CN101162992A - Cipher protocol safety operation protecting method and system of tolerant intrusion - Google Patents
Cipher protocol safety operation protecting method and system of tolerant intrusion Download PDFInfo
- Publication number
- CN101162992A CN101162992A CNA2007100187713A CN200710018771A CN101162992A CN 101162992 A CN101162992 A CN 101162992A CN A2007100187713 A CNA2007100187713 A CN A2007100187713A CN 200710018771 A CN200710018771 A CN 200710018771A CN 101162992 A CN101162992 A CN 101162992A
- Authority
- CN
- China
- Prior art keywords
- protocol
- cipher protocol
- cipher
- attack
- tolerated
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Links
Images
Abstract
The invention discloses the defending method and system of the safe operation of cryptographic protocols, which can tolerate invasions. In the method, the current protocol event information of a user is collected by a user end and compared with the preset correct operation rules of a cryptographic protocol, characteristics in an attack database and the behavior profile of the normal operation of the cryptographic protocol in order to detect if known or unknown attack behaviors exist in the operation of the cryptographic protocol; when the occurrence of an attack is discovered or suspected, security parameters and a operation mode which operate a cryptographic protocol algorithm are dynamically changed, or the currently used cryptographic protocol or cryptographic algorithm is replaced by a congeneric cryptographic protocol or cryptographic algorithm selected from the classified databases of cryptographic protocols and cryptographic algorithms, so that the attack fails. The defending system of safe operation utilizes an invasion detection module to realize invasion detection on cryptographic protocol attacks in the process of operation, and detection results are sent to an invasion-tolerant module for adaptive adjustment in order to prevent or tolerate invasions. The invention can be used for the security and protection of the operation of various cryptographic protocols in networks.
Description
Technical field
The invention belongs to network information field, relate to the network information security, specifically relate to the inbreak-tolerated security protection of cipher protocol run duration in the safety zone.
Background technology
Cipher protocol claims security protocol again, is one of important means of building network security context, protection information system security and communication system security.Its objective is the safety of guarantee information, if but there is leak in cipher protocol itself, the assailant can utilize these leaks, legitimate correspondence person disguises oneself as, eavesdropping secret or changed information, significant damage is caused in the business field that information system and communication system are related, mechanism especially to concerning such as government, finance, military safety like this, even this moment cryptographic algorithm the good again safe transmission that also can't ensure data of intensity.
In recent years, in order to guarantee the fail safe of cipher protocol, many new methods occurred, but more or less all there are some shortcomings in existing these methods, can not guarantee fully that the cipher protocol that designs is perfectly safe at cipher protocol design, analysis field.Up to the present, people's cipher protocol that designs of safety analysis method validation safety whether of adopting cipher protocol more.
The safety analysis method of cipher protocol roughly can be divided into two big classes: heuristic analysis and formalization analysis.Whether safe the heuristic analysis method is a kind simple attack method of inspection, whether can resist existing attack by judging agreement, draw agreement conclusion.Obviously, the heuristic analysis method can only judge whether the known attack mode is effective to agreement, because the diversity and the unpredictability of attack means, this method is the correctness of identification protocol to a certain extent, fail safe that can not strict identification protocol.Formalization method is the natural expansion to the heuristic analysis method, and it is that method with mathematics and logic is described and verifies agreement, mainly is divided into trust logic method, model detection method and theorem proving method etc.Because its refining, succinct and unambiguity, progressively become the reliable and approach accurately of of analyzing cipher protocol, and successfully found leak on many cipher protocols, but there is the problem that conclusion relies on original hypothesis of analyzing, if original hypothesis is incorrect, also be wrong then by the conclusion that draws after the formalization analysis.So the formalization analysis method is the necessary condition of guarantee agreement safety, rather than adequate condition.
Though some famous cipher protocols have found that there is safety defect in it in addition, are still used widely, this has brought very big hidden danger to the network information security.
The Alec Yasinsac of U.S. FLORIDA state university attempts intrusion detection method in the network is applied to [A.Yasinsac.An Environment for Security Protocol Intrusion Detection[J] .Journal of Computer Security in the implementation of cipher protocol, 2002,10:177-188.], set condition to attack detecting in the cipher protocol implementation, environment etc., and on this basis, designed intrusion detection method at the cipher protocol running, whether can detect in real time has invasion in the cipher protocol running/the attack generation, but the misuse detection method that is based on feature that the method adopts exists the high problem of rate of failing to report of attacking that detects inevitably.Thereafter, Tysen Glen Leckie has proposed based on unusual cipher protocol intrusion detection method [Tysen Leckie, Alec Yasinsac.Metadata forAnomaly-Based Security Protocol Attack Deduction[J] .IEEE Transactions on Knowledge andData Engineering, 2004,9 (16): 1157-1168.], but this method as the foundation whether unusual invasion takes place, exists the high problem of rate of false alarm with the statistics of normal operation agreement inevitably.And existing these methods are single except detection mode, exist outside high leakage/rate of false alarm, how to tackle for detecting attack back system, also do not propose concrete solution.
The content of invention
For overcoming the deficiency of above-mentioned prior art, one of purpose of the present invention provides a kind of inbreak-tolerated cipher protocol safety operation protecting method, to guarantee in the cipher protocol implementation, automatically whether detection protocol is attacked accurately and efficiently, and after detecting attack, adjust strategy by the self adaptation of implementing some cipher protocols automatically, reach prevention or inbreak-tolerated effect; Two of the object of the invention provides an inbreak-tolerated cipher protocol safety operation guard system, and the inbreak-tolerated cipher protocol safety operation protecting method of design can effectively be implemented, and reduces mistake/rate of failing to report.
Technical scheme of the present invention is achieved in that
One, inbreak-tolerated cipher protocol safety operation protecting method
The cipher protocol safety operation protecting method that the present invention is inbreak-tolerated comprises following process:
(1) at the normal operation action summary table of true(-)running rule base, known attack feature database and cipher protocol, cipher protocol and cryptographic algorithm class library, the inbreak-tolerated tactful adjuster of cipher protocol self adaptation of each user side configuration protocol incident collector, all kinds of cipher protocols, after bringing into operation, also in different time sections, set up cipher protocol actual motion behavior summary table according to the practical operation situation of cipher protocol;
(2) gather the cipher protocol event message of the current operation of user by the protocol events collector of user side, by the state exchange in the operating event message triggering of this agreement finite-state automata, and with in the true(-)running rule base of the state exchange that taken place and described cipher protocol about the rule of this cipher protocol, feature about this cipher protocol in the known attack feature database compares, described cipher protocol event message is added in the current actual motion behavior summary table simultaneously, and compare with behavior parameter in the normal operation action summary table of cipher protocol, there is unknown novel attack to detect cipher protocol known attack or the suspection of whether existing in service;
(3) when finding to have the generation of attack or suspection to have attack to take place, by the inbreak-tolerated tactful adjuster of cipher protocol self adaptation, increase key length, the piecemeal length parameter of the cryptographic algorithm that uses in the current operation cipher protocol, or the operational mode of change cryptographic algorithm, to strengthen assailant's successful implementation difficulty of attacking once more; Or from cipher protocol and cryptographic algorithm class library, select for use and current operation agreement or similar cipher protocol or the algorithm of algorithm, replace the cryptographic algorithm that uses in the cipher protocol that using or the agreement, make the assailant invalid to the attack of current password agreement.
Above-mentioned safety operation protecting method, wherein: the parameter in the described normal operation action summary table comprised in each time period, and each cipher protocol executes the maximum times threshold value that state-transition takes place in the maximum number threshold value, finite-state automata of interruption/failure session between the maximum number threshold value, session side of cipher protocol session between required maximum time threshold value, the session side; Parameter in the described actual motion behavior summary table comprised in each time period, the average time that state-transition takes place in the average number of interruption/failure session, the finite-state automata between the average number of cipher protocol session, the session side between the average time that each cipher protocol executes, the session side.
