CN100463461C - Active network safety loophole detector - Google Patents

Info

Publication number: CN100463461C
Authority: CN (China)
Prior art keywords: leak, attack, information, analysis, class
Legal status: Expired - Fee Related
Application number: CNB2005100426556A
Other languages: Chinese (zh)
Other versions: CN1694454A
Inventors: 郑庆华, 管晓宏, 陈秀真, 林晨光, 赵婷, 姚婷婷
Current assignee: Xian Jiaotong University
Original assignee: Xian Jiaotong University
Landscapes: Computer And Data Communications (AREA)
Abstract

This invention discloses an active network security vulnerability detector composed of three modules: a detection agent, a data center and an analysis console. The detection agent collects system characteristic information and uploads it to the data center; the analysis console analyzes the information stored in the data center, identifies host vulnerabilities by means of OVAL vulnerability definitions, and carries out attack/vulnerability association analysis based on predicate logic to find the security problems brought about by vulnerability combinations and to display the potential attack paths visually.

Description

Active network safety loophole detector
Technical field
The invention belongs to the field of computer network security technology, and in particular is an active network security vulnerability detector, AVCS (Active Vulnerability Checker for computer network Systems), used to detect vulnerabilities in a network system.
Background technology
Vulnerabilities are the root of all network security problems, and vulnerability detection is the basis for solving them: only by knowing the potential hazards that exist in a system can defence be targeted, blind protection avoided, and the principle "know the enemy and know yourself, and you can fight a hundred battles with no danger of defeat" truly realised. Once proposed, vulnerability detection technology attracted great attention in the network security field and is listed, together with firewalls, intrusion detection, encryption and anti-virus technology, as a mainstream research direction of network security.
According to domestic and foreign database retrieval and literature analysis, detection of known vulnerabilities falls mainly into two classes: active simulated attack and passive monitoring. The former integrates known information-gathering and attack techniques, sends probe packets to the target host according to the TCP/IP protocols, simulates the attack process, and judges vulnerabilities from the scanned device's response to the probe packets. However, the physical distance between the auditing system and its targets limits the large volume of communication needed during the simulated attack, so the detection process takes a long time; simulated attack is hard to make exhaustive, so its accuracy is low; and the simulated attack process is somewhat destructive and has a negative effect on system performance. The latter works like a protocol analyzer or a network-based intrusion detection device: it monitors network traffic and matches it against a feature database to determine network topology, running services and vulnerabilities, and has the advantages of running continuously, not affecting network performance, being simple to deploy and reporting promptly. Yet this class of detector depends on the content of captured packets to judge vulnerabilities, so it cannot discover a vulnerable server that has no session with any device, and it fails when a service's default banner is changed or a honeypot is configured. Moreover, both kinds of detector only identify vulnerabilities on individual hosts and do not attempt to analyze the vulnerabilities caused by combinations of vulnerabilities within one host or between hosts in the same network, so their capacity for global analysis of network security is weak.
Detection of unknown vulnerabilities, that is, research into the security problems brought about by vulnerability combinations, is divided into model checking techniques and pattern analysis techniques. Whether the model checking technique or the pattern analysis technique is adopted, neither handles well the organic integration with vulnerability detection results, the scaling to large networks, or the visual display of attack paths.
Summary of the invention
The object of the invention is to overcome the deficiencies of the prior art described above and provide an active network security vulnerability detector AVCS that identifies potential network security hazards in advance, realises active defence of network security and improves network security.
The technical solution that realises the above object is: on the basis of OVAL, and combined with an attack/vulnerability knowledge base and the causal relationship between attacks and vulnerabilities, to achieve fast, high-precision detection of known vulnerabilities and detection of potential unknown vulnerabilities that threaten the protection target. It mainly comprises the following: an active network security vulnerability detector, based on the Open Vulnerability Assessment Language OVAL, collects system configuration information in a distributed manner and performs centralised vulnerability analysis and assessment, thereby detecting the vulnerabilities of a network system, discovering the threat that vulnerability combinations pose to the protection target, and further displaying intuitively the potential attack paths that threaten the protection target. It comprises three parts: detection agents, a data center and an analysis console:
Detection agents are distributed on each host of the network to be assessed; they use OVAL to collect the system characteristic information of each host and upload it to the data center for use in analysis and assessment;
The analysis console is the user interface for vulnerability assessment and is mainly responsible for: 1) configuring the assessment targets and selecting the detection strategy and assessment conditions according to assessment needs; 2) controlling the start and stop of the detection system; 3) analyzing the information reported by the detection agents using OVAL Definitions (Open Vulnerability Assessment Language definitions) to judge which known vulnerabilities exist in the system; 4) based on the list of known vulnerabilities found, using the predicate-logic attack/vulnerability association analysis model to analyze the security problems brought about by vulnerability combinations; 5) visually displaying the identified potential attack paths;
The data center uses a database system to store and manage vulnerability information, mainly comprising the attack/vulnerability base knowledge base, the attack/vulnerability relation tables, the system configuration information reported by each detection agent, and the vulnerability detection results; the data center interacts with the detection agents and the analysis console to complete vulnerability detection cooperatively;
The workflow comprises the following steps:
A. The analysis console sends a "begin" control command to start the detection agent;
B. The detection agent sends a "greeting" message, informing the analysis console that it is ready and waiting for a task;
C. The analysis console then sends a "collect data request" message, notifying the detection agent to collect system information;
D. The detection agent sends a "collect data reply" message to the analysis console, at the same time begins collecting data, and sends the data to the data center;
E. When the detection agent has finished collecting data, it sends a "collection ended" notice to the analysis console;
F. On receiving the "collection ended" notice, the analysis console begins querying the information in the data center and judges vulnerabilities according to the query results.
In the OVAL-based detection agent, the core sub-thread class AgentTask depends on the communication wrapper class SSL_Agent and the information collection class InfoCollector to complete the concrete detection process; the information collected in a distributed manner from the target host includes system files, registry keys, processes, registered users, Internet Information Server (IIS) registration information and network connection state;
The SSL_Agent class is responsible for all communication work, including port initialization, initialization of the Secure Sockets Layer (SSL) process, and exception handling during communication. The InfoCollector class is responsible for data collection: on the Windows platform it depends on the RegistryKeys, Ps, MetabaseKeys, AccountPrivileges and FileAttributes classes to collect registry keys, processes, IIS registration information, registered user accounts and system file information respectively, while on Linux systems it depends on the File, InetListeningServers, Process, RPMInfo, RPMVersionCompare and Uname classes to collect system files, listening network services, processes, package management and associated required-file database information, package version comparison information and general system information respectively.
In the described predicate-logic attack/vulnerability association analysis model, atomic predicate formulas serve as the basic modelling unit for attacks, vulnerabilities and the causal relationship between them; the configuration information provided by the detection agents and the Common Vulnerabilities and Exposures (CVE) list identified by the analysis console are modelled automatically with atomic predicate formulas, and then, based on the attack/vulnerability knowledge base and the causal relationship between the two, the attack/vulnerability association analysis algorithm performs association analysis of attacks and vulnerabilities and constructs the potential attack paths that threaten the security target.
The described attack/vulnerability association analysis algorithm uses the three relational calculus operations of a relational database management system, join, selection and projection: it first performs a forward search by matching the prerequisites of class attacks with the instantiated vulnerabilities of the system, then performs a backward search by matching the consequences of class attacks with the protection target; each iteration analyzes the class attacks whose prerequisites or consequences changed in the previous iteration.
In the described visual display of identified potential attack paths, vulnerabilities and attacks are the nodes of a graph, directed edges represent the correlation between attacks and vulnerabilities, and by rule only vulnerabilities that serve as attack prerequisites are displayed; using the selection and projection operations of the relational database management system, the output of the attack/vulnerability correlation engine is analyzed, a directed cause-and-effect graph between attacks and vulnerabilities is built, and the potential attack paths present in the system are displayed visually.
The characteristics of the invention are: 1) High security and controllability, shown mainly in that: the vulnerability detector AVCS does not need attack code to be developed, it is suitable for assessors inside the network system to carry out system security assessment, and hackers outside the system cannot use this tool to carry out illegal detection, which guarantees the product is not used illegally; communication between the detection agents and the analysis console is SSL-encrypted, and transmission between agent and data center, or between console and data center, uses the transmission encryption function provided by the database, which realises confidentiality of information and guarantees that data is not eavesdropped; the assessor has the initiative in controlling the system's operation and controls the assessment process according to the security needs of the system. 2) Fast running speed: the mechanism of distributed collection of system characteristic information and centralised assessment and analysis reduces the traffic between detection agents and the analysis console and shortens detection running time. 3) High detection accuracy: the OVAL-based vulnerability detection principle greatly reduces the false alarm rate. 4) Unique ability to construct potential attack paths: the predicate-logic attack/vulnerability association analysis model makes full use of the causal relationship between attacks and vulnerabilities and can automatically identify the security problems brought about by vulnerability combinations within a host or between hosts in the same network, surpassing the ability of conventional scanners.
Description of drawings
Fig. 1 is the architecture diagram of the invention;
Fig. 2 is the sequence diagram of the invention;
Fig. 3 shows the classes defined in the Windows platform detection agent design and the relations between them;
Fig. 4 shows the classes defined in the Linux platform detection agent design and the relations between them;
Fig. 5 gives the base table names and descriptions of the Windows 2000 OVAL Schema;
Fig. 6 (a) is the class vulnerability predicate table in the knowledge base;
Fig. 6 (b) is the class attack attribute table in the knowledge base;
Fig. 6 (c) is the class attack prerequisite table in the knowledge base;
Fig. 6 (d) is the class attack consequence table in the knowledge base;
Fig. 6 (e) is the vulnerability and predicate numbering comparison table in the knowledge base;
Fig. 7 is the layered vulnerability detection principle model;
Fig. 8 is the attack/vulnerability association principle;
Fig. 9 is the attack/vulnerability association analysis model;
Figure 10 is the detection time statistics of the invention, where the abscissa is the number of assessment target hosts (machines) and the ordinate is the detection time (seconds);
Figure 11 is the detection time statistics of NESSUS, where the abscissa is the number of assessment target hosts (machines) and the ordinate is the detection time (seconds);
Figure 12 is the visualisation of the attack/vulnerability association results.
Embodiment
The invention is described in further detail below with reference to the accompanying drawings.
1. Composition of the security vulnerability detector AVCS
As shown in Figure 1, the active network security vulnerability detector AVCS is, in terms of physical distribution, divided into three parts: detection agents, a data center and an analysis console. The detection agents are distributed on each host in the network and run in the background. On receiving a "collect data" request, an agent uses OVAL to collect the system characteristic information of the local machine and uploads the data securely to the data center for later analysis and assessment.
The analysis console is the graphical user interface of the system; according to assessment needs, the administrator sets the hosts to be assessed, connects to the database, and sets the detection strategy and assessment conditions. On receiving the "collection ended" notice, it analyzes the system configuration information reported by each detection agent, identifies the vulnerabilities and vulnerability combinations in the system, and displays the known and unknown vulnerabilities found together with the relevant field information.
The data center uses SQL Server 2000 to store all data, including the attack/vulnerability database, the system configuration information reported by each detection agent, and the vulnerability list found by the analysis console. The data center cooperates with the console and the detection agents to complete detection of known and unknown vulnerabilities.
As shown in Figure 2, the operating sequence of the AVCS system is as follows:
A. The analysis console sends a "begin" control command to start the detection agent;
B. The detection agent sends a "greeting" message, informing the analysis console that it is ready and waiting for a task;
C. The analysis console then sends a "collect data request" message, notifying the detection agent to collect system information;
D. The detection agent sends a "collect data reply" message to the analysis console, at the same time begins collecting data, and sends the data to the data center;
E. When the detection agent has finished collecting data, it sends a "collection ended" notice to the analysis console;
F. On receiving the "collection ended" notice, the analysis console begins querying the information in the data center and judges vulnerabilities according to the query results.
2. Sub-module design
Detection agent
The detection agent runs on the host being detected, collects the system information of the local machine, uploads it to the data center and at the same time notifies the console to carry out assessment.
The flow of the detection agent applied to the Windows platform is as follows:
Input: the start signal from the analysis console
Output: the data to be assessed, sent to the data center
a) Initialize the port, initialize SSL, and start the scanning sub-thread;
b) Read in the scan profile;
c) Check whether the MD5 code of the file is consistent; if so, go to d), otherwise go to f);
d) Read successively the system files, IIS registry, Windows registry keys, running processes and registered user information;
e) Upload the data to the data center;
f) Send the end signal to the analysis console and at the same time end this thread;
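The console/agent exchange of steps A to F above, together with the agent's MD5 check of its scan profile in step c), as an added example that is not code from the patent: the message names, the scan profile bytes, the host inventory and the 192.168.1.19 host are all constructed, and the data center is an in-memory list standing in for the SQL Server store.

```python
import hashlib

# Message names follow steps A to F of the workflow in the description.
BEGIN = "begin"
GREETING = "greeting"
COLLECT_REQUEST = "collect data request"
COLLECT_REPLY = "collect data reply"
COLLECT_ENDED = "collection ended"

# Constructed scan profile and the MD5 the agent checks it against in step c).
SCAN_PROFILE = b"collect: system_files, iis_registry, registry_keys, processes, users\n"
EXPECTED_MD5 = hashlib.md5(SCAN_PROFILE).hexdigest()


class DataCenter:
    """Stand-in for the SQL Server store that receives the agents' uploads."""
    def __init__(self):
        self.uploads = []


class DetectionAgent:
    def __init__(self, host, profile, expected_md5, data_center):
        self.host = host
        self.profile = profile
        self.expected_md5 = expected_md5
        self.data_center = data_center
        self.state = "idle"            # idle -> ready -> done

    def profile_is_intact(self):
        """Step c): only a scan profile whose MD5 matches is acted upon."""
        return hashlib.md5(self.profile).hexdigest() == self.expected_md5

    def collect(self):
        """Stand-in for InfoCollector: a constructed inventory of this host."""
        return {"host": self.host, "processes": ["inetinfo.exe"], "users": ["Administrator"]}

    def handle(self, message):
        """Process one console message; return the messages sent back, in order."""
        if message == BEGIN and self.state == "idle":
            self.state = "ready"
            return [GREETING]                                    # step B
        if message == COLLECT_REQUEST and self.state == "ready":
            replies = [COLLECT_REPLY]                            # step D
            if self.profile_is_intact():                         # step c) -> d), e)
                self.data_center.uploads.append(self.collect())
            self.state = "done"
            replies.append(COLLECT_ENDED)                        # step E / f)
            return replies
        return []   # out-of-order or repeated messages are ignored


class AnalysisConsole:
    def __init__(self, data_center):
        self.data_center = data_center
        self.log = []                  # every message received from the agent

    def run(self, agent):
        """Drive steps A to F against one agent; return that host's records from the data center."""
        replies = agent.handle(BEGIN)                            # step A
        self.log.extend(replies)
        if GREETING not in replies:
            return None
        replies = agent.handle(COLLECT_REQUEST)                  # step C
        self.log.extend(replies)
        if COLLECT_ENDED not in replies:
            return None
        # Step F: query the data center; vulnerability judgement would follow here.
        return [r for r in self.data_center.uploads if r["host"] == agent.host]


def run_session(profile=SCAN_PROFILE):
    """One full console/agent session; returns (records found in step F, message log)."""
    data_center = DataCenter()
    agent = DetectionAgent("192.168.1.19", profile, EXPECTED_MD5, data_center)
    console = AnalysisConsole(data_center)
    return console.run(agent), console.log
```

A tampered profile still produces the "collect data reply" and "collection ended" messages (step f) is reached through c)), but nothing is uploaded, so the console's step F query comes back empty.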
As shown in Figure 3, some important classes of the detection agent for the Windows platform and the relations between them are given. At the core is the sub-thread class AgentTask, which represents one concrete assessment process; its implementation depends on the communication wrapper class SSL_Agent and the information collection class InfoCollector. SSL_Agent is responsible for all communication work, including port initialization, SSL process initialization and handling exceptions during communication. InfoCollector is responsible for data collection; it depends on the RegistryKeys, Ps, MetabaseKeys, AccountPrivileges and FileAttributes classes to collect registry keys, processes, the IIS registry, registered user accounts and system file information respectively.
As shown in Figure 4, some important classes of the detection agent for the Linux platform and the relations between them are given. The difference from the Windows platform is that the information collection class InfoCollector depends on the File, InetListeningServers, Process, RPMInfo, RPMVersionCompare and Uname classes to collect system files, listening network services, processes, package management and associated required-file database information, package version comparison information and general system information respectively.
Through careful design and functional decomposition, the system defines its classes well, the relations between classes are clear, and no single class with excessively broad functions appears. Owing to limited space, only the definition of the detection agent's sub-thread class AgentTask is introduced:
// TThread and __fastcall come from the Borland C++Builder VCL; this header
// is added here, the class body is as given in the description.
#include <vcl.h>

class AgentTask : public TThread
{
private:
    unsigned int port;                 // port the agent listens on for the console
protected:
    void __fastcall Execute();         // thread body: one concrete assessment run
public:
    __fastcall AgentTask(bool CreateSuspended, unsigned int port);
    void __fastcall wrapsync();        // declared in the original; body not given here
};
Data center
The data center provides all the data used in the assessment process, mainly comprising the attack/vulnerability knowledge base, the system configuration information collected by the detection agents during assessment, and the assessment results.
As shown in Figure 5, the base table names and corresponding descriptions contained in the Windows 2000 OVAL Schema (Open Vulnerability Assessment Language schema) are given; they determine the content of the system information collected by the detection agents.
Figures 6 (a) to (e) give the sample knowledge base tables involved in the attack/vulnerability association analysis model, comprising the class vulnerability predicate table, the class attack attribute table, the class attack prerequisite and consequence tables, and the vulnerability and predicate numbering comparison table, used to store the associated attributes of attacks and vulnerabilities and the relations between them.
The format of the vulnerability database follows the ICAT Metabase and comprises the vulnerability name Vul_Name, publication date Pub_Date, summary description Sum, threat severity Th_Sev, exploit range Ex_Range, loss type Loss_Type, vulnerability type Vul_Type, vulnerable software and its version Vul_SofAVer, remedial measures Rem_Measure and relevant reference site Ref.
Analysis console
The analysis console is in charge of start/stop control and configuration of the detection system, vulnerability judgement in the vulnerability detection process, and attack/vulnerability association analysis to identify the unknown vulnerabilities caused by vulnerability combinations. The console design makes full use of the power and rich operation set of the relational database management system to realise detection of known vulnerabilities and analysis of unknown vulnerabilities. The analysis methods for known vulnerability detection and unknown vulnerability analysis are introduced in detail under the main key technologies.
3. Main key technologies
Before the detailed description, some terms used in the system are first defined:
Definition 1. Class attack V: a triple (fact, prerequisite, consequence) representing the prerequisite and consequence of a class of attack. Here fact is a set of attribute names, each with an associated value domain, representing the information attached to the attack; prerequisite and consequence are respectively a molecular predicate formula and a set of atomic predicate formulas, all of whose free variables are in fact; the two respectively specify the conditions that must hold for the attack to succeed and the consequences that a successful attack may bring.
Definition 2. Instantiated attack v: a definite instantiation of class attack V, that is, a finite set of tuples over the fact attributes of V.
Definition 3. Class vulnerability D: any system property that can serve as the prerequisite of a class attack, that is, each atomic predicate formula in the prerequisite logical formula of a known class attack V.
Definition 4. Instantiated vulnerability d: a definite instantiation of class vulnerability D, together with the IP address it is attached to.
Definition 5. Associated attack/vulnerability: suppose P(v) denotes the set of all prerequisite predicates of the current instantiated attack v, with their parameters replaced by the attribute values of d. If $\exists p \in P(v)$ such that the instantiated vulnerability d implies p, then attack v is said to be associated with vulnerability d; it is also said that d prepares for v, or that d and v have a prepare-for relation.
The detection of known bugs
As shown in Figure 7, the layered vulnerability detection principle model of the invention, based on OVAL, identifies the vulnerabilities, configuration problems or patch installation status existing in the system according to the system's characteristics (the installed operating system, operating system settings, installed application software and its settings) and configuration information (registry key settings, file system attributes and configuration files). The model has 4 levels from bottom to top: information source, system state, intermediate judgement and result judgement, where the information source comprises the system registry, Metabase registry and system file information, and the system state refers to installed software and versions, running services and their settings, and patch information. To detect a given vulnerability, the system state information needed for the security check is first obtained from the information source; on this basis the intermediate vulnerable-software and vulnerable-configuration logical judgements are made; finally a logical AND operation yields the final vulnerability judgement. The formal vulnerability detection process is as follows:
First, define 5 sets: the software name set $FN = \{fn_1, \ldots, fn_n\}$, the software version set $AV = \{av_1, \ldots, av_n\}$, the software patch set $PS = \{ps_1, \ldots, ps_m\}$, the running service set $RS = \{rs_1, \ldots, rs_v\}$ and the configuration setting set $CS = \{cs_1, \ldots, cs_u\}$. Each element is represented by an atomic predicate formula exist(x) or a logical combination of such formulas. All elements of the 5 sets are three-state variables with value domain $\{0, 1, \varphi\}$. The value $\varphi$ means that this atomic predicate formula is not used in the vulnerability detection judgement; the value 1 or 0 means that the system predicate required for the vulnerability judgement is "TRUE" or "FALSE".
Second, define the discriminant function for vulnerable software in the system:
$$g(fn, av, ps) = \begin{cases} 1, & fn \neq 0 \text{ and } av \neq 0 \text{ and } ps \neq 1 \\ 0, & fn = 0 \text{ or } av = 0 \text{ or } ps = 1 \end{cases} \qquad \text{Formula 1}$$
where $fn \in FN$, $av \in AV$, $ps \in PS$; the output indicates whether the vulnerable software on which the vulnerability depends exists.
Third, define the discriminant function for vulnerable configuration in the system:
$$h(rs, cs) = \begin{cases} 1, & rs \neq 0 \text{ and } cs \neq 0 \\ 0, & rs = 0 \text{ or } cs = 0 \end{cases} \qquad \text{Formula 2}$$
where $rs \in RS$, $cs \in CS$; the result is the conclusion whether the vulnerable configuration related to the vulnerability exists.
Finally, define the discriminant function for a system vulnerability:
$$F(g, h) = g(fn, av, ps) \cap h(rs, cs) \qquad \text{Formula 3}$$
where $g(fn, av, ps)$ and $h(rs, cs)$ are obtained from Formulas 1 and 2 respectively, and the output indicates whether the system has this vulnerability.
Known vulnerability detection in AVCS involves 3 steps: collecting system characteristic and configuration data, judging vulnerabilities and configuration problems, and submitting the detection results; it is finally realised by embedded SQL statements.
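Formulas 1 to 3 carried through the four levels of the model (information source, system state, intermediate judgement, result), as an added example rather than the patent's own embedded-SQL implementation: $\varphi$ is represented by None, and the vulnerability definitions, software names, patch name and host inventory are all constructed.

```python
import copy

PHI = None  # phi: the predicate is not used in this vulnerability's judgement


def g(fn, av, ps):
    """Formula 1: vulnerable software present. fn = software installed, av = version
    vulnerable, ps = fixing patch installed. PHI never blocks the judgement because
    None != 0 and None != 1 both hold, which is exactly the "not used" semantics."""
    return 1 if (fn != 0 and av != 0 and ps != 1) else 0


def h(rs, cs):
    """Formula 2: vulnerable configuration present (service running and setting set)."""
    return 1 if (rs != 0 and cs != 0) else 0


def F(fn, av, ps, rs, cs):
    """Formula 3: final judgement, the logical AND of the two intermediate results."""
    return g(fn, av, ps) & h(rs, cs)


def system_state(defn, host):
    """System-state level: derive the five tri-state variables for one definition
    from the host's information source. A field the definition leaves as PHI
    yields PHI; otherwise 1/0 records whether the required predicate holds."""
    sw = host["software"].get(defn["software"])
    fn = 1 if sw else 0
    av = PHI if defn["version"] is PHI else (1 if sw and sw["version"] == defn["version"] else 0)
    ps = PHI if defn["patch"] is PHI else (1 if sw and defn["patch"] in sw["patches"] else 0)
    rs = PHI if defn["service"] is PHI else (1 if defn["service"] in host["services"] else 0)
    if defn["setting"] is PHI:
        cs = PHI
    else:
        key, value = defn["setting"]
        cs = 1 if host["settings"].get(key) == value else 0
    return fn, av, ps, rs, cs


def detect(host, definitions):
    """Result level: {definition id: 1 if the host has the vulnerability, else 0}."""
    return {d["id"]: F(*system_state(d, host)) for d in definitions}


def with_patch(host, software, patch):
    """Copy of the inventory with `patch` recorded as installed for `software`."""
    patched = copy.deepcopy(host)
    patched["software"][software]["patches"].append(patch)
    return patched


# Constructed vulnerability definitions (not real OVAL definitions).
VULN_DEFINITIONS = [
    # Vulnerable when SampleSvc 1.0 lacks patch KB-SAMPLE, the "sample" service is
    # running and anonymous access is switched on: all five predicates are used.
    {"id": "SAMPLE-001", "software": "SampleSvc", "version": "1.0", "patch": "KB-SAMPLE",
     "service": "sample", "setting": ("allow_anonymous", "1")},
    # Purely software-based: patch and configuration predicates are PHI.
    {"id": "SAMPLE-002", "software": "SampleLib", "version": "2.3", "patch": PHI,
     "service": PHI, "setting": PHI},
]

# Constructed inventory, in the shape a detection agent would report it.
HOST = {
    "software": {"SampleSvc": {"version": "1.0", "patches": []},
                 "SampleLib": {"version": "2.3", "patches": []}},
    "services": {"sample", "ftp"},
    "settings": {"allow_anonymous": "1"},
}
```

Installing the patch flips ps from 0 to 1 and so g to 0, while turning off allow_anonymous flips cs and so h to 0; either alone is enough to clear SAMPLE-001, which is the AND in Formula 3.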
The analysis of unknown leak
Based on the known vulnerability information found, and from the perspective of overall defence of the computer network, the analysis studies how low-level vulnerabilities combine to achieve high-level attack targets and constructs the potential attack paths that endanger the security target; this belongs to global analysis of network security fragility and is one point on which the invention surpasses conventional scanners.
As shown in Figure 8, the principle of predicate-logic attack/vulnerability association analysis is given. The core idea is to use the causal relationship between attacks and vulnerabilities: an attack takes place with certain host information and access control rights in the network system as its prerequisites, and in turn, after it takes place, changes host information and access control rights in the network system, including discovering valuable information, raising user rights, removing filtering rules, adding trust relationships, and so on. By matching the consequences brought about by a previous attack's use of a system vulnerability with the prerequisites of a subsequent attack, starting from the system's initial state, the potential attack paths through which a series of vulnerabilities in the network system lead to the system's security targets are constructed.
As shown in Figure 9, the network system vulnerability analysis model of the invention consists of 4 main modules: knowledge acquisition, system information acquisition, the association analysis engine and visual display. The 4 modules are relatively independent and yet interrelated.
Knowledge acquisition
The knowledge acquisition module is the knowledge system on which the model is based; it establishes the attack/vulnerability base knowledge base (the vulnerability attribute database, attack signature database, attack cause table and attack consequence table) and lays the foundation for the active vulnerability detector AVCS to perform attack/vulnerability association analysis. However, because most vulnerability detectors describe the vulnerability information they find in natural-language text, the semantics needed for attack prerequisites and attack results are hard to capture automatically. For this reason, the known vulnerability and attack technique information provided by some well-known security websites is systematically organised to establish the attack/vulnerability database. Based on this database, the prerequisites and consequences of attacks are further represented with atomic predicate formulas of vulnerabilities, establishing a comprehensive attack prerequisite and attack result rule base. The knowledge acquisition process involves modelling system vulnerabilities, attacks, and the relationship between attacks and vulnerabilities.
(1) Vulnerability modelling
The vulnerabilities referred to in the invention are any system properties that can serve as attack prerequisites. According to the vulnerability definition, a vulnerability comprises 4 parts: the CVE (Common Vulnerabilities and Exposures) list of the victim machine, the attacker's initial rights (the attacker's user rights, the program execution capability on the attacking machine and the attack scripts possessed), the firewall access policy settings, and the attacker's user rights on the victim machine. Using atomic predicate formulas, a vulnerability is modelled as:
Vul_Name(VICTIM) Predicate 1
User_Name(VICTIM) Predicate 2
User_Name(ATTACK) Predicate 3
Policy_Name(ATTACK,VICTIM) Predicate 4
EXECUTE(ATTACK) Predicate 5
PGM_Name(ATTACK) Predicate 6
Predicate 1 expresses that vulnerability Vul_Name, expressed as a CVE number, is found on the VICTIM host. In Predicates 2 and 3, User_Name specifies the set of operations the user may carry out on the host, at three levels: no rights NONE, ordinary user NORMAL_USER and super user SUP_USER. In Predicate 4, the system access policy Policy_Name expresses network connectivity and, following the hierarchy of the TCP/IP protocol suite, is divided into 4 levels: application layer APP_LAYER, transport layer TRANS_LAYER, network layer NET_LAYER and link layer LINK_LAYER. Predicates 5 and 6 express respectively that programs can be executed on the ATTACK host and that software named PGM_Name is possessed on it.
(2) Attack modelling
The existing intrusion feature database of NSMS (Network Security Monitoring System) serves as the attack signature database of the active security vulnerability detector AVCS; this database currently holds nearly a thousand attacks or suspicious behaviours that IDS (Intrusion Detection Systems) can detect. The model of an atomic attack is:
Exploit_Name(ATTACK,Mid_Host,VICTIM) Predicate 7
This model expresses that an attacker on the ATTACK host, using the Mid_Host host as a springboard, launches the Exploit_Name attack against the victim machine VICTIM.
(3) Attack/vulnerability relationship modelling
In order to find the potential attack paths that threaten the protection target, the causal relationship between attacks and vulnerabilities must be considered, checking whether the consequence of one attack helps satisfy the prerequisite of another attack. The attack/vulnerability relational model established with predicate logic is:
[Predicate 8: given in the original only as an image (C200510042655D00161); its formula is not reproduced on this page]
$$exploit \Rightarrow \{consequence_1, \cdots, consequence_m\} \qquad \text{Predicate 9}$$
where $prerequisite_i$, $exploit$ and $consequence_j$ are each represented by atomic predicate formulas. The two molecular predicate formulas above express that the prerequisite for the success of the exploit attack is that every $prerequisite_i$ ($i = 1, \ldots, n$) must be TRUE, and that the consequence of success is that $consequence_j$ ($j = 1, \ldots, m$) may be TRUE.
Information acquisition
The system information acquisition module discovers network topology information, that is, the security vulnerabilities and access control information of objects such as workstations and servers, and describes them in a fixed format, thereby providing the input needed to build attack paths. Automatic discovery of network topology is therefore essential for applying the AVCS system to a real network.
The authors developed a powerful detection agent for the Windows and Linux platforms. It makes full use of OVAL to export detailed machine configuration information automatically, including running services, software components and network connectivity, which solves the problem that existing detectors cannot provide the access policy and other configuration information. On a Windows target host the access control policy is obtained by reading the registry key values of each firewall rule; on a Linux assessment target it is obtained by reading the text configuration files of firewalls such as IPTable or IPChains. The access policy helps determine whether an attacker can deliver data to the target at all, which is very useful for inferring multi-stage attacks. Next, the configuration information output by each detection agent is analysed to recognise the CVE vulnerabilities present in the system; according to the vulnerability-to-predicate lookup table (see Fig. 6(e)), the recognised CVE vulnerabilities and configuration information are converted into instantiated vulnerabilities, i.e. concrete values are assigned to the attribute name set of the class vulnerability, and the result is stored in the following table:
Table 1 Instantiated vulnerabilities
InsVulID  InsVulPredicate  Src_Host      Dst_Host
1         TRNS_IIS_RDS     192.168.1.10  192.168.1.19
2         TRNS_IIS_RDS     192.168.1.50  192.168.1.19
3         EXECUTE          192.168.1.10  NULL
4         SERVICE_FTP      192.168.1.19  NULL
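To make the instantiation step concrete, the following Python is an added example and not the patent's agent code. It takes constructed per-host reports (services, software versions and iptables-style INPUT rules, all sample data), derives SERVICE_x and TRANS_x reachability facts by evaluating the firewall rules first-match, tags each reachable pair with a policy level (a rule naming a port is treated as TRANS_LAYER and an IP-only rule as NET_LAYER, an assumed simplification of the page's four levels), and matches a placeholder vulnerability definition against a reported software version. The output rows have the columns of Table 1; the definition id, predicate names and addresses are assumptions.

```python
"""Deriving instantiated vulnerability facts from agent reports (added example)."""

# Constructed agent reports (sample data, not output of the page's detection agent).
# "rules" are iptables-style INPUT chain rules in evaluation order.
HOSTS = {
    "192.168.1.10": {"services": {}, "software": {}, "rules": []},
    "192.168.1.19": {
        "services": {21: "FTP", 80: "IIS"},
        "software": {"wu-ftpd": "2.6.1"},
        "rules": [
            "-A INPUT -s 192.168.1.10 -p tcp --dport 21 -j ACCEPT",
            "-A INPUT -p tcp --dport 80 -j ACCEPT",
            "-A INPUT -j DROP",
        ],
    },
    "192.168.1.30": {
        "services": {80: "IIS"},
        "software": {},
        "rules": ["-A INPUT -s 192.168.1.19 -j ACCEPT", "-A INPUT -j DROP"],
    },
}

# Placeholder definition-to-predicate mapping: a simplified stand-in for an OVAL
# definition plus the page's lookup table of Fig. 6(e). The id is not a real CVE.
DEFINITIONS = [
    {"id": "CVE-PLACEHOLDER-0001", "software": "wu-ftpd", "fixed_in": "2.6.2",
     "predicate": "VULN_WUFTPD"},
]


def parse_rule(rule):
    """Pick the options this example understands out of an iptables rule string."""
    toks = rule.split()
    opts = {toks[i]: toks[i + 1] for i in range(len(toks) - 1) if toks[i].startswith("-")}
    return {"src": opts.get("-s"), "proto": opts.get("-p"),
            "port": int(opts["--dport"]) if "--dport" in opts else None,
            "target": opts.get("-j", "ACCEPT")}


def access_policy(rules, src, proto, port):
    """First matching rule decides, as iptables does. Returns (accepted, layer): a rule
    that names a port counts as a TRANS_LAYER policy, one naming only IP/protocol as
    NET_LAYER (assumed mapping onto the page's policy levels)."""
    for r in map(parse_rule, rules):
        if (r["src"] not in (None, src) or r["proto"] not in (None, proto)
                or r["port"] not in (None, port)):
            continue
        return r["target"] == "ACCEPT", ("TRANS_LAYER" if r["port"] is not None else "NET_LAYER")
    return True, "NET_LAYER"  # assumption: chain policy ACCEPT when nothing matches


def version_tuple(v):
    return tuple(int(x) for x in v.split("."))


def instantiate(hosts, definitions):
    """Produce (InsVulPredicate, Src_Host, Dst_Host) rows as in Table 1."""
    rows = []
    for dst, info in hosts.items():
        for port, name in info["services"].items():
            rows.append((f"SERVICE_{name}", dst, "NULL"))
            for src in hosts:
                if src == dst:
                    continue
                accepted, layer = access_policy(info["rules"], src, "tcp", port)
                if accepted:                      # reachability fact, e.g. TRANS_FTP(src, dst)
                    rows.append((f"TRANS_{name}", src, dst))
                    rows.append((f"POLICY_{layer}", src, dst))
        for d in definitions:                     # software below the fixed version -> vulnerability
            ver = info["software"].get(d["software"])
            if ver and version_tuple(ver) < version_tuple(d["fixed_in"]):
                rows.append((d["predicate"], dst, "NULL"))
    return list(dict.fromkeys(rows))              # de-duplicate, keep first-occurrence order


if __name__ == "__main__":
    for n, (pred, src, dst) in enumerate(instantiate(HOSTS, DEFINITIONS), 1):
        print(f"{n:<4}{pred:<20}{src:<14}{dst}")
```

The point the rows make is the one the page draws from access policies: the FTP service on 192.168.1.19 is reported once, but a TRANS_FTP fact is produced only for the source host the firewall admits, so the later association step cannot chain an FTP attack from 192.168.1.30 even though the vulnerable service is present.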
The attack/vulnerability association analysis engine
The association analysis engine is the core of constructing potential attack paths on the basis of predicate logic. Making full use of the power of the relational database management system and of the reciprocal causal relations between attacks and vulnerabilities, it analyses the attack/vulnerability knowledge base together with the concrete system configuration information, associates attacks with vulnerabilities, i.e. finds the attacks and vulnerabilities that stand in a prepare-for relation, and stores them in the association results table shown in Table 2.
Table 2 Association results
Preparing                              Prepared
TRANS_FTP(192.168.1.10,192.168.1.19)   WUFTPDX(192.168.1.10,192.168.1.19)
EXECUTE(192.168.1.10)                  WUFTPDX(192.168.1.10,192.168.1.19)
First, the variables and functions used in the association process are defined:
S_found: the set of attacks identified as possibly successful under the current system configuration.
S_current: the set of possibly successful attacks discovered in the current iteration.
SC_current: the set of consequences of the possibly successful attacks discovered in the current iteration.
P(e_t)/C(e_t): the prerequisite/consequence set of class attack e_t.
sign: a flag recording whether an attack path was found; sign = 1 means at least one attack path exists, sign = 0 means no attack path was found.
Function correlation(i, temp): determines whether the correlation rule for an instantiated attack can succeed, i.e. whether in the instantiated attribute tuple i the values at the positions corresponding to the characters "ATTACK", "Mid_Host" and "VICTIM" in the class attribute tuple temp are identical. If they are, the instantiated attack corresponding to i may occur and the function returns "TRUE"; otherwise the instantiated attack cannot occur and the function returns "FALSE". For example, for the class attack IISRDS, suppose
temp = (Figure C200510042655D00181)
i = {Money, NULL, Money, Maude, Maude, NULL}. The 1st and 3rd elements of i, which correspond to the "ATTACK" characters of temp, are both Money, and the 4th and 5th elements, which correspond to the "VICTIM" characters, are both Maude; it is therefore judged that the instantiated IISRDS attack corresponding to i may occur, and the function returns "TRUE".
Function output(i, temp): for a concrete class attack, replaces the individuals ATTACK, Mid_Host and VICTIM of the atomic predicate formula e_t(ATTACK, Mid_Host, VICTIM) with the values of i at the positions corresponding to the "ATTACK", "Mid_Host" and "VICTIM" characters of temp. In the example given for correlation(i, temp), IISRDS(output(i, temp)) yields the instantiated attack predicate IISRDS(Money, Maude).
Function ins(P(e_t)): according to the initial system configuration information set, instantiates the atomic predicate formulas corresponding to the prerequisites of class attack e_t, i.e. assigns concrete IP addresses to the common variables "ATTACK", "Mid_Host" and "VICTIM".
To guarantee that the attack path set found satisfies both the initial and the goal conditions, the proposed attack/vulnerability association algorithm consists of two processes: a forward search Forward_search that starts matching from attack prerequisites, and a backward search Backward_search that starts matching from attack consequences. Because the details of the two search processes are similar, and for reasons of space, only the implementation details of the Forward_search algorithm are given:
Input: class attack set E, class vulnerability set V, prerequisite set TP of the class attacks, consequence set TC of the class attacks, initial system information set TI, protection target G.
Output: associated attack/vulnerability set S_ve.
/* details of the forward search Forward_search */
S_found ← φ, S_current ← φ, SC_current = TI, SC'_current ← φ, S_ve ← φ, sign = 0;    /* initialization */
While ((SC_current \ G) ∩ P(E)) ≠ φ {
    (Figure C200510042655D00191)
    For each e_t ∈ E do
        P(e_t) = σ_{e_t} TP;
        If ((SC_current \ G) ∩ P(e_t)) ≠ φ
            (Figure C200510042655D00193)
            For each a ∈ ins(P(e_t)) do
                If Π_a SC_current ≠ φ  temp_i = Π_a SC_current ⋈ A_a    /* A_a: the predicate from the previous iteration */
                Else temp_i = A_a
            (Figure C200510042655D00201)
            For each i ∈ temp2 do
                If correlation(i, temp) == TRUE    /* judge whether the attack may succeed */
                    e_t(output(i, temp)) → S_current, C(e_t) = σ_{e_t}(TC), SC'_current = ∪ C(e_t);
                    S_found = ∪ S_current, C(e_t) → TI, S_ve = ∪ (P(e_t), e_t), S_ve = ∪ (e_t, C(e_t));
                    For each d ∈ C(e_t) do
                        If (d == G) sign = 1;
    (Figure C200510042655D00203)
}
If (sign == 1) (S_ve, S_found) = Backward_search(S_ve);    /* remove redundant paths by backward search */
Else Print("G is enough secure");
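The prerequisite/consequence model of Predicates 8 and 9 and the forward search above can be exercised end to end in a few dozen lines. The following Python is an added example, not code from the patent: it keeps class attacks as prerequisite and consequence templates over ATTACK, Mid_Host and VICTIM, instantiates them against a constructed set of Table 1-style facts (rule contents, host addresses and the target are assumptions), and runs a fixpoint forward search followed by a backward pruning pass. Instead of the relational selection, projection and join of the page's algorithm it matches templates against a Python set of facts; the consistency check on shared variables plays the role of correlation(i, temp), and the loop runs until no new consequence appears rather than on the page's (SC_current \ G) ∩ P(E) condition.

```python
"""Forward/backward attack-vulnerability association (added example)."""
from collections import deque

# Class attack knowledge base: prerequisite/consequence templates, i.e. atomic
# predicates over ATTACK, Mid_Host, VICTIM. Names follow the page; rules are constructed.
CLASS_ATTACKS = {
    "WUFTPDX": {
        "pre":  [("SERVICE_FTP", "VICTIM"), ("TRANS_FTP", "ATTACK", "VICTIM"), ("EXECUTE", "ATTACK")],
        "post": [("SUP_USER", "VICTIM"), ("EXECUTE", "VICTIM")],
    },
    "IISRDS": {
        "pre":  [("SERVICE_IIS", "VICTIM"), ("TRNS_IIS_RDS", "ATTACK", "VICTIM"), ("EXECUTE", "ATTACK")],
        "post": [("NORMAL_USER", "VICTIM")],
    },
}

# Initial system information TI in the shape of Table 1 (constructed three-host network).
INITIAL_FACTS = {
    ("EXECUTE", "192.168.1.10"),
    ("SERVICE_FTP", "192.168.1.19"),
    ("TRANS_FTP", "192.168.1.10", "192.168.1.19"),
    ("SERVICE_IIS", "192.168.1.19"),
    ("TRNS_IIS_RDS", "192.168.1.10", "192.168.1.19"),
    ("SERVICE_IIS", "192.168.1.30"),
    ("TRNS_IIS_RDS", "192.168.1.19", "192.168.1.30"),
}
TARGET = ("NORMAL_USER", "192.168.1.30")  # protection target G


def fmt(pred):
    """Render a predicate tuple as text, e.g. EXECUTE(192.168.1.10)."""
    return f"{pred[0]}({','.join(pred[1:])})"


def ins(template, binding):
    """Substitute bound IP addresses into a template (the page's ins())."""
    return (template[0],) + tuple(binding[v] for v in template[1:])


def attack_name(name, binding):
    """Instantiated attack in the form of Predicate 7: name(ATTACK, Mid_Host, VICTIM)."""
    return fmt((name, binding.get("ATTACK", "NULL"), binding.get("Mid_Host", "NULL"),
                binding.get("VICTIM", "NULL")))


def match(templates, facts, binding):
    """Yield every binding under which all templates occur in facts. The agreement test
    on shared variables is the page's correlation(i, temp) check."""
    if not templates:
        yield dict(binding)
        return
    name, *slots = templates[0]
    for fact in facts:
        if fact[0] != name or len(fact) - 1 != len(slots):
            continue
        b = dict(binding)
        if all(b.setdefault(v, val) == val for v, val in zip(slots, fact[1:])):
            yield from match(templates[1:], facts, b)


def forward_search(class_attacks, initial_facts, target):
    """Iterate until no new consequence appears; returns (sign, S_found, S_ve)."""
    facts, s_found, s_ve, sign = set(initial_facts), [], set(), 0
    while True:
        new_facts = set()
        for name, rule in class_attacks.items():
            for b in match(rule["pre"], facts, {}):
                inst = attack_name(name, b)
                if inst in s_found:
                    continue
                s_found.append(inst)
                for t in rule["pre"]:
                    s_ve.add((fmt(ins(t, b)), inst))   # (preparing vulnerability, prepared attack)
                for t in rule["post"]:
                    c = ins(t, b)
                    s_ve.add((inst, fmt(c)))           # (preparing attack, prepared consequence)
                    new_facts.add(c)
                    if c == target:
                        sign = 1
        if new_facts <= facts:
            break
        facts |= new_facts                             # consequences feed the next iteration
    return sign, s_found, s_ve


def backward_search(s_ve, target):
    """Keep only the preparing/prepared pairs lying on some path that ends at G."""
    preds = {}
    for a, b in s_ve:
        preds.setdefault(b, set()).add(a)
    goal = fmt(target)
    kept, seen, queue = set(), {goal}, deque([goal])
    while queue:
        node = queue.popleft()
        for p in preds.get(node, ()):
            kept.add((p, node))
            if p not in seen:
                seen.add(p)
                queue.append(p)
    return kept


def analyse(class_attacks=CLASS_ATTACKS, initial_facts=INITIAL_FACTS, target=TARGET):
    sign, s_found, s_ve = forward_search(class_attacks, initial_facts, target)
    return sign, s_found, (backward_search(s_ve, target) if sign else set())


if __name__ == "__main__":
    sign, found, kept = analyse()
    print("attack path(s) found:" if sign else "G is enough secure")
    for preparing, prepared in sorted(kept):
        print(f"  {preparing} -> {prepared}")
```

Forward search finds three instantiated attacks, among them IISRDS launched from 192.168.1.10 against 192.168.1.19; backward search drops that one because its consequence NORMAL_USER(192.168.1.19) prepares nothing on the way to G, which is exactly the redundancy the page's Backward_search removes.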
Visualization technique for attack paths
The visualization display module analyses the output of the attack/vulnerability correlation engine, further uses the selection and projection operations of the relational database management system to build the directed causal graph between attacks and vulnerabilities, and displays the potential attack paths present in the system. In the directed-graph representation, vulnerabilities and attacks are the nodes and directed edges represent the correlation between attacks and vulnerabilities: an edge from vulnerability v to attack s means that v is a prerequisite of s; similarly, an edge from attack s to vulnerability v means that v is a consequence of s. To save display space, the attack path graph shows only vulnerabilities that serve purely as attack prerequisites; a vulnerability that is both the consequence of a preceding attack and the prerequisite of a following attack is not shown in the attack graph. The proposed visualization display algorithm is as follows:
Input: associated attack/vulnerability set S_ve, identified successful attack set S_found, protection target G
Output: attack path graph threatening the security target
P_ing = Π_preparing S_ve, P_ed = Π_prepared S_ve
For each v ∈ P_ing {
    (Figure C200510042655D00211)
        e = Π_prepared(σ_{preparing=v} S_ve), BuildGraph(v, e);    /* build the directed graph of prerequisite and attack */
    }
    Else if v ∈ S_found {
        v' = Π_prepared(σ_{preparing=v} S_ve);
        If v' == G BuildGraph(v, v');    /* build the directed graph of attack and protection target */
        Else {
            e = Π_prepared(σ_{preparing=v'} S_ve);
            BuildGraph(v, e);    /* build the directed graph of attack and attack */
        }
    }
}
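As an added illustration of the display rule (not code from the patent), the Python below applies the algorithm above to a constructed S_ve/S_found pair in the shape of Table 2 and emits the resulting graph in Graphviz DOT syntax. The host addresses, predicate names and the choice of DOT as output are assumptions; the projection and selection of the page are replaced by comprehensions over a set of pairs.

```python
"""Attack path graph construction from association results (added example)."""

# Constructed S_ve (preparing, prepared) pairs and S_found for a two-step path.
W = "WUFTPDX(192.168.1.10,NULL,192.168.1.19)"
I = "IISRDS(192.168.1.19,NULL,192.168.1.30)"
G = "NORMAL_USER(192.168.1.30)"                    # protection target
S_FOUND = {W, I}
S_VE = {
    ("SERVICE_FTP(192.168.1.19)", W),
    ("TRANS_FTP(192.168.1.10,192.168.1.19)", W),
    ("EXECUTE(192.168.1.10)", W),
    (W, "SUP_USER(192.168.1.19)"),
    (W, "EXECUTE(192.168.1.19)"),                  # consequence of W and prerequisite of I
    ("SERVICE_IIS(192.168.1.30)", I),
    ("TRNS_IIS_RDS(192.168.1.19,192.168.1.30)", I),
    ("EXECUTE(192.168.1.19)", I),
    (I, G),
}


def select_prepared(s_ve, preparing):
    """Π_prepared(σ_{preparing=v} S_ve): everything that v prepares."""
    return [b for a, b in s_ve if a == preparing]


def build_attack_graph(s_ve, s_found, target):
    """Directed edges of the attack path graph. Only vulnerabilities that are purely
    prerequisites become nodes; an intermediate vulnerability is folded into an
    attack-to-attack edge, as the page's algorithm stipulates."""
    p_ing = {a for a, _ in s_ve}
    p_ed = {b for _, b in s_ve}
    edges = set()
    for v in p_ing:
        if v not in s_found:                       # v is a vulnerability
            if v not in p_ed:                      # ... and nobody's consequence
                for e in select_prepared(s_ve, v):
                    edges.add((v, e))              # prerequisite -> attack
        else:                                      # v is an attack
            for v2 in select_prepared(s_ve, v):
                if v2 == target:
                    edges.add((v, v2))             # attack -> protection target
                else:
                    for e in select_prepared(s_ve, v2):
                        edges.add((v, e))          # attack -> attack, v2 hidden
    return edges


def to_dot(edges, s_found):
    """Render the edge set as Graphviz DOT; attacks as ellipses, vulnerabilities as boxes."""
    nodes = {n for e in edges for n in e}
    lines = ["digraph attack_paths {"]
    for n in sorted(nodes):
        lines.append(f'  "{n}" [shape={"ellipse" if n in s_found else "box"}];')
    for a, b in sorted(edges):
        lines.append(f'  "{a}" -> "{b}";')
    lines.append("}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(to_dot(build_attack_graph(S_VE, S_FOUND, G), S_FOUND))
```

On the sample data the graph has seven edges: three prerequisites into WUFTPDX, two into IISRDS, one edge WUFTPDX → IISRDS standing in for EXECUTE(192.168.1.19), and one edge from IISRDS to the target; SUP_USER(192.168.1.19) prepares no further attack and so does not appear.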
Compared with the prior art, the present invention produces the following effects:
1. Detection accuracy: Table 3 gives the detection results for IE 6.0; combined with data from Microsoft's web site, the hotfixes for all 7 vulnerabilities reported by the AVCS system are found to be included in IE 6.0 SP1. Table 4 gives the experimental results for IIS 5.0; the vulnerabilities found by AVCS cover all the vulnerabilities reported by MBSA. At the same time, MBSA falsely reports vulnerability MS04-004, because the system configuration does not match the corresponding vulnerable software, IE 6 + SP1. It follows that, as long as the system knowledge base is guaranteed to contain rich vulnerability definitions and is updated in time, the AVCS system can provide high-quality reports. The OVAL-based AVCS system clearly improves the false alarm rate of vulnerability detectors, mainly because of the difference in vulnerability detection principle.
Table 3 Detection results for IE 6.0
Detector: MBSA
  Number of vulnerabilities: 3
  Vulnerability names: MS04-004, IE6, MS03-030
Detector: AVCS
  Number of vulnerabilities: 8
  Vulnerability names: CAN-2002-0371, CAN-2002-0189, CAN-2002-0193, CVE-2002-0023, CVE-2002-0026, CAN-2003-1326, CAN-2003-1328, CAN-2003-0346
Table 4 Detection results for IIS 5.0
Detector: MBSA
  Number of vulnerabilities: 2
  Vulnerability names: MS01-026, MS01-033
Detector: AVCS
  Number of vulnerabilities: 6
  Vulnerability names: CVE-2002-0073, CVE-2001-0333, CVE-2000-0886, CVE-2000-0884, CVE-2002-0074, CAN-2003-0109
2. Detection speed:
As shown in Figure 10 and Figure 11, the run-time statistics of the AVCS and Nessus detectors against different numbers of targets are given; the horizontal axis is the number of assessed target hosts and the vertical axis the detection time in seconds. For a single target host, the time used by AVCS is 1/9 of that of NESSUS. For the same 3 hosts, the average times used by AVCS and NESSUS are 58 seconds and 346 seconds respectively.
3. Unknown vulnerability detection:
As shown in Figure 12, the vulnerability analysis result of a small network is given: the combination of two CVE vulnerabilities, CVE-2002-1142 on host Amy and CAN-2003-0694 on host Rake, threatens the protection target, namely the security of superuser privilege on host Rake. This lays the foundation for implementing effective security precautions and helps the administrator analyse whether the existing security measures are sufficient to guarantee the security of a given critical resource.
4. Cross-platform: vulnerability detection is realised for both the Windows and Linux platforms.
5. "Zero" impact: under typical operation the bandwidth occupancy is only 8-28 Kb/s, so scanning essentially does not affect normal use of the network; at the same time, the CPU load of the host running the console and database increases by only 2%~5%.
6. Extensibility: for a newly published vulnerability, detection is achieved simply by defining the logical conditions of its existence; no attack code needs to be developed. Likewise, attack/vulnerability association analysis only requires defining the prerequisites and consequences of an attack type; no model of the hacker's intrusion needs to be defined.
7. Secure detection: a 128-bit SSL encryption protocol is adopted and the transmission encryption function provided by the database is used, guaranteeing communication security.

Claims (5)

1. An active network security vulnerability detector, characterised in that, based on the Open Vulnerability Assessment Language OVAL, it collects system configuration information in a distributed manner and performs centralised vulnerability analysis and assessment, thereby detecting the vulnerabilities of the network system, finding the threats that combinations of vulnerabilities pose to the protection target, and further displaying intuitively the potential attack paths that threaten the protection target; the active network security vulnerability detector comprises three parts, a detection agent, a data center and an analysis console:
the detection agents are distributed on each host of the network to be assessed, collect the system characteristic information of each host using OVAL, and upload it to the data center for use in analysis and assessment;
the analysis console is the user interface for vulnerability assessment and is mainly responsible for: 1) configuring the assessment targets and selecting the detection strategy and assessment conditions according to the assessment needs; 2) controlling the start and stop of the detection system; 3) analysing the information reported by the detection agents using OVAL Definitions written in the Open Vulnerability Assessment Language, and judging the known vulnerabilities present in the system; 4) based on the list of known vulnerabilities found, analysing the security problems caused by combinations of vulnerabilities with the predicate-logic attack/vulnerability association analysis model; 5) visually displaying the identified potential attack paths;
the data center uses a database system to store and manage vulnerability information, mainly comprising the attack/vulnerability basic knowledge base, the attack/vulnerability relation table, and the system configuration information and vulnerability detection results reported by each detection agent; the data center interacts with the vulnerability detection agents and the analysis console to complete vulnerability detection cooperatively;
the workflow comprises the following steps:
A. the analysis console sends a "start" control command to start the detection agent;
B. the detection agent sends a "hello" message informing the analysis console that it is ready and waiting for a task;
C. the analysis console then sends a "collect data request" message notifying the detection agent to collect system information;
D. the detection agent sends a "collect data reply" message to the analysis console, begins collecting data at the same time, and sends the data to the data center;
E. when the detection agent finishes collecting data, it sends a "collection end" notice to the analysis console;
F. on receiving the "collection end" notice, the analysis console starts querying the information in the data center and performs vulnerability judgement according to the query results.
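The six steps of the workflow can be simulated as a message exchange between the three parts. The Python below is an added example, not the patent's implementation: message names, the in-memory data center and the criteria-style vulnerability definitions are constructed stand-ins, and data collection runs inline rather than concurrently with the "collect data reply". The agent is a small state machine that acts only on messages arriving in the order of steps A to E and rejects anything else, and the console performs step F by querying the data center and checking which definitions are satisfied by all of a host's reported facts.

```python
"""Console / detection agent / data center workflow of claim 1 (added simulation)."""

# Constructed message names standing in for the quoted commands of steps A-F.
START, HELLO, COLLECT_REQ = "start", "hello", "collect data request"
COLLECT_REPLY, COLLECT_END, REJECT = "collect data reply", "collection end", "reject"


class DataCenter:
    """In-memory stand-in for the database that stores what each agent reports."""
    def __init__(self):
        self.facts = {}

    def store(self, host, facts):
        self.facts.setdefault(host, []).extend(facts)

    def query(self, host):
        return list(self.facts.get(host, []))


class DetectionAgent:
    """IDLE -(start)-> READY -(collect request)-> DONE; out-of-order messages are rejected."""
    def __init__(self, host, data_center, inventory):
        self.host, self.dc, self.inventory, self.state = host, data_center, inventory, "IDLE"

    def receive(self, msg):
        if self.state == "IDLE" and msg == START:              # step A answered by step B
            self.state = "READY"
            return [HELLO]
        if self.state == "READY" and msg == COLLECT_REQ:       # step C answered by D and E
            self.state = "COLLECTING"
            self.dc.store(self.host, self.inventory)            # constructed facts go to the data center
            self.state = "DONE"
            return [COLLECT_REPLY, COLLECT_END]
        return [REJECT]                                         # wrong state or unknown message


class AnalysisConsole:
    def __init__(self, data_center, definitions):
        self.dc, self.definitions, self.transcript = data_center, definitions, []

    def send(self, agent, msg):
        self.transcript.append(("console", agent.host, msg))
        replies = agent.receive(msg)
        self.transcript.extend((agent.host, "console", r) for r in replies)
        return replies

    def assess(self, agents):
        """Drive steps A-E for every agent, then step F: query the data center and judge."""
        report = {}
        for agent in agents:
            if self.send(agent, START) != [HELLO]:
                report[agent.host] = "agent not ready"
                continue
            if self.send(agent, COLLECT_REQ) != [COLLECT_REPLY, COLLECT_END]:
                report[agent.host] = "collection failed"
                continue
            facts = set(self.dc.query(agent.host))
            report[agent.host] = sorted(vid for vid, criteria in self.definitions.items()
                                        if criteria <= facts)  # every criterion reported
        return report


# Constructed definitions: a definition holds when all of its criterion facts were reported.
DEFINITIONS = {
    "VULN-PLACEHOLDER-FTP": {("service", "ftp"), ("software", "wu-ftpd 2.6.1")},
    "VULN-PLACEHOLDER-IIS": {("service", "iis"), ("software", "iis 5.0")},
}


def run_demo():
    dc = DataCenter()
    agents = [
        DetectionAgent("192.168.1.19", dc, [("service", "ftp"), ("software", "wu-ftpd 2.6.1")]),
        DetectionAgent("192.168.1.30", dc, [("service", "iis"), ("software", "iis 6.0")]),
    ]
    console = AnalysisConsole(dc, DEFINITIONS)
    return console.assess(agents), console.transcript


if __name__ == "__main__":
    report, transcript = run_demo()
    for sender, receiver, msg in transcript:
        print(f"{sender} -> {receiver}: {msg}")
    print(report)
```

Rejecting out-of-order messages is what keeps a stray "collect data request" from triggering collection on an agent the console never started; the stray request leaves the agent's state and the data center unchanged.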
2. The active network security vulnerability detector according to claim 1, characterised in that said detection agent is based on OVAL; its core sub-thread class AgentTask relies on the communication encapsulation class SSL_Agent and the information collection class InfoCollector to complete the concrete detection process, collecting in a distributed manner the target host's information on system files, registry keys, processes, registered users, Internet Information Server (IIS) registration information and network connection state;
the SSL_Agent class is responsible for all communication work, including port initialisation, initialisation of the SSL (Secure Sockets Layer) process and exception handling during communication; the InfoCollector class is responsible for data collection: on the Windows platform it relies on the RegistryKeys, Ps, MetabaseKeys, AccountPrivileges and FileAttributes classes to collect registry keys, processes, IIS registration information, registered user accounts and system file information respectively, and on Linux systems it relies on the File, InetListeningServers, Process, RPMInfo, RPMVersionCompare and Uname classes to collect system files, network listening services, processes, package management and required file association database information, package version comparison information and general system information respectively.
3. The active network security vulnerability detector according to claim 1, characterised in that said predicate-logic attack/vulnerability association analysis model uses atomic predicate formulas as the basic modelling unit to model attacks, vulnerabilities and the causality between them, and uses atomic predicate formulas to model the configuration information provided by the detection agents and the list of Common Vulnerabilities and Exposures (CVE) automatically identified by the analysis console; further, based on the attack/vulnerability basic knowledge base and the reciprocal causal relation between the two, the attack/vulnerability association analysis algorithm performs attack/vulnerability association analysis and builds the potential attack paths that threaten the security target.
4. The active network security vulnerability detector according to claim 3, characterised in that the attack/vulnerability association analysis algorithm uses the three relational operations join, selection and projection of the relational database management system; it first performs a forward search that begins by matching the prerequisites of class attacks with the instantiated vulnerabilities of the system, then performs a backward search that begins by matching the consequences of class attacks with the protection target, and in each iteration analyses the attack types whose prerequisites or consequences have changed.
5. The active network security vulnerability detector according to claim 1, characterised in that the visual display of the identified potential attack paths takes vulnerabilities and attacks as the nodes of a graph and directed edges as the correlation between attacks and vulnerabilities, stipulates that only vulnerabilities serving purely as attack prerequisites are shown, uses the selection and projection relational operations of the relational database management system to analyse the output of the attack/vulnerability correlation engine, builds the directed causal graph between attacks and vulnerabilities, and visually displays the potential attack paths present in the system.
CNB2005100426556A 2005-05-10 2005-05-10 Active network safety loophole detector Expired - Fee Related CN100463461C (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CNB2005100426556A CN100463461C (en) 2005-05-10 2005-05-10 Active network safety loophole detector

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CNB2005100426556A CN100463461C (en) 2005-05-10 2005-05-10 Active network safety loophole detector

Publications (2)

Publication Number Publication Date
CN1694454A CN1694454A (en) 2005-11-09
CN100463461C true CN100463461C (en) 2009-02-18

Family

ID=35353253

Family Applications (1)

Application Number Title Priority Date Filing Date
CNB2005100426556A Expired - Fee Related CN100463461C (en) 2005-05-10 2005-05-10 Active network safety loophole detector

Country Status (1)

Country Link
CN (1) CN100463461C (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106302430A (en) * 2016-08-10 2017-01-04 东北电力大学 A kind of computer network defense decision control system

Families Citing this family (25)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101060396B (en) * 2006-03-24 2011-02-09 东软集团股份有限公司 An event detection method and device
CN101162993B (en) * 2007-11-29 2010-12-01 哈尔滨工程大学 Network risk analysis method
KR20090121579A (en) * 2008-05-22 2009-11-26 주식회사 이베이지마켓 System for checking vulnerabilities of servers and method thereof
CN101699815B (en) * 2009-10-30 2012-08-15 华南师范大学 Network attack automatic execution/exhibition system and method
CN101741862B (en) * 2010-01-22 2012-07-18 西安交通大学 System and method for detecting IRC bot network based on data packet sequence characteristics
CN102468985B (en) * 2010-11-01 2016-03-23 北京神州绿盟信息安全科技股份有限公司 The method and system of penetration testing is carried out for Network Security Device
CN102123042B (en) * 2010-12-30 2013-05-15 中国民航信息网络股份有限公司 System configuration intelligent management system and management method thereof
CN102170431A (en) * 2011-03-25 2011-08-31 中国电子科技集团公司第三十研究所 Host risk evaluation method and device
CN102413011B (en) * 2011-11-18 2015-09-30 北京奇虎科技有限公司 A kind of method and system of LAN safety assessment
CN103124223B (en) * 2011-12-21 2016-01-27 中国科学院软件研究所 A kind of automatic real-time judgment method of IT system security postures
CN103067361A (en) * 2012-12-18 2013-04-24 蓝盾信息安全技术股份有限公司 Method for intelligently collecting Web application firewall white lists
CN103258165B (en) * 2013-05-10 2016-10-05 华为技术有限公司 The treating method and apparatus of leak evaluation
CN104065645A (en) * 2014-05-28 2014-09-24 北京知道创宇信息技术有限公司 Web vulnerability protection method and apparatus
CN104077531B (en) * 2014-06-05 2017-11-07 中标软件有限公司 System vulnerability appraisal procedure, device and system based on open vulnerability assessment language
CN104978257B (en) * 2015-07-17 2018-06-12 北京奇安信科技有限公司 Computing device elasticity methods of marking and device
US20170126727A1 (en) * 2015-11-03 2017-05-04 Juniper Networks, Inc. Integrated security system having threat visualization
CN106230857A (en) * 2016-08-30 2016-12-14 上海新华控制技术(集团)有限公司 A kind of active leakage location towards industrial control system and detection method
CN108959931B (en) * 2017-05-24 2022-03-01 阿里巴巴集团控股有限公司 Vulnerability detection method and device, information interaction method and equipment
CN107659583B (en) * 2017-10-27 2020-08-04 深信服科技股份有限公司 Method and system for detecting attack in fact
CN108804926B (en) * 2018-05-23 2020-06-26 腾讯科技(深圳)有限公司 Universal Web application vulnerability detection and repair method and device
CN109543419B (en) * 2018-11-30 2020-12-04 杭州迪普科技股份有限公司 Method and device for detecting asset security
CN110572409B (en) * 2019-09-16 2021-10-12 国家计算机网络与信息安全管理中心 Industrial Internet security risk prediction method, device, equipment and storage medium
CN112765613A (en) * 2021-01-28 2021-05-07 北京明略昭辉科技有限公司 Vulnerability detection method and system for vehicle-mounted terminal system
CN113179241B (en) * 2021-03-01 2022-06-17 西安理工大学 Multi-step attack characterization method based on time sequence correlation analysis
CN117216767B (en) * 2023-09-05 2024-04-05 四川大学 Vulnerability exploitation attack prediction method based on graph neural network

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1484148A (en) * 2002-05-31 2004-03-24 �������ؼ��ô�˾ Secret hashing for SYN/FIN correspondence
US20050022003A1 (en) * 2003-07-01 2005-01-27 Oliphant Brett M. Client capture of vulnerability data
CN1581089A (en) * 2003-08-04 2005-02-16 联想(北京)有限公司 Invasion detecting method

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
Host security assessment method based on rough set theory. 陈秀真, 郑庆华 et al. Journal of Xi'an Jiaotong University, Vol. 38, No. 12. 2004 *

Also Published As

Publication number Publication date
CN1694454A (en) 2005-11-09

Similar Documents

Publication Publication Date Title
CN100463461C (en) Active network safety loophole detector
Sheyner Scenario graphs and attack graphs
Ning et al. Techniques and tools for analyzing intrusion alerts
CN104509034B (en) Pattern merges to identify malicious act
Goldman et al. Information modeling for intrusion report aggregation
CN111431939B (en) CTI-based SDN malicious flow defense method
CN115296924B (en) Network attack prediction method and device based on knowledge graph
Tianfield Cyber security situational awareness
CN1328638C (en) Intrusion detection method for host under Windows environment
CN103890771A (en) User-defined countermeasures
CN101222317A (en) Depth-first attack drawing generating method
CN110460611B (en) Machine learning-based full-flow attack detection technology
CN112560029A (en) Website content monitoring and automatic response protection method based on intelligent analysis technology
CN111049827A (en) Network system safety protection method, device and related equipment
CN116566674A (en) Automated penetration test method, system, electronic equipment and storage medium
Li et al. An approach to model network exploitations using exploitation graphs
CN101252440A (en) Network intrude detecting method based on inherent subsequence mode decomposition
Roschke et al. Using vulnerability information and attack graphs for intrusion detection
CN115186136A (en) Knowledge graph structure for network attack and defense confrontation
Mathew et al. Understanding multistage attacks by attack-track based visualization of heterogeneous event streams
CN103501302A (en) Method and system for automatically extracting worm features
Li et al. A hierarchical mobile‐agent‐based security operation center
Godefroy et al. Automatic generation of correlation rules to detect complex attack scenarios
Rouached et al. An efficient formal framework for intrusion detection systems
Touloumis et al. Vulnerabilities Manager, a platform for linking vulnerability data sources

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20090218

Termination date: 20150510

EXPY Termination of patent right or utility model