Service-oriented large-scale network security situation assessment device and method
Technical field
The invention belongs to the field of information security and relates to a service-oriented large-scale network security situation assessment system.
Background technology
With the arrival of the Internet era, China's network security problems have become increasingly conspicuous. Network security situation assessment (Network Security Situational Assessment, NSSA) refers to evaluating, through an appraisal procedure, the vulnerabilities that may exist in a system's design or implementation; this process is used to ensure that the network system is not subjected to accidental or deliberate harm. Network security situation assessment technology dynamically reflects the security status of the network as a whole and predicts and gives early warning of the trend of its security state, providing a reliable reference basis for strengthening network security.
A network service is the elementary unit of resource encapsulation and sharing in an open network environment; it is the series of functions and actions the network provides, by various means, to meet the specific demands of different users. It comprises all functions that the services contained in the network application layer (such as DNS, FTP and HTTP) and the servers and network equipment can provide to the user.
Abroad, the U.S. TRUST research team is building a computer defense technology testbed (DETER NETWORK) as a laboratory for simulating attacks such as distributed denial of service and worm attacks on the Internet, attempting to analyze the impact that an attack on a system has on the whole network and to find possible solutions. This system uses Byzantine fault tolerance and consistency negotiation techniques to ensure that all correct replicated processes carry out identical operations, so as to guarantee the integrity of services and of the system state; Byzantine fault tolerance and consistency negotiation, shared-password authentication and majority voting can all be used to detect failed service processes and data servers.
Matthew V. Mahoney and Philip K. Chan used 33 attributes extracted from the Ethernet, IP, TCP, UDP and ICMP headers for detection analysis. These models detect DoS and S/P class attacks well: for example, by analyzing the TCP header, counting the SYN messages arriving at a given port of the system over a period of time and computing a characteristic value, a SYN flooding attack is considered to have occurred if the value exceeds a threshold. For the U2R and R2L attack classes, however, they are helpless.
Christopher described an anomaly detection method for the DNS service: the message payload is aggregated into 6 fields according to the 256 ASCII characters, the occurrence frequency of each field is calculated and stored in descending order, a payload distribution model is established for service request messages of the same type, and the X²-test (chi-square test) is used to compute the anomaly value of the payload distribution of a new service request message in order to judge whether it is an attack message.
On July 12, 2010, the U.S. Defense Systems website reported that Keith Alexander, the new commander of the U.S. Department of Defense Cyber Command, stated on a public occasion that the Department of Defense faces a weak situational awareness problem and that theaters of war such as Iraq and Afghanistan need more powerful situational awareness.
The Washington Technology website reported on November 10, 2010 that a Raytheon team will provide services to the U.S. Defense Information Systems Agency to resist potential attacks that disrupt Department of Defense networks. Under a contract worth 28 million dollars, Raytheon will develop an integrated network operations situational awareness (NetOps SA) solution, which will let the Department of Defense quickly detect network intrusions and assess the health status of the whole network.
Domestically, Xi'an University of Electronic Science and Technology proposed the concept of service survivability: faults of system services are attributed to the configuration of atomic services; since each atomic service has only one configuration, different configurations are combined into survivable services, and quantitative analysis is performed on the same service configuration.
The Chinese Academy of Sciences proposed discovering attacks on network services by screening and marking network service logs: the user's service demands on the network service system are treated as access to a main object, security attributes of the network service system are proposed, rules restricting the behaviour of the service system are formulated according to these security attributes, and service anomalies are then detected from behavioural abnormalities.
Tsinghua University formulated a unified service model and description language based on the common characteristics of services and, on this model, built a flexibly customizable service testing engine that realizes, to a certain extent, a general service monitoring framework and fault location method.
Xi'an Jiaotong University evaluates the security posture of services from a statistical analysis of the frequency and severity of attacks on services, then weights the result by the importance factors of the service and of the host itself to evaluate the security posture of the services, the hosts and the whole network system.
At present, patents published on network performance situation awareness systems include application number 200610095391.5, published December 5, 2007, a rapid evaluation system (RES) based on space state perception; this patent document provides a rapid evaluation system for spaceflight measurement and control that applies expert systems and distributed interactive simulation means in a decision support system, but it relates only to the assessment of spaceflight hardware resources and not to the field of network security. Application number 200710121584.8, published May 7, 2008, is a large-range battlefield situation intelligent perception system and cognitive method; this patent document uses a distributed multi-video multi-hop wireless sensor network for multi-target detection, classification, location and tracking of the large-range battlefield situation. The situation described in that patent is the identification, classification and location of targets on the battlefield.
Many individuals and institutions at home and abroad currently carry out network security situation awareness research, with varied research angles and methods, but no report has yet been seen of related research on service-oriented large-scale network security situation assessment.
Summary of the invention
The object of the present invention is to provide a service-oriented large-scale network security situation assessment device that can monitor the network service situation in real time under a large-scale network environment and can assess, defend against, respond to and give early warning of the security posture before potential malicious network behaviour becomes uncontrollable. The present invention also aims to provide a service-oriented large-scale network security situation assessment method.
The object of the present invention is achieved as follows:
The service-oriented large-scale network security situation assessment device of the present invention comprises a monitoring platform and collection agents. The monitoring platform comprises a data analysis/index extraction module, a situation assessment module, a database middleware module, a command configuration module, a plug-in module and an XML data conversion module. The collection agents comprise a server performance state collection agent, a network device state collection agent and a specific service performance state collection agent.
Data analysis/index extraction module: data analysis processes the situation data uploaded by the collection agents to generate the new situation information needed for network security situation assessment and to discover possible abnormal behaviour; index extraction extracts and organizes the indices useful for security situation assessment and stores this information, with corresponding data structures, in the security posture information base, ready for the next step of network security situation assessment;
Situation assessment module: compares the factors pairwise and decides which is relatively more important;
Database middleware module: extracts the collected data and at the same time realizes automated configuration management;
Command configuration module: comprises a basic command configuration information maintenance module, a command configuration information legitimacy detection module and a command configuration file generation module. The basic command configuration information maintenance module maintains the basic configuration information; with it the administrator creates and queries the various objects and the relations between them. The command configuration information legitimacy detection module checks whether the associations between the objects are legal and prompts the administrator to examine potential problems. The command configuration file generation module generates, for each collection agent, its corresponding configuration file and directory structure from the basic command configuration information;
Plug-in module: realizes communication with the other functional modules;
XML data conversion module: unifies and formats the service security situation information and, according to the established XML-based common data model, converts it into data files in XML format for querying and access by the monitoring platform and for invocation by upper-layer applications;
Server performance state collection agent: collects the running state of Windows servers and Linux servers. These performance and state items include operating system type, server device type, number of server hard disks, CPU usage, port open status, memory usage, port traffic, occupancy of each disk, vulnerabilities and patches; for servers with the SNMP agent function enabled, the GET operation of the SNMP protocol can also be used to obtain the corresponding information;
Network device state collection agent: collects the network performance information of all kinds of routers, switches and end-to-end data links. This information mainly includes device type, unit type, number of ports, port traffic, port speed, network bandwidth, transmission rate, end-to-end packet loss and round-trip delay;
Specific service performance collection agent: collects the performance indices of the services that are common on today's networks and indispensable to the network infrastructure, such as the FTP service, DNS service and WEB service. These indices mainly include service request rate, service hit rate, response rate, service error rate, service response time, service availability, service vulnerabilities, service message length, service message type and service message payload.
The service-oriented large-scale network security situation assessment method of the present invention is as follows:
The service-oriented large-scale network security situation assessment device comprises a monitoring platform and collection agents. The monitoring platform comprises a data analysis/index extraction module, a situation assessment module, a database middleware module, a command configuration module, a plug-in module and an XML data conversion module. The collection agents comprise a server performance state collection agent, a network device state collection agent and a specific service performance state collection agent.
Step 1: first, input a collection command in the monitoring platform;
Step 2: determine whether the input of step 1 is a new command; if so, perform step 3; otherwise perform step 4 directly;
Step 3: enter the plug-in module, define and generate the corresponding plug-in, then perform step 4;
Step 4: enter the collection command generation module, generate a more detailed collection command and send the command to the collection agents;
Step 5: the collection agents receive the collection command, collect the security posture indices and send the indices back to the monitoring platform over FTP;
Step 6: after the monitoring platform obtains the indices, enter the data analysis/index extraction module, analyze the corresponding indices and extract indices, then perform steps 7, 8 and 9 simultaneously;
Step 7: take the output of step 6 as the input of the database middleware module, realizing data access by the core process to the database;
Step 8: enter the XML conversion module, unify and format the service security situation information and convert it into data files in XML format according to the established XML-based common data model, for querying and access by the monitoring platform and for invocation by upper-layer applications;
Step 9: enter the security posture evaluation module and perform the network security situation assessment of the large-scale network, then perform step 10;
Step 10: output the assessment report at the output module and display the running state of each type of security index in the form of dynamic graphics.
The method by which the data analysis/index extraction module analyzes the corresponding indices and extracts indices is:
(1) extract all kinds of situation data sent from the collection agents;
(2) establish a normal traffic model from the traffic data and performance data and derive a normal threshold interval from it; perform attack message judgement on the message characteristic fields by protocol analysis and perform characteristic matching on the data;
(3) assign each situation index datum its corresponding state characteristic value according to the detection model;
(4) judge from the characteristic value whether the data is in a normal state; if normal, enter step (5); otherwise enter step (7);
(5) extract all kinds of indices relevant to service-oriented network security situation assessment;
(6) after the security posture index data has been classified and organized, it enters the security situation evaluation step and is also converted into the XML standard format and stored in the situation database;
(7) trigger an anomaly event or alert event;
(8) while the data also flows to step (5), perform security incident analysis, then convert the result into the XML standard format and finally either submit the security incident to the upper-layer integration group or store the XML data in the situation database as historical data for future querying.
The network security situation assessment of the large-scale network performed by the security posture evaluation module uses a fuzzy analytic hierarchy process (Fuzzy AHP); the concrete steps are as follows:
(1) divide the situation quantization indices into several different key elements;
(2) calculate the weight vectors of the indices of each layer, comprising the weight vector of each layer's indices and the weight vectors of the indices within each layer: first model the precedence relation matrix, then transform the precedence relation matrix into a fuzzy consistent matrix, and finally obtain the weight vector by the row normalization method;
(3) establish the evaluation grade set;
(4) perform the fuzzy composition operation on the weights of the quantization indices within each layer and the corresponding fuzzy consistent matrix, and then calculate the fuzzy comprehensive evaluation vector;
(5) calculate the comprehensive assessment matrix.
The invention provides a service-oriented large-scale network security situation awareness system. Its main purpose is to monitor the network service situation in real time under a large-scale network environment, to assess, defend against, respond to and give early warning of the security posture before potential malicious network behaviour becomes uncontrollable, and to provide corresponding countermeasures. The present invention helps make an accurate evaluation of the overall security of the network system, facilitates timely adjustment of the network administrator's security strategy, and provides a theoretical foundation and technical support for subsequent security posture prediction and situation visualization.
Compared with existing network security situation evaluation systems, the present invention has the following advantages:
(1) For the specific security demands of a network system, it collects, from the angle of the service, the various types of security data that may affect the network system's applications and, through analysis and processing, completes a quantitative portrayal of the network system's security situation; the situation assessment result is novel, intuitive and concrete, whereas existing systems assess the network only from the angle of network security.
(2) Unlike existing single-level network security situation evaluation systems, the present invention realizes multi-level service security situation assessment at the server state level, the network device level and the network service level of the network system, which lets the security administrator grasp the security state of each layer of the system comprehensively and supports correct decisions.
(3) It is fully compatible with SNMP, supports nearly all operating platforms, and can monitor and manage remote servers and their services in real time, whereas existing systems target only a single operating platform.
Description of drawings
Fig. 1 is the frame diagram of the device of the present invention;
Fig. 2 is the workflow diagram of the data analysis/index extraction module;
Fig. 3 is the flow chart of one processing pass of the security situation evaluation module.
Embodiment
The present invention is described in more detail below by way of example:
In conjunction with Fig. 1: to accomplish the object of the present invention, the service-oriented large-scale network security situation assessment device of the present invention comprises a monitoring platform and collection agents. The monitoring platform is responsible for performing the network security situation assessment work; it sends instructions to the remote collection agents to run the necessary monitoring programs. According to the data returned by the collection agents, the system takes flexible action according to its configuration file. According to the specific demands of remote collection, the system can run customized plug-ins to test more special items (for example, checking whether the data operations of a database are normal). If the value returned by a test exceeds the normally permitted range, the monitoring platform issues a warning through one or more means and runs the predefined event handler to perform emergency handling.
The monitoring platform comprises a data analysis/index extraction module. Data analysis processes the large amount of situation data uploaded by the collection agents to generate the new situation information needed for network security situation assessment and to discover possible abnormal behaviour. Index extraction extracts and organizes the indices useful for security situation assessment and stores this information, with corresponding data structures, in the security posture information base, ready for the next step of network security situation assessment.
The situation assessment module compares the factors pairwise and decides which is relatively more important.
The database middleware module extracts and collects data efficiently and at the same time realizes automated configuration management.
The command configuration module comprises a basic command configuration information maintenance module, a command configuration information legitimacy detection module and a command configuration file generation module. The basic command configuration information maintenance module maintains the basic configuration information; with it the administrator creates and queries the various objects and the relations between them. The function of the command configuration information legitimacy detection module is to check whether the associations between the objects are legal and to prompt the administrator to examine potential problems. The command configuration file generation module generates, for each collection agent, its corresponding configuration file and directory structure from the basic command configuration information.
The main function of the plug-in module is communication with the other functional modules.
The XML data conversion module unifies and formats the service security situation information and, according to the established XML-based common data model, converts it into data files in XML format for querying and access by the monitoring platform and for invocation by upper-layer applications.
The collection agents comprise a server performance state collection agent, a network device state collection agent and a specific service performance state collection agent. The collection agents receive the specific monitoring commands sent by the monitoring platform and complete the collection of all kinds of network security posture indices.
(1) The server performance state collection agent is mainly responsible for collecting the running state of the currently popular Windows servers and Linux servers. These performance and state items include operating system type, server device type, number of server hard disks, CPU usage, port open status, memory usage, port traffic, occupancy of each disk, vulnerabilities and patches; for servers with the SNMP agent function enabled, the GET operation of the SNMP protocol can also be used to obtain the corresponding information.
(2) The network device state collection agent is mainly responsible for collecting the network performance information of all kinds of routers, switches and end-to-end data links. This information mainly includes device type, unit type, number of ports, port traffic, port speed, network bandwidth, transmission rate, end-to-end packet loss and round-trip delay.
(3) The specific service performance collection agent is mainly responsible for collecting the performance indices of the services that are common on today's networks and indispensable to the network infrastructure, such as the FTP service, DNS service and WEB service. These indices mainly include service request rate, service hit rate, response rate, service error rate, service response time, service availability, service vulnerabilities, service message length, service message type and service message payload.
In the large-scale network the present invention adopts a monitoring platform/collection agent structure. The monitoring platform side is responsible for performing the network security situation assessment work; it integrates the data analysis/index extraction module, the security situation evaluation module, the plug-in definition module, the collection command generation module, the XML conversion module and the database middleware module, and provides a convenient and friendly user interface for configuring the commands sent to the monitoring agents before collection, displaying the running progress in real time during testing, and submitting assessment reports in various forms after monitoring ends. The collection agent side must be installed in advance at the key nodes of the network services, for example on WEB servers, routers and switches; the collection agents mainly receive the specific collection commands sent by the monitoring platform and complete the collection of all kinds of network security posture indices.
Referring to Fig. 1, this system assesses the service-oriented large-scale network security situation by the following steps.
1) first, input a collection command in the above monitoring platform;
2) determine whether the input of step 1 is a new command; if so, perform step 3; otherwise perform step 4 directly;
3) enter the plug-in module, define and generate the corresponding plug-in, then perform step 4;
4) enter the collection command generation module, generate a more detailed collection command and send the command to the collection agents;
5) the collection agents receive the collection command, collect the security posture indices and send the indices back to the monitoring platform over FTP;
6) after the monitoring platform obtains the indices, enter the data analysis/index extraction module, analyze the corresponding indices and extract indices, then perform steps 7, 8 and 9 simultaneously;
7) take the output of step 6 as the input of the database middleware module, realizing data access by the system's core process to the database;
8) enter the XML conversion module, unify and format the service security situation information and convert it into data files in XML format according to the established XML-based common data model, facilitating querying and access by the monitoring platform and invocation by upper-layer applications;
9) enter the security posture evaluation module and perform the network security situation assessment of the large-scale network, then perform step 10;
10) output the assessment report at the output module and display the running state of each type of security index in the form of dynamic graphics.
In step 3 the plug-in module is mainly responsible for communication with the other functional modules; when the present invention needs to detect the state of a special service or server, the system runs the pre-specified plug-in and then receives the result the plug-in returns.
In step 4 the command configuration module is responsible for the unified management and generation of the command configuration files and for sending the command configuration file applicable to each server to the corresponding server.
In step 5, when a collection agent receives the collection command sent by the monitoring platform, it starts collecting the situation indices of the various key nodes of the large-scale network, including the situation indices of servers, network devices and specific services.
In step 6 the data analysis/index extraction module establishes a normal traffic model from the traffic data and performance data and derives a normal threshold interval from it, performs attack message judgement on the message characteristic fields by methods such as protocol analysis, performs characteristic matching on the data and provides the characteristic value of the corresponding performance index. As shown in Fig. 2, the workflow of the data analysis/index extraction module is:
(1) extract all kinds of situation data sent from the collection agents;
(2) establish a normal traffic model from the traffic data and performance data and derive a normal threshold interval from it; perform attack message judgement on the message characteristic fields by protocol analysis and perform characteristic matching on the data;
(3) assign each situation index datum its corresponding state characteristic value according to the detection model;
(4) judge from the characteristic value whether the data is in a normal state; if normal, enter step (5); otherwise enter step (7);
(5) extract all kinds of indices relevant to service-oriented network security situation assessment;
(6) after the security posture index data has been classified and organized, it enters the security situation evaluation step and is also converted into the XML standard format and stored in the situation database;
(7) trigger an anomaly event or alert event;
(8) while the data also flows to step (5), perform security incident analysis, then convert the result into the XML standard format and finally either submit the security incident to the upper-layer integration group or store the XML data in the situation database as historical data for future querying.
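The following Python block is an added worked example, not code from the patent, of workflow steps (1) to (8) above (the same procedure as in the summary of the invention) for one DNS node. The baseline samples, the mean plus or minus three standard deviations threshold interval, the DNS message rule, the mapping of threshold violations to anomaly events and of attack messages to alert events, and the XML element names are all this example's assumptions; the patent does not specify them.

```python
"""Data analysis / index extraction workflow, steps (1)-(8), as a worked example."""
import statistics
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

# Constructed baseline for one DNS node: service request rate (requests/s) and
# service response time (ms) over eight normal sampling periods.  Sample values only.
BASELINE = {
    "service_request_rate": [120.0, 132.0, 118.0, 125.0, 129.0, 121.0, 127.0, 124.0],
    "service_response_time": [14.0, 15.5, 13.8, 14.6, 15.1, 14.2, 14.9, 14.4],
}

# Assumed protocol-analysis rule for the DNS service: the message characteristic
# fields named in the description (message type, message length) against constructed limits.
DNS_RULE = {"max_message_length": 512,
            "allowed_types": {"A", "AAAA", "MX", "NS", "CNAME", "PTR"}}


def normal_interval(samples, k=3.0):
    """Step (2): normal threshold interval from the baseline, mean +/- k*stdev (k = 3 assumed)."""
    mean = statistics.fmean(samples)
    sd = statistics.stdev(samples)
    return mean - k * sd, mean + k * sd


@dataclass
class SituationDatum:
    """One situation record sent up by a collection agent (step (1))."""
    node: str
    service: str
    indices: dict                                  # index name -> measured value
    messages: list = field(default_factory=list)   # (message type, message length) samples


def characteristic_value(datum, intervals, rule):
    """Step (3): 0 = normal, 1 = index outside its normal interval,
    2 = attack message judged by protocol analysis of the characteristic fields."""
    for name, value in datum.indices.items():
        lo, hi = intervals[name]
        if not lo <= value <= hi:
            return 1
    for mtype, length in datum.messages:
        if mtype not in rule["allowed_types"] or length > rule["max_message_length"]:
            return 2
    return 0


def to_xml(datum, cv):
    """Steps (6)/(8): unified XML record.  Element and attribute names are this
    example's own; the description does not give the common data model."""
    root = ET.Element("SituationRecord", node=datum.node,
                      service=datum.service, state=str(cv))
    for name, value in datum.indices.items():
        ET.SubElement(root, "Index", name=name).text = f"{value:g}"
    return ET.tostring(root, encoding="unicode")


def process(datum, intervals, rule):
    """Steps (4)-(8): branch on the characteristic value.  Normal data is extracted
    and stored as XML; abnormal data triggers an event (assumed mapping: threshold
    violation -> anomaly event, attack message -> alert event) and is stored as an incident."""
    cv = characteristic_value(datum, intervals, rule)
    event = None
    if cv != 0:
        event = {"kind": "alert" if cv == 2 else "anomaly",
                 "node": datum.node, "service": datum.service}
    return {"event": event, "xml": to_xml(datum, cv)}


if __name__ == "__main__":
    intervals = {name: normal_interval(vals) for name, vals in BASELINE.items()}
    sample = SituationDatum("dns-01", "DNS",
                            {"service_request_rate": 400.0, "service_response_time": 15.0},
                            [("A", 64)])
    print(process(sample, intervals, DNS_RULE))
```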
In step 9 the security posture evaluation module uses a fuzzy analytic hierarchy process (Fuzzy AHP). The concrete steps are as follows (as shown in Fig. 3):
(1) divide the situation quantization indices into several different key elements;
(2) calculate the weight vectors of the indices of each layer, comprising the weight vector of each layer's indices and the weight vectors of the indices within each layer: first model the precedence relation matrix, then transform the precedence relation matrix into a fuzzy consistent matrix, and finally obtain the weight vector by the row normalization method;
(3) establish the evaluation grade set;
(4) perform the fuzzy composition operation on the weights of the quantization indices within each layer and the corresponding fuzzy consistent matrix, and then calculate the fuzzy comprehensive evaluation vector;
(5) calculate the comprehensive assessment matrix.
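The following Python block is an added worked example, not code from the patent, of the Fuzzy AHP steps (1) to (5) above (the same procedure as in the summary of the invention): precedence relation matrix, fuzzy consistent matrix, row-normalized weights, fuzzy composition and the comprehensive assessment matrix. The three layers (server state, network device, network service) and the index names come from the description; the importance scores, the grade set, the membership matrix of each index over the grades and the weighted-average composition operator are this example's assumptions.

```python
"""Fuzzy AHP security posture evaluation, steps (1)-(5), as a worked example."""

# Step (3): evaluation grade set (constructed).
GRADES = ["secure", "low_risk", "medium_risk", "high_risk"]

# Step (1): key elements.  Layers and index names follow the description; the
# importance scores used for pairwise comparison are this example's assumptions.
IMPORTANCE = {
    "server":  {"cpu_usage": 1, "memory_usage": 1, "vulnerabilities": 3},
    "device":  {"port_traffic": 1, "packet_loss": 3, "round_trip_delay": 2},
    "service": {"request_rate": 1, "error_rate": 3, "response_time": 2, "availability": 4},
}
LAYER_IMPORTANCE = {"server": 2, "device": 1, "service": 3}

# Constructed membership degree of each index in each grade (every row sums to 1).
MEMBERSHIP = {
    "server":  {"cpu_usage": [0.5, 0.3, 0.2, 0.0], "memory_usage": [0.6, 0.3, 0.1, 0.0],
                "vulnerabilities": [0.1, 0.3, 0.4, 0.2]},
    "device":  {"port_traffic": [0.4, 0.4, 0.2, 0.0], "packet_loss": [0.3, 0.4, 0.2, 0.1],
                "round_trip_delay": [0.5, 0.4, 0.1, 0.0]},
    "service": {"request_rate": [0.6, 0.3, 0.1, 0.0], "error_rate": [0.2, 0.5, 0.2, 0.1],
                "response_time": [0.5, 0.3, 0.2, 0.0], "availability": [0.7, 0.2, 0.1, 0.0]},
}


def precedence_matrix(scores):
    """Precedence relation matrix F: f_ij = 1 if i is more important than j, 0 if
    less, 0.5 if equally important; hence f_ij + f_ji = 1 and f_ii = 0.5."""
    names = list(scores)
    return [[1.0 if scores[a] > scores[b] else 0.0 if scores[a] < scores[b] else 0.5
             for b in names] for a in names]


def fuzzy_consistent(F):
    """Transform F into a fuzzy consistent matrix R with r_ij = (r_i - r_j)/(2n) + 0.5,
    r_i being the i-th row sum of F.  R keeps r_ij + r_ji = 1 and satisfies
    r_ij = r_ik - r_jk + 0.5 for every k (the fuzzy consistency condition)."""
    n = len(F)
    rs = [sum(row) for row in F]
    return [[(rs[i] - rs[j]) / (2 * n) + 0.5 for j in range(n)] for i in range(n)]


def row_normalized_weights(R):
    """Weight vector by the row normalization method: w_i = sum_j r_ij / sum_ij r_ij."""
    row_sums = [sum(row) for row in R]
    total = sum(row_sums)
    return [s / total for s in row_sums]


def layer_weights(scores):
    """Step (2): scores -> precedence matrix -> fuzzy consistent matrix -> weights."""
    return row_normalized_weights(fuzzy_consistent(precedence_matrix(scores)))


def fuzzy_compose(w, M):
    """Step (4): fuzzy composition B = w o M with the weighted-average operator
    M(., +), i.e. b_k = sum_i w_i * m_ik (operator choice is an assumption)."""
    return [sum(wi * row[k] for wi, row in zip(w, M)) for k in range(len(M[0]))]


def evaluate():
    """Steps (4)-(5): the per-layer comprehensive evaluation vectors form the
    comprehensive assessment matrix, which is composed with the layer-level weights."""
    layer_vectors = {}
    for layer, scores in IMPORTANCE.items():
        w = layer_weights(scores)
        M = [MEMBERSHIP[layer][name] for name in scores]
        layer_vectors[layer] = fuzzy_compose(w, M)
    matrix = [layer_vectors[layer] for layer in LAYER_IMPORTANCE]
    overall = fuzzy_compose(layer_weights(LAYER_IMPORTANCE), matrix)
    grade = GRADES[max(range(len(GRADES)), key=overall.__getitem__)]
    return {"layers": layer_vectors, "matrix": matrix, "overall": overall, "grade": grade}


if __name__ == "__main__":
    result = evaluate()
    for layer, vec in result["layers"].items():
        print(layer, [round(x, 4) for x in vec])
    print("overall", [round(x, 4) for x in result["overall"]], "->", result["grade"])
```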