Above-mentioned safety operation protecting method is wherein being deposited various different kind of cipher agreements and cryptographic algorithm in cipher protocol and the cryptographic algorithm class library, the type under each cipher protocol and cryptographic algorithm all identify.The cipher protocol type comprises: folk prescription authentication protocol, two side's authentication protocols, contain third-party authentication protocol, two side's IKEs, contain third-party IKE, two side's authentications and IKE, contain third-party authentication and IKE, two side's key agreement protocols, contain third-party key agreement protocol, two side's authentications and key agreement protocol, contain third-party authentication and key agreement protocol; The cryptographic algorithm type comprises: symmetric encipherment algorithm, rivest, shamir, adelman, signature algorithm, hash algorithm, random number generating algorithm.Cipher protocol and cryptographic algorithm class library both can be deposited in a special server in network, also can deposit in this locality of each user.Every class cipher protocol in cipher protocol and the cryptographic algorithm class library all provides a unified application interface to the user, is embedded in the application program in a kind of mode of unanimity guaranteeing; Every class cryptographic algorithm also provides a unified application interface for various different kind of cipher agreements, is embedded in the various cipher protocols in a kind of mode of unanimity guaranteeing.
Above-mentioned safety operation protecting method wherein comprises in the protocol events message of the current operation of user of the protocol events collector collection of user side: cipher protocol name, cipher protocol participant, session number, event type; This event type comprises the transmission and the reception of conversation message, and the foundation of session, interruption, failure; This session number is arranged in order by Arabic numerals; This cipher protocol participant adopts the network address or mac address information to represent; This cipher protocol name is the protocol name of the current operation of reflection, can be any existing cipher protocol name, for example NS agreement, Loo-Lam agreement.
Above-mentioned safety operation protecting method, it is as follows wherein to detect the current password agreement process of known attack or unknown novel attack that whether exists in service:
(1), judges whether be that a new cipher protocol session begins, if then create finite-state automata, otherwise find the finite-state automata of this incident correspondence about this session according to the cipher protocol type according to the event message that collects.This finite-state automata is used to describe a series of normal condition conversions of cipher protocol;
(2) event message that collects is added in the actual motion behavior summary table of current slot, and utilize the described finite-state automata of this Event triggered, make the cipher protocol generation state exchange of operation, and with cipher protocol true(-)running rule base in the state transition rules of this cipher protocol compare, if it is consistent, then gather next agreement run case, repeat (1)~(2), if up to the incident that collects the normal end of run of cipher protocol, the state exchange that triggers still with rule base in regular consistent, then normal operational report is sent in this cipher protocol normal termination;
(3) if regular inconsistent in cipher protocol operation and the true(-)running rule base, then the state exchange of cipher protocol operation and the attack signature in the cipher protocol known attack feature database are compared, if there is the state-transition rule that meets a certain attack signature, represent the current attack that exists, send intrusion alarm, comprise the title of being attacked to some extent in this alarm;
(4) to those unknown attack patterns, or the executing rule of may directly not violating the agreement, just cause network service or use unusual attack pattern, be that the operation of cipher protocol and agreement true(-)running rule and known attack feature be not when all meeting, parameter in cipher protocol actual motion behavior summary table and the normal operation action summary table of cipher protocol is compared, judge whether each parameter value exceeds preset threshold, as exceed threshold value, represent currently may have attack, send suspicious alarm, include the type that to be attacked in this alarm.
Two, inbreak-tolerated cipher protocol safety operation guard system
For the means of defence that makes design can the present invention further provides an inbreak-tolerated cipher protocol safety operation guard system better in the application in service of actual cipher protocol, realize the cipher protocol safety operation protecting method that designs.
Cipher protocol safety operation guard system provided by the invention, comprise the inbreak-tolerated module of cipher protocol intrusion detection module and cipher protocol, this intrusion detection module realizes the intrusion detection to cipher protocol attack in service, and testing result sent to inbreak-tolerated module, this inbreak-tolerated module adopts different self adaptations to adjust strategy to different intrusion behaviors, and the result of decision fed back to legal cipher protocol user side, the operation of dynamic adjustments cipher protocol, the implementation of new round cipher protocol is set, under the situation that does not influence the agreement normal use, reach prevention or inbreak-tolerated effect.
Above-mentioned cipher protocol safety operation guard system, wherein intrusion detection module comprises the protocol events collector, event message queue, the intrusion behavior determinant, the normal operation action summary table of cipher protocol, cipher protocol true(-)running rule base, cipher protocol known attack feature database, this protocol events collector is gathered the executory event message of cipher protocol in real time, and these message are kept in the event message queue, this event message queue is the data structure of a formation type, being used for storage is produced by the protocol events collector, but the event message that not invaded as yet behavior determinant uses, this intrusion behavior determinant reads message from event message queue, make judgement to whether existing in the current password protocol implementation to attack, comprised the behavior pattern parameter when portraying all kinds of cipher protocols and normally moving in the normal operation action summary table of this cipher protocol, the executing rule when this cipher protocol true(-)running rule base and cipher protocol known attack feature database are stored the correct execution rule of all kinds of cipher protocols respectively and the known attack mode is taken place.
Above-mentioned cipher protocol safety operation guard system, wherein inbreak-tolerated module comprise cipher protocol and cryptographic algorithm class library, the inbreak-tolerated tactful adjuster of cipher protocol self adaptation, the inbreak-tolerated execution unit of self adaptation.Store classifiedly various types of cipher protocols and cryptographic algorithm in this cipher protocol and the cryptographic algorithm class library, the inbreak-tolerated tactful adjuster of this cipher protocol self adaptation receives the intrusion detection result that the invasion detection module sends, alarm/attack kind according to test results report, increase the cryptographic algorithm key length that uses in the current operation cipher protocol, the piecemeal length parameter, or the operational mode of change cryptographic algorithm, or from cipher protocol and cryptographic algorithm class library, select for use and current operation agreement or similar cipher protocol or the algorithm of algorithm, the cryptographic algorithm that uses in cipher protocol that replacement is being used or the agreement, adjust with the inbreak-tolerated strategy of the self adaptation of carrying out cipher protocol, and strategy is adjusted the result issue the inbreak-tolerated execution unit of self adaptation, the inbreak-tolerated execution unit of this self adaptation uses the information exchange mechanism between the session participant, self adaptation is adjusted other legal participant of cipher protocol in the result notification network, and the implementation of new round cipher protocol is set.
The present invention has following advantage:
(1) intrusion detection in real time targetedly
Because the information data of nearly all use was all encrypted during cipher protocol was carried out, adopt traditional intrusion detection method effectively to detect, so the cipher protocol intrusion detection that the present invention adopts mainly is the feature when carrying out according to cipher protocol, the implementation of cipher protocol has been divided into different states, use the execution in step of finite-state automata mapping cipher protocol, in the cipher protocol implementation, monitor the operation of cipher protocol in real time, dynamically, in time find known attack.
(2) can be dual carry out intrusion detection
In the cipher protocol intrusion detection method, based on the unusual intrusion detection method rate of false alarm height of statistics, based on the high problem of the Method of Misuse Intrusion Detection rate of failing to report of feature, the cipher protocol intrusion detection method that the present invention adopts feature intrusion detection and unusual intrusion detection to combine effectively detects, and has reduced the rate of false alarm and the rate of failing to report of testing result.
