Content of the invention
The objective of the invention is to overcome the deficiency that existing network simulation software cannot carry out targeted simulation of network security problems, by providing a network security simulation system and a simulation method for it, so that network security can be simulated.
The technical scheme of the present invention covers three aspects: first, the logical functions of the network security simulation system; second, the system structure that implements those logical functions; third, the method of using the network security simulation system to carry out security simulation. Specifically:
One. The logical functions of the network security simulation system comprise:
a virtual network module, used to carry out network attack/defense simulation and network security simulation;
an attack and defense dynamic link library, used to supply new attack and defense modules to the system in the form of plug-ins, so that the network attack/defense simulation system can be extended;
a presentation module, used to present the intermediate process of the system's operation and the results of each stage of the system;
a system control module, used to arrange and schedule the operation of the system and to coordinate direct interaction among the other parts described above.
In the above network security simulation system, the virtual network module comprises a real network and a virtual network. The real network is a physical network, i.e. a local area network (LAN), a wide area network (WAN) or the Internet; the virtual network is a network simulated on a single host.
In the above network security simulation system, the attack and defense dynamic link library comprises a network attack dynamic link library and a network defense dynamic link library. The attack library covers packet sniffing, TCP port scanning, operating system probing, vulnerability exploitation and distributed denial of service (DDoS) attacks; the defense library covers antivirus protection, firewalls and intrusion detection.
In the above network security simulation system, the forms in which the presentation module displays and presents the results of a run are mainly a running log, a process report, a computed chart or a dynamic image.
Two. The system structure that implements the network security simulation logic comprises:
a control layer, used to control the logical functions of the system;
a virtual network device layer, used to simulate network conditions on a single machine, i.e. to simulate the basic network devices (hosts, routers, firewalls, network interface cards, hubs and network cables) on a single machine;
a common interface layer, used to standardize the various function libraries of the intermediate layer so that the system offers a unified calling interface upward;
an intermediate layer, used to encapsulate the system functions of the bottom function library and the basic libraries into a function library; this function library comprises the library of established attack and defense functions, the general network attack/defense function library, third-party open-source libraries such as the network security tool development library Libnet, the network selection switch and the display class library;
a bottom function library, used to call functions of the operating system itself or of the network protocols; this library comprises the operating system's own function library, the simulated network function library and the basic display function library.
In the above system structure, the control layer comprises a network control module, a device control module and a user interface module: the network control module establishes and adjusts the virtual network environment, the device control module controls the state and operation of the virtual network devices in that environment, and the user interface module provides a unified calling interface to the outside.
In the above system structure, the common interface layer comprises a network interface and a display interface. The network interface integrates and standardizes the interfaces of the established attack/defense function library, the general network attack/defense function library, third-party open-source libraries such as the network security tool development library Libnet, and the network selection switch in the intermediate layer, and offers them to the virtual network device layer to call; the display interface provides the virtual network device layer with calling functions for text display, graphical display, chart display and dynamic display.
Three. The method of carrying out security simulation with the network security simulation system proceeds as follows:
(1) write the user programs, fill in the system parameter configuration file, and compile the system;
(2) run the compiled system in the operating system environment for simulation;
(3) collect the simulation data;
(4) carry out network security analysis according to the collected data.
In the above method, writing the user programs, filling in the system parameter configuration file and compiling the system proceeds as follows:
(1) assign specific functional modules to the attacking hosts, the defending hosts and the security detection hosts in the system, write the corresponding user programs according to requirements, and associate them with the corresponding devices;
(2) fill in the selected network type, the number and kind of the selected network devices, the network topology and the program file corresponding to each network device;
(3) associate the written program files and configuration files within the system and generate an executable file that can be run directly.
In the above method, running the compiled system in the operating system environment proceeds as follows:
(1) initialize the simulation system;
(2) set the parameters of the simulation system dynamically, i.e. read the corresponding values from the system parameter configuration file and assign them to the simulation parameters, including the division of subnets, the IP (Internet Protocol) address of each host, the firewall IP addresses, the IP address of each router port, and the firewall's detection rules and the router's policies;
(3) verify the logical correctness of the network according to the parameters that were set; if a setting is incorrect, feed back the error message so that it can be configured and set again, until the network can run correctly;
(4) bring each network device to the ready state and start the simulation test, until all simulations are finished.
In the above method, initializing the simulation system proceeds as follows:
(1) read in the configuration file, parse it and extract the various system parameters;
(2) according to the extracted parameters, determine whether the required environment is a simulated environment or a real environment; for a simulated environment, initialize the system as a virtual network and set the network interface to the virtual network interface; for a real network, initialize the system as a single host and set the network interface to the real network interface;
(3) display the selected network environment and the initialization state information;
(4) activate the network devices, test the connectivity between adjacent network devices, and interconnect the adjacent network devices.
Compared with the prior art, the present invention has the following characteristics:
Because the logical functions of the secure network simulation system of the present invention are designed and implemented specifically for the simulation of network security, the problem of a simulated environment and simulation platform for researching network security problems is solved. At the same time, because the system structure that implements these logical functions is very similar to operation in a real network environment and is very easy to use, the system and method of the present invention can be used for technical research and simulation applications in the fields of computer networks and network security. In addition, because the designed network security simulation system includes the attack and defense dynamic link library and a display component, secondary code development can be carried out as required, which greatly improves the extensibility of the system and method.
Embodiment
One. System structure
With reference to Fig. 1, the logical structure of the network security simulation system of the present invention is formed by four parts, the virtual network module, the attack and defense dynamic link library, the system control module and the presentation module, cooperating with one another. Specifically:
The virtual network module is the platform and basic environment for network security simulation; the simulation of network security is carried out in the virtual network. The virtual network comprises a real stand-alone environment and a virtual network environment. The real stand-alone environment is a single-machine environment located in an actual physical network, where the real network can be a LAN, a WAN or the Internet. The virtual network environment is a network environment simulated on a single host.
The attack and defense dynamic link library comprises a network attack dynamic link library and a network defense dynamic link library. Network security is roughly divided into attacks on the network and defense of the network. Network attacks are roughly divided into two classes, passive and active, and include packet sniffing, TCP port scanning, operating system probing, vulnerability exploitation, DDoS attacks and so on. The attacks on the network can therefore be divided finely, with each single attack technique made into a dynamic link library that other programs can call. Network defense techniques are also numerous and include antivirus protection, firewall technology, intrusion detection technology and so on. These defense techniques are compiled into dynamic link libraries that other programs can call; the dynamic link libraries are supplied to the system in the form of plug-ins, which guarantees the extensibility and flexibility of the system. New attack and defense modules can also be supplied in this way to extend the network attack/defense simulation system very easily.
The presentation module is similar to a user interface; its main task is to present the intermediate process of the system's operation and the results of each stage of the system. The presentation form is versatile and flexible and can be a running log, a process report, a computed chart or a dynamic image. It is required both to display results visually and to carry out statistical analysis of the data.
The system control module exercises overall control over the other parts, coordinates direct interaction among them, and arranges and schedules the operation of the system. Under the unified control and scheduling of the system control module, the network devices such as hosts in the virtual network module call the attack and defense modules in the attack and defense dynamic link library. These attack and defense modules are replays of concrete attacks and defenses from real networks; they complete the attack and defense functions automatically in the virtual network environment, and the results of the attack and defense are finally displayed on the user interface through the presentation module or recorded in a user file, thereby completing the simulation of network attack and defense.
With reference to Fig. 2, the schematic diagram of the implementation structure of the network security simulation system of the present invention comprises five functional layers: the control layer, the virtual network device layer, the common interface layer, the intermediate layer and the bottom function library. These five functional layers are the concrete implementation of the logical structure of Fig. 1. The system control module corresponds to the control layer, the virtual network module corresponds mainly to the relevant parts of the virtual network device layer and the bottom function library, the attack and defense dynamic link library corresponds to the intermediate layer, and the presentation module corresponds to the relevant parts of the virtual network device layer, the common interface layer, the intermediate layer and the bottom function library, as shown in Table 1.
Table 1. Correspondence between Fig. 1 and Fig. 2
| Module in Fig. 1 | Corresponding part in Fig. 2 |
| --- | --- |
| System control module | Control layer |
| Virtual network module | Virtual network device layer and bottom function library |
| Attack and defense dynamic link library | Intermediate layer |
| Presentation module | Virtual network device layer, common interface layer, intermediate layer and bottom function library |
The composition and function of each layer are as follows:
1. Control layer
The control layer performs the initialization of the whole system and of each module, controls each module during the operation of the system, and provides some high-level calling interfaces. It is made up of three concrete modules: the network control module, the device control module and the user interface module. The network control module is responsible for establishing and adjusting the virtual network environment; the device control module controls the state and operation of the virtual network devices in that environment; and the user interface module provides a unified calling interface to the outside, which makes development based on the system easier.
The virtual network device layer is used mainly to simulate network conditions on a single machine by simulating the common devices in a network. All data transmission in the simulated network is completed inside the system and is not connected to the real network, but from the application's point of view it is the same as a real network: data of several network layers are provided to the user on demand, for example Ethernet frames, IP packets, TCP segments and UDP datagrams. This requires simulating the basic virtual network devices, hosts, routers, firewalls, network interface cards (NICs), hubs and network cables, on a single machine; the concrete implementation of these virtual network devices is shown in Fig. 3.
Except for the network cable and the hub, each of these virtual network devices comprises three functional modules: a data forwarding module, a data processing module and a network attack/defense module. The data forwarding module is implemented by the NIC. The data processing module differs from device to device, but its function is the same as that of the real device: for example a host needs comprehensive data processing functions, a router needs routing and forwarding functions, and a firewall needs data filtering functions. Adding different attack or defense modules to different devices, mainly hosts and firewalls, produces a device of the corresponding attack or defense type; these attack and defense modules are direct or combined calls into the established attack/defense class library and the general attack/defense simulation function library.
The NIC among the virtual network devices receives and forwards data. It performs simple identification of arriving data according to certain features, for example the IP address, and then forwards the data selectively; all of the virtual network devices need this in common. The essential information of a NIC is its IP address, its media access control (MAC) address, a data buffer and a data forwarding functional module.
The hub and the network cable among the virtual network devices are implemented on the basis of the NIC, i.e. they are simplified NICs. The function of the hub is to broadcast arriving data to all hosts connected to it, and to forward it to another hub if the destination is outside the scope of this hub. The hub is a simplified NIC whose attributes are the record of the hosts connected to it and the record of the other hub cascaded with it. The cable is also a simplified NIC: it forwards any arriving data directly, i.e. indiscriminately from one end of the cable to the other, without regard to what device is connected at the other end. The hub has a data buffer and a data forwarding functional module; the cable has only the data forwarding functional module.
The host among the virtual network devices comprises a NIC, which is attached to the host and is responsible for data exchange between the host and the network. The NIC in the host has the four kinds of essential NIC information: IP address, MAC address, data buffer and data forwarding functional module; for a host that contains only one NIC, the host's NIC IP and NIC MAC address are simply the IP and MAC address of that NIC. The functions of a host in a network may be varied; considering the functions of this system, the functions of a host are simply divided into four: sending packets, receiving packets, generating attack packets and defending against attacks. To realize these functions the host is given certain attributes so that it can perform them in the virtual environment; these attributes mainly comprise the host name, the host's basic operating system information, the host's NIC IP, the host's NIC MAC address and its connection topology information. The host also needs to load dynamic functional modules as required, mainly the dynamic attack/defense link library and other function libraries that a host device can call.
The router among the virtual network devices is a data routing and forwarding device. A router with several ports contains that many NICs, and the NICs in the router are responsible for data exchange between the router and the outside. In addition, the router has a data buffer for caching the data being routed and forwarded, a routing table, and the algorithm and policy for routing and forwarding. Each NIC in the router has the four kinds of essential NIC information: IP address, MAC address, data buffer and data forwarding functional module.
The firewall among the virtual network devices adopts a dual-homed host structure with two NICs, which can be defined as the inner NIC and the outer NIC, responsible respectively for exchanging intranet data and extranet data. The firewall also has a detection engine and detection rules, which can be designed and implemented according to concrete needs, for example packet filtering and rule-based detection. Each NIC in the firewall has the four kinds of essential NIC information: IP address, MAC address, data buffer and data forwarding functional module.
Connecting the virtual network devices together forms a virtual network. Because every network device other than the cable contains one or more NICs, connecting the NICs of different devices with cables links those devices into a network. The characteristics and manner of this connection follow those of a real network environment. In the concrete program, the method of pointers or of function calls can be used to connect the ends of a cable to the data transmission interfaces of NICs, which guarantees the interoperability of data between devices from the bottom of the network stack. The state of each virtual network device is displayed as in Fig. 4. Each kind of device displays certain state information and process information according to its needs. This information is set in the virtual network device object, and the control layer configures and dynamically displays the device information in graphical, interface form, increasing the visualization and intuitiveness of the security simulation system. The displayed information comprises two parts, static and dynamic: static information indicates the device's own attributes, for example the device name, the device's IP address and the device's ready flag; dynamic information is presented during the operation of the system, for example the device's reaction after a simulated network attack or the device's presentation of its defense against the attack.
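As an added illustration, not code from the patent, the following Python model implements the device layer described above: each NIC carries an IP, a MAC, a data buffer and a forwarding hook; a cable forwards blindly between two NICs (the "pointer" method); a hub broadcasts on every other port; a host keeps only packets addressed to it; and a dual-homed firewall runs a packet-filter rule set between its inner and outer NICs. All class names, the rule format and the topology are assumptions.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional

@dataclass
class Packet:
    src_ip: str
    dst_ip: str
    proto: str
    dst_port: int

class NIC:
    """Virtual NIC: IP, MAC, a data buffer and a forwarding hook supplied by its device."""
    def __init__(self, ip: str, mac: str, on_receive: Optional[Callable] = None):
        self.ip, self.mac = ip, mac
        self.buffer: List[Packet] = []      # everything that arrived on the wire
        self.on_receive = on_receive        # the owning device's data processing module
        self.peer: Optional["NIC"] = None   # far end of the cable (the "pointer" method)

    def receive(self, pkt: Packet) -> None:
        self.buffer.append(pkt)
        if self.on_receive:
            self.on_receive(self, pkt)

    def send(self, pkt: Packet) -> None:
        if self.peer is not None:
            self.peer.receive(pkt)

class Cable:
    """Forwards blindly between its two ends, whatever device sits at each end."""
    def __init__(self, a: NIC, b: NIC):
        a.peer, b.peer = b, a

class Hub:
    """Simplified NIC group: whatever arrives on one port is broadcast on every other port."""
    def __init__(self, n_ports: int):
        self.ports = [NIC("0.0.0.0", f"hub:{i}", self._flood) for i in range(n_ports)]
        self.buffer: List[Packet] = []

    def _flood(self, in_port: NIC, pkt: Packet) -> None:
        self.buffer.append(pkt)
        for port in self.ports:
            if port is not in_port:
                port.send(pkt)

class Host:
    """Single-NIC host whose data processing module keeps only packets addressed to it."""
    def __init__(self, name: str, ip: str, mac: str):
        self.name = name
        self.nic = NIC(ip, mac, self._process)
        self.received: List[Packet] = []

    def _process(self, nic: NIC, pkt: Packet) -> None:
        if pkt.dst_ip == nic.ip:
            self.received.append(pkt)

@dataclass
class Rule:
    action: str                      # "allow" or "deny"
    proto: str = "*"                 # "*" matches any protocol
    dst_port: Optional[int] = None   # None matches any port

    def matches(self, pkt: Packet) -> bool:
        return self.proto in ("*", pkt.proto) and self.dst_port in (None, pkt.dst_port)

class Firewall:
    """Dual-homed firewall: a packet-filter detection engine between an inner and an outer NIC."""
    def __init__(self, inner_ip: str, outer_ip: str, rules: List[Rule], default: str = "deny"):
        self.inner = NIC(inner_ip, "fw:inner", self._filter)
        self.outer = NIC(outer_ip, "fw:outer", self._filter)
        self.rules, self.default = rules, default
        self.log = []   # running log (in_mac, dst_ip, proto, dst_port, verdict) for later data collection

    def _filter(self, in_nic: NIC, pkt: Packet) -> None:
        verdict = next((r.action for r in self.rules if r.matches(pkt)), self.default)  # first match wins
        self.log.append((in_nic.mac, pkt.dst_ip, pkt.proto, pkt.dst_port, verdict))
        if verdict == "allow":
            (self.inner if in_nic is self.outer else self.outer).send(pkt)

def run_demo() -> dict:
    """Constructed topology: outside host - firewall - hub - two intranet hosts."""
    outside = Host("outside", "203.0.113.5", "aa:00:00:00:00:01")
    fw = Firewall("192.168.1.1", "203.0.113.1", [Rule("allow", "tcp", 80)])
    hub = Hub(3)
    web = Host("web", "192.168.1.10", "aa:00:00:00:00:10")
    ws = Host("ws", "192.168.1.20", "aa:00:00:00:00:20")
    Cable(outside.nic, fw.outer)
    Cable(fw.inner, hub.ports[0])
    Cable(hub.ports[1], web.nic)
    Cable(hub.ports[2], ws.nic)
    outside.nic.send(Packet("203.0.113.5", "192.168.1.10", "tcp", 80))   # matches the allow rule
    outside.nic.send(Packet("203.0.113.5", "192.168.1.20", "tcp", 23))   # no rule matches: default deny
    return {
        "web_received": len(web.received),
        "ws_received": len(ws.received),
        "ws_seen_on_wire": len(ws.nic.buffer),   # hub broadcast: ws's NIC sees web's traffic
        "fw_verdicts": [entry[-1] for entry in fw.log],
    }
```

The `ws_seen_on_wire` count shows why a hub segment is where the patent's sniffer experiment sees traffic meant for other hosts, while the firewall log is the running-log data that the data collection step later gathers.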
2. Common interface layer
The common interface layer standardizes the function libraries of the layers below it in Fig. 2 and offers the system a unified calling interface. This common interface comprises two parts, a network interface and a display interface. The network interface integrates and standardizes the interfaces of the established attack/defense function library, the general network attack/defense function library, third-party open-source libraries such as the network security tool development library Libnet, and the network selection switch in the intermediate layer of Fig. 2, and offers them to the layer above to call. The display interface provides the layer above with some necessary display calling functions: text display, graphical display, chart display and dynamic display.
3. Intermediate layer
The intermediate layer is the function library formed by encapsulating the bottom system functions and basic libraries. It comprises the library of established attack/defense functions, the general network attack/defense function library, third-party open-source libraries such as the network security tool development library Libnet (these include the packet construction and sending library Libnet, the packet capture library Libpcap, the general network security library Libdnet, the network intrusion detection library Libnids, the SSL library OpenSSL, and so on), the network selection switch and the display class library. The details of these function libraries are published, and secondary development can be carried out with them. The established attack/defense class library is made by integrating existing common attack and defense measures and methods and compiling them into dynamic link libraries that can be called and executed directly; these attack and defense measures are designed according to need, for example a complete port scan attack, a complete operating system probing attack, and the defenses against port scanning and operating system probing. The general network attack/defense function library is closer to the operating system than the established library: it consists of the public functions called by the established attack/defense class library, because established attacks or defenses share many similar or identical operations in their preparatory or initial stages, for example analysis of IP addresses or simple parsing of network packets, so the general network attack/defense function library is designed to complete this kind of work. The open-source libraries Libnet, Libpcap, Libdnet, OpenSSL and so on are more specific and detailed than the general network attack/defense function library; they provide the network attack/defense simulation system with numerous functions for interacting with the lower-level operating system and network interface. The network selection switch provides the function of switching between the real network and the virtual network: the real network is an actual physical network, which can be a LAN or a WAN, while the virtual network is a network simulated entirely with virtual network devices; the design of the network selection switch extends the system's usable environment into real networks. The display class library provides commonly used display functions: basic text display, graphical display and chart display.
4. Bottom function library
The bottom function library mainly contains the operating system's own function library, the simulated network function library, the basic display function library and system calls. These function libraries and system calls are related to the operating system used and to the network protocols themselves.
Two. Security simulation method
Carrying out security simulation with the above system comprises system preparation, system operation, data collection and result analysis. System preparation covers three aspects: writing the corresponding user programs according to requirements, filling in the relevant configuration files, and compiling the system. System operation means running the compiled system in a certain operating system environment; the various operational parameters and the running state of the system are constrained by the settings made earlier. Data collection and result analysis means collecting the simulation data after the system finishes running and analyzing network security according to the collected data.
1. Preparation before using the system
(1) Write the corresponding user programs according to requirements, i.e. assign specific functional modules to each host in the system: for example, which host attacks, which host defends, which host performs security detection, and so on. The other network devices or modules in the system are also combined accordingly so that they complete their corresponding functions. The written program files are associated with the corresponding devices.
(2) Fill in the relevant configuration file, which records the network type selected by the user, the number and kind of the selected network devices, the network topology and the program file corresponding to each network device. The network type means whether the user needs a virtual network or a real network; in a virtual network several network devices can be selected and connected to form the network. Each network device has a corresponding file that stores the program the user needs to run. Ordinary users do not need to change the file corresponding to a network device and can use the default; advanced users can customize network devices to meet higher-level needs. The network topology is the basis on which the virtual network devices are connected into a network; the console builds and initializes the network according to the topology.
(3) Compile the system. This compilation is the same as an ordinary program compilation process and is based on the corresponding operating system; its purpose is to associate the program files and configuration files written in the first step within the system and to generate an executable file that can be run directly.
2. Actual operation of the system
With reference to Fig. 5, the network security simulation system of the present invention runs as follows:
(1) Initialize the simulation system.
The initialization process comprises the initialization of the console's main interface and the initialization of the display layer library; the console's main interface is the visualization of the control layer in Fig. 2. The system is adjusted to the ready state for subsequent operation. The concrete initialization procedure is:
First, the system reads in the configuration file, parses it and extracts the various system parameters. Second, according to the extracted parameters, it determines whether the required environment is a simulated environment or a real environment; this judgement is made according to the relevant content of the configuration file. If the required environment is a simulated environment, the system is initialized as a virtual network and the network interface is set to the virtual network interface. If the required environment is a real network, the system is initialized as a single host and the network interface is set to the real network interface. The real environment here means an actual network environment, a LAN or the Internet; the simulated environment means a network environment simulated on a single machine. Third, the initialization display is carried out, reporting the relevant state information of the initialization process. Finally, the network devices are activated, the connectivity between the network devices is tested, and adjacent network devices are interconnected.
(2) Carry out network configuration.
After initialization is finished, every network parameter in the system is set correctly, i.e. the corresponding values are read from the system parameter configuration file and assigned to the parameters of the simulation system. The network parameters that need to be set are mainly the subnet division rules, the IP address of each host, the firewall IP addresses and the IP of each router port. The firewall's detection rules and the router's routing policy are also set as required.
(3) Verification of correctness: mainly verifying the logical correctness of the network, for example whether the IP address format is correct, whether any IP addresses are duplicated, and whether the network connections are correct. If a setting is incorrect, the error message is fed back so that the network can be reconfigured and set according to the feedback, until the network can run correctly.
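As an added example, not the patent's own code, the following Python implements steps (2) and (3) together: it parses a constructed parameter file carrying the parameters the patent lists (subnets, host IPs, firewall IPs, router port IPs, firewall rules, router policy, links), then runs the logical-correctness checks named above and returns the error messages that would be fed back to the user. The JSON layout and all names in it are assumptions.

```python
import ipaddress
import json
from typing import List, Tuple

# Constructed sample parameter file; the patent does not specify a file format,
# so a JSON layout carrying the parameters it lists is assumed here.
CONFIG_WITH_ERRORS = """
{
  "environment": "virtual",
  "subnets": {"dmz": "192.168.1.0/24", "lan": "10.0.0.0/24"},
  "hosts": [
    {"name": "web", "ip": "192.168.1.10", "subnet": "dmz", "program": "defend_web"},
    {"name": "ws1", "ip": "10.0.0.10",    "subnet": "lan", "program": "default"},
    {"name": "ws2", "ip": "10.0.0.10",    "subnet": "lan", "program": "default"},
    {"name": "ws3", "ip": "10.0.1.5",     "subnet": "lan", "program": "default"},
    {"name": "bad", "ip": "10.0.0.300",   "subnet": "lan", "program": "default"}
  ],
  "firewalls": [
    {"name": "fw", "inner_ip": "192.168.1.1", "outer_ip": "203.0.113.1",
     "rules": [{"action": "allow", "proto": "tcp", "dst_port": 80}]}
  ],
  "routers": [
    {"name": "r1", "ports": {"eth0": "192.168.1.254", "eth1": "10.0.0.254"}, "policy": "static"}
  ],
  "hubs": ["hub1"],
  "links": [["web", "fw.inner"], ["fw.outer", "r1.eth0"], ["hub1", "r1.eth1"],
            ["hub1", "ws1"], ["hub7", "ws2"]]
}
"""

def collect_addresses(cfg: dict) -> List[Tuple[str, str]]:
    """Every (NIC owner, ip) pair the file assigns: hosts, firewall inner/outer NICs, router ports."""
    owners = [(h["name"], h["ip"]) for h in cfg["hosts"]]
    for fw in cfg["firewalls"]:
        owners += [(fw["name"] + ".inner", fw["inner_ip"]), (fw["name"] + ".outer", fw["outer_ip"])]
    for r in cfg["routers"]:
        owners += [(f'{r["name"]}.{port}', ip) for port, ip in r["ports"].items()]
    return owners

def verify(cfg: dict) -> List[str]:
    """Step (3): address format, duplicate IPs, subnet membership and link correctness."""
    errors: List[str] = []
    owners = collect_addresses(cfg)

    # (a) every assigned address must parse as an IP address
    parsed = {}
    for owner, ip in owners:
        try:
            parsed[owner] = ipaddress.ip_address(ip)
        except ValueError:
            errors.append(f"{owner}: invalid IP address format '{ip}'")

    # (b) no two NICs may carry the same address
    first_owner = {}
    for owner, addr in parsed.items():
        if addr in first_owner:
            errors.append(f"{owner}: IP {addr} already assigned to {first_owner[addr]}")
        else:
            first_owner[addr] = owner

    # (c) each host address must fall inside the subnet it is declared in
    subnets = {name: ipaddress.ip_network(cidr) for name, cidr in cfg["subnets"].items()}
    for h in cfg["hosts"]:
        net, addr = subnets.get(h["subnet"]), parsed.get(h["name"])
        if net is None:
            errors.append(f'{h["name"]}: unknown subnet {h["subnet"]}')
        elif addr is not None and addr not in net:
            errors.append(f'{h["name"]}: {addr} is not in subnet {h["subnet"]} ({net})')

    # (d) every cable end must name a NIC or hub that the file actually defines
    endpoints = {owner for owner, _ in owners} | set(cfg.get("hubs", []))
    for link in cfg["links"]:
        for end in link:
            if end not in endpoints:
                errors.append(f"link {link}: unknown endpoint '{end}'")
    return errors

def configure(text: str) -> Tuple[dict, List[str]]:
    """Step (2) then step (3): parse the parameter file and verify it; errors go back to the user."""
    cfg = json.loads(text)
    return cfg, verify(cfg)

def fixed_config() -> str:
    """The edits a user would make after reading the feedback from the first verification pass."""
    cfg = json.loads(CONFIG_WITH_ERRORS)
    cfg["hosts"][2]["ip"] = "10.0.0.11"   # ws2: was a duplicate of ws1
    cfg["hosts"][3]["ip"] = "10.0.0.12"   # ws3: was outside 10.0.0.0/24
    cfg["hosts"][4]["ip"] = "10.0.0.13"   # bad: octet out of range
    cfg["links"][4][0] = "hub1"           # hub7 was never defined
    return json.dumps(cfg)
```

Running `configure` on the corrected text returns an empty error list, which is the condition under which the patent's procedure moves on to bringing the devices to the ready state.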
(4) Bringing the network devices to the ready state
The simulation system brings each network device in the network to the ready state according to the configuration and setting information, and waits for the system to proceed.
(5) System operation
Once ready, the system starts running and proceeds according to the configured procedure until all of the attack-and-defense simulation tests designed by the user have been completed. During this period the user can observe the state of the network in real time, pause the network operation to inspect the running state and then resume it, or terminate the network operation directly.
(6) Releasing dynamic resources
When the system finishes running, the dynamic resources it holds in the host operating system are released.
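One way to implement the configuration reading of step (2) and the correctness check of step (3), as an added example that is not the patent's own code: a Python validator run over a constructed configuration. The dictionary layout (declared subnets, devices with named ports, links between ports) is an assumption made here, since the patent does not specify its configuration file format; the addresses are modeled on the experiment described later in the text, with three mistakes deliberately planted so that the feedback loop of step (3) is visible.

```python
# Added example, not the patent's code. The configuration layout below
# (subnets, devices with named ports, links between ports) is an assumption.
import copy
import ipaddress
from collections import Counter


def validate_network(cfg):
    """Check the logical correctness of a network configuration.

    Returns a list of error messages; an empty list means the configuration
    passes and the simulated network can be brought up. Checks performed:
    address format, duplicate addresses, membership in exactly one declared
    subnet, and links that reference undeclared ports or span two subnets.
    """
    errors = []
    subnets = []
    for s in cfg.get("subnets", []):
        try:
            subnets.append(ipaddress.ip_network(s))
        except ValueError as e:
            errors.append(f"subnet {s!r}: {e}")

    # parse every addressed port; layer-2 ports (hub) carry address None
    addr_of = {}
    declared = set()
    for dev, ports in cfg.get("devices", {}).items():
        for port, addr in ports.items():
            declared.add((dev, port))
            if addr is None:
                continue
            try:
                addr_of[(dev, port)] = ipaddress.ip_address(addr)
            except ValueError:
                errors.append(f"{dev}.{port}: {addr!r} is not a valid IP address")

    # an address assigned to two interfaces makes the network ambiguous
    for ip, n in Counter(addr_of.values()).items():
        if n > 1:
            owners = sorted(f"{d}.{p}" for (d, p), a in addr_of.items() if a == ip)
            errors.append(f"address {ip} assigned more than once: {', '.join(owners)}")

    # every address must fall inside exactly one of the declared subnets
    for (dev, port), ip in addr_of.items():
        homes = [s for s in subnets if ip in s]
        if len(homes) != 1:
            errors.append(f"{dev}.{port} ({ip}) lies in {len(homes)} declared subnets, expected 1")

    # links must join declared ports, and two addressed ends must share a subnet
    for a, b in cfg.get("links", []):
        ends = (tuple(a), tuple(b))
        missing = [f"{d}.{p}" for d, p in ends if (d, p) not in declared]
        if missing:
            errors.append(f"link {a}-{b} references undeclared port(s): {', '.join(missing)}")
            continue
        ips = [addr_of[e] for e in ends if e in addr_of]
        if len(ips) == 2 and not any(ips[0] in s and ips[1] in s for s in subnets):
            errors.append(f"link {a}-{b} joins addresses in different subnets")
    return errors


# Constructed configuration with three deliberate mistakes, to show the
# feedback the verification step produces before the network may run.
BAD_CONFIG = {
    "subnets": ["192.168.33.0/24", "192.168.35.0/24"],
    "devices": {
        "Host1":    {"eth0": "192.168.33.1"},
        "Host2":    {"eth0": "192.168.33.1"},        # duplicate of Host1
        "Host3":    {"eth0": "192.168.35.300"},      # malformed address
        "Hub":      {"p1": None, "p2": None, "p3": None},
        "Router":   {"eth0": "192.168.33.15", "eth1": "192.168.35.16"},
        "Firewall": {"eth0": "192.168.35.15", "eth1": "192.168.35.17"},
    },
    "links": [
        (("Host1", "eth0"), ("Hub", "p1")),
        (("Host2", "eth0"), ("Hub", "p2")),
        (("Hub", "p3"), ("Router", "eth0")),
        (("Router", "eth1"), ("Firewall", "eth0")),
        (("Firewall", "eth1"), ("Host3", "eth1")),   # Host3 has no eth1
    ],
}


def fixed_config():
    """BAD_CONFIG with the three mistakes corrected, as an operator would do
    after reading the feedback; validate_network() then reports nothing."""
    cfg = copy.deepcopy(BAD_CONFIG)
    cfg["devices"]["Host2"]["eth0"] = "192.168.33.2"
    cfg["devices"]["Host3"]["eth0"] = "192.168.35.3"
    cfg["links"][-1] = (("Firewall", "eth1"), ("Host3", "eth0"))
    return cfg


if __name__ == "__main__":
    for msg in validate_network(BAD_CONFIG):
        print("error:", msg)
    print("fixed config errors:", validate_network(fixed_config()))
```

Running the block prints the three errors for BAD_CONFIG and an empty list for fixed_config(), which is the reconfigure-and-recheck loop of step (3) terminating. The same-subnet test on addressed links is a stricter reading of "whether the network connections are correct" than the text states; drop that check if the simulated topology deliberately routes between differently numbered interfaces.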
3. Data collection
After the system finishes running, the simulation data are collected. The sources of the data are the running logs of each network device in the system and the relevant statistics of the system. The collected data can be processed manually, that is, the user of the system processes the data in some chosen manner; alternatively, data processing software tools can be used to process and analyze the relevant data.
4. Network security analysis
Network security is analyzed on the basis of the collected data: by examining the results, the regularities of network security are explored, the network security policy is verified, and ideas and methods for solving network security problems are provided.
The simulation experiment of the present invention is as follows:
The system of the present invention is used to simulate the security configuration of a certain local area network environment, with the aim of studying the rule settings of the firewall and the function of a network sniffer. The preparation for the experiment is the collection of network packets; these collected packets are the test data used in the local area network. They are obtained by listening for an extended period on the network interface card of a server in the local area network, so that real network data are obtained, and these network data are then parsed into a format that the simulation system can call directly. The network topology used in the experiment is a simplification of the LAN topology; the firewall rule settings used in the experiment are likewise a necessary simplification of the functions and rules of the real firewall in the local area network.
The devices making up the network topology in the experiment are: three hosts, one hub, one router and one firewall. The first host is named Host1 and its IP address is 192.168.33.1; the second host is named Host2 and its IP address is 192.168.33.2; the third host is named Host3 and its IP address is 192.168.35.3. The router is named Router and has two network interface cards, whose IP addresses are 192.168.33.15 and 192.168.33.16 respectively. The firewall is named Firewall and also has two network interface cards, whose IP addresses are 192.168.35.16 and 192.168.35.15 respectively.
The connections between these network devices are as follows: hosts Host1 and Host2 are connected directly to the hub; the hub is connected to the router's network interface card with IP address 192.168.33.15; the router's network interface card with IP address 192.168.33.16 is connected to the firewall's network interface card with IP address 192.168.35.16; and the firewall's network interface card with IP address 192.168.35.15 is connected to host Host3.
In the virtual network topology of this example four functional modules are added: first, a packet-sending module on host Host1, which sends packets to TCP ports 2008 to 2015 of host Host3; second, a sniffer module on host Host2, which captures all packets on its network segment; third, a packet-receiving module on host Host3; and fourth, a firewall rule on the firewall Firewall, which filters out all TCP packets sent from host Host1 to host Host3 with port numbers 2008 to 2010.
The results show:
Host Host1 sends packets as required; the sniffer on host Host2 also runs normally and captures all packets on its network segment;
Host Host3 receives only the TCP packets for ports 2011 to 2015, which agrees with the firewall rule setting and shows at the same time that the configured firewall has filtered out the TCP packets for ports 2008 to 2010;
The router receives and forwards the network packets completely and without error, which shows that the router is working properly.
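The experiment above, replayed as an added example that is not part of the patent: a hop-by-hop model of the topology in Python. The node classes, the route tables keyed by destination subnet, the rule format and the default-allow policy are assumptions of this example, since the text does not state how the router and firewall decide where to forward; the addresses, ports, links and the firewall rule are the ones given in the text.

```python
# Added example, not the patent's code: hop-by-hop replay of the LAN experiment.
# Node classes, route tables, rule format and default-allow are assumptions here;
# addresses, ports, links and the firewall rule are those given in the text.
import ipaddress
from collections import namedtuple

Packet = namedtuple("Packet", "src dst proto dport")

class Node:
    def __init__(self, name):
        self.name, self.neighbours = name, []   # neighbours set by Network.link()

class Host(Node):
    def __init__(self, name, ip, promiscuous=False):
        super().__init__(name)
        self.ip, self.promiscuous = ip, promiscuous   # promiscuous: sniffer mode
        self.received, self.sniffed = [], []

    def receive(self, pkt, sender, net):
        if self.promiscuous:                    # sniffer keeps every frame seen
            self.sniffed.append(pkt)
        if pkt.dst == self.ip:
            self.received.append(pkt)

class Hub(Node):
    # repeats each frame on every port but the ingress one: this shared medium
    # is why the sniffer on Host2 sees Host1's traffic to Host3 at all
    def receive(self, pkt, sender, net):
        for n in self.neighbours:
            if n is not sender:
                net.deliver(pkt, self, n)

class Router(Node):
    def __init__(self, name, routes):           # routes: [(dest network, next hop name)]
        super().__init__(name)
        self.routes = [(ipaddress.ip_network(n), hop) for n, hop in routes]

    def receive(self, pkt, sender, net):
        dst = ipaddress.ip_address(pkt.dst)
        for network, hop in self.routes:        # first match wins; no match: drop
            if dst in network:
                net.deliver(pkt, self, net.nodes[hop])
                return

class Firewall(Router):
    def __init__(self, name, routes, rules):    # rule: (action, src, dst, proto, ports)
        super().__init__(name, routes)
        self.rules, self.dropped = rules, []

    def permitted(self, pkt):
        for action, src, dst, proto, ports in self.rules:
            if (pkt.src, pkt.dst, pkt.proto) == (src, dst, proto) and pkt.dport in ports:
                return action == "allow"
        return True                             # no rule matched: default allow

    def receive(self, pkt, sender, net):
        if self.permitted(pkt):
            super().receive(pkt, sender, net)
        else:
            self.dropped.append(pkt)

class Network:
    def __init__(self, *nodes):
        self.nodes = {n.name: n for n in nodes}
        self.log = []                           # (from, to, packet) for every hop

    def link(self, a, b):
        self.nodes[a].neighbours.append(self.nodes[b])
        self.nodes[b].neighbours.append(self.nodes[a])

    def deliver(self, pkt, frm, to):
        self.log.append((frm.name, to.name, pkt))
        to.receive(pkt, frm, self)

def build_experiment():
    net = Network(
        Host("Host1", "192.168.33.1"),                      # packet-sending module
        Host("Host2", "192.168.33.2", promiscuous=True),    # sniffer module
        Host("Host3", "192.168.35.3"),                      # packet-receiving module
        Hub("Hub"),
        Router("Router", [("192.168.35.0/24", "Firewall"), ("192.168.33.0/24", "Hub")]),
        Firewall("Firewall",
                 [("192.168.35.0/24", "Host3"), ("192.168.33.0/24", "Router")],
                 [("deny", "192.168.33.1", "192.168.35.3", "tcp", range(2008, 2011))]))
    for a, b in [("Host1", "Hub"), ("Host2", "Hub"), ("Hub", "Router"),
                 ("Router", "Firewall"), ("Firewall", "Host3")]:
        net.link(a, b)
    return net

def run_experiment():
    net = build_experiment()
    h1, h2, h3, fw = (net.nodes[n] for n in ("Host1", "Host2", "Host3", "Firewall"))
    for port in range(2008, 2016):              # sender module: TCP ports 2008-2015
        net.deliver(Packet(h1.ip, h3.ip, "tcp", port), h1, net.nodes["Hub"])
    return {"host3_ports": [p.dport for p in h3.received],
            "host2_sniffed": len(h2.sniffed),
            "firewall_dropped": [p.dport for p in fw.dropped],
            "router_forwarded": sum(1 for frm, _, _ in net.log if frm == "Router")}
```

Calling run_experiment() reproduces the three reported results: Host3 holds only ports 2011 to 2015, the firewall's drop list holds 2008 to 2010, and all eight packets pass through the router. The sniffer count of eight depends on the hub: on a switched segment Host2 would see only its own and broadcast traffic unless the switch mirrored the port, so the sniffer result of the experiment should not be generalized to switched LANs.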
In addition, by further analyzing the functional modules of each network device and the statistical output of the system, further network security questions can be verified, such as the network security configuration policy, for example the filtering policy of the firewall and the effect of a sniffer in the network.
It can thus be seen that the system and simulation method of the present invention are entirely feasible and can carry out the simulation of network security. On the basis of the simulation results, actual network security problems can be studied and correctly configured, and guiding conclusions or methods can be provided for setting the security policy of a real network environment.