CN102387163A - Network server defense method based on risk balance - Google Patents

Network server defense method based on risk balance

Info

Publication number
CN102387163A
Authority
CN (China)
Prior art keywords
risk, warning, intrusion, alarm, attack
Legal status
Pending
Application number
CN2011104224135A
Other languages
Chinese (zh)
Inventors
穆成坡
韩操正
Current assignee
Individual
Original assignee
Individual
Priority date
2011-12-16
Filing date
2011-12-16
Publication date
2012-03-21

Abstract

The invention provides a network server defense method based on risk balancing. The corresponding defense system has three parts: alarm acquisition and response execution, event handling, and display and management. The alarm acquisition and response execution part consists of various intrusion detection systems (IDSs) and risk balancers. The IDSs perform intrusion detection; an Agent residing on each IDS converts its alarms to a standard format, aggregates them and forwards them to the event handling center. The risk balancers receive intrusion response commands from the event handling center and switch the access service process so that risk is balanced across the server cluster. The event handling part performs alarm processing, online risk assessment and intrusion response decision-making. Alarm processing (alarm filtering, alarm verification and alarm correlation) lowers the system's false alarm rate and missed alarm rate and forms alarm threads, each representing one intrusion process. Online risk assessment computes in real time the risk that each intrusion alarm thread (intrusion process) poses to a host. Intrusion response decision-making decides, from the host's risk situation, whether the access service process is to be switched, and forms a switching command that is sent to the risk balancers for execution. The display and management part handles parameter configuration, management, maintenance and other human-machine interaction on the management console.

Description

A network server defense method based on risk balancing
Technical field
The present invention relates to a network server defense method based on risk balancing; in particular to a method that uses hierarchical online risk assessment of network intrusions to assess the risk of an intrusion process, and to a method that uses the quantified risk assessment result to balance risk. It belongs to the field of computer information security.
Background technology
With the development of all kinds of Internet-based services, the network servers that support these services (Web servers, FTP servers, database servers and so on) have become important targets of intrusion activity. According to the "China Internet Network Security Report" issued by CNCERT, attacks on Web services (such as web page defacement) have ranked among the top three network intrusion behaviours in recent years. How to protect network servers effectively and resist all kinds of attacks against them has always been a key focus of network security research. In the new security landscape, static defense techniques such as host access control and firewall isolation no longer meet security requirements; an important trend in network security is the integrated use of intrusion detection, intrusion response, proactive discovery of system vulnerabilities and security risk assessment, forming a dynamic security cycle of detection, response and protection guided by a security policy. The model and method proposed by this invention embody this idea of a dynamic security cycle: they change "blocking" of intrusive or anomalous network behaviour into "diverting" it, protecting the server effectively while greatly reducing the negative side effects that a defensive action may bring.
Summary of the invention
The object of the invention is to design a method and system that works together with an IDS, takes the IDS alarm information as input, assesses online the risk that an intrusion process poses to the target system, makes a decision from the assessment result, and then balances the risk.
To achieve this object, the invention implements a network server defense method and system based on risk balancing, whose steps are as follows:
Step 1: obtain the alarm information provided by the underlying alarm modules;
Step 2: perform aggregation, correlation and other integrated processing of the alarm information according to source IP address and destination IP address, obtaining alarm thread information;
Step 3: compute and update, for the alarm thread, the number of alarms, the number of alarm types, the attack confidence indicated by the latest alarm, the attack severity, and the relevance between the attack and the attacked target; then fuse these five parameters with D-S evidence theory into the risk index produced by the objective factors;
Step 4: compare the risk index of the process with the configured threshold and, by means of network address translation (NAT), switch the platform that provides the service, thereby balancing the risk.
The characteristics of the invention are: hierarchical risk assessment provides the basis for hierarchical intrusion response decisions, so that the scope of a response can be confined to a suitable range; setting a response risk threshold increases the system's tolerance of all kinds of anomalous network activity and reduces the risk of wrong responses caused by false alarms; the response scheme can also be adjusted according to the risk situation, increasing the adaptivity of the response. The assessment method can serve as a high-level model above intrusion detection and can support real-time, targeted intrusion forensics. The response decision model combines intrusion risk assessment with risk balancing: it makes the intrusion response decision from the risk index, determines whether to switch platforms, and so selects a safe service host to provide the service externally, reaching a dynamic balance of risk. The proposed intrusion response mechanism balances the contradiction between the effectiveness of intrusion response and its negative effects: it stops attacks effectively while reducing the risk of wrong responses. Such a mechanism improves the effectiveness of intrusion response and solves the problem that a system responding to alarms degrades network speed.
Description of drawings
Fig. 1: risk assessment tree.
Fig. 2: risk assessment model at the service level.
Fig. 3: system experiment environment.
Fig. 4: host risk trend under a vertical scan.
Fig. 5: web page served by the Windows server.
Fig. 6: host risk trend of the intrusion against the IIS vulnerability.
Fig. 7: web page served by the Linux server.
Fig. 8: host risk trend under the FTP MDTM overflow attack.
Fig. 9: risk trend of a thread made up of false alarms.
Fig. 10: deployment of risk-balancing defense in a high-bandwidth network environment.
Embodiment
The invention is further described below with reference to the drawings and a concrete example.
The composition of the whole system is shown in Fig. 1. The risk assessment system and the risk balancing system are explained below in detail.
The protected network consists of various hosts, each running an operating system and various network service programs:
Definition 1. The risk index RI (risk index) is the degree of danger that an intrusion process poses to a specific target.
Definition 2. The target risk distribution (risk distribution) is the distribution over the high, medium and low risk intervals that the target system can tolerate.
Step A: online risk assessment of network intrusions
Suppose the protected network has $m$ hosts $H_i$ ($i=1,2,\dots,m$), each running operating system $OS_i$, and host $H_i$ runs $n_i$ network services $S_{ij}$ ($j=1,2,\dots,n_i$). The object being assessed is an alarm thread $k$ (representing one intrusion process) formed by the alarm correlation module. Some intrusion activity is not aimed at a vulnerability of a particular service yet still threatens the services; to distinguish it, any intrusion activity not aimed at a specific service is classed as an attack on the operating system, and for convenience of expression an assessment of the operating system is also treated as a kind of service assessment. Following the definitions of risk index and risk distribution, the assessment factors chosen at the service level are shown in Fig. 2. Of these six factors, the first five make full use of the parameters produced during alarm processing (alarm verification, alarm aggregation, alarm correlation and alarm confidence learning) and reflect the security state of the system and the attack threat from an objective standpoint; the sixth is specified by the administrator according to the situation, is subjective, and represents the resource situation of the protected system and the administrator's intent.
In service-level risk assessment, D-S evidence theory is first used to fuse the five factors that correlate most strongly with the attacker, giving an objective assessment of the risk caused by the intrusion without yet considering the importance of the target system. The computation of the service-level risk index $RI_s^k$ of a specific intrusion process $k$ from the five objective factors is as follows; the membership functions of the assessment factors are shown in Fig. 3.
(1) Number of alarms in the alarm thread (Amount of alerts), $A_k$. This parameter expresses the intensity of the intrusion and, from another angle, also reflects how certain the intrusion is.
$$\mu_{11}=\begin{cases}\dfrac{\alpha_2-A_k}{\alpha_2}, & A_k\le\alpha_2\\[4pt] 0, & A_k>\alpha_2\end{cases}\qquad \mu_{12}=\begin{cases}0, & A_k\le\alpha_1\\[4pt] \dfrac{A_k-\alpha_1}{\alpha_3-\alpha_1}, & \alpha_1<A_k\le\alpha_3\\[4pt] 1, & A_k>\alpha_3\end{cases}$$
Here $\alpha_1,\alpha_2,\alpha_3$ are constants fixed by expert experience; typically $\alpha_1\in[5,15]$, $\alpha_2\in[10,20]$, $\alpha_3\in[15,30]$. $\mu_{ij}$ is the degree of membership of the target state $V_j$ as determined by the $i$-th influencing factor.
(2) Attack confidence indicated by the latest alarm in thread $k$ (Alert confidence), $C_{k0}\in[0,1]$. It expresses the probability that the anomalous activity indicated by the alarm is a real attack, and is obtained from the alarm confidence learning module of this system.
$$\mu_{21}=1-C_{k0},\qquad \mu_{22}=C_{k0}$$
(3) Number of alarm types in the alarm thread (Number of alert types), $B_k$. This parameter partly reflects the progress of the intrusion: as the intrusion advances it produces more kinds of alarms and the threat to the target service becomes more serious; at the same time it also reflects the intruder's skill. Its value is obtained from the alarm correlation module.
$$\mu_{31}=\begin{cases}\dfrac{\lambda_2-B_k}{\lambda_2}, & B_k\le\lambda_2\\[4pt] 0, & B_k>\lambda_2\end{cases}\qquad \mu_{32}=\begin{cases}0, & B_k\le\lambda_1\\[4pt] \dfrac{B_k-\lambda_1}{\lambda_3-\lambda_1}, & \lambda_1<B_k\le\lambda_3\\[4pt] 1, & B_k>\lambda_3\end{cases}$$
Here $\lambda_1,\lambda_2,\lambda_3$ are constants fixed by expert experience; typically $\lambda_1\in[1,5]$, $\lambda_2\in[5,9]$, $\lambda_3\in[6,10]$.
(4) Attack severity (Rank of alert severity), $P_{r0}$, the severity of the attack indicated by the latest alarm in thread $k$; obviously the more serious the attack, the greater the risk to the service. The severity value is taken directly from the alarm: most IDSs express attack severity in the alarm through a parameter such as an alert level, and specify which levels are moderately serious, serious and very serious.
$$\mu_{41}=\begin{cases}\dfrac{\varphi-P_{r0}}{\varphi}, & P_{r0}\le\varphi\\[4pt] 0, & P_{r0}>\varphi\end{cases}\qquad \mu_{42}=\begin{cases}\dfrac{P_{r0}}{\varphi}, & P_{r0}\le\varphi\\[4pt] 1, & P_{r0}>\varphi\end{cases}$$
The constant $\varphi$ is set according to the IDS's own convention. For example, the Snort intrusion detection system uses Priority in its alarm messages to express the severity of an event, in three levels: level 1 is a very serious event, level 2 a serious event and level 3 a moderately serious one. In that case $P_{r0}=4-\text{Priority}$ and $\varphi=3$.
(5) Relevance between the attack and the attacked target (Alert relevance score), $R_{s0}\in[0,1]$, the degree to which the target conditions required by the latest attack in the thread match the actual target. Its value is obtained from the alarm verification module.
$$\mu_{51}=1-R_{s0},\qquad \mu_{52}=R_{s0}$$
Given the membership distribution of each assessment factor, the basic probability assignments of the focal elements can be computed. For alarm thread $k$, the probability assignment function $m_q^k(V_j)$ of the target state $V_j$ determined by the $q$-th assessment factor is:
$$m_q^k(V_j)=\frac{\mu_{qj}}{\sum_{i=1}^{2}\mu_{qi}+1-w_q\,P_{IDS}}\qquad(1)$$
$$m_q^k(\theta)=1-\sum_{j=1}^{2}m_q^k(V_j)\qquad(2)$$
(Formula (3), the D-S combination rule with which the five factors are fused, appears only as an image in the original and is not reproduced here.)
Here $q=1,2,\dots,5$ and $j=1,2$. $P_{IDS}$ is the overall detection precision of the IDS. Intrusion detection is essentially a problem of classifying network packets or log data samples. Four outcomes can occur: (i) data produced by an attack is correctly classified as abnormal; (ii) data produced by an attack is wrongly classified as normal; (iii) normal data is correctly classified as normal; (iv) normal data is wrongly classified as abnormal. The samples in cases (i) and (iii) are the correctly classified samples, the samples in case (ii) are missed alarms (false negatives), and the samples in case (iv) are false alarms (false positives).
In most intrusion detection systems the overall detection precision is defined as:
overall detection precision ($P_{IDS}$, precision) = number of correctly classified samples / total number of samples.
Thus $1-P_{IDS}$ represents the cases that cannot be classified correctly, namely the false alarms and missed alarms in detection, and false and missed alarms are exactly the root of the uncertainty an IDS produces. The correction factor $w_q\in[0,1]$ is added for two reasons: (i) affected by complex network environments, most IDSs do not reach their ideal precision in real deployments; (ii) the uncertainty of each factor in target risk assessment differs, and so does its effect on the assessment, so a correction factor lets each factor play an appropriate role. When setting $w_q$, choose $w_5\ge w_4\ge w_3\ge w_2\ge w_1$, for the following reasons: because of duplicated alarms, risk assessment from the number of alarms carries the greatest uncertainty; a good many IDSs (especially signature-based ones) do not provide an attack confidence parameter in their alarms (this system obtains it by learning), so the uncertainty of this part is also relatively large; most false alarms are of a single type whereas a real intrusion process produces a rich variety of alarms, so the number of alarm types in a thread reflects the intrusion's threat rather well; alarm severity expresses how serious the attack is, and the relevance score combines information about the protected system (such as vulnerabilities) with attack information and expresses the probability that the attack succeeds, so these two factors correlate most strongly with the target's risk situation.
After the basic probability assignments of the focal elements of each risk factor have been obtained from formulas (1) and (2), the judgements of the five assessment factors on the security risk can be fused, and the fused result $m^k(V_1)$, $m^k(V_2)$ and $m^k(\theta)$ is obtained from formula (3). The risk produced by the specific intrusion process $k$ is quantified as the risk index $RI_s^k$, given by:
$$RI_s^k=m^k(V_2)$$
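The following is an added worked example of Steps 1 to 3 and Step A, not code from the patent. It groups constructed Snort-style alarms into threads by source and destination IP, derives the five objective parameters of each thread, applies the five membership functions and formulas (1) and (2), and fuses the five basic probability assignments with Dempster's rule of combination (the D-S combination rule the text refers to as formula (3)), returning $RI_s^k = m^k(V_2)$. The alpha and lambda constants, the $w_q$ weights, the $P_{IDS}$ value and the sample alarms are assumptions chosen within the ranges the description gives.

```python
"""Online risk assessment of alarm threads: Steps 1-3 of the summary and Step A.

Added example (not the patent's own code). The alpha/lambda constants, w_q weights,
P_IDS value and the sample Snort-style alarms are assumptions chosen within the
ranges the description gives; the five membership functions, formulas (1) and (2)
and the fusion by Dempster's rule follow the text.
"""
from collections import defaultdict
from itertools import product

ALPHA = (10, 15, 20)           # alpha_1..3 for the alarm count A_k (assumed, in range)
LAMBDA = (2, 6, 8)             # lambda_1..3 for the alarm-type count B_k (assumed)
PHI = 3                        # Snort convention: P_r0 = 4 - Priority, phi = 3
P_IDS = 0.9                    # overall detection precision of the IDS (assumed)
W = (0.6, 0.7, 0.8, 0.9, 0.9)  # correction factors, w5 >= w4 >= w3 >= w2 >= w1


def count_memberships(x, c1, c2, c3):
    """(mu_q1, mu_q2) for a count-type factor: the A_k and B_k formulas."""
    mu1 = (c2 - x) / c2 if x <= c2 else 0.0
    if x <= c1:
        mu2 = 0.0
    elif x <= c3:
        mu2 = (x - c1) / (c3 - c1)
    else:
        mu2 = 1.0
    return mu1, mu2


def severity_memberships(p_r0, phi=PHI):
    """(mu_41, mu_42) for the attack severity P_r0."""
    mu1 = (phi - p_r0) / phi if p_r0 <= phi else 0.0
    mu2 = p_r0 / phi if p_r0 <= phi else 1.0
    return mu1, mu2


def bpa(mu, w, p_ids=P_IDS):
    """Formulas (1) and (2): mass on V1 (safe), V2 (at risk) and theta (ignorance)."""
    denom = sum(mu) + 1 - w * p_ids
    m_v1, m_v2 = mu[0] / denom, mu[1] / denom
    return {"V1": m_v1, "V2": m_v2, "theta": 1.0 - m_v1 - m_v2}


def dempster(m1, m2):
    """Dempster's rule of combination on the frame {V1, V2}; theta is the whole frame."""
    fused, conflict = defaultdict(float), 0.0
    for (a, pa), (b, pb) in product(m1.items(), m2.items()):
        if a == b or b == "theta":
            fused[a] += pa * pb          # A & A = A, A & theta = A
        elif a == "theta":
            fused[b] += pa * pb          # theta & B = B
        else:
            conflict += pa * pb          # V1 & V2 is empty: conflicting evidence
    return {key: mass / (1.0 - conflict) for key, mass in fused.items()}


def group_threads(alarms):
    """Step 2: aggregate alarms into threads keyed by (source IP, destination IP)."""
    threads = defaultdict(list)
    for alarm in alarms:
        threads[(alarm["src"], alarm["dst"])].append(alarm)
    return threads


def thread_parameters(thread):
    """Step 3: the five objective parameters of one thread (latest alarm last)."""
    latest = thread[-1]
    return {"A_k": len(thread),
            "B_k": len({a["sid"] for a in thread}),
            "C_k0": latest["confidence"],
            "P_r0": 4 - latest["priority"],
            "R_s0": latest["relevance"]}


def risk_index(p):
    """RI_s^k = m^k(V2) after fusing the five factors with Dempster's rule."""
    mus = [count_memberships(p["A_k"], *ALPHA),
           (1.0 - p["C_k0"], p["C_k0"]),
           count_memberships(p["B_k"], *LAMBDA),
           severity_memberships(p["P_r0"]),
           (1.0 - p["R_s0"], p["R_s0"])]
    fused = bpa(mus[0], W[0])
    for mu, w in zip(mus[1:], W[1:]):
        fused = dempster(fused, bpa(mu, w))
    return fused["V2"]


def assess(alarms):
    """Risk index per alarm thread for a batch of alarms."""
    return {key: risk_index(thread_parameters(t)) for key, t in group_threads(alarms).items()}


# Constructed sample alarms (not real IDS output): one quiet thread, one multi-step attack.
SAMPLE_ALARMS = (
    [{"src": "198.51.100.7", "dst": "192.0.2.10", "sid": 1000001, "priority": 3,
      "confidence": 0.2, "relevance": 0.1}]
    + [{"src": "203.0.113.5", "dst": "192.0.2.10", "sid": 1000010 + (i % 9), "priority": 1,
        "confidence": 0.9, "relevance": 0.9} for i in range(25)]
)

if __name__ == "__main__":
    for (src, dst), ri in assess(SAMPLE_ALARMS).items():
        print(f"{src} -> {dst}: RI = {ri:.4f}")
```

Because every factor's ignorance mass is $1-w_q P_{IDS}$ scaled by the denominator of formula (1), a single noisy factor cannot drive $RI_s^k$ to the threshold on its own; it is the agreement of several factors that Dempster's rule amplifies, which is the behaviour the false-alarm experiment later in the description relies on.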
Step B: realization of risk balancing
Risk balancing is realized by transferring the access service process between hosts of different types. The decision model is as follows:
Let the risk threshold be $T_t$. When $RI_k<T_t$, the risk that intrusion process $k$ poses to the server host is within the safe tolerance range; the service process is not transferred, and the existing server host continues to serve process $k$.
When $RI_k\ge T_t$, the risk that intrusion process $k$ poses to the server host exceeds the safe tolerance range; the service process is transferred, and a host of a different type from the existing server serves process $k$.
Drawing on load-balancing methods, the risk-balancing mechanisms implemented so far are as follows:
Proxy risk balancing. In this mode the risk balancer acts as the service intermediary for two or more servers (the server farm): all service requests addressed to the farm first arrive at the risk balancer, which decides how to distribute them.
NAT risk balancing. The risk balancer is the entry and exit point of the whole server farm. When a service request arrives, the risk balancer uses network address translation (NAT) to rewrite the legitimate destination address and port of the request packet into the private address and port of a particular server in the farm and forwards the packet to that server; the server processes the request and responds, and the response packets must return through the risk balancer.
Besides these mechanisms, protocol-based load balancing, hybrid load balancing and similar methods can also serve as references. Like a load balancer, the risk balancer may also be deployed inline (INLINE), on a single parallel path (ONE-ARM) or on two parallel paths (SIDE-ARM).
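An added example of the Step B decision model and the NAT risk-balancing mechanism, not code from the patent: a per-thread risk balancer that keeps each client on the default host while $RI_k<T_t$, moves the client's thread to a host of a different platform once $RI_k\ge T_t$, and renders the corresponding destination translation as an iptables DNAT rule. The addresses, the server descriptions and the use of iptables to express the translation are assumptions; the rules are only rendered as strings here, never executed. $T_t=0.8$ is the value the experiments below use.

```python
"""Risk balancer decision (Step 4 / Step B): per-thread service platform switching by NAT.

Added example (not the patent's own code). Addresses, server descriptions and the iptables
DNAT syntax used to express the translation are assumptions; rules are rendered as strings
and never executed. T_t = 0.8 is the threshold the experiments use.
"""
from dataclasses import dataclass, field

T_T = 0.8  # risk threshold T_t


@dataclass(frozen=True)
class Server:
    name: str
    platform: str   # e.g. "windows/iis" or "linux/apache"; a transfer targets another platform
    addr: str       # private address inside the server farm
    port: int


@dataclass
class RiskBalancer:
    """Inline NAT-mode risk balancer: entry and exit point of the server farm."""
    vip: str                 # the legitimate (public) service address clients connect to
    vport: int
    default: Server          # serves every thread until that thread's risk reaches T_t
    alternates: list         # identical content on other platforms
    threshold: float = T_T
    assignment: dict = field(default_factory=dict)   # client IP -> Server

    def backend_for(self, client_ip):
        return self.assignment.get(client_ip, self.default)

    def on_risk(self, client_ip, ri):
        """Intrusion response decision for thread k, identified here by its client IP.

        RI_k <  T_t: risk within tolerance, keep serving from the current host.
        RI_k >= T_t: transfer the service process to a host of a different platform.
        Returns (serving host, DNAT rule to install or None).
        """
        current = self.backend_for(client_ip)
        if ri < self.threshold:
            return current, None
        for candidate in self.alternates:
            if candidate.platform != current.platform:
                self.assignment[client_ip] = candidate
                return candidate, self.dnat_rule(client_ip, candidate)
        return current, None   # no host of another platform: nothing to transfer to

    def dnat_rule(self, client_ip, server):
        """NAT mode: rewrite the legitimate destination address/port of this client's
        request packets to the chosen server's private address/port. Because the
        balancer is the farm's inline gateway, replies traverse it and the connection
        tracker reverses the translation, so responses return through the balancer."""
        return (f"iptables -t nat -I PREROUTING -s {client_ip} -d {self.vip} -p tcp "
                f"--dport {self.vport} -j DNAT --to-destination {server.addr}:{server.port}")


def replay(balancer, client_ip, risk_trace):
    """Feed the successive RI values of one thread and record which host serves it."""
    return [balancer.on_risk(client_ip, ri)[0].name for ri in risk_trace]


if __name__ == "__main__":
    host_a = Server("A", "windows/iis", "10.0.0.11", 80)
    host_b = Server("B", "linux/apache", "10.0.0.12", 80)
    rb = RiskBalancer("203.0.113.10", 80, host_a, [host_b])
    # Constructed risk trace modelled on the IIS experiment: the scan stage stays
    # below T_t, the overflow stage exceeds it.
    print(replay(rb, "198.51.100.7", [0.31, 0.7191, 0.9823]))
    print(rb.dnat_rule("198.51.100.7", host_b))
```

Only the offending client's thread is translated; other clients keep being served by the default host, which is what limits the response to the scope of one intrusion process rather than the whole service.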
In the system shown in Fig. 3, the risk balancer is realized in NAT mode and deployed inline. To obtain a good intrusion detection effect, a hub is used to interconnect all devices. The network-based IDS deployed is Snort. The server cluster consists of two hosts: web host A runs Windows 2000 with IIS 5.0 as its Web service, and host B runs Red Hat Linux 9.0 with Apache. The two servers provide Web services with identical content to the external network, and by default the service is provided by web host A. Host-based IDSs and the Agent of this system are also deployed on the servers. The console host performs integrated processing of all IDS alarms, risk assessment and response decision-making, and sends response commands to the risk balancer, which transfers the service process. The risk threshold set in the system is $T_t=0.8$.
A vertical scan is performed first, from a computer on the external network against the Web server. Because the default server is A, all scanning probe packets are forwarded by the balancer to server A. The vertical scan not only probes the state of all TCP ports of the server host to obtain the open services, but also uses protocols such as NETBIOS and SNMP to collect sensitive information about the target host, such as its operating system, local groups, users and registry. The alarms produced in the experiment were processed and their risk computed; the result is shown in Fig. 4.
The maximum risk produced is 0.7191, which does not reach the risk threshold ($RI_k<T_t$), so the risk balancer does not transfer the service process. When the Web service is accessed from the external network by the computer that performed the scan, the page shown in Fig. 5 is obtained, showing that the Web service is still provided by server A.
Next is a multi-step intrusion experiment exploiting a buffer overflow vulnerability in Idq.dll of IIS 5.0. First, scanning tools and network commands are used from the external network to scan the remote servers of the experimental subnet and obtain operating system and Web service version information; then the IISIDQ intrusion tool performs the overflow attack; finally the NC tool is used to obtain a connection with administrator privileges. The risk trend of the intrusion process is shown in Fig. 6: after the overflow attack stage, the host risk rises sharply to 0.9823, exceeding the risk threshold.
At this point, when the attacking computer on the external network accesses the intranet Web server, it obtains the page shown in Fig. 7, showing that the risk balancer has switched the service process: any service request from the external attacking computer is no longer handled by host A but by host B. Although the overflow in IIS on host A has occurred, the intruder cannot connect with NC and cannot carry out deeper intrusion against host A; and since the service platform after the switch (Linux+Apache) does not have the Idq.dll vulnerability, even if the intruder runs IISIDQ again the overflow attack achieves nothing.
In addition, an intrusion prevention experiment on an FTP server was carried out with the risk balancer. Server A in Fig. 3 was configured as Windows 2000 + Serv-U FTP 5.0 and server B as Linux 9.0 + VSFtpd, both with identical file service content, and by default the FTP service was provided by server A. The intrusion process against the MDTM overflow vulnerability of Serv-U FTP has three parts: first, service scanning to obtain the FTP server software name and version; second, a weak-password attack to obtain an FTP username and password (a precondition for intruding with the MDTM attack tool); third, the overflow attack with the MDTM attack tool. The risk trend assessed over the whole intrusion thread is shown in Fig. 8. Already in the weak-password attack stage the risk of the intrusion thread exceeded 0.8, which caused the risk balancer to switch the service platform; after the switch the FTP service is provided by server B, and since VSFtpd does not have the MDTM vulnerability, the overflow attack with the MDTM attack tool cannot succeed.
The experiments showed that, through the integrated alarm processing, the system filtered out most false alarms well; even for alarm threads formed by false alarms that were not filtered out, the risk is usually not high and not enough to make the risk balancer transfer the service thread. Fig. 9 shows the risk assessment result for a thread made up of 20 false alarms; its risk is very small (the maximum risk index is only 0.28). Even if such a false-alarm thread did cause the risk balancer to switch the service platform, the "misunderstood" user would still obtain the corresponding network service. The system therefore not only has good tolerance and noise resistance to false alarm events but also reduces the negative effects of response well.
In the experiments, the intrusion detection part, the risk assessment and response decision-making part (including integrated alarm processing) and the risk balancing execution part were deployed in a distributed manner, which solved various network communication and host processing bottlenecks well. If a dedicated hardware chip were developed, the system could also be deployed centrally as a UTM. In a high-bandwidth network environment the ideal deployment and usage is shown in Fig. 10.
The experiments show that risk balancing does not directly block the intrusion; by switching the service platform it removes a necessary condition for the intrusion to succeed, achieving defense against the intrusion while continuing to provide the service to the user. This response mode, which changes "blocking" into "diverting", resolves the contradiction between the effectiveness of intrusion response and its negative effects well, and eliminates the impact on intrusion response of IDS false alarms, missed alarms and duplicated alarms. Risk balancing realizes dynamic security defense, is in line with the development trend of network security technology, and is a network security defense method worth promoting.

Claims (6)

1. A network server defense method based on risk balancing, whose steps comprise:
(1) using a hierarchical online risk assessment system for network intrusions to quantify the risk of an alarm process;
(2) using the quantified risk index to make the parameter decisions of the risk balancing system and realize the transfer of risk.
2. The method of claim 1, characterized in that the risk is quantified by dynamic multi-level risk assessment of network intrusions, as follows:
(1) the integrated alarm processing module performs alarm verification, correlation and filtering on the alarms, forms alarm threads, and learns and computes, for the alarms of the same attack process, the alarm relevance, alarm severity, number of alarms in the thread, number of alarm types and confidence;
(2) D-S evidence theory is used to fuse these and compute the service-level intrusion risk index.
3. The method of claim 2, characterized in that the five factors most strongly correlated with the attacker are obtained by integrated processing of the alarm information. These five factors are:
(1) the number of alarms in the alarm thread (Amount of alerts), $A_k$; this parameter expresses the intensity of the intrusion and, from another angle, also reflects how certain the intrusion is; its value is obtained from the alarm correlation module;
(2) the attack confidence indicated by the latest alarm in thread $k$ (Alert confidence), $C_{k0}\in[0,1]$; it expresses the probability that the anomalous activity indicated by the alarm is a real attack, and is obtained from the alarm confidence learning module of this system;
(3) the number of alarm types in the alarm thread (Number of alert types), $B_k$; this parameter partly reflects the progress of the intrusion, since as the intrusion advances it produces more kinds of alarms and the threat to the target service becomes more serious, and it also reflects the intruder's skill; its value is obtained from the alarm correlation module;
(4) the attack severity (Rank of alert severity), $P_{r0}$, the severity of the attack indicated by the latest alarm in thread $k$; the value is taken directly from the alarm, since most IDSs express attack severity through a parameter such as an alert level and specify which levels are moderately serious, serious and very serious;
(5) the relevance between the attack and the attacked target (Alert relevance score), $R_{s0}\in[0,1]$, the degree to which the target conditions required by the latest attack in the thread match the actual target; its value is obtained from the alarm verification module.
4. The method of claim 2, characterized in that D-S evidence theory is used to fuse the above five factors most strongly correlated with the attacker, giving an objective assessment of the risk caused by the intrusion, and the service-level intrusion risk is then assessed in combination with the importance of the target asset.
5. The method of claim 4, in which fuzzy membership functions are first used to obtain the basic probability assignment function of each focal element, and the judgements of the five assessment factors on the security risk are then fused; each target host in the protected network is given a corresponding importance according to the nature of the services it runs, and the target risk distribution is determined from the target importance.
6. The method of claim 1, characterized in that the quantified risk index is used to make the parameter decisions of the risk balancing system, and the system uses network address translation (NAT): the legitimate destination address and port of the access request packet are translated into the private address and port of a particular server in the server farm and the packet is forwarded to that server; the server processes the access request and responds, and the response packets must return through the risk balancer.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN2011104224135A CN102387163A (en) 2011-12-16 2011-12-16 Network server defense method based on risk balance

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN2011104224135A CN102387163A (en) 2011-12-16 2011-12-16 Network server defense method based on risk balance

Publications (1)

Publication Number Publication Date
CN102387163A true CN102387163A (en) 2012-03-21

Family

ID=45826137

Family Applications (1)

Application Number Title Priority Date Filing Date
CN2011104224135A Pending CN102387163A (en) 2011-12-16 2011-12-16 Network server defense method based on risk balance

Country Status (1)

Country Link
CN (1) CN102387163A (en)

Cited By (13)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102916940A (en) * 2012-09-19 2013-02-06 浪潮(北京)电子信息产业有限公司 Method and system for realizing network safety of cloud data center
CN103368841A (en) * 2012-03-29 2013-10-23 深圳市腾讯计算机系统有限公司 Message forwarding method and device thereof
CN103384242A (en) * 2013-03-15 2013-11-06 中标软件有限公司 Intrusion detection method and system based on Nginx proxy server
CN106209426A (en) * 2016-06-28 2016-12-07 北京北信源软件股份有限公司 A kind of server load state assessment analysis method and system based on D S evidence theory
CN106716953A (en) * 2014-09-10 2017-05-24 霍尼韦尔国际公司 Dynamic quantification of cyber-security risks in a control system
CN106936620A (en) * 2015-12-31 2017-07-07 北京神州泰岳软件股份有限公司 The processing method and processing unit of a kind of alarm event
CN107194571A (en) * 2017-05-18 2017-09-22 武汉烽火技术服务有限公司 A kind of communication equipment Method about Spares Amount Calculating controlled based on risk quantification
CN108363926A (en) * 2017-10-19 2018-08-03 北京安天网络安全技术有限公司 A kind of loophole defence method and system
CN108667642A (en) * 2017-03-30 2018-10-16 穆成坡 A kind of risk balance device of the server based on risk assessment
CN105264861B (en) * 2013-03-29 2019-02-12 英国电讯有限公司 Method and apparatus for detecting multistage event
CN109543463A (en) * 2018-10-11 2019-03-29 平安科技(深圳)有限公司 Data Access Security method, apparatus, computer equipment and storage medium
CN110086806A (en) * 2019-04-26 2019-08-02 中国南方电网有限责任公司 A kind of scanning system of plant stand device systems loophole
CN113678070A (en) * 2019-01-31 2021-11-19 摩根士丹利服务集团有限公司 Minimizing response to exposure through artificial intelligence

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
晏丰: "Research and design of a risk-based automatic intrusion response system", Network Security Technology & Application *
穆成坡 et al.: "Hierarchical online risk assessment of intrusion processes", Journal of Computer Research and Development *

Cited By (21)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103368841A (en) * 2012-03-29 2013-10-23 深圳市腾讯计算机系统有限公司 Message forwarding method and device thereof
CN103368841B (en) * 2012-03-29 2016-08-17 深圳市腾讯计算机系统有限公司 Message forwarding method and device
CN102916940A (en) * 2012-09-19 2013-02-06 浪潮(北京)电子信息产业有限公司 Method and system for realizing network safety of cloud data center
CN103384242A (en) * 2013-03-15 2013-11-06 中标软件有限公司 Intrusion detection method and system based on Nginx proxy server
CN103384242B (en) * 2013-03-15 2016-12-28 中标软件有限公司 Intrusion detection method based on Nginx proxy server and system
CN105264861B (en) * 2013-03-29 2019-02-12 英国电讯有限公司 Method and apparatus for detecting multistage event
CN106716953B (en) * 2014-09-10 2020-06-12 霍尼韦尔国际公司 Dynamic quantification of cyber-security risks in a control system
CN106716953A (en) * 2014-09-10 2017-05-24 霍尼韦尔国际公司 Dynamic quantification of cyber-security risks in a control system
CN106936620B (en) * 2015-12-31 2020-09-01 北京神州泰岳软件股份有限公司 Alarm event processing method and processing device
CN106936620A (en) * 2015-12-31 2017-07-07 北京神州泰岳软件股份有限公司 The processing method and processing unit of a kind of alarm event
CN106209426B (en) * 2016-06-28 2019-05-21 北京北信源软件股份有限公司 A kind of server load state assessment analysis method and system based on D-S evidence theory
CN106209426A (en) * 2016-06-28 2016-12-07 北京北信源软件股份有限公司 A kind of server load state assessment analysis method and system based on D S evidence theory
CN108667642A (en) * 2017-03-30 2018-10-16 穆成坡 A kind of risk balance device of the server based on risk assessment
CN108667642B (en) * 2017-03-30 2021-11-02 穆成坡 Risk equalizer of server based on risk assessment
CN107194571A (en) * 2017-05-18 2017-09-22 武汉烽火技术服务有限公司 A kind of communication equipment Method about Spares Amount Calculating controlled based on risk quantification
CN108363926A (en) * 2017-10-19 2018-08-03 北京安天网络安全技术有限公司 A kind of loophole defence method and system
CN109543463A (en) * 2018-10-11 2019-03-29 平安科技(深圳)有限公司 Data Access Security method, apparatus, computer equipment and storage medium
CN109543463B (en) * 2018-10-11 2023-12-22 平安科技(深圳)有限公司 Data security access method, device, computer equipment and storage medium
CN113678070A (en) * 2019-01-31 2021-11-19 摩根士丹利服务集团有限公司 Minimizing response to exposure through artificial intelligence
US11360442B2 (en) 2019-01-31 2022-06-14 Morgan Stanley Services Group Inc. Exposure minimization response by artificial intelligence
CN110086806A (en) * 2019-04-26 2019-08-02 中国南方电网有限责任公司 A kind of scanning system of plant stand device systems loophole

Similar Documents

Publication Publication Date Title
CN102387163A (en) Network server defense method based on risk balance
CN109698819B (en) Threat disposal management method and system in network
CN110620759B (en) Multi-dimensional association-based network security event hazard index evaluation method and system
EP3528462A1 (en) A method for sharing cybersecurity threat analysis and defensive measures amongst a community
EP2619958B1 (en) Ip prioritization and scoring method and system for ddos detection and mitigation
CN100511159C (en) Method and system for addressing intrusion attacks on a computer system
CN111953679A (en) Intranet user behavior measurement method and network access control method based on zero trust
CN108289088A (en) Abnormal traffic detection system and method based on business model
Ganesh Kumar et al. Improved network traffic by attacking denial of service to protect resource using Z-test based 4-tier geomark traceback (Z4TGT)
KR20130058813A (en) Agent device and method for sharing security information based on anonymous identifier between security management domains
Fink et al. A metrics-based approach to intrusion detection system evaluation for distributed real-time systems
CN108667642A (en) A kind of risk balance device of the server based on risk assessment
CN102394766A (en) Intrusion process layering online risk assessment method
CN117081868B (en) Network security operation method based on security policy
Alsarhan et al. A novel scheme for malicious nodes detection in cloud markets based on fuzzy logic technique.
Ghanshala et al. BNID: a behavior-based network intrusion detection at network-layer in cloud environment
Rahman Detection of distributed denial of service attacks based on machine learning algorithms
AlZoubi et al. The effect of using honeypot network on system security
Ahmed et al. Security & privacy in software defined networks, issues, challenges and cost of developed solutions: a systematic literature review
Vokorokos et al. Sophisticated honeypot mechanism-the autonomous hybrid solution for enhancing computer system security
Kumar Mitigate volumetric DDoS attack using machine learning algorithm in SDN based IoT network environment
Abou Haidar et al. High perception intrusion detection system using neural networks
Hassanzadeh et al. Intrusion detection with data correlation relation graph
Aroua et al. A distributed and coordinated massive DDOS attack detection and response approach
Zhai et al. Network intrusion early warning model based on DS evidence theory

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C02 Deemed withdrawal of patent application after publication (patent law 2001)
WD01 Invention patent application deemed withdrawn after publication

Application publication date: 20120321