(3) dynamic self-adapting is inbreak-tolerated
After not only having considered to detect attack; the response treating method that should take; also consider the countermeasure that may have system under the attack condition; the present invention has designed two kinds of inbreak-tolerated adjustment strategies of cipher protocol self adaptation: the algorithm self adaptation adjusts strategy and parameter adaptive is adjusted strategy; can be according to current type of being attacked; dynamically adjust the operation of cipher protocol, make assailant's intrusion behavior to be prevented from or tolerated the security of operation of better protection cipher protocol.
(4) intrusion detection and inbreak-tolerated collaborative work
The intrusion detection module is responsible for the ruuning situation of real time monitoring cipher protocol, in time finds attack, and inbreak-tolerated module is responsible for detecting the processing after the attack, with the security of operation of better protection cipher protocol.
(5) occupation mode is flexible
For the ease of using, respectively intrusion detection module and two modules of inbreak-tolerated module have been carried out independent design, the user in use, both can select the intrusion detection module separately, as detecting the instrument of whether being attacked in the cipher protocol implementation, also can select two modules to work together simultaneously, with after detecting attack, the operation of dynamic adjustments cipher protocol stops or tolerates certain attack.
(6) the present invention has remedied existing deficiency to the cipher protocol security analytical method, both can detect the cipher protocol running in real time, in time find attack, can handle detected attack again, stop or tolerate that these attack to continue take place, the security protection in all directions to the cipher protocol operation is provided.
Technical scheme of the present invention and effect can further specify with execution mode in conjunction with the following drawings.
Description of drawings
Fig. 1 is the safe operation protection process schematic diagram of cipher protocol of the present invention
The message schematic diagram that comprises in the incident that Fig. 2 collects for the protocol events collector
Fig. 3 is inbreak-tolerated cipher protocol safety operation guard system schematic diagram
Fig. 4 is a cipher protocol intrusion detection modular structure schematic diagram
Fig. 5 is the inbreak-tolerated modular structure schematic diagram of cipher protocol
Fig. 6 is a performance simulation experimental situation schematic diagram of the present invention
The response condition schematic diagram of server when Fig. 7 does not all start for intrusion detection module and inbreak-tolerated module
The response condition schematic diagram of server when Fig. 8 starts for the intrusion detection module
The response condition schematic diagram of server when Fig. 9 all starts for intrusion detection module and inbreak-tolerated module
Figure 10 is for using the response condition embodiment schematic diagram that improves the inbreak-tolerated module runtime server in back.
One, the concrete enforcement of inbreak-tolerated cipher protocol safety operation protecting method
With reference to Fig. 1, the cipher protocol safety operation protecting method that the present invention is inbreak-tolerated comprises following process:
1, disposes the normal operation action summary table of true(-)running rule base, known attack feature database and cipher protocol, cipher protocol and cryptographic algorithm class library, the inbreak-tolerated tactful adjuster of cipher protocol self adaptation of all kinds of cipher protocols at each user side, after bringing into operation, also in different time sections, set up new cipher protocol actual motion behavior summary table according to the practical operation situation of cipher protocol.
Deposit the true(-)running rule of various cipher protocols in the true(-)running rule base of these all kinds of cipher protocols.Because the new attack method at cipher protocol emerges in an endless stream, it is unpractical therefore all attacks at cipher protocol being described.And the normal state transitions of cipher protocol can be described and be limited, therefore the state exchange of a series of normal cipher protocol can be described with finite-state automata, utilize the trigger of the run case of current operation cipher protocol as the state machine state variation, during the transformation rule in the true(-)running rule base that if a series of state exchanges that the cipher protocol of current operation produces are not systems to be set in advance, then think attack at this cipher protocol may take place.
Deposit in this known attack feature database various cipher protocols by successful attack the time operation rule.Similar with the true(-)running rule base of all kinds of cipher protocols, the state exchange of cipher protocol when describing a series of successful attack with finite-state automata, also utilize simultaneously the trigger of agreement run case as the finite-state automata state variation, if a series of state exchanges that the cipher protocol of current operation produces are accepted by the known attack feature database that system sets in advance, then think attack at this cipher protocol has taken place certainly.
All kinds of activity statistics parameters of portraying all kinds of cipher protocol operation normal behaviour patterns have been comprised in the normal operation action summary table of this cipher protocol.These all kinds of activity statistics parameters comprised in each time period, and each cipher protocol executes the maximum times threshold value that state-transition takes place in the session maximum number threshold value, finite-state automata of interruption/failure between the maximum number threshold value, session side of cipher protocol session between required maximum time threshold value, the session side.The foundation of these threshold values be by the systematic training stage to not comprising all kinds of cipher protocol service datas of any attack, carry out processed offline, the normal behaviour model of activity overview obtains when setting up the operation of all kinds of cipher protocols, at detection-phase the agenda of it and cipher protocol is compared, if greater than the deviation of given threshold value, just think invasion taken place.
Be that the practical operation situation according to cipher protocol is set up in each different time sections of system's operation in this actual motion behavior summary table, parameter in the table comprised in each time period, the average time that state-transition takes place in the average number of interruption/failure session, the finite-state automata between the average number of cipher protocol session, the session side between the average time that each cipher protocol executes, the session side, the continuous generation of protocol events when the value of these parameters is moved along with cipher protocol and being brought in constant renewal in.
Depositing dissimilar various cipher protocols and cryptographic algorithm in this cipher protocol and the cryptographic algorithm class library.These cipher protocols had both comprised authentication protocol, also comprised authentication and IKE and authentication and key agreement protocol; Both comprise two side's agreements, also comprised three parts or multilateral accord; Both comprised the existing conventional cipher protocol, and, also comprised in the academic research as the D-H IKE, also being comprised two/tripartite agreement that may design future by some agreements of extensive discussions as IPSec, SSL, SSH; Both may be the cipher protocol at wired applied environment, also may be the cipher protocol at Wireless Application Environment even spatial network environment; Cryptographic algorithm comprises various existing symmetric encipherment algorithms, rivest, shamir, adelman, signature algorithm, hash algorithm, random number generating algorithm.
The inbreak-tolerated tactful adjuster of this cipher protocol self adaptation is used for being subjected to the cryptographic algorithm that the cipher protocol that maybe may be subjected to attack or agreement are used to current, agreement or algorithm in the agreement that accesses to your password and the cryptographic algorithm class library are replaced, so that current attack is invalid; Or dynamically change employed security parameter or operational mode in current agreement or the algorithm, and strengthen the following successful implementation difficulty of attacking of assailant, reach the ability of the current invasion of tolerance.
2, gather the protocol events message of the current operation of user by the protocol events collector of user side, and the event message that collects added in the current actual motion behavior summary table, judge then whether the incident that collects represents that a new cipher protocol session begins, if, then create finite-state automata, otherwise find the finite-state automata of this incident correspondence about this session according to the cipher protocol type.
The protocol events collector of user side is caught the network communication data of user side, and the networks of different type communication data is gathered and carried out protocol events format expression, finishes the function of current agreement run case generator.
With reference to Fig. 2, comprise in the protocol events message of the current operation of user of the protocol events collector collection of user side: cipher protocol name, cipher protocol participant, cipher protocol session number, event type.This event type comprises the transmission and the reception of conversation message, and the foundation of session, end, interruption, failure; This session number to the current cipher protocol session of having set up of this user side according to be arranged in order for example session 1, session 2... its settling time by Arabic numerals; This cipher protocol participant represents to participate in this user side the user of the cipher protocol of current operation, adopts the network address or mac address information to represent, for example: 25.20.176.72; This cipher protocol name is the protocol name of the current operation of reflection, can be any existing cipher protocol name, for example NS agreement, Loo-Lam agreement.According to the cipher protocol name that comprises in these event messages and this agreement participant's title, just can uniquely determine that this incident is to belong to which cipher protocol which user participates in, again according to session number and event type, the ruuning situation of real time monitoring cipher protocol.
