CN105227540A - An event-triggered MTD protection system and method - Google Patents

An event-triggered MTD protection system and method

Publication number: CN105227540A
Authority: CN (China)
Legal status: Granted
Application number: CN201510515982.2A
Other languages: Chinese (zh)
Other versions: CN105227540B (en)
Inventors: 闫兆腾, 黄伟武, 芦翔, 朱红松, 孙利民
Current assignee: Institute of Information Engineering of CAS
Original assignee: Institute of Information Engineering of CAS
Classifications

    • H04L63/14 Network architectures or network communication protocols for network security, for detecting or protecting against malicious traffic
    • H04L63/20 Network architectures or network communication protocols for network security, for managing network security; network security policies in general
    • G06F21/32 Security arrangements for protecting computers; user authentication using biometric data, e.g. fingerprints, iris scans or voiceprints

Abstract

The present invention relates to an event-triggered MTD (Moving Target Defense) protection system and method. The invention first judges whether a request packet is a fingerprint probe packet; if so, it further judges the probe type, compares the probe event to which the probe packet belongs against a prestored set of fingerprint probe events, and judges whether that probe event exists. If it exists, the corresponding characteristic value is modified by the established method; if it does not exist, the type of the characteristic value is judged and the value is modified according to its type. The modified characteristic value is then packaged into a response packet and returned to the probing side. The invention achieves the following: each time the defended target receives a fingerprint probe packet from the probing side, the characteristic corresponding to that probe item is automatically changed, so that the fingerprint characteristics collected by the probing side are wrong information and the target is deceived or confused as another device type, giving critical infrastructure equipment an effective protection mechanism against remote fingerprint identification.

Description

An event-triggered MTD protection system and method
Technical field
The present invention relates to the field of concealment protection for national critical infrastructure equipment, and in particular to an event-triggered MTD protection system and method.
Background art
At present, information technology systems run in configurations that are relatively static. For example, addresses, names, software stacks, networks and various configuration parameters remain relatively static over long periods. This static approach gives an attacker who intends to exploit the system sufficient time to search for, probe and identify information such as the version and configuration of the target system. The most representative example is operating system fingerprinting detection and identification (Operating System Fingerprinting Detection): by sending active or passive fingerprint probe packets to hosts on the network, the differing characteristics (features) are collected and the operating system in use is determined. Attackers usually treat this as one of the most important steps of information gathering before an attack.
The idea of MTD (Moving Target Defense) is a new concept proposed to increase the uncertainty and complexity of a system by controlling change across multiple system dimensions, thereby reducing the attacker's attack surface and making intrusion harder. Since MTD was proposed in 2011 it has gradually become a research hotspot in the field of system protection, and has been designated by the White House as one of four strategic cyberspace security protection technologies for future development.
As an important security protection concept, in recent years MTD has been applied not only to guarding software systems against vulnerability scanning and to preventing leakage of service and version information, but has also gradually gained wide adoption in countering remote operating system fingerprint probing and identification.
Research on MTD for guarding against operating system fingerprint identification in 2011 concentrated mainly on randomizing the IP address configuration within a certain period, so that the probing side cannot complete information gathering and probing within the time window before the IP of the target host changes. Research in 2013 began to apply MTD to remote operating system fingerprint identification, periodically modifying and protecting the characteristic values of the TCP protocol stack. However, periodic MTD protection itself has security defects and hidden dangers: if the probing side probes only one characteristic in each period and uses multiple periods to gather the probe results for every characteristic, the security mechanism and performance of the MTD protection system are greatly reduced. If, in addition, the probing side adopts distributed probing and information gathering, the attack surface faced by MTD becomes even harder to guard, the situation of countering fingerprint probing becomes more complex, and the defect of periodic MTD protection becomes more prominent.
Summary of the invention
The technical problem to be solved by the invention is, in view of the deficiencies of the prior art, to provide an event-triggered MTD protection system and method.
The technical scheme by which the invention solves the above technical problem is as follows: an event-triggered MTD protection system comprising a fingerprint probe packet decision system, a fingerprint probe event decision system and a characteristic value MTD modification system;
The fingerprint probe packet decision system receives a request packet sent by a client and judges whether it is a fingerprint probe packet; if so, it further judges the probe type of the fingerprint probe packet and calls the fingerprint probe event decision system, otherwise it directly returns a response packet;
The fingerprint probe event decision system judges whether the probe event to which the fingerprint probe packet belongs exists in the fingerprint probe event set of the corresponding probe type; if it exists, the characteristic value probed by that fingerprint probe event is passed to the characteristic value MTD modification system; otherwise the probe event of that type is defined as a newly added probe event, recorded and stored in the probe event set, and the characteristic value probed by that fingerprint probe event is passed to the characteristic value MTD modification system;
The characteristic value MTD modification system deceptively modifies the characteristic value that the fingerprint probe packet would probe, packages the modified characteristic value into a response packet and returns it to the probing side.
The beneficial effects of the invention are as follows: the invention first judges whether a request packet is a fingerprint probe packet; if so, it further judges the probe type, compares the probe event to which the probe packet belongs against the prestored set of fingerprint probe events, and judges whether that probe event exists. If it exists, the corresponding characteristic value is modified by the established method; if it does not exist, the type of the characteristic value is judged and the value is modified according to its type. The modified characteristic value is then packaged into a response packet and returned to the probing side. Each time the defended target (Target) receives a fingerprint probe packet from the probing side (Fingerprinter), the characteristic corresponding to that probe item is automatically changed, so that the fingerprint characteristics collected by the probing side are wrong information and the target is deceived or confused as another device type, giving critical infrastructure equipment an effective protection mechanism against remote fingerprint identification.
Another technical scheme by which the invention solves the above technical problem is as follows: an event-triggered MTD protection method comprising the following steps:
Step 1, receive a request packet sent by a client and judge whether it is a fingerprint probe packet; if so, further judge the probe type of the fingerprint probe packet and perform step 2, otherwise directly return a response packet and end the process;
Step 2, judge whether the probe event described by the fingerprint probe packet exists in the probe event set of the corresponding probe type; if it exists, perform step 3, otherwise define the probe event of that type as a newly added probe event, record and store it in the probe event set, and perform step 3;
Step 3, deceptively modify the characteristic value that the fingerprint probe packet would probe, package the modified characteristic value into a response packet and return it to the probing side.
Description of the drawings
Fig. 1 is a schematic diagram of the event-triggered MTD protection system of the invention;
Fig. 2 is a schematic diagram of the fingerprint probe packet decision system of the invention;
Fig. 3 is a schematic diagram of the fingerprint probe event decision system of the invention;
Fig. 4 is a schematic diagram of the characteristic value MTD modification system of the invention;
Fig. 5 is a flow chart of the event-triggered MTD protection method of the invention;
Fig. 6 is a program flow chart of the fingerprint probe packet decision system of the invention;
Fig. 7 is a program flow chart of the fingerprint probe event decision of the invention;
Fig. 8 is a program flow chart of the characteristic value MTD modification of the invention.
Embodiments
The principles and features of the invention are described below in conjunction with the drawings; the examples serve only to explain the invention and are not intended to limit its scope.
The present invention relates to an event-triggered MTD (Moving Target Defense) protection system and method for countering remote operating system fingerprinting (Remote Operating System Fingerprinting). By analysing operating system active fingerprinting methods and their probe packets, a probe event set is formulated, and an event-triggered MTD protection concept for hiding operating system characteristics is designed. Each time the defended target (Target) receives a fingerprint probe packet from the probing side (Fingerprinter), the characteristic corresponding to that probe item is automatically changed, so that the fingerprint characteristics collected by the probing side are wrong information and the target is deceived or confused as another device type, finally giving critical infrastructure equipment an effective protection mechanism against remote fingerprint identification.
As shown in Figure 1, the event-triggered MTD protection system comprises a fingerprint probing host (fingerprinter), a probed target host (target) and a fingerprint probe MTD protection system, where the fingerprint probe MTD protection system is deployed on the probed target host and comprises a fingerprint probe packet decision system, a fingerprint probe event decision system and a characteristic value MTD modification system.
The fingerprint probe packet decision system receives a request packet sent by a client and judges whether it is a fingerprint probe packet; if so, it further judges the probe type of the fingerprint probe packet and calls the fingerprint probe event decision system, otherwise it directly returns a response packet;
The fingerprint probe event decision system judges whether the probe event to which the fingerprint probe packet belongs exists in the fingerprint probe event set of the corresponding probe type; if it exists, the characteristic value probed by that fingerprint probe event is passed to the characteristic value MTD modification system; otherwise the probe event of that type is defined as a newly added probe event, recorded and stored in the probe event set, and the characteristic value probed by that fingerprint probe event is passed to the characteristic value MTD modification system;
The characteristic value MTD modification system deceptively modifies the characteristic value that the fingerprint probe packet would probe, packages the modified characteristic value into a response packet and returns it to the probing side.
As shown in Figure 2, the fingerprint probe packet decision system comprises a packet parsing module, a packet type judging module, a packet destination port judging module, a packet content judging module and a probe type judging module. The packet parsing module parses the received request packet: it strips the packet's encapsulation to inspect its header, destination address, destination port, packet type, packet content and so on, and supplies the source data for the subsequent judgements. The packet type judging module judges the protocol type of the request packet from the parsed packet; the packet destination port judging module judges the target port of the request packet from the parsed packet; the packet content judging module judges the content of the request packet from the parsed packet. The packet type judging module, packet destination port judging module and packet content judging module cooperate to judge whether the request packet is a regular service packet or a fingerprint probe packet. The probe type judging module further judges the probe type of the fingerprint probe packet.
The cooperative judgement of whether the request packet is a regular service packet or a fingerprint probe packet, and the further judgement of the probe type when it is a fingerprint probe packet, proceed as follows. The packet type judging module judges the protocol type of the request packet: if it is ICMP, the request packet is directly defined as a fingerprint probe packet and its probe type tag is set to ICMP; if it is TCP or UDP, the packet destination port judging module is called; if it is IP, the packet content judging module is called. The packet destination port judging module judges whether the target port of the request packet is open: if open, the packet content judging module is called; if closed, the request packet is defined as a fingerprint probe packet and its probe type tag is set to TCP or UDP. The packet content judging module judges whether the data part of the request packet is empty: if empty, the current request packet is defined as a fingerprint probe packet and its probe type tag is set to TCP, UDP or IP; if not empty, the current request packet is judged to be a regular service packet. The probe type judging module classifies fingerprint probe packets by protocol type into four type tags, ICMP, IP, TCP and UDP, and passes the fingerprint probe packet to the fingerprint probe event decision system for subsequent operations.
As shown in Figure 3, the fingerprint probe event decision system comprises a probe event database and a probe event classification module. The probe event database prestores the fingerprint probe event sets corresponding to fingerprint probe packets of the different protocol types (mainly IP, TCP, UDP and ICMP). The probe event classification module matches the probe event to which the fingerprint probe packet belongs against the fingerprint probe event set of the corresponding probe type: if a matching fingerprint probe event exists, it sends the characteristic value MTD modification system an instruction to modify the characteristic values of that fingerprint probe event; if no matching fingerprint probe event exists, it adds the probe event as a new event rule in the format of the probe event database and passes the characteristic value that the probe event would probe to the characteristic value MTD modification system.
The fingerprint probe event decision system also comprises a probe event definition module: when one fingerprint probe packet includes probing of multiple characteristic values, the probing of each characteristic value is defined as one fingerprint probe event, matched separately against the fingerprint probe event set, and the MTD modification of that characteristic value is carried out separately.
As shown in Figure 4, the characteristic value MTD modification system comprises a characteristic value type judging module and a characteristic value modification module. The characteristic value type judging module, on receiving a characteristic value sent by the fingerprint probe event decision system, judges whether the characteristic value that the fingerprint probe packet would probe is numeric or Boolean, and sends the result to the characteristic value modification module. The characteristic value modification module either, on receiving from the fingerprint probe event decision system the instruction to modify the characteristic values of a known fingerprint probe event, modifies the characteristic value by the established method, or, on receiving the judgement result from the characteristic value type judging module, modifies the characteristic value according to that result: if the characteristic value is numeric, a randomized modification is performed within a specified range; if it is Boolean, the current Boolean value is inverted or XORed. The modified result is encapsulated in the response packet format and returned to the probing side.
When the characteristic value is of Boolean type, the characteristic value MTD modification system can change it not only by inverting the current value but also by randomized application of operations such as NOT and XOR, which further frustrates fingerprint identification of the protected operating system through Boolean-type characteristic values. The probe event set is shown in Table 1.
Table 1
The core of the invention is judging whether the current packet is a probe packet and which type of probe it belongs to.
As shown in Figure 5, the event-triggered MTD protection method comprises the following steps:
Step 1, receive a request packet sent by a client and judge whether it is a fingerprint probe packet; if so, further judge the probe type of the fingerprint probe packet and perform step 2, otherwise directly return a response packet and end the process;
Step 2, judge whether the probe event described by the fingerprint probe packet exists in the probe event set of the corresponding probe type; if it exists, perform step 3, otherwise define the probe event of that type as a newly added probe event, record and store it in the probe event set, and perform step 3;
Step 3, deceptively modify the characteristic value that the fingerprint probe packet would probe, package the modified characteristic value into a response packet and return it to the probing side.
In step 1, whether the request packet is a regular service packet or a fingerprint probe packet is judged comprehensively from the protocol type, destination port and content of the request packet.
As shown in Figure 6, step 1 is implemented as follows:
Step 1.1: decapsulate the request packet;
Step 1.2: judge the protocol type of the request packet; if it is ICMP, directly define the request packet as a fingerprint probe packet and set its probe type tag to ICMP; if it is TCP or UDP, perform step 1.3; if it is IP, perform step 1.4;
Step 1.3: judge whether the target port of the request packet is open; if open, perform step 1.4; if closed, define the request packet as a fingerprint probe packet and set its probe type tag to TCP or UDP;
Step 1.4: judge whether the data part of the request packet is empty; if empty, define the current request packet as a fingerprint probe packet and set its probe type tag to TCP, UDP or IP; if not empty, judge the current request packet to be a regular service packet;
Step 1.5: classify fingerprint probe packets by protocol type into the four type tags ICMP, IP, TCP and UDP, and pass the fingerprint probe packet to the fingerprint probe event decision system for subsequent operations.
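The step 1 decision procedure (steps 1.1 to 1.5), written out as an added example in Python; this is not the patent's own code. It decapsulates constructed raw IPv4 packets, then applies the protocol, destination port and data part checks in the order the steps give. The names `parse_ipv4`, `classify_packet`, `OPEN_PORTS` and the sample packets in `SAMPLES` are assumptions of this example.

```python
"""Step 1 of the event-triggered MTD scheme: decide whether a request packet is a
fingerprint probe packet and tag its probe type (ICMP, IP, TCP or UDP).
Added illustration, not the patent's implementation."""
import struct
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

_PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}   # everything else is treated as "IP"


@dataclass
class Packet:
    proto: str                 # "ICMP", "TCP", "UDP" or "IP" (other IP payload)
    dst_port: Optional[int]    # None for protocols without ports
    payload: bytes             # the "data part" examined in step 1.4


def parse_ipv4(raw: bytes) -> Packet:
    """Packet parsing module (step 1.1): minimal decapsulation of an IPv4 packet."""
    ihl = (raw[0] & 0x0F) * 4
    total_len = struct.unpack("!H", raw[2:4])[0]
    proto = _PROTO_NAMES.get(raw[9], "IP")
    body = raw[ihl:total_len]
    if proto == "TCP":
        dst_port = struct.unpack("!H", body[2:4])[0]
        data_off = (body[12] >> 4) * 4          # TCP header length incl. options
        return Packet(proto, dst_port, body[data_off:])
    if proto == "UDP":
        dst_port = struct.unpack("!H", body[2:4])[0]
        return Packet(proto, dst_port, body[8:])
    if proto == "ICMP":
        return Packet(proto, None, body[8:])    # 8-byte ICMP header
    return Packet("IP", None, body)


def classify_packet(pkt: Packet, open_ports: Dict[str, Set[int]]) -> Tuple[bool, Optional[str]]:
    """Steps 1.2 to 1.5: return (is_probe, type_tag).

    ICMP      -> always a probe, tag ICMP                          (step 1.2)
    TCP/UDP   -> closed destination port => probe, tag TCP/UDP     (step 1.3)
                 open port and empty data part => probe            (step 1.4)
                 open port and non-empty data part => regular traffic
    other IP  -> empty data part => probe, tag IP                  (step 1.4)
    """
    if pkt.proto == "ICMP":
        return True, "ICMP"
    if pkt.proto in ("TCP", "UDP"):
        if pkt.dst_port not in open_ports.get(pkt.proto, set()):
            return True, pkt.proto
        return (True, pkt.proto) if len(pkt.payload) == 0 else (False, None)
    if len(pkt.payload) == 0:
        return True, "IP"
    return False, None


# --- constructed sample packets (assumed values, for this demonstration only) ---
def _ipv4(proto_num: int, body: bytes) -> bytes:
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(body), 0, 0, 64,
                      proto_num, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return hdr + body


def _tcp(dst_port: int, payload: bytes, flags: int = 0x02) -> bytes:
    # src port, dst port, seq, ack, data offset (5 words), flags, window, checksum, urgent ptr
    return struct.pack("!HHIIBBHHH", 40000, dst_port, 1, 0, 5 << 4, flags, 1024, 0, 0) + payload


def _udp(dst_port: int, payload: bytes) -> bytes:
    return struct.pack("!HHHH", 40000, dst_port, 8 + len(payload), 0) + payload


OPEN_PORTS = {"TCP": {80, 443}, "UDP": {53}}   # assumed open ports of the Target

SAMPLES = {
    "scene1_http_request": _ipv4(6, _tcp(80, b"GET / HTTP/1.0\r\n\r\n")),  # regular traffic
    "scene2_empty_syn":    _ipv4(6, _tcp(80, b"")),                         # TCP SYN probe
    "scene3_udp_closed":   _ipv4(17, _udp(31337, b"\x00")),                 # UDP to closed port
    "icmp_echo":           _ipv4(1, bytes(8)),                              # ICMP probe
    "gre_empty":           _ipv4(47, b""),                                  # other IP, empty data
}


def classify_raw(raw: bytes, open_ports=OPEN_PORTS) -> Tuple[bool, Optional[str]]:
    """Decapsulate and classify one raw IPv4 packet."""
    return classify_packet(parse_ipv4(raw), open_ports)


if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:22s} -> {classify_raw(raw)}")
```

Note that by step 1.4 an empty-payload SYN to an open port is treated as a probe, so a real deployment must keep the deceptive response consistent with the normal TCP handshake or legitimate connections will break.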
As shown in Figure 7, step 2 is implemented as follows:
The probe event to which the fingerprint probe packet belongs is matched against the fingerprint probe event set of the corresponding probe type; if a matching fingerprint probe event exists, an instruction to modify the characteristic values of that fingerprint probe event is sent to the characteristic value MTD modification system; if no matching fingerprint probe event exists, the probe event is added as a new event rule in the format of the probe event database and the characteristic value that the probe event would probe is passed to the characteristic value MTD modification system. The probe type tag of the fingerprint probe packet is matched against the probe event database: if the probe event is known, a switch-style match is performed and the corresponding MTD characteristic modification step is executed according to the tag type; for example, for a TCP probe event, the MTD characteristic modification is performed on characteristic values produced by the current TCP stack such as the initial sequence number (ISN). If the probe event is unknown, the current probe type is added as a new event rule in the format of the event database, and finally the characteristic that this probe type would probe is passed to the characteristic value MTD modification system of the next step.
Step 2 also includes: when one fingerprint probe packet includes probing of multiple characteristic values, the probing of each characteristic value is defined as one fingerprint probe event, matched separately against the fingerprint probe event set, and the MTD modification of that characteristic value is carried out separately. A fingerprint probe packet may simultaneously probe several characteristic values under one protocol; the main idea of the invention is to define the probing of each characteristic value as one event, so that the judgement and MTD deception modification of each probe event are decoupled from the other independent events, which greatly reduces the possibility that a tool such as Nmap, which combines the results of multiple probe events, detects the correct fingerprint of the current operating system.
As shown in Figure 8, step 3 is implemented as follows:
Step 3.1: on receiving from the fingerprint probe event decision system the instruction to modify the characteristic values of a known fingerprint probe event, modify the characteristic value by the established method and perform step 3.3; on receiving a characteristic value sent by the fingerprint probe event decision system, judge whether the characteristic value that the fingerprint probe packet would probe is numeric or Boolean and perform step 3.2;
Step 3.2: if the characteristic value is numeric, perform a randomized modification within a specified range; if the characteristic value is Boolean, invert or XOR the current Boolean value; perform step 3.3;
Step 3.3: package the modified characteristic value into a response packet and return it to the probing side.
By randomizing the current characteristic value within a range that does not affect normal system operation, the probe result follows no rule from one probe to the next, so the probe results are confused.
Using the event-triggered MTD protection system of the invention, a protected host can deceive and confuse the operating system fingerprint probing and identification of an attacker. According to the communication process between the protected host and other hosts, all protection processes fall into three general scenes:
Scene 1 (regular service data communication): the Client requests a TCP connection to the Target with the relevant protocol; the MTD protection system detects and confirms that the current packet is not a probe packet and returns a normal response packet to the Client;
Scene 2 (TCP): the probing side Fingerprinter sends a TCP SYN probe packet with an empty data part to the target host Target; the MTD protection system detects and confirms that the current packet is a probe packet, triggers the fingerprint identification MTD system, modifies the characteristic values of the corresponding probe, and returns the encapsulated response to the Fingerprinter;
Scene 3 (UDP): the probing side Fingerprinter sends a UDP probe packet whose target port is closed on the Target host; the MTD protection system detects and confirms that the current packet is a probe packet, triggers the fingerprint identification MTD system, modifies the port probed by the corresponding probe event so that it appears open, and returns the corresponding encapsulated UDP packet to the Fingerprinter.
Scene 1: a normal Client request establishes communication with the target host without triggering the MTD protection mechanism; the specific steps are as follows:
1) the Client first sends a TCP SYN packet to the target host Target;
2) the Target decapsulates the packet through the packet parsing module of the event-triggered MTD protection system;
3) the packet type judging module identifies the current packet as TCP protocol type;
4) the packet content judging module identifies that the content of the current TCP packet is not empty, so it is not a probe packet and the probe event detection and protection mechanism need not be triggered;
5) finally the TCP SYN packet is handled as a regular service packet type and an ACK+SYN packet is returned.
Scene 2: the Target resists the TCP SYN probe packet of the Fingerprinter; the specific steps are as follows:
1) the Fingerprinter sends a TCP SYN probe packet to the target host Target, in which the data part is empty;
2) the Target decapsulates the packet through the packet parsing module of the event-triggered MTD protection system;
3) the packet type judging module identifies the current packet as TCP protocol type;
4) the packet destination port judging module identifies that the target port of the current packet is open;
5) the packet content judging module identifies that the content of the current TCP packet is empty, and therefore judges it to be a probe packet, triggering the probe event detection and protection mechanism;
6) the packet feature judging module defines the type tag of the current probe packet as a TCP SYN probe and passes the parameters to the fingerprint probe event decision system;
7) the fingerprint probe event decision system, according to the TCP SYN probe in the tag of the probe packet, matches against the probe event database and learns that the current probe event is a currently known probe event;
8) the fingerprint probe event decision system performs a switch-style match; the characteristic values corresponding to the current TCP SYN probe event include ISN (initial sequence number, 32 bit), ACK number (32 bit), urgent pointer (16 bit), window size (16 bit), SYN (1 bit) in flags and checksum (16 bit), and these parameters are passed to the characteristic value MTD modification system;
9) the characteristic value MTD modification system judges whether each of the characteristics ISN, ACK number, urgent pointer, window size, SYN (1 bit) in flags and checksum is Boolean, and judges that only SYN (1 bit) in flags is Boolean while the other characteristics are all numeric;
10) the characteristic value MTD modification system inverts the SYN value in the current flags and performs randomized computation of the values of the other characteristics;
11) the characteristic value MTD modification system packages the modified characteristic values into an ACK+SYN and returns it to the Fingerprinter.
Scene 3: Target resists a UDP probe packet sent by the Fingerprinter to a closed target port. The operation is as follows:
1) The Fingerprinter sends a UDP probe packet to the target host Target; its target port is a closed port of Target;
2) Target decapsulates the packet with the packet parsing module of the event-triggered MTD protection system;
3) The packet type judging module identifies the current packet as a UDP packet;
4) The packet destination port judging module finds that the target port of the current packet is closed and defines the current packet as a probe packet;
5) The packet feature judging module sets the type tag of the current probe packet to UDP probe and passes the parameters to the fingerprint probe event decision system;
6) After the match, the fingerprint probe event decision system determines the characteristic values probed by the current UDP probe event: IPID (identification, 16 bits) and length (16 bits), and passes these parameters to the characteristic value MTD modification system;
7) The characteristic value MTD modification system judges whether IPID and length are Boolean; both characteristics are numeric;
8) The characteristic value MTD modification system randomizes the values of the current characteristics;
9) The characteristic value MTD modification system encapsulates the modified characteristic values into the UDP response packet and returns it to the Fingerprinter.
The foregoing is only a preferred embodiment of the present invention and is not intended to limit it; any modification, equivalent replacement or improvement made within the spirit and principles of the present invention shall fall within its scope of protection.

Claims (12)

1. An event-triggered MTD protection system, characterized in that it comprises a fingerprint probe packet decision system, a fingerprint probe event decision system and a characteristic value MTD modification system;
The fingerprint probe packet decision system receives a request packet sent by a client and judges whether it is a fingerprint probe packet; if so, it further judges the probe type of the fingerprint probe packet and calls the fingerprint probe event decision system, otherwise it returns the response packet directly;
The fingerprint probe event decision system judges whether the probe event to which the fingerprint probe packet belongs exists in the fingerprint probe event set of the corresponding probe type; if it exists, the characteristic values probed by the fingerprint probe event are passed to the characteristic value MTD modification system, otherwise the probe event of this type is defined as a newly added probe event, recorded and stored in the probe event set, and the characteristic values probed by the fingerprint probe event are passed to the characteristic value MTD modification system;
The characteristic value MTD modification system deceptively modifies the characteristic values that the fingerprint probe packet would detect, encapsulates the modified characteristic values into a response packet and returns it to the fingerprinting party.
2. The event-triggered MTD protection system according to claim 1, characterized in that the fingerprint probe packet decision system comprises a packet parsing module, a packet type judging module, a packet destination port judging module, a packet content judging module and a probe type judging module;
The packet parsing module parses the received request packet;
The packet type judging module judges the protocol type of the request packet from the parsed request packet;
The packet destination port judging module judges the target port of the request packet from the parsed request packet;
The packet content judging module judges the content of the request packet from the parsed request packet;
The packet type judging module, the packet destination port judging module and the packet content judging module cooperate to judge whether the request packet is a regular traffic packet or a fingerprint probe packet;
The probe type judging module further judges the probe type of the fingerprint probe packet.
3. The event-triggered MTD protection system according to claim 2, characterized in that the packet type judging module, the packet destination port judging module and the packet content judging module cooperate to judge whether the request packet is a regular traffic packet or a fingerprint probe packet and, when it is judged to be a fingerprint probe packet, further judge its probe type, specifically as follows:
The packet type judging module judges the protocol type of the request packet: if it is ICMP, the request packet is defined directly as a fingerprint probe packet and its probe type tag is set to ICMP; if it is TCP or UDP, the packet destination port judging module is called; if it is IP, the packet content judging module is called;
The packet destination port judging module judges whether the target port in the request packet is open: if open, the packet content judging module is called; if closed, the request packet is defined as a fingerprint probe packet and its probe type tag is set to TCP or UDP;
The packet content judging module judges whether the data portion of the request packet is empty: if empty, the current request packet is defined as a fingerprint probe packet and its probe type tag is set to TCP, UDP or IP; if not empty, the current request packet is judged to be a regular traffic packet;
The probe type judging module classifies fingerprint probe packets by protocol type into four type tags, ICMP, IP, TCP and UDP, and passes the fingerprint probe packet to the fingerprint probe event decision system for subsequent operation.
4. The event-triggered MTD protection system according to claim 1, characterized in that the fingerprint probe event decision system comprises a probe event database and a probe event classification module;
The probe event database pre-stores the fingerprint probe event sets corresponding to fingerprint probe packets of the different protocol types;
The probe event classification module matches the probe event to which the fingerprint probe packet belongs against the fingerprint probe event set of the corresponding probe type; if a matching fingerprint probe event exists, it sends the characteristic value MTD modification system an instruction to perform the characteristic value modification for that class of fingerprint probe event; if no matching fingerprint probe event exists, it adds the probe event as a new event rule in the format of the probe event database and passes the characteristic values the probe event would detect to the characteristic value MTD modification system.
5. The event-triggered MTD protection system according to claim 4, characterized in that the fingerprint probe event decision system also comprises a probe event definition module which, when one fingerprint probe packet includes the probing of multiple characteristic values, defines the probing of each characteristic value as one fingerprint probe event, matches each separately against the fingerprint probe event set, and performs the MTD modification of each characteristic value separately.
6. The event-triggered MTD protection system according to claim 1, characterized in that the characteristic value MTD modification system comprises a characteristic value type judging module and a characteristic value modification module;
The characteristic value type judging module, on receiving the characteristic values sent by the fingerprint probe event decision system, judges whether each characteristic value the fingerprint probe packet would detect is numeric or Boolean and sends the result to the characteristic value modification module;
The characteristic value modification module, on receiving from the fingerprint probe event decision system an instruction to perform the characteristic value modification for a class of fingerprint probe event, modifies the characteristic value according to the established method; or, on receiving the result from the characteristic value type judging module, modifies the characteristic value according to that result: if the characteristic value is numeric, it is randomized within a specified range; if it is Boolean, the current Boolean value is inverted or XORed; the modified result is encapsulated in the response packet format and returned to the fingerprinting party.
7. An event-triggered MTD protection method, characterized in that it comprises the following steps:
Step 1: receive a request packet sent by a client and judge whether it is a fingerprint probe packet; if so, further judge the probe type of the fingerprint probe packet and perform step 2; otherwise return the response packet directly and end the process;
Step 2: judge whether the probe event to which the fingerprint probe packet belongs exists in the probe event set of the corresponding probe type; if it exists, perform step 3; otherwise define the probe event of this type as a newly added probe event, record and store it in the probe event set, and perform step 3;
Step 3: deceptively modify the characteristic values the fingerprint probe packet would detect, encapsulate the modified characteristic values into a response packet and return it to the fingerprinting party.
8. The event-triggered MTD protection method according to claim 7, characterized in that in step 1 the request packet is judged to be a regular traffic packet or a fingerprint probe packet by considering together the protocol type, destination port and content of the request packet.
9. The event-triggered MTD protection method according to claim 8, characterized in that step 1 is implemented as follows:
Step 1.1: decapsulate the request packet;
Step 1.2: judge the protocol type of the request packet; if it is ICMP, define the request packet directly as a fingerprint probe packet and set its probe type tag to ICMP; if it is TCP or UDP, perform step 1.3; if it is IP, perform step 1.4;
Step 1.3: judge whether the target port in the request packet is open; if open, perform step 1.4; if closed, define the request packet as a fingerprint probe packet and set its probe type tag to TCP or UDP;
Step 1.4: judge whether the data portion of the request packet is empty; if empty, define the current request packet as a fingerprint probe packet and set its probe type tag to TCP, UDP or IP; if not empty, judge the current request packet to be a regular traffic packet;
Step 1.5: classify fingerprint probe packets by protocol type into four type tags, ICMP, IP, TCP and UDP, and pass the fingerprint probe packet to the fingerprint probe event decision system for subsequent operation.
10. The event-triggered MTD protection method according to claim 7, characterized in that step 2 is implemented as follows:
Match the probe event to which the fingerprint probe packet belongs against the fingerprint probe event set of the corresponding probe type; if a matching fingerprint probe event exists, send the characteristic value MTD modification system an instruction to perform the characteristic value modification for that class of fingerprint probe event; if no matching fingerprint probe event exists, add the probe event as a new event rule in the format of the probe event database and pass the characteristic values the probe event would detect to the characteristic value MTD modification system.
11. The event-triggered MTD protection method according to claim 10, characterized in that step 2 also comprises: when one fingerprint probe packet includes the probing of multiple characteristic values, the probing of each characteristic value is defined as one fingerprint probe event, each is matched separately against the fingerprint probe event set, and the MTD modification of each characteristic value is performed separately.
12. The event-triggered MTD protection method according to claim 7, characterized in that step 3 is implemented as follows:
Step 3.1: on receiving from the fingerprint probe event decision system an instruction to perform the characteristic value modification for a class of fingerprint probe event, modify the characteristic value according to the established method and perform step 3.3; on receiving the characteristic values sent by the fingerprint probe event decision system, judge whether each characteristic value the fingerprint probe packet would detect is numeric or Boolean and perform step 3.2;
Step 3.2: if the characteristic value is numeric, randomize it within a specified range; if it is Boolean, invert or XOR the current Boolean value; perform step 3.3;
Step 3.3: encapsulate the modified characteristic values into a response packet and return it to the fingerprinting party.
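Claim 12 (step 3.3) and claim 6 end with the modified characteristic values being encapsulated into a response packet, which the claims do not detail. As an added example that is not the patent's code, the following rewrites a stack-generated SYN+ACK at the byte level for the Scene 2 event: ISN, ACK number, window and urgent pointer are re-randomized over their full bit width, the SYN bit is inverted, and the segment is re-encoded. Header layouts follow RFC 791/793 and the checksum is RFC 1071; addresses and ports are constructed. The code departs from Scene 2 on one point, stated in the docstring: the checksum is recomputed rather than randomized, and a literal "randomize" policy is kept so the consequence can be observed.

```python
"""Encapsulating modified characteristic values into a SYN+ACK at byte level.
Added example, not the patent's code. TCP header per RFC 793, checksum per
RFC 1071; addresses, ports and sequence numbers are constructed."""
import random
import struct

FLAG_SYN, FLAG_ACK = 0x02, 0x10
TCP_HDR = "!HHIIBBHHH"   # sport, dport, seq, ack, data offset, flags, window, checksum, urgptr


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum; yields 0 over data carrying a correct checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _addr(a: str) -> bytes:
    return bytes(int(x) for x in a.split("."))


def _pseudo(src: str, dst: str, tcp_len: int) -> bytes:
    """IPv4 pseudo-header that the TCP checksum also covers."""
    return struct.pack("!4s4sBBH", _addr(src), _addr(dst), 0, 6, tcp_len)


def tcp_segment(src, dst, sport, dport, seq, ack, flags, window, urgptr=0) -> bytes:
    """20-byte TCP header (no options, no payload) with a valid checksum."""
    hdr = struct.pack(TCP_HDR, sport, dport, seq, ack, 5 << 4, flags, window, 0, urgptr)
    csum = inet_checksum(_pseudo(src, dst, len(hdr)) + hdr)
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:]


def tcp_checksum_ok(src, dst, seg: bytes) -> bool:
    return inet_checksum(_pseudo(src, dst, len(seg)) + seg) == 0


def parse_tcp(seg: bytes) -> dict:
    names = ("sport", "dport", "seq", "ack", "offset", "flags", "window", "checksum", "urgptr")
    return dict(zip(names, struct.unpack(TCP_HDR, seg[:20])))


def mtd_rewrite_synack(src, dst, seg, rng, checksum_policy="recompute") -> bytes:
    """Scene 2 modification on a stack-generated SYN+ACK: numeric
    characteristics (ISN, ACK number, window, urgent pointer) are
    re-randomised over their bit width, the Boolean SYN bit is inverted.
    The checksum is recomputed by default; 'randomize' follows the text
    literally and draws one of the 65535 wrong values to show the effect."""
    f = parse_tcp(seg)
    f["seq"] = rng.randrange(1 << 32)
    f["ack"] = rng.randrange(1 << 32)
    f["window"] = rng.randrange(1 << 16)
    f["urgptr"] = rng.randrange(1 << 16)
    f["flags"] ^= FLAG_SYN
    out = tcp_segment(src, dst, f["sport"], f["dport"], f["seq"], f["ack"],
                      f["flags"], f["window"], f["urgptr"])
    if checksum_policy == "randomize":
        good = parse_tcp(out)["checksum"]
        bad = (good + rng.randrange(1, 1 << 16)) & 0xFFFF
        out = out[:16] + struct.pack("!H", bad) + out[18:]
    return out


# Constructed Scene 2 exchange: the Fingerprinter's SYN and the stack's normal SYN+ACK.
TARGET, FINGERPRINTER = "10.0.0.10", "10.0.0.99"
PROBE_SYN = tcp_segment(FINGERPRINTER, TARGET, 40000, 80, seq=1000, ack=0,
                        flags=FLAG_SYN, window=1024)
STACK_SYNACK = tcp_segment(TARGET, FINGERPRINTER, 80, 40000, seq=0x12345678,
                           ack=parse_tcp(PROBE_SYN)["seq"] + 1,
                           flags=FLAG_SYN | FLAG_ACK, window=29200)

if __name__ == "__main__":
    rewritten = mtd_rewrite_synack(TARGET, FINGERPRINTER, STACK_SYNACK, random.Random(1))
    before, after = parse_tcp(STACK_SYNACK), parse_tcp(rewritten)
    for k in ("seq", "ack", "window", "urgptr", "flags", "checksum"):
        print(f"{k:9s} {before[k]:#12x} -> {after[k]:#12x}")
    print("checksum valid:", tcp_checksum_ok(TARGET, FINGERPRINTER, rewritten))
```

The design point is the ordering: every numeric and Boolean change is applied first and the checksum is derived last, over the pseudo-header and the final header, so the rewritten segment still verifies at the receiver. Under the "randomize" policy the segment carries one of the wrong checksum values and `tcp_checksum_ok` reports it, which is what a conforming receiving stack would also do by dropping it.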
CN201510515982.2A 2015-05-08 2015-08-20 The MTD guard systems and method of a kind of event-triggered Expired - Fee Related CN105227540B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201510515982.2A CN105227540B (en) 2015-05-08 2015-08-20 The MTD guard systems and method of a kind of event-triggered

Applications Claiming Priority (3)

Application Number Priority Date Filing Date Title
CN201510233838.XA CN104917757A (en) 2015-05-08 2015-05-08 Event-triggered MTD protection system and method
CN201510233838X 2015-05-08
CN201510515982.2A CN105227540B (en) 2015-05-08 2015-08-20 The MTD guard systems and method of a kind of event-triggered

Publications (2)

Publication Number Publication Date
CN105227540A true CN105227540A (en) 2016-01-06
CN105227540B CN105227540B (en) 2018-05-08

Family

ID=54086463

Family Applications (2)

Application Number Title Priority Date Filing Date
CN201510233838.XA Pending CN104917757A (en) 2015-05-08 2015-05-08 Event-triggered MTD protection system and method
CN201510515982.2A Expired - Fee Related CN105227540B (en) 2015-05-08 2015-08-20 The MTD guard systems and method of a kind of event-triggered

Country Status (1)

Country Link
CN (2) CN104917757A (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112702363A (en) * 2021-03-24 2021-04-23 远江盛邦(北京)网络安全科技股份有限公司 Node hiding method, system and equipment based on deception
CN113765728A (en) * 2020-06-04 2021-12-07 深信服科技股份有限公司 Network detection method, device, equipment and storage medium

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
GB201700879D0 (en) 2017-01-18 2017-03-01 Renishaw Plc Machine tool apparatus
CN110113333A (en) * 2019-04-30 2019-08-09 中国人民解放军战略支援部队信息工程大学 A kind of ICP/IP protocol fingerprint mobilism processing method and processing device

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103312689A (en) * 2013-04-08 2013-09-18 西安电子科技大学 Network hiding method for computer and network hiding system based on method
US20140310773A1 (en) * 2011-04-11 2014-10-16 Bluecava, Inc. Browser access to native code device identification
CN104519068A (en) * 2014-12-26 2015-04-15 赵卫伟 Moving target protection method based on operating system fingerprint jumping

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
刘长征 et al.: "操作系统指纹特征伪装技术研究" (Research on operating system fingerprint camouflage techniques), 信息网络安全 (Netinfo Security) *

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20180508