models (signatures) to decide whether an attack is taking place.
The shortcoming of knowledge-based detection is that a model must continually be built for each newly emerging attack and added to the attack signature library. Its advantages are high recognition accuracy and the ability to identify the type of attack, so that corresponding measures can be taken to stop it.
Because the hacker tracking system needs to identify the type of attack, it adopts knowledge-based detection.
7) Login chain identification based on TCP sequence numbers
Kunikazu Yoda and Hiroaki Etoh of the IBM Japan research center proposed a way of tracing login chains based on TCP sequence numbers. By detecting and recording the sequence numbers of the data sent over each TCP connection on each network segment, one can judge whether the connections belong to the same login chain. The algorithm is:
$$
\frac{1}{d}\min_{0 \le k \le m'}\left\{ \left|\sum_{h=1}^{d}\Bigl(T(h,k)-\min_{1 \le h \le d}\{T(h,k)\}\Bigr)\right|,\ \left|\sum_{h=1}^{d}\Bigl(T(h,k)-\max_{1 \le h \le d}\{T(h,k)\}\Bigr)\right| \right\}
$$
where $T(h,k) = u(b_k + h) - t(a_0 + h)$, $d = a_n - a_0$, and $m' = \max\{i \mid b_i + d \le b_m\}$.
Here $a_i$ are the packet sequence numbers of TCP connection $a$ and $t(s)$ is the time at which sequence number $s$ arrives; $b_i$ and $u(r)$ are the packet sequence numbers and arrival times of TCP connection $b$.
The login chain identification method based on TCP sequence numbers also works for encrypted data. Compared with the thumbprint technique proposed by Heberlein, it needs to store less data and its computational intensity is low. But it still has to store the sequence numbers of all TCP connections and can only perform the comparison centrally, which is difficult in large-scale network applications; furthermore, when the network delay fluctuates strongly the method's error grows accordingly, and for connections of short duration the error is also larger.
Existing intrusion detection systems mostly concentrate on discovering and preventing attacks; although they can detect most network-based attacks, they find it difficult to trace the true source of the hacker.
Summary of the invention
The object of the invention is to propose a distributed network hacker tracking method based on intrusion detection and digital fingerprinting technology, so that the source of the hacker can really be traced, thereby determining the network segment where the hacker is located and even the hacker's original source.
This object is achieved as follows. A method for distributed network hacker tracking in a controllable computer network comprises the steps:
S0. Provide network monitors and a manager. The network monitors are distributed along the network path from the attacker to the victim, one network monitor between every two gateways, and each network monitor is physically connected to the manager;
S1. Each network monitor listens to the data transmitted on the network and records attacks; as soon as an attack is found, it sends an alert message to the manager;
S2. The manager decides whether a group of alerts received from the network monitors within a given time threshold are correlated, according to the attack type of the alerts, the time at which the attack occurred, and the similarity of the alerts; if they are not correlated, return to step S1, otherwise proceed to step S3;
S3. Having decided that the group of alerts is correlated, the manager further determines the actual locations of the attacker and the victim from the attacker and victim addresses in the alerts and the times of the alerts.
In the correlation determination step, the manager analyzes the correlation between every pair of alerts in the group; if every pair of alerts is correlated, the group of alerts is judged to be correlated.
The network monitor is provided with an interface driver module, a common program module, a memory management module, a packet database, an attack signature library, a communication and authentication module, an attack signature recognition engine and a scheduler module, and operates as follows:
A. The user configures the system parameters through the network monitor's user-friendly interface;
B. The user starts the receiving process through the network monitor's interface;
C. Network packets are read by the interface driver module;
D. Packets are parsed by the common program module;
E. The scheduler module hands the parsed packet to the attack signature recognition engine, which performs IP, UDP, TCP, ICMP, TELNET, WWW and FTP checks. If the packet is an attack packet, the corresponding policy library is looked up according to the attack type, the specified policy is executed, and the communication module is called to send an alert message to the manager.
The manager is provided with an alert database, an attack signature library, a response policy library and a communication and authentication module, and its workflow comprises the steps:
A. The user configures the system parameters and creates the database through the manager's user-friendly interface;
B. The user starts the receiving process through the manager's interface;
C. The attack signature recognition engine calls the communication and authentication module, which reads and parses the alert messages sent by the network monitors over a standard sockets interface and adds them to the alert database;
D. The attack signature recognition engine performs correlation analysis on the records sent by the different network monitors, using the attack signature library and the alert database;
E. The attack signature recognition engine performs the alert response according to the result of the correlation analysis and the response policy library.
The correlation analysis comprises deciding whether alerts are correlated, determining the attack source, and determining the attack target.
Two alerts are judged to be correlated under the following conditions:
a. The attack types are identical;
b. The interval between receipt of the two alerts is shorter than a preset time threshold; this preset threshold may lie in the range 30-150 seconds;
c. The attack type is at the TCP application layer;
d. The similarity of the data fingerprints of the TCP payloads of the two alerts is greater than 0.5.
The similarity is computed by a pattern matching algorithm, whose steps are:
a. When it detects an attack, each network monitor records the content of the TCP connection over the preceding period of time, adds this content to the alert message, and sends it to the manager;
b. For alerts of the same attack type within a period of time, the manager computes their similarity with the following formula.
Given two sequences of length $l$, $X = x_0 x_1 \ldots x_{l-1}$ and $Y = y_0 y_1 \ldots y_{l-1}$, let
$$
\delta(X,Y,i) = \begin{cases} 0, & \text{if } x_i \ne y_i, \\ 1, & \text{if } x_i = y_i, \end{cases}
$$
$$
\Delta(X,Y) = \sum_{i=0}^{l-1} \delta(X,Y,i).
$$
Write $X_i = x_i x_{i+1} \ldots x_{i+l-1}$ with subscripts taken modulo $l$ (the cyclic shift of $X$ by $i$ positions). The similarity of $X$ and $Y$ is then defined as
$$
R(X,Y) = \max_{0 \le i \le l-1} \{\Delta(X_i, Y)\},
$$
and normalizing this result gives
$$
R(X,Y)' = \frac{R(X,Y)}{l}.
$$
c. Using $R(X,Y)'$, the similarity of two sequences can be compared effectively.
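The pairwise correlation conditions (a)-(d) and the cyclic-shift similarity $R(X,Y)'$ above, worked through in Python as an added example that is not part of the patent; the `Alert` fields, the 60 s threshold, the truncation to the shorter payload and all sample payloads are constructed here.

```python
"""Alert correlation (conditions a-d) and the cyclic-shift fingerprint
similarity R(X, Y)'.  Added example, not the patent's own code; Alert fields,
threshold value and payloads are constructed for illustration."""
from dataclasses import dataclass
from itertools import combinations

TIME_THRESHOLD_S = 60        # preset threshold; the patent allows 30-150 s
SIMILARITY_THRESHOLD = 0.5   # condition d: normalized similarity must exceed 0.5


@dataclass(frozen=True)
class Alert:
    """One <NM Time SourceIP DestinationIP AttackSignature> message plus the
    recorded TCP payload that the monitor attaches for fingerprinting."""
    nm: str              # IP address of the reporting monitor
    time: float          # seconds since an arbitrary epoch
    src: str
    dst: str
    signature: str       # attack type
    tcp_app_layer: bool  # condition c: attack is at the TCP application layer
    payload: bytes       # recent TCP payload seen on this segment


def delta(x: bytes, y: bytes, i: int) -> int:
    """delta(X, Y, i): 1 if x_i == y_i, else 0."""
    return 1 if x[i] == y[i] else 0


def big_delta(x: bytes, y: bytes) -> int:
    """Delta(X, Y) = sum of delta(X, Y, i) over i, for equal-length X and Y."""
    return sum(delta(x, y, i) for i in range(len(x)))


def cyclic_shift(x: bytes, i: int) -> bytes:
    """X_i = x_i x_{i+1} ... x_{i+l-1}, subscripts taken modulo l."""
    return x[i:] + x[:i]


def similarity(x: bytes, y: bytes) -> int:
    """R(X, Y) = max over i of Delta(X_i, Y).

    The patent defines R over one common length l; this example truncates the
    longer payload to the shorter one (an assumption, not from the patent)."""
    l = min(len(x), len(y))
    if l == 0:
        raise ValueError("fingerprint sequences must be non-empty")
    x, y = x[:l], y[:l]
    return max(big_delta(cyclic_shift(x, i), y) for i in range(l))


def normalized_similarity(x: bytes, y: bytes) -> float:
    """R(X, Y)' = R(X, Y) / l."""
    return similarity(x, y) / min(len(x), len(y))


def correlated(a: Alert, b: Alert) -> bool:
    """Conditions a-d for a pair of alerts."""
    if a.signature != b.signature:                  # a: same attack type
        return False
    if abs(a.time - b.time) >= TIME_THRESHOLD_S:    # b: interval shorter than threshold
        return False
    if not (a.tcp_app_layer and b.tcp_app_layer):   # c: TCP application layer
        return False
    return normalized_similarity(a.payload, b.payload) > SIMILARITY_THRESHOLD  # d


def group_correlated(alerts) -> bool:
    """A group is correlated only if every pair of alerts in it is correlated."""
    return all(correlated(a, b) for a, b in combinations(alerts, 2))


# Constructed sample: one Telnet-relayed command observed on three segments.
# The monitors' capture windows start at different offsets, so the payloads
# are rotations of one another, which is what the cyclic shift in R absorbs.
CMD = b"ls -la /var/log\n"   # 16 bytes
SAMPLE_ALERTS = [
    Alert("10.1.0.2",    100.0, "10.1.0.77",    "203.0.113.1",  "TELNET-X", True, CMD),
    Alert("203.0.113.2", 100.4, "203.0.113.1",  "198.51.100.1", "TELNET-X", True, cyclic_shift(CMD, 9)),
    Alert("10.9.0.2",    101.0, "198.51.100.1", "10.9.0.50",    "TELNET-X", True, cyclic_shift(CMD, 3)),
]
# Same signature, same window, unrelated content: shares only ' ', '/', 'o'
# with CMD, so no rotation can match more than 6 of 16 positions.
UNRELATED = Alert("10.5.0.2", 100.7, "10.5.0.9", "10.5.0.1", "TELNET-X", True,
                  b"cd /tmp; echo ok\n")

if __name__ == "__main__":
    print("R' NM1/NM2:", normalized_similarity(SAMPLE_ALERTS[0].payload,
                                               SAMPLE_ALERTS[1].payload))
    print("group correlated:", group_correlated(SAMPLE_ALERTS))
    print("with unrelated alert:", group_correlated(SAMPLE_ALERTS + [UNRELATED]))
```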
When determining the attack source, an attacker IP address satisfying the following conditions may be the IP address of the attack source:
a. The attacker's IP address is a typical internal network address;
b. The attacker's IP address and the network monitor's IP address are on the same network segment.
When determining the attack target, a victim IP address satisfying the following conditions may be the IP address of the attack target:
a. The victim's IP address is a typical internal network address;
b. The victim's IP address and the network monitor's IP address are on the same network segment.
The network intrusion detection system described above may have several managers, and the managers may be arranged in a hierarchical structure. The system may also omit the network monitors in the middle of the attack path and keep only the two network monitors nearest to the attacker and the victim.
A hacker tracking system built by the method of the invention has the following advantages:
1. It can accurately trace the hacker's true address
If network monitor agents are installed inside the network, the hacker's true address can be obtained; if a network monitor agent is installed at the network's exit, the IP subnet where the attacker is located can be determined.
2. Good extensibility
Because the data are analyzed directly on the network monitor agents, the monitored data need not be transmitted, which reduces the network bandwidth consumed and at the same time lightens the load on the central manager, so that one manager can handle the alerts of many network monitors. Managers can also easily be arranged in a hierarchical structure, so that the whole system suits large networks, as shown in Fig. 7.
Compared with thumbprint-based hacker tracking systems, the hacker tracking model proposed by the invention greatly reduces the amount of content that must be stored and the amount of data that must be processed. A thumbprint-based system has to store thumbprints of the content of all communication on every network path, and the final comparison can only be carried out on a central host. The system proposed by the invention distributes the processing of network packets over many network monitors, and only alert messages need to be kept on the manager.
3. It can recognize attacks of many protocols and kinds
Current hacker tracking systems can only detect connection-oriented attack types, that is, attacks based on TCP. The hacker tracking system proposed by the invention can detect attacks of many protocol types.
4. Real-time operation
The hacker tracking system proposed by the invention detects attacks and traces the hacker's true address in real time, whereas current hacker tracking systems cannot track hackers in real time.
On the basis of a comprehensive survey and analysis of the characteristics and shortcomings of existing hacker tracking techniques, the invention uses network intrusion detection and data fingerprinting to propose a distributed hacker tracking system model suitable for a controllable computer network environment. The model can track hackers within the monitored area, has good extensibility and real-time performance, and can be applied to large heterogeneous networks. Several data fingerprint algorithms were analyzed and compared, the proposed system prototype was developed, and a hacker tracking system was set up. Test analysis shows that the system overcomes the shortcomings and defects of existing methods and has the advantages of accurate, real-time and extensible tracking. The system is advanced in design and complete in function, and is an effective and practical network hacker tracing system.
Description of the drawings
Fig. 1 is a schematic diagram of packet address translation by an existing application gateway;
Fig. 2 is a schematic diagram of packet address translation by an existing login chain;
Fig. 3 is an existing general intrusion detection model;
Fig. 4 is the existing CIDF architecture;
Fig. 5 is model 1 of the distributed hacker tracking system of the controllable computer network according to the invention;
Fig. 6 is the simplified model of the distributed hacker tracking system of the controllable computer network of the invention;
Fig. 7 is a schematic diagram of the hierarchical structure of the distributed hacker tracking system of the controllable computer network of the invention;
Fig. 8 is a schematic diagram of the network monitor software structure of the invention;
Fig. 9 is a network monitor workflow diagram of the invention;
Fig. 10 is a schematic diagram of the composition of the attack signature library of the invention;
Fig. 11 is a schematic diagram of the manager software structure of the invention;
Fig. 12 is a manager workflow diagram of the invention;
Fig. 13 is a schematic diagram of simultaneous multiple attacks of the same type according to the invention;
Fig. 14 is a schematic diagram of the test environment of the distributed hacker tracking system of the controllable computer network of the invention.
Embodiment
The present invention is further described below by way of embodiments, with reference to the accompanying drawings.
A complete hacker tracing technique consists of two parts: hacker identification and hacker tracking. The present invention uses intrusion detection technology for hacker identification, and performs hacker tracking from the alert messages and the data fingerprints produced by intrusion detection. The hacker tracking system model established by the present invention is shown in Fig. 5.
In Fig. 5, the hacker is the attacker 11 and the attacked destination host is the victim 13. Gateway 1 (Gateway1) 56, gateway 2 (Gateway2) 57, ..., gateway n-1 (Gateway(n-1)) 58 and network monitor 1 (NM1) 52, network monitor 2 (NM2) 53, ..., network monitor n (NMn) 54 are distributed along the network path from the attacker to the victim. A network monitor captures and analyses network packets and, if it finds an attack, sends an alert message to the manager. The manager performs correlation analysis across the network monitor agents and constructs the complete attack path, thereby obtaining the attacker's true address.
In Fig. 5, the packet sent by the hacker 11 has source IP address (SourceIP) H and destination address (DestinationIP) G1. This packet is captured by network monitor 1 (NM1) 52, which recognizes the attack and sends an alert message to the manager. The alert message has the following content:
<NM Time SourceIP DestinationIP AttackSignature>
where NM is the IP address of the network monitor that sends the alert, Time is the time at which the attack occurred, SourceIP is the attacker's IP address as seen by that network monitor, DestinationIP is the victim's IP address, and AttackSignature is the attack type. The alert message sent by NM1 is:
<NM1 t1 H G1 S>
When the packet passes the path segment where network monitor 2 (NM2) 53 is located, NM2 also detects the attack and sends the following alert message:
<NM2 t2 G1 G2 S>
Likewise, network monitor n (NMn) 54 sends the following alert message:
<NMn tn G(n-1) V S>
The manager 51 scans the received alert messages with a sliding window and correlates the alerts received within a period of time; from the attack type, the time of the attack, the attacker's IP address and the victim's IP address it can construct the complete attack path:
H → G1 → G2 → ... → G(n-1) → V
From the attack path it can be judged that the attack originated from H.
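The sliding-window chaining described above, written out as an added example (this is editorial illustration code, not the code of the patent or of Shanghai Jiaotong University). It assumes the alert tuple format <NM, Time, SourceIP, DestinationIP, AttackSignature> from the description, a hypothetical 120-second window for the "period of time" the text leaves open, and constructed alerts for a three-hop path; the hop rule is that an alert extends the path when its SourceIP equals the DestinationIP of the current hop and it falls inside the window.

```python
from collections import namedtuple

# One alert as a network monitor sends it:
# <NM, Time, SourceIP, DestinationIP, AttackSignature>
Alert = namedtuple("Alert", "nm time src dst sig")

def build_attack_paths(alerts, window=120):
    """Chain alerts of one attack type into complete paths H -> G1 -> ... -> V.

    Alerts with the same signature are processed in time order. The earliest
    unused alert opens a path; an unused alert whose SourceIP equals the
    DestinationIP of the current hop and that occurred within `window`
    seconds after it adds one hop. Returns (signature, start time, path).
    Assumption: the 120 s default window is not specified by the page.
    """
    paths = []
    for sig in sorted({a.sig for a in alerts}):
        pending = sorted((a for a in alerts if a.sig == sig), key=lambda a: a.time)
        while pending:
            head = pending.pop(0)
            path, last = [head.src, head.dst], head
            while True:
                nxt = next((a for a in pending
                            if a.src == last.dst and 0 <= a.time - last.time <= window),
                           None)
                if nxt is None:
                    break
                pending.remove(nxt)
                path.append(nxt.dst)
                last = nxt
            paths.append((sig, head.time, path))
    return paths

def attacker_and_victim(path):
    """Simplified model (Fig. 6): only the two endpoints of the path matter."""
    return path[0], path[-1]

# Constructed alerts: a three-hop attack of type S reported out of order by
# NM1..NM3, a stale S alert outside the window, and one unrelated type S2.
SAMPLE_ALERTS = [
    Alert("NM2", 2, "G1", "G2", "S"),
    Alert("NM1", 1, "H", "G1", "S"),
    Alert("NM3", 3, "G2", "V", "S"),
    Alert("NM2", 400, "G1", "G2", "S"),
    Alert("NM1", 5, "H2", "G1", "S2"),
]

if __name__ == "__main__":
    for sig, t, path in build_attack_paths(SAMPLE_ALERTS):
        print(sig, t, " -> ".join(path), attacker_and_victim(path))
```

The stale alert at t=400 is not joined to the first path, so it becomes a path of its own; this is the behaviour a practitioner wants to see, because joining by address alone is exactly what later lets two simultaneous attacks of the same type be confused (the Fig. 13 case the description addresses with content fingerprints).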
The above model requires a network monitor on every attack path, which is sometimes difficult to achieve in practice. Since the purpose of hacker tracking is to obtain the hacker's true address rather than the path of the attack, the model is simplified as shown in Fig. 6: the intermediate path of the attack is omitted, and the manager 51 can judge from the alert messages of network monitor 1 (NM1) 52 and network monitor n (NMn) 54 alone that H has launched an attack on V.
To meet the needs of hacker tracking, the present invention designs a distributed network intrusion detection system. As shown in Fig. 7, the network intrusion detection system consists of two kinds of nodes: n network monitors and managers. Managers can form a hierarchical structure, comprising manager 1 (Manager1) 71 and manager 2 (Manager2) 72, so the system scales well. The network monitor is designed for high performance and portability and can run on Windows, Linux and Unix systems; its platform independence is achieved mainly through a platform-independent design and the network driver interface. To provide a friendly man-machine interface, the manager runs on Windows.
Using this network intrusion detection system, network hacker tracking is carried out in three steps.
First, the network monitors capture the data transmitted on the network and record the attacks in it; as soon as an attack is found, an alert message is sent to the manager immediately.
The functions of the network monitor include capturing packets, filtering packets, analysing packet content and sending alert messages. A network monitor can also operate in logging mode only, saving the captured packets to a file, and it can read packets back from a file for analysis. On the Windows platform the network monitor also provides a friendly operating interface for setting configuration parameters, viewing alert messages online, and so on.
In actual testing it was found that when the network traffic rate reached 30 Mbps the network monitor dropped packets. To solve this, a packet filtering module was designed that filters packets by IP address or port (PORT), so that the network monitor processes only packets of the relevant type and need not handle irrelevant packets. At the same time, several network monitors can be deployed on a network segment with heavy traffic, each monitoring packets for different IP addresses or different application types, so that no attack is missed because of packet loss.
The software structure of the network monitor is shown in Fig. 8. The interface driver module 88 receives and transmits packets and shields the operating-system-dependent part, giving the system good platform independence. The common program module 86 contains common routines such as packet parsing and packet checksum calculation. The memory management module 83 manages the buffers; because the network monitor must be highly real-time, the buffer management algorithm uses a "zero-copy" technique, which eliminates the impact of memory copying on system performance. The packet database 84 stores the packets received over a past period of time and is used for packet reassembly and statistical analysis; because the number of packets can be very large, several efficient hash algorithms were designed to speed up lookup. The attack signature library 82 stores the signatures of all known attacks; since a pattern matching algorithm is used, signatures are stored in two forms: functions and feature strings. The attack signature library 82 is one of the core modules of the intrusion detection system, and both the detection efficiency and the detection accuracy are closely tied to the design of the attack signatures. The communication and authentication module 89 handles communication and authentication between the monitor and the manager; the communication module 89 also performs ARP resolution. The attack signature recognition engine 81 matches a received packet against the possible attack signatures according to the packet type, thus recognizing whether it is an attack packet and of which type. The scheduler module 85 schedules all the network monitor software: it receives packets through the interface driver module, hands them to the attack signature recognition engine 81 for analysis, and, if a packet belongs to an attack, looks up the response policy library 87 according to the attack type, executes the specified policy, and calls the communication module 89 to send an alert message to the manager.
The attack signature library 82 is one of the core modules of the intrusion detection system, and its structure has a large influence on the detection efficiency and accuracy of attacks. Signatures are grouped by classification into a structure combining a tree with linked lists, which effectively reduces the search space of attack signature matching and improves system performance.
The workflow of the network monitor is shown in Fig. 9; the concrete steps are as follows:
A. the user sets the system parameters through the friendly operating interface of the network monitor;
B. the user starts the receiving process through the friendly operating interface of the network monitor;
C. network packets are read through the interface driver module;
D. the packets are parsed by the common program module;
E. the scheduler module hands the parsed packet to the attack signature recognition engine for the IP check, UDP check, TCP check, ICMP check, TELNET check, WWW check and FTP check; if the packet belongs to an attack, the response policy library is looked up according to the attack type, the specified policy is executed, and the communication module is called to send an alert message to the manager.
The structure of the attack signature library is shown in Fig. 10. In its design, attack types are divided into two kinds: Internet-type attacks 102 and IPX-type attacks 103. Internet-type attacks 102 are further subdivided into attacks based on the IP protocol 104, attacks based on the UDP protocol 106, attacks based on the TCP protocol 105, and so on.
Different response policies can be set for different network attacks. The response policies supported by the system include:
1. sending an alert message to the manager;
2. recording the attack packets;
3. blocking the connection.
In testing, it was found that a network monitor can send a large number of identical alert messages. An alert suppression function was therefore designed, which filters out identical alert messages within a period of time when a DoS attack occurs.
Next, the manager decides whether a group of alert messages received from the network monitors within a given time threshold is correlated, based on the attack type, the time at which the attack occurred and the similarity of the alert messages in the group. The detailed procedure is as follows:
The manager software is shown in Fig. 11. Unlike the network monitor, the manager receives the alert messages sent by the network monitors through a standard Socket interface 117, and provides a GUI 111 for viewing alert messages and performing the related configuration. Since the data processed by the manager are alert messages rather than raw packets, its attack signature recognition algorithm also differs: it mainly performs correlation analysis.
The correlation analysis of alert messages is described as follows:
(1) Deciding whether alert messages are correlated
The central manager server performs correlation analysis on the received alert messages. Two alert messages are correlated when the following conditions hold:
1. the attack type is the same;
2. the interval between receiving the two alert messages is short (within 120 seconds);
3. the attack type is a TCP application-layer attack;
4. the similarity of the TCP data part of the two alert messages' data fingerprints is greater than 0.5.
For a group of three or more alert messages, the group is considered correlated if every pair of alert messages in it is correlated.
Finally, after the manager has decided that a group of alert messages is correlated, it determines the actual location of the attacker and the victim from the attacker and victim addresses and the times in the alert messages. The detailed procedure is as follows:
(2) Determining the attack source
A group of correlated alert messages reflects one attack, and the attack source is the real attacker who launched that attack. The method for determining the attack source is as follows:
Within a group of correlated alert messages, the attacker IP address shown in an alert that meets one of the following conditions may be the IP address of the attack source:
1. the attacker's IP address is a typical internal network address (for example 192.168.X.X);
2. the attacker's IP address and the NM's IP address are in the same network segment.
If the group contains alerts meeting condition 1, the earliest-received alert meeting condition 1 indicates the IP address of the attack source.
If the group contains no alert meeting condition 1 but contains alerts meeting condition 2, the earliest-received alert meeting condition 2 indicates the IP address of the attack source.
If the group contains neither an alert meeting condition 1 nor an alert meeting condition 2, the attack source is considered undeterminable. Possibly no NM is deployed on the network segment of the attack source, or the alert sent by the NM on the same segment as the attack source was not received or was lost; it is also possible that the attacker forged an IP address belonging to a different segment.
(3) Determining the attack target
The attack target is the real victim of the attack. The method is as follows:
Within a group of correlated alert messages, the victim IP address shown in an alert that meets one of the following conditions may be the IP address of the attack target:
1. the victim's IP address is a typical internal network address (for example 192.168.X.X);
2. the victim's IP address and the NM's IP address are in the same network segment.
If the group contains alerts meeting condition 1, the earliest-received alert meeting condition 1 indicates the IP address of the attack target.
If the group contains no alert meeting condition 1 but contains alerts meeting condition 2, the earliest-received alert meeting condition 2 indicates the IP address of the attack target.
If the group contains neither an alert meeting condition 1 nor an alert meeting condition 2, the alert indicating the attack target is considered not to have been received. Possibly no NM is deployed on the network segment of the attack target, or the alert sent by the NM on the same segment as the attack target was not received or was lost.
The workflow of the manager is shown in Fig. 12:
A. the user sets the system parameters and creates the database through the friendly operating interface of the manager;
B. the user starts the receiving process through the friendly operating interface of the manager;
C. the attack signature recognition engine calls the communication and authentication module to read, through the standard Sockets interface, the alert messages sent by the network monitors, parses them and adds them to the alert message database;
D. the attack signature recognition engine performs correlation analysis using the attack signature library and the records in the alert message database that were sent by the different network monitors.
Although the above intrusion-detection-based hacker tracking system can track hackers within the monitored domain, in some cases it may attribute an attack to the wrong host.
In Fig. 13, H1 and H2 simultaneously launch attacks of the same type on targets V1 and V2 respectively. After the manager receives the alerts from NM1 and NM3, because t3 > t1, the manager may conclude that H1 launched an attack of type S on V2.
To avoid this defect, a content-based pattern matching algorithm is used. Each network monitor records the communication content of a TCP connection over a past period of time; when an attack is detected, this content is added to the alert message sent to the manager. The manager computes the similarity of the content of alert messages with the same attack type within a period of time, and if it exceeds a certain value, considers their content identical.
Given two sequences of length l, X = x_0 x_1 ... x_{l-1} and Y = y_0 y_1 ... y_{l-1}, let

$$\delta(X, Y, i) = \begin{cases} 0, & \text{if } x_i \neq y_i \\ 1, & \text{if } x_i = y_i \end{cases}$$

$$\Delta(X, Y) = \sum_{i=0}^{l-1} \delta(X, Y, i).$$

Let X_i = x_i x_{i+1} ... x_{i+l-1}, with subscripts taken modulo l. The similarity of the sequences X and Y is then defined as

$$R(X, Y) = \max_{i = 0, \ldots, l-1} \{ \Delta(X_i, Y) \}.$$

Normalizing this result gives

$$R(X, Y)' = \frac{R(X, Y)}{l}.$$

With R(X, Y)' the similarity of two sequences can be compared effectively.
The above algorithm can also be applied to the data of non-TCP connections to determine whether several attacks originate from the same host.
To verify the validity of the hacker tracking system model, a test topology was set up as shown in Fig. 14, in which gateway 1 (Gateway1) 56 performs NAT and gateway 2 (Gateway2) 57 performs routing only.
Attacker 11 launches an attack on victim 13. Network monitor 1 (NM1) 52 sends alert message 1 to the manager 51, reporting an attack from 192.168.1.1 to 211.80.37.24, and NM2 sends alert message 2 to the manager, reporting an attack from 202.120.1.34 to 211.80.37.24.
Alert message 1 meets attack source condition 1 and alert message 2 does not, so whether alert message 1 reaches the central manager first or later, the attacker IP address 192.168.1.1 shown in it is taken as the IP address of the attack source.
Alert message 1 meets neither attack target condition, while alert message 2 meets attack target condition 2, so whether alert message 2 reaches the manager first or later, the victim IP address 211.80.37.24 shown in it is taken as the IP address of the attack target.
The hacker tracking process is explained below using an Out-of-Band (OOB) attack discovered by the system as an example. First, network monitor 1 (NM1) 52 detects the OOB attack and generates an alert message to the manager 51 containing the attack source address 192.168.1.1, the attack destination address 211.80.37.24, and part of the content of the recorded attack packets. Then network monitor 2 (NM2) 53 detects the same attack and also generates an alert message to the manager 51, with attack source address 202.120.1.34 and attack destination address 211.80.37.24. The manager 51 receives the two alert messages in succession and decides: the attack type Id is the same, the attack times are very close (they differ by only one second), and the similarity algorithm applied to the partial communication content shows the two packets to be highly similar. It therefore judges that the real attack is the OOB attack launched from 192.168.1.1 on 211.80.37.24, and traces the source of the attack accordingly.
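The manager side of this worked example, as an added illustration covering the four correlation conditions, the attack source and target rules, and the cyclic-shift similarity R(X, Y)' (editorial code, not the patent's or the university's implementation). Assumptions beyond the page: a "network segment" is taken to be the /24 containing the monitor; "typical internal address" is generalized to all RFC 1918 private ranges, not only 192.168.X.X; the signature name "OOB", the monitor addresses 192.168.1.254 and 211.80.37.1, the alert times, and the fingerprint bytes are all constructed; sequences of unequal length are truncated to the common length l.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Alert:
    nm: str         # IP address of the network monitor that raised the alert
    time: float     # time the attack was observed (seconds)
    src: str        # attacker IP as seen by this monitor
    dst: str        # victim IP as seen by this monitor
    sig: str        # attack type (signature name)
    payload: bytes  # recorded part of the TCP connection content (data fingerprint)

# Assumption: which signatures are "TCP application layer" is a deployment
# table; "OOB" is a constructed name for this example.
TCP_APP_SIGS = {"OOB"}

def big_delta(x, y):
    """Δ(X, Y): number of positions i with x_i == y_i."""
    return sum(1 for a, b in zip(x, y) if a == b)

def similarity(x, y):
    """R'(X, Y) = max over cyclic shifts X_i of Δ(X_i, Y), divided by l.
    Assumption: unequal lengths are truncated to the common length l."""
    l = min(len(x), len(y))
    if l == 0:
        return 0.0
    x, y = x[:l], y[:l]
    # X_i = x_i x_{i+1} ... x_{i+l-1} with subscripts taken modulo l
    return max(big_delta(x[i:] + x[:i], y) for i in range(l)) / l

def correlated(a, b, window=120, threshold=0.5):
    """The four pairwise correlation conditions from the description."""
    return (a.sig == b.sig
            and abs(a.time - b.time) <= window
            and a.sig in TCP_APP_SIGS
            and similarity(a.payload, b.payload) > threshold)

def is_correlated_group(alerts, **kw):
    """Three or more alerts: every pair must be correlated."""
    return all(correlated(alerts[i], alerts[j], **kw)
               for i in range(len(alerts)) for j in range(i + 1, len(alerts)))

def same_segment(ip, nm, prefix=24):
    """Assumption: a network segment is the /24 containing the monitor."""
    net = ipaddress.ip_network(f"{nm}/{prefix}", strict=False)
    return ipaddress.ip_address(ip) in net

def pick(alerts, field):
    """Condition 1: earliest alert whose src/dst is a private address;
    else condition 2: earliest alert whose src/dst shares the NM's segment;
    else None (undeterminable)."""
    cond1 = [a for a in alerts if ipaddress.ip_address(getattr(a, field)).is_private]
    if cond1:
        return getattr(min(cond1, key=lambda a: a.time), field)
    cond2 = [a for a in alerts if same_segment(getattr(a, field), a.nm)]
    if cond2:
        return getattr(min(cond2, key=lambda a: a.time), field)
    return None

def trace(alerts):
    """(attack source, attack target) for a correlated alert group."""
    if not is_correlated_group(alerts):
        return None, None
    return pick(alerts, "src"), pick(alerts, "dst")

# Constructed alerts reproducing the Fig. 14 test topology: NM1 sits on the
# attacker's segment behind the NAT gateway, NM2 on the victim's segment.
FP = b"OOB-DATA-0123456"
A1 = Alert("192.168.1.254", 100.0, "192.168.1.1", "211.80.37.24", "OOB", FP)
A2 = Alert("211.80.37.1", 101.0, "202.120.1.34", "211.80.37.24", "OOB", b"OOB-DATA-01234X6")
# Same type, same moment, unrelated content: the Fig. 13 case that address
# and time alone would wrongly join to A1.
A3 = Alert("211.80.38.1", 101.0, "202.120.9.9", "211.80.38.7", "OOB", b"zzzzzzzzzzzzzzzz")

if __name__ == "__main__":
    print(trace([A1, A2]))      # ('192.168.1.1', '211.80.37.24')
    print(correlated(A1, A3))   # False
```

The fingerprint check is what separates A1 from A3: both pass the type and time tests, but their content similarity is 0, so the manager does not build a false 202.120.9.9-style attribution from them, which is the defect the description attributes to the address-and-time-only model.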

Claims (3)

1. A distributed network hacker tracking method for a controllable computer network, comprising the steps of:
S0. providing network monitors and a manager, the network monitors being distributed along the network path from the attacker to the victim, with one network monitor placed between every two gateways, and each network monitor being physically connected to the manager;
S1. the network monitors capturing the data transmitted on the network and recording the attacks in it, and sending an alert message to the manager immediately once an attack is found;
S2. the manager comparing, pairwise, the group of alert messages received from the network monitors within a given time threshold, and judging the correlation between every two alert messages from the attack type, the time at which the attack occurred and the similarity of the alert messages, the conditions for two alert messages to be judged correlated being as follows:
a. the attack type is the same;
b. the interval between receiving the two alert messages is shorter than a preset time threshold, which may be 30 to 150 seconds;
c. the attack type is a TCP application-layer attack;
d. the similarity of the TCP data part of the two alert messages' data fingerprints is greater than 0.5;
said similarity being obtained with a pattern matching algorithm described as follows:
let X and Y denote the contents of the two alert messages, X = x_0 x_1 ... x_{l-1} and Y = y_0 y_1 ... y_{l-1}, and let

$$\delta(X, Y, i) = \begin{cases} 0, & \text{if } x_i \neq y_i \\ 1, & \text{if } x_i = y_i \end{cases}$$

$$\Delta(X, Y) = \sum_{i=0}^{l-1} \delta(X, Y, i),$$

let X_i = x_i x_{i+1} ... x_{i+l-1}, with subscripts taken modulo l, and compute

$$R(X, Y) = \max_{i = 0, \ldots, l-1} \{ \Delta(X_i, Y) \},$$

normalizing this result to obtain

$$R(X, Y)' = \frac{R(X, Y)}{l},$$

R(X, Y)' being the similarity of the two alert messages;
if the group of alert messages is correlated, executing step S3; otherwise returning to step S1;
S3. determining the actual location of the attacker and the victim, as follows:
an attacker IP address meeting one of the following conditions is judged to be the real IP address of the attack source:
a. the attacker's IP address is a typical internal network address;
b. the attacker's IP address and the network monitor's IP address are in the same network segment;
a victim IP address meeting one of the following conditions is judged to be the IP address of the attack target:
a. the victim's IP address is a typical internal network address;
b. the victim's IP address and the network monitor's IP address are in the same network segment.
2. The distributed network hacker tracking method according to claim 1, characterized in that an interface driver module, a common program module, a memory management module, a packet database, an attack signature library, a communication and authentication module, an attack signature recognition engine and a scheduler module are provided on said network monitor, and step S1 comprises the following sub-steps:
a. setting the system parameters;
b. starting the receiving process;
c. reading network packets through said interface driver module;
d. parsing the network packets with said common program module;
e. said scheduler module handing the parsed network packet to the attack signature recognition engine for the IP check, UDP check, TCP check, ICMP check, TELNET check, WWW check and FTP check, and, if the packet belongs to an attack, sending an alert message to the manager.
3. The distributed network hacker tracking method according to claim 1, characterized in that an alert database, an attack signature library, a response policy library, and a communication and authentication module are provided on said manager, and step S2 comprises the following sub-steps:
a. setting the system parameters and creating the database;
b. starting the receiving process;
c. reading and parsing the alert messages sent by the network monitors and adding them to the alert message database;
d. the attack signature recognition engine performing correlation analysis using the attack signature library and the alert messages in the alert message database that were sent by the different network monitors.
Application CNB011323418A, priority date 2001-11-29, filing date 2001-11-29: Distributed hacker tracking system in controllable computer network. Granted as CN100379201C. Status: Expired - Fee Related.
Publications (2)

CN1422039A, published 2003-06-04
CN100379201C (granted patent), published 2008-04-02
Legal Events

C06 / PB01: Publication
C10 / SE01: Entry into force of request for substantive examination
C14 / GR01: Grant of patent or utility model
C17 / CF01: Termination of patent right due to non-payment of annual fee

Granted publication date: 2008-04-02
Termination date: 2010-11-29