3, detect the cipher protocol novel attack that whether has known attack behavior or the unknown in service.
(1) the described finite-state automata of protocol events message trigger that utilizes described protocol events collector to collect, make the cipher protocol generation state exchange of current operation, and compare with transformation rule in the cipher protocol true(-)running rule base, if it is inconsistent, then show to exist and attack, change step (2), otherwise judge whether described finite-state automata has entered state of termination, if, show agreement normal end of run, then send normal operational report, otherwise gather next agreement run case, repeat 2 by the protocol events collector of user side;
(2) if regular inconsistent in cipher protocol operation and the described true(-)running rule base, then state exchange that the cipher protocol operation is taken place and the attack signature in the cipher protocol known attack feature database compare, if meet the state-transition rule of a certain attack signature, represent the current attack that exists, send intrusion alarm, comprise the title of being attacked to some extent in this intrusion alarm;
(3) to the executing rule of directly not violating the agreement, just cause network service or use unusual attack pattern, be operation and the agreement true(-)running rule and all incongruent unknown attack mode of known attack feature of cipher protocol, parameter in cipher protocol actual motion behavior summary table and the normal operation action summary table of cipher protocol is compared, judge whether each parameter value exceeds preset threshold, if the cipher protocol time of implementation of current operation surpasses maximum time in the normal operation action summary table of cipher protocol during threshold value, then send overtime suspicious alarm of time of implementation; When if the number of times that state-transition takes place in the session number of interruption/failure, the finite-state automata between the cipher protocol session maximum number of initiating in current slot between the cipher protocol session side of current operation, the session side surpasses in the normal operation action summary table of cipher protocol corresponding threshold value, represent currently may have attack, send the suspicious alarm of violating corresponding execution parameter.
4, the inbreak-tolerated counter-measure of self adaptation is taked in attack.
When finding the generation of attack is arranged, adopt the tactful device of the inbreak-tolerated adjustment of self adaptation that the cipher protocol operation self adaptation of current operation is adjusted strategy, so that current attack is invalid.The tactful device of the inbreak-tolerated adjustment of this self adaptation, but the implementation algorithm self adaptation is adjusted strategy and parameter adaptive is adjusted strategy.Wherein:
The algorithm self adaptation is adjusted the main reply of strategy known attack, when intrusion alarm sends, at the current attack type that is subjected to, message replay attack as cipher protocol or cryptographic algorithm, man-in-the-middle attack, parallel session is attacked, reflection attack, interleaving attack, the cryptographic service abuse is attacked, similar other cipher protocol or the algorithm of employed cryptographic algorithm in cipher protocol and presently used cipher protocol of cryptographic algorithm class library request or current password agreement, replace employed cryptographic algorithm in presently used cipher protocol of user side or the cipher protocol, it is invalid to make current attack mode attack for following successful implementation;
Parameter adaptive is adjusted the main reply of strategy unknown attack, when suspicious alarm is sent, increase the key length of the cryptographic algorithm that uses in the cipher protocol of current operation or the cipher protocol, these security parameters of branch block length of cryptographic algorithm, perhaps dynamically change the operational mode of employed cryptographic algorithm in the current password agreement, change ECB as the cryptographic algorithm that ssl protocol is used into from the CBC pattern, the CFB pattern, or require the user before sending the cipher protocol conversation request, to answer the Puzzle that server sends earlier to server, it is invalid so that current attack mode is attacked for following successful implementation, or make the required resource that expends of following successful implementation attack continue to increase, until abandoning attack.
Two, the concrete enforcement of inbreak-tolerated cipher protocol safety operation guard system
With reference to Fig. 3, safe operation guard system of the present invention comprises: the inbreak-tolerated module of cipher protocol intrusion detection module and cipher protocol.Wherein the realization module of cipher protocol intrusion detection module and cipher protocol self is carried out alternately, whether having attack in the real-time detection cipher protocol running, and sends warning information for when finding to attack the inbreak-tolerated module of cipher protocol; The inbreak-tolerated module of cipher protocol is in time adjusted the cipher protocol of operation according to certain strategy behind the warning information that receives from the intrusion detection module, makes that current attack pattern is invalid.
1, cipher protocol intrusion detection module
With reference to Fig. 4, cipher protocol intrusion detection module comprises protocol events collector, event message queue, cipher protocol true(-)running rule base, cipher protocol known attack feature database, cipher protocol behavior summary table, intrusion behavior determinant.
Described protocol events collector is caught the cipher protocol communication data of user side, different kind of cipher protocol communication data are gathered and carried out protocol events format expression, finish the function of current agreement run case generator, and the incident after these formats is kept in the event message queue.
Described event message queue is the data structure of a formation type, is used for preserving producing by the protocol events collector, but the event message that not invaded as yet behavior determinant uses.
The true(-)running rule base of described cipher protocol and cipher protocol known attack feature database are formed by the text of same size one by one, operation rule when all depositing a kind of true(-)running rule of cipher protocol in each text or known attack taking place, these rule schematas are:
begin ×× NUM type
statel?principal(/)principal?state2?msgNum
state1?principal(/)principal?state2?msgNum
--
end。
Wherein:
Begin/end: presentation protocol normally moves or certain attack signature begins/finishes in this delegation;
NUM: represent a digital value, the true(-)running rule of expression cipher protocol and when having known attack after this feature of executing rule followed by be a correct agreement operation or an attack, NUM>=0 representation feature is an attack signature, and NUM=-1 represents that this feature is the normal operation of agreement.
Type: effective when NUM>=0, represent the corresponding attack type of current rule, its value can be:
The R-message replay attack;
The P-parallel session is attacked;
The M-man-in-the-middle attack;
The O-reflection attack
The L-interleaving attack
C-is at the attack of cryptographic algorithm
State1: the state of expression finite automata before incident sends or receives beginning, as: SS represents initial state, and S1 represents state 1;
State2: the state of expression finite-state automata after incident takes place, S2 represents state 2; FS represents done state;
/: expression is a transmission/reception incident, with →/← represent;
Principal: presentation protocol participant title, show with single alphabetical identifier list, as: A, B, S;
MsgNum: the message SN during the presentation protocol true(-)running.
For example, the NS protocol specification is:
1)A→S:A,B,Na
2)S→A:{Na,B,Kab,{Kab,A}Kbs}Kas
3)A→B:{Kab,A}Kb
4)B→A:{Nb}Kab
5)A→B:{Nb-1}Kab
Its true(-)running rule can be described below:
begin?NS -1
ss?A→S?s1?1
s1?S←A?s2?1
s2?S→A?s3?2
s3?A←S?s4?2
s4?A→B?s5?3
s5?B←A?s6?3
s6?B→A?s7?4
s7?A←B?s8?4
s8?A→B?s9?5
s9?B←A?fs?5
end。
Suppose to run to for the 3rd when step, have an assailant M monitoring network and writing down message 3 when the NS agreement, but the session key K ' of M replay old at this moment
Ab, the A that disguises oneself as by following step, initiates the Replay Attack between A and the B.
1)A→S:A,B,N
a
2)S→A:{N
a,B,K
ab,{K
ab,A}K
bs}K
as
3)A→B:{K
ab,A}K
bs
3′)M(A)→B:{K′
ab,A}K
bs
4)B→M(A):{N
b}K?′
ab
5)M(A)→B:{N
b-1}K′
ab
At this moment, B believes him still in the correct execution of agreement, and M can with the key K of stealing '
Ab, the A that continues to disguise oneself as communicates by letter with B, and this moment, M successfully destroyed the important goal that this agreement will reach, and promptly confirmed the actual communication of main body.
Represent NS agreement execution this Replay Attack under can be expressed as following 11 incidents by receiving and send event methods:
1)A→S
2)S←A
3)S→A
4)A←S
5)A→B
6)M(A)→B
7)B←M(A)
8)B→M(A)
9)M(A)←B
10)M(A)→B
11)B←M(A)
Because the message informing that the M assailant can not send him or receive is to the invasion detection module, so the incident that the intrusion behavior determinant is received is:
1)A→S
2)S←A
3)S→A
4)A←S
5)A→B
6)B←A
7)B→A
8)B←A
Then just should deposit following rule format in the cipher protocol known attack feature database:
begin?NS?0?R
ss?A→S?s1?1
s1?S←A?s2?1
s2?S→A?s3?2
s3?A←S?s4?2
s4?A→B?s6?3
s6?B→A?s8?4
s8?B←A?fs?5
end
Described cipher protocol behavior summary table comprises normal operation action summary table of cipher protocol and cipher protocol actual motion behavior summary table.Comprised the behavior pattern parameter when portraying the operation of all kinds of cipher protocols in the cipher protocol behavior summary table, because what of cipher protocol frequency of utilization in the system, relevant with the date and time section at place to a great extent, as 9:00-11:00 cipher protocol application request quantity, to be higher than the cipher protocol application request of 11:00-13:00; And to the same period, the cipher protocol application request quantity of working day and festivals or holidays is also inequality, thus in the behavior summary table to distinguishing on working day and festivals or holidays, and portray respectively being divided into 6 different time periods 24 hours every days.
Various parameter values when main storage cipher protocol normally moves in the normal operation action summary table of cipher protocol, these parameters are to judge whether there is the foundation that cipher protocol is attacked in the current system, the selection of parameter item is by in the systematic training stage training data of the cipher protocol operation that do not comprise any attack being carried out processed offline, and the normal behaviour model of activity overview obtains when setting up all kinds of cipher protocols operation.These values comprised when cipher protocol normally moves in each time period, each cipher protocol executes in the maximum number, network of cipher protocol session in required maximum time, the network protocol conversation in violation of rules and regulations, as the maximum times of state-transition generation in the maximum number of the session of interruptions/failure, the finite-state automata; For reducing the rate of false alarm of intrusion detection, above-mentioned cipher protocol operation action is defined a threshold value, as the maximum deviation of normal behaviour; Various parameter values when cipher protocol actual motion behavior summary table is mainly stored the cipher protocol actual motion in each time period, comprise in each time period, each cipher protocol executes in the average number, network of cipher protocol session between required average time, the current agreement participant protocol conversation in violation of rules and regulations, as the average time of state-transition generation in the average number of the session of interruptions/failure, the finite-state automata.
Described intrusion behavior determinant reads message from event message queue, information in the agreement that comprehensively accesses to your password true(-)running rule base, cipher protocol known attack feature database, the normal operation action summary table of cipher protocol is made judgement to whether existing in the current password protocol implementation to attack, maybe may exist attack then to report to the police as existing, to comprise in the warning and suffer attack type to some extent to the inbreak-tolerated module of cipher protocol.An independently intrusion behavior determinant both can be set in protected network; adopt to concentrate determinating mode to receive each main frame is sent in the automatic network protocol events message whether to have the judgement of invasion; also can on each user side, design intrusion behavior determinant separately, adopt the distribution determinating mode whether there is the judgement of invasion from the protocol events message of sending on the local host.
2. the inbreak-tolerated module of cipher protocol
With reference to Fig. 5, the inbreak-tolerated module of cipher protocol comprises: cipher protocol and cryptographic algorithm class library, the inbreak-tolerated tactful adjuster of cipher protocol self adaptation, the inbreak-tolerated execution unit of self adaptation.
Depositing existing known various different kind of cipher agreements and cryptographic algorithm in described cipher protocol and the cryptographic algorithm class library.Type under each cipher protocol and cryptographic algorithm all identify.The cipher protocol type comprises: folk prescription authentication protocol, two side's authentication protocols, contain third-party authentication protocol, two side's IKEs, contain third-party IKE, two side's authentications and IKE, contain third-party authentication and IKE, two side's key agreement protocols, contain third-party key agreement protocol, two side's authentications and key agreement protocol, contain third-party authentication and key agreement protocol; The cryptographic algorithm type comprises: symmetric encipherment algorithm, rivest, shamir, adelman, signature algorithm, hash algorithm, random number generating algorithm.Cipher protocol and cryptographic algorithm class library both can be deposited in a special server in network, also can deposit in this locality of each user.Every class cipher protocol in cipher protocol and the cryptographic algorithm class library all provides a unified application interface to the user, is embedded in the application program in a kind of mode of unanimity guaranteeing; Every class cryptographic algorithm also provides a unified application interface for various different kind of cipher agreements, is embedded in the various cipher protocols in a kind of mode of unanimity guaranteeing.
The inbreak-tolerated tactful adjuster of described cipher protocol self adaptation, be mainly used in when receiving the intrusion alarm that sends from cipher protocol intrusion detection module, lead to employed cipher protocol or cryptographic algorithm are carried out tactful self adaptation adjustment, make that current attack is invalid, realize the ability of these invasions of system tolerant.The inbreak-tolerated tactful adjuster of cipher protocol self adaptation can be realized two types cipher protocol invasion adjustment strategy, i.e. algorithm self adaptation adjustment strategy and parameter adaptive are adjusted tactful.Wherein algorithm self adaptation adjustment strategy is: be subjected at the cipher protocol self or the message replay attack of employed cryptographic algorithm wherein when receiving from intrusion detection module report, man-in-the-middle attack, parallel session is attacked, reflection attack, interleaving attack, when the cryptographic service abuse is attacked, to cipher protocol and the request of cryptographic algorithm class library other cipher protocol or the cryptographic algorithm similar with presently used cipher protocol or cryptographic algorithm, replace presently used cipher protocol or cryptographic algorithm, under the situation that keeps current system security function, make current attack mode invalid for implementing successful attack future.Parameter adaptive adjustment strategy is: to be subjected to the time of implementation from intrusion detection module report overtime or when violating the suspicious alarm of execution parameter when receiving, increase the key length of the cryptographic algorithm that uses in the cipher protocol of current operation or the cipher protocol, the parameters such as branch block length of cryptographic algorithm, so that the assailant once more successful implementation attack the required resource that expends and continue to increase, abandon attacking until at last; Perhaps dynamically change the operational mode of employed cryptographic algorithm in the current password agreement, make current attack mode invalid, and increase the artificial diversity and the unpredictability of the algorithm operational mode that accesses to your password for implementing successful attack future.
The inbreak-tolerated execution unit of described self adaptation is used to guarantee that the inbreak-tolerated tactful adjuster of cipher protocol self adaptation no matter adopts is algorithm self adaptation adjustment strategy or adopts parameter adaptive to adjust strategy, can both adopt identical adjustment strategy to carry out the self adaptation adjustment between the session participant of cipher protocol, this mainly realizes by the information exchange between the session participant.When using the algorithm self adaptation to adjust strategy, if deposit in cipher protocol and the cryptographic algorithm class library specialized server in network, the inbreak-tolerated execution unit of this self adaptation also needs to use the information exchange mechanism between user side and this specialized server that new cryptographic algorithm or cipher protocol are downloaded to the local use of user side.
Three, performance simulation of the present invention
In order to verify the performance of the cipher protocol safety operation protecting method that the present invention is designed, we have carried out performance simulation based on the method for simulation.As Fig. 6, experiment is carried out based on the client-server pattern in LAN environment, and the PC that to adopt three Pentium4 CPU 1.6GHz, internal memory 512MB, operating systems be Windows2003 is respectively client computer 1, client computer 2, client computer 3 as client computer; Another is that the PC of Windows2003 is as server with Pentium 4 CPU 3.06GHz Hz, internal memory 2048MB, operating system, by using a client-side program ceaselessly to send connection request to server, and carry out normally or the agreement operating procedure under fire the time, simulate validated user and assailant.When client-side program simulation validated user, completely correctly move whole NS agreement, D-H agreement, O-R agreement, W-L agreement and ssl protocol with server; When client-side program simulated strike person, carry out alternately with server according to attack rule at these agreements.At the test experiments of cipher protocol intrusion detection capability of the present invention, mainly launch: the intrusion detection the when intrusion detection the when intrusion detection during single session, Replay Attack, parallel session from following three aspects; At the test experiments of the inbreak-tolerated ability of cipher protocol of the present invention, be that detection and the tolerance effect that simulation is attacked at ssl protocol under highly concurrent situation launched.
Under single session case, system of the present invention only moves described agreement respectively on an individual session, can correctly detect the attack at these agreements.
In order to test the ability of preventing playback attack, we have at first simulated the true(-)running of NS agreement and O-R agreement on the server of an individual session, after 5 seconds, move one once more and attack session on same protocol module then.
Experiment shows, in each example, can both detect the attack at such playback.
In order to test the parallel ability of attacking that detects, two examples of our concurrent running W-L agreement, experiment shows, attacks also can be detected exactly.
In order to test the ability that antireflection is attacked, we at first initiate operation W-L agreement by server end, the message from server that will be received by the assailant intactly sends back to server end then, and testing result shows that this attack also can be detected well.
In order to test inbreak-tolerated ability, we are with reference to technology [the Serge Vaudenay.Security Flaws Induced by CBCPadding-Applications to SSL that carries out the limit channel attack under the CBC fill pattern at ssl protocol that provides of Serge Vaudenay, IPSEC, WTLS..., Advances in Cryptology EUROCRYPT ' 02, Amsterdam, Netherland, Lecture Notes in Computer Science No.23 32, Springer-Verlag, 2002, pp.534-545.], ceaselessly send connection request to server by attacker, draw some information according to the length of server response time then about system password with the initial vector of meticulous preparation.As described in this article, the assailant just can crack the whole system password by sending 2048 specific conversation request.Because the assailant need not the whole agreement of entire run at every turn, only need obtain the step response that server provides and get final product, so a principal character of this attack is exactly, and the assailant initiates the conversation request of dying on the vine in a large number in very short time.
Behavior summary table when at first needing to set up ssl protocol and normally moving can not comprise the operation action of any attack activity by the monitoring ssl protocol in 1 time-of-week, through data acquisition and processing (DAP), and the every behavior parameter when obtaining its normal operation.On client computer 1,2, simulate the assailant and the legitimate client of ssl protocol then respectively, all do not stop to send the ssl protocol request to server with the speed of interval 200ms, the legitimate client of simulation DH agreement does not stop to send the ssl protocol request to server with the speed of interval 100ms on client computer 3
Because a principal character of described attack is exactly the conversation request of initiating at short notice to die on the vine in a large number, therefore described attack will surpass the respective threshold in the normal operation action summary table of cipher protocol because of the session number of interruption/failure in the current slot and be detected.As Fig. 7, server end was not to these three kinds of request responding situations when expression intrusion detection module and inbreak-tolerated module all started.As can be seen from Fig. 7, the assailant has obtained about 63 response from server altogether 25 seconds time, and therefore wanting successful implementation to attack needs 2048/63*25=812 second altogether, promptly about 13 minutes.
After starting cipher protocol intrusion detection module, experiment shows, can receive the suspicious alarm that interruption/failure session maximum number threshold value between the session side has been violated by system that module is sent soon, shows that attack activity is detected.As Fig. 8, expression intrusion detection module starts the back server end to these three kinds of request responding situations, as seen, because the startup of intrusion detection module has consumed certain system resource, causes system that the responding ability of normal operation agreement has also been produced certain influence.
As Fig. 9, expression intrusion detection module and inbreak-tolerated module all start the back server end to these three kinds of request responding situations, here the suspicious warning of adopting parameter adaptive response policy that the intrusion detection module is sent responds, and requires ssl protocol promoter first Puzzle that answers from server before the request of sending.Because the generation of Puzzle only need select a random number to carry out Hash calculating and the result is issued client getting final product, server produces puzzle and client computer and finds the solution the required systematic cost of puzzle and compare much smallerly, therefore can not bring too much load to server; And the ssl protocol promoter wants to start the SSL session, must carry out exhaustive search in the plaintext space of this Hash function, needs long computing time.What provide among the figure is Puzzle response condition when using 6 bit values, because server does not add differentiation to the request from client computer 1 and client computer 2, therefore the response speed to client computer 1 and client computer 2 all has decline significantly, and this moment, the request of client computer 3 was then well guaranteed.As can be seen from Fig. 8, the assailant has obtained the response about about 5 from server altogether 25 seconds time, and therefore wanting successful implementation to attack needs 2048/5*25=10240 second altogether, promptly about 170 minutes.Obviously, the cost that the assailant wants the successful implementation attack to pay becomes very big, and promptly system can tolerate such attack to a certain extent.If want further to improve assailant's invasion cost, only need figure place with Puzzle improve again and get final product, 1 of every raising, the cost that the assailant will pay will be doubled.
As Figure 10, provided the results of property of the inbreak-tolerated response scheme after a kind of improve, in the invasion report, not only comprise the current attack type that suffers, and comprise the IP address at assailant place, inbreak-tolerated like this module only needs to send the Puzzle challenge at client computer 1 and gets final product, and has guaranteed the response performance of validated user client computer 2 and client computer 3 in inbreak-tolerated.
Claims (10)
1. inbreak-tolerated cipher protocol safety operation protecting method comprises following process:
True(-)running rule transformation warehouse, known attack feature database, the normal inbreak-tolerated tactful adjuster of behavior summary table, cipher protocol and cryptographic algorithm class library, cipher protocol self adaptation that moves of cipher protocol at each user side configuration protocol incident collector, all kinds of cipher protocols; After safety operation protecting method brings into operation, also in different time sections, set up cipher protocol actual motion behavior summary table according to the practical operation situation of cipher protocol;
Gather the cipher protocol event information of the current operation of user in real time by the protocol events collector of user side, state exchange takes place by this protocol events message trigger cipher protocol operation, and with in the true(-)running rule base of the state exchange that taken place and described cipher protocol about the rule of this cipher protocol, feature about this cipher protocol in the known attack feature database compares, described cipher protocol event message is added in the current actual motion behavior summary table simultaneously, and compare with behavior parameter in the normal operation action summary table of cipher protocol, there is unknown novel attack to detect cipher protocol known attack or the suspection of whether existing in service;
When finding to have the generation of attack or suspection to have attack to take place, by the inbreak-tolerated tactful adjuster of cipher protocol self adaptation, from cipher protocol and cryptographic algorithm class library, select for use and current operation agreement or similar other cipher protocol or the algorithm of algorithm, the cryptographic algorithm that uses in cipher protocol that replacement is being used or the agreement is so that current attack is invalid; Perhaps dynamically change key length, the piecemeal length parameter of the cryptographic algorithm that uses in the current operation cipher protocol, or change the operational mode of cryptographic algorithm, strengthen the following successful implementation difficulty of attacking of assailant, reach the ability of the current invasion of tolerance.
2. safety operation protecting method according to claim 1 is characterized in that having comprised in the normal behavior summary table that moves of cipher protocol all kinds of activity statistics parameters of portraying all kinds of cipher protocols operation normal behaviour patterns.These all kinds of activity statistics parameters comprised in each time period, and each cipher protocol executes the maximum times threshold value that state-transition takes place in the session maximum number threshold value, finite-state automata of interruption/failure between the maximum number threshold value, session side of cipher protocol session between required maximum time threshold value, the session side.
3. safety operation protecting method according to claim 1 is characterized in that depositing in cipher protocol and the cryptographic algorithm class library various different kind of cipher agreements and cryptographic algorithm, the type under each cipher protocol and cryptographic algorithm all identify.
4. safety operation protecting method according to claim 1 is characterized in that comprising in the protocol events message of the current operation of user of protocol events collector collection of user side: cipher protocol name, cipher protocol participant, session number, event type; This event type comprises the transmission and the reception of conversation message, and the foundation of session, interruption, failure; This session number is arranged in order by Arabic numerals; This cipher protocol participant adopts the network address or mac address information to represent; This cipher protocol name is the protocol name of the current operation of reflection.
5. safety operation protecting method according to claim 1, it is as follows to it is characterized in that detecting the cipher protocol process of known attack behavior or unknown novel attack that whether exists in service:
(1), judges whether be that a new cipher protocol session begins, if then create finite-state automata, otherwise find the finite-state automata of this incident correspondence about this session according to the cipher protocol type according to the protocol event information that collects;
(2) event message that collects is added in the actual motion behavior summary table of current slot, and utilize the described finite-state automata of this Event triggered, make the cipher protocol generation state exchange of operation, and with cipher protocol true(-)running rule base in the state transition rules of this cipher protocol compare, if it is consistent, then gather next agreement run case, repeat (1)~(2), if up to the incident that collects the normal end of run of cipher protocol, the state exchange that triggers still with rule base in regular consistent, then normal operational report is sent in this cipher protocol normal termination;
(3) if regular inconsistent in cipher protocol operation and the true(-)running rule base, then the state exchange of cipher protocol operation and the attack signature in the cipher protocol known attack feature database are compared, if there is the state-transition rule that meets a certain attack signature, represent the current attack that exists, send intrusion alarm, comprise the title of being attacked to some extent in this alarm;
(4) to those unknown attack patterns, or the executing rule of may directly not violating the agreement, just cause network service or use unusual attack pattern, be that the operation of cipher protocol and agreement true(-)running rule and known attack feature be not when all meeting, parameter in cipher protocol actual motion behavior summary table and the normal operation action summary table of cipher protocol is compared, judge whether each parameter value exceeds preset threshold, as exceed threshold value, represent currently may have attack, send suspicious alarm, include the type that to be attacked in this alarm.
6. according to claim 2 or 5 described safety operation protecting methods, it is characterized in that suspicious alarm types, comprise suspicious alarm that the time of implementation is overtime and the suspicious alarm of violating execution parameter; If the cipher protocol time of implementation of current operation surpasses maximum time in the normal operation action summary table of cipher protocol during threshold value, then send overtime suspicious alarm of time of implementation; If when the number of times that state-transition takes place in the session number of interruption/failure, the finite-state automata between the cipher protocol session maximum number of initiating between the cipher protocol session side of current operation, the session side surpasses in the normal operation action summary table of cipher protocol corresponding threshold value, send the suspicious alarm of violating corresponding execution parameter in current slot.
7. safety operation protecting method according to claim 5, it is characterized in that finite-state automata is used to describe a series of normal condition conversions of cipher protocol, utilize the trigger of the run case of current operation cipher protocol as the state machine state variation, if the transformation rule in the true(-)running rule base that a series of state exchanges that the cipher protocol of current operation produces are not systems to be set in advance is then thought attack at this cipher protocol has been taken place.
8. inbreak-tolerated cipher protocol safety operation guard system, comprise the inbreak-tolerated module of cipher protocol intrusion detection module and cipher protocol, this intrusion detection module realizes the intrusion detection to cipher protocol attack in service, and testing result sent to inbreak-tolerated module, this inbreak-tolerated module adopts different self adaptations to adjust strategy to different intrusion behaviors, and the result of decision fed back to legal cipher protocol user side, the operation of dynamic adjustments cipher protocol, the implementation of new round cipher protocol is set, under the situation that does not influence protocol safety, reach prevention or inbreak-tolerated effect.
9. safe operation guard system according to claim 8 is characterized in that the intrusion detection module comprises behavior summary table, the intrusion behavior determinant of protocol events collector, event message queue, cipher protocol true(-)running rule base, cipher protocol known attack feature database, the normal operation of cipher protocol; This protocol events collector is caught the cipher protocol communication data of user side, different kind of cipher protocol communication data is gathered and is carried out protocol events format expression, and the incident after these formats is kept in the event message queue; This event message queue is the data structure of a formation type, is used to store the event message that is produced by the protocol events collector; This intrusion behavior determinant reads message from event message queue, make judgement to whether existing in the current password protocol implementation to attack; Comprised the behavior pattern parameter when portraying all kinds of cipher protocols and normally moving in the normal operation action summary table of this cipher protocol; Executing rule when this cipher protocol true(-)running rule base and cipher protocol known attack feature database are stored the correct execution rule of all kinds of cipher protocols respectively and the known attack mode is taken place.
10. safe operation guard system according to claim 9, it is characterized in that inbreak-tolerated module comprises cipher protocol and cryptographic algorithm class library, the inbreak-tolerated tactful adjuster of cipher protocol self adaptation, the inbreak-tolerated execution unit of self adaptation, store classifiedly various types of cipher protocols and cryptographic algorithm in this cipher protocol and the cryptographic algorithm class library, the inbreak-tolerated tactful adjuster of this cipher protocol self adaptation is according to the intrusion detection result who receives from the intrusion detection module, dynamically change presently used cipher protocol or cryptographic algorithm, perhaps change employed security parameter or operational mode in cipher protocol or the cryptographic algorithm, and strategy is adjusted the result issue the inbreak-tolerated execution unit of self adaptation, the legal participant of cipher protocol in the informing network, the implementation of new round cipher protocol is set, the inbreak-tolerated execution unit of this self adaptation is adjusted other legal participant of cipher protocol in the result notification network with self adaptation, and the implementation of new round cipher protocol is set.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN200710018771A CN101162992B (en) | 2007-09-29 | 2007-09-29 | Cipher protocol safety operation protecting method and system of tolerant intrusion |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN200710018771A CN101162992B (en) | 2007-09-29 | 2007-09-29 | Cipher protocol safety operation protecting method and system of tolerant intrusion |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN101162992A true CN101162992A (en) | 2008-04-16 |
| CN101162992B CN101162992B (en) | 2010-05-19 |
Family
ID=39297832
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN200710018771A Expired - Fee Related CN101162992B (en) | 2007-09-29 | 2007-09-29 | Cipher protocol safety operation protecting method and system of tolerant intrusion |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN101162992B (en) |
Cited By (14)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN102195925A (en) * | 2010-03-03 | 2011-09-21 | 中国人民解放军信息工程大学 | Game-sequence-based cryptographic protocol security certification method and device |
| CN105376265A (en) * | 2014-07-24 | 2016-03-02 | 阿里巴巴集团控股有限公司 | Use method and use device of network exhaustible resource |
| CN105446322A (en) * | 2015-12-21 | 2016-03-30 | 浙江中控研究院有限公司 | Control code anomaly detection method and device |
| CN106685896A (en) * | 2015-11-09 | 2017-05-17 | 中国科学院声学研究所 | Plaintext data acquisition method and system within SSH protocol multi-layer channel |
| CN107302428A (en) * | 2017-05-26 | 2017-10-27 | 北京国电通网络技术有限公司 | The machinery of consultation of the cryptographic algorithm of data transport services in a kind of power distribution network |
| WO2018076369A1 (en) * | 2016-10-31 | 2018-05-03 | 美的智慧家居科技有限公司 | Method and system for communication security level switching, household appliance, and mobile terminal |
| WO2018076368A1 (en) * | 2016-10-31 | 2018-05-03 | 美的智慧家居科技有限公司 | Method and system for safely operating device in local area network, and device therefor |
| CN108052768A (en) * | 2017-12-28 | 2018-05-18 | 吉林大学 | A kind of concurrent real-time system reliability estimation method based on quantitative verification method |
| CN110381065A (en) * | 2019-07-23 | 2019-10-25 | 腾讯科技(深圳)有限公司 | A kind of agreement cracks monitoring method, device, server and storage medium |
| CN112491867A (en) * | 2020-11-24 | 2021-03-12 | 北京航空航天大学 | SSH man-in-the-middle attack detection system based on session similarity analysis |
| CN116186718A (en) * | 2023-04-27 | 2023-05-30 | 杭州大晚成信息科技有限公司 | Reinforcing test method based on kernel protection server data |
| CN117278335A (en) * | 2023-11-22 | 2023-12-22 | 深圳奥联信息安全技术有限公司 | Password suite selection method and device, electronic equipment and storage medium |
| CN117748745A (en) * | 2024-02-19 | 2024-03-22 | 国网浙江省电力有限公司宁波供电公司 | Method and system for optimizing and enhancing reliability of power distribution network |
| CN117748745B (en) * | 2024-02-19 | 2024-05-10 | 国网浙江省电力有限公司宁波供电公司 | Method and system for optimizing and enhancing reliability of power distribution network |
-
2007
- 2007-09-29 CN CN200710018771A patent/CN101162992B/en not_active Expired - Fee Related
Cited By (21)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN102195925B (en) * | 2010-03-03 | 2014-04-09 | 中国人民解放军信息工程大学 | Game-sequence-based cryptographic protocol security certification method and device |
| CN102195925A (en) * | 2010-03-03 | 2011-09-21 | 中国人民解放军信息工程大学 | Game-sequence-based cryptographic protocol security certification method and device |
| CN105376265B (en) * | 2014-07-24 | 2019-04-02 | 阿里巴巴集团控股有限公司 | A kind of application method and device of network exhaustive resource |
| CN105376265A (en) * | 2014-07-24 | 2016-03-02 | 阿里巴巴集团控股有限公司 | Use method and use device of network exhaustible resource |
| CN106685896A (en) * | 2015-11-09 | 2017-05-17 | 中国科学院声学研究所 | Plaintext data acquisition method and system within SSH protocol multi-layer channel |
| CN106685896B (en) * | 2015-11-09 | 2019-08-20 | 中国科学院声学研究所 | Clear data acquisition method and system in a kind of SSH agreement multilevel access |
| CN105446322A (en) * | 2015-12-21 | 2016-03-30 | 浙江中控研究院有限公司 | Control code anomaly detection method and device |
| WO2018076369A1 (en) * | 2016-10-31 | 2018-05-03 | 美的智慧家居科技有限公司 | Method and system for communication security level switching, household appliance, and mobile terminal |
| WO2018076368A1 (en) * | 2016-10-31 | 2018-05-03 | 美的智慧家居科技有限公司 | Method and system for safely operating device in local area network, and device therefor |
| CN107302428A (en) * | 2017-05-26 | 2017-10-27 | 北京国电通网络技术有限公司 | The machinery of consultation of the cryptographic algorithm of data transport services in a kind of power distribution network |
| CN108052768A (en) * | 2017-12-28 | 2018-05-18 | 吉林大学 | A kind of concurrent real-time system reliability estimation method based on quantitative verification method |
| CN108052768B (en) * | 2017-12-28 | 2021-06-25 | 吉林大学 | Concurrent real-time system reliability evaluation method based on quantitative verification method |
| CN110381065A (en) * | 2019-07-23 | 2019-10-25 | 腾讯科技(深圳)有限公司 | A kind of agreement cracks monitoring method, device, server and storage medium |
| CN110381065B (en) * | 2019-07-23 | 2021-05-04 | 腾讯科技(深圳)有限公司 | Protocol cracking monitoring method, device, server and storage medium |
| CN112491867A (en) * | 2020-11-24 | 2021-03-12 | 北京航空航天大学 | SSH man-in-the-middle attack detection system based on session similarity analysis |
| CN112491867B (en) * | 2020-11-24 | 2021-11-12 | 北京航空航天大学 | SSH man-in-the-middle attack detection system based on session similarity analysis |
| CN116186718A (en) * | 2023-04-27 | 2023-05-30 | 杭州大晚成信息科技有限公司 | Reinforcing test method based on kernel protection server data |
| CN117278335A (en) * | 2023-11-22 | 2023-12-22 | 深圳奥联信息安全技术有限公司 | Password suite selection method and device, electronic equipment and storage medium |
| CN117278335B (en) * | 2023-11-22 | 2024-04-09 | 深圳奥联信息安全技术有限公司 | Password suite selection method and device, electronic equipment and storage medium |
| CN117748745A (en) * | 2024-02-19 | 2024-03-22 | 国网浙江省电力有限公司宁波供电公司 | Method and system for optimizing and enhancing reliability of power distribution network |
| CN117748745B (en) * | 2024-02-19 | 2024-05-10 | 国网浙江省电力有限公司宁波供电公司 | Method and system for optimizing and enhancing reliability of power distribution network |
Also Published As
| Publication number | Publication date |
|---|---|
| CN101162992B (en) | 2010-05-19 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN101162992B (en) | Cipher protocol safety operation protecting method and system of tolerant intrusion | |
| Ford et al. | Applications of machine learning in cyber security | |
| McHugh et al. | Defending yourself: The role of intrusion detection systems | |
| Sabahi et al. | Intrusion detection: A survey | |
| US7603709B2 (en) | Method and apparatus for predicting and preventing attacks in communications networks | |
| Sherif et al. | Intrusion detection: systems and models | |
| CN101771702B (en) | Method and system for defending distributed denial of service attack in point-to-point network | |
| Nizam et al. | Attack detection and prevention in the cyber physical system | |
| Appiah-Kubi et al. | Decentralized intrusion prevention (DIP) against co-ordinated cyberattacks on distribution automation systems | |
| Liu et al. | Real-time diagnosis of network anomaly based on statistical traffic analysis | |
| Joglekar et al. | Protomon: Embedded monitors for cryptographic protocol intrusion detection and prevention | |
| Liu et al. | A survey of botnet architecture and batnet detection techniques | |
| CA2471055A1 (en) | A network security enforcement system | |
| Kwon et al. | Hidden bot detection by tracing non-human generated traffic at the zombie host | |
| Shinde et al. | Early dos attack detection using smoothened time-series andwavelet analysis | |
| Yasinsac | Dynamic analysis of security protocols | |
| Abou Haidar et al. | High perception intrusion detection system using neural networks | |
| Oujezsky et al. | Modeling botnet C&C traffic lifespans from NetFlow using survival analysis | |
| Hansen | Internet commerce security: Issues and models for control checking | |
| Vashist et al. | Detecting communication anomalies in tactical networks via graph learning | |
| Chen et al. | IDSIC: an intrusion detection system with identification capability | |
| CN117278335B (en) | Password suite selection method and device, electronic equipment and storage medium | |
| CN109862022B (en) | Protocol freshness checking method based on direction | |
| Tanaka | Effectiveness and weakness of quantified/automated anomaly based IDs | |
| Wu et al. | Mitigating distributed denial-of-service attacks using network connection control charts |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| C06 | Publication | ||
| PB01 | Publication | ||
| C10 | Entry into substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| C14 | Grant of patent or utility model | ||
| GR01 | Patent grant | ||
| C17 | Cessation of patent right | ||
| CF01 | Termination of patent right due to non-payment of annual fee |
Granted publication date: 20100519 Termination date: 20100929 |