基于Honeyd的Web攻击诱捕系统
摘要
随着互联网行业的飞速发展,网络与信息安全的重要性日趋增强,大至军事、国防、政府、银行等关键行业,小至一般的企业乃至个人,都面临着网络攻击,蠕虫泛滥,隐私泄漏等风险。与此同时,网络攻击又呈现手段多样化、技术平民化、周期缩短化的态势,为了不被突如其来的网络攻击弄得手足无措,我们必须要化被动为主动,探究可能存在的网络漏洞,研究黑客们正在或者可能采用的最新的攻击方法。
蜜罐技术是一种诱骗入侵者攻击以达到采集黑客攻击方法和保护真实主机目标的技术。不同于大多数传统的安全技术,蜜罐的核心价值在于被探测、被攻击、或者被威胁,以此达到对这些攻击活动的检测与分析,从而了解攻击者的目的,掌握他们的攻击手段、技巧、战术、甚至于心理和习惯等,最终实现从攻击者的行为中学习到更深层次的信息保护的方法。
Honeyd是最为常见的一种蜜罐系统,通过在网络上创建和配置虚拟主机,使其看起来是在运行某种特定的操作系统。Honeyd可以用一台主机在局域网中模拟出多个主机及地址以满足网络实验环境的要求,虚拟主机可以被ping通,也可以被路由跟踪。通过对配置文件进行设置可以使之模拟运行各种服务。
本文首先对课题的研究背景和意义以及国内外的研究现状进行了介绍,随后对本文所涉及的一些基本技术进行了介绍,包括蜜罐的基本原理和应用,Web体系结构,常见的网络通信协议,常见的网络攻击手段及原理等知识。随后选定了当前最为常见和流行的一款开源蜜罐软件Honeyd作为研究平台,分析其工作原理及体系结构,针对不同的Web攻击手段,研究并设计了相应的诱捕引擎及模块,使之能够实现对各种典型Web攻击做出响应并捕获攻击数据。最后,针对建立在虚拟环境上的诱捕系统进行了实验,验证系统的功能,并提出系统改进的思路和方案。
As the fast development of the internet industry, the network information security is playing a more and more important role. From the key industry such as the military, the native defense, the government, and the bank, to the corporation and individuals, are facing the risks of the network attacks. At the same time, the network attacks are diversified with short period and low technical barrier. In case of being confused by the sudden attacking, we must be active instead of passive, to find out the possible weakness, and research the latest attack methods of the hackers.
Honeypot technology is used to trap attacks in order to collect the information of the attacks and protect the real host. Unlike the traditional security technologies, the core value of the honeypot is to be detected, attacked and threatened. Through that we can analyze the attacks, know their attack purpose, means and strategies, and finally we can learn deeper information protection methods from that.
Honeyd is one of the most popular honeypot systems. By create and configure with the virtual host, it seems that we are running on the specific operating system. Honeyd can create multiple virtual hosts in the local area network to meet with the network experimental environment. We can ping the virtual host and trace the route. With those features, we can simulate varieties of services by making different configuration.
This article firstly introduces the research background and meanings, and the current environment of the research throughout the inside and outside of the country. And then, it introduces some basic technologies related with the article, including theory of the honeypot , Web architecture, common network communication protocols and so on. After that, it chooses one of the most popular honeypot program Honeyd as the research platform, studying its detail, designing the trapping engine and module due to different web attack means, so that it can capture the attack information by the typical Web attacks. Last, there is experiment to identify the functions of the trapping system and find out some improvement ideas for the system.
蜜罐技术是一种诱骗入侵者攻击以达到采集黑客攻击方法和保护真实主机目标的技术。不同于大多数传统的安全技术,蜜罐的核心价值在于被探测、被攻击、或者被威胁,以此达到对这些攻击活动的检测与分析,从而了解攻击者的目的,掌握他们的攻击手段、技巧、战术、甚至于心理和习惯等,最终实现从攻击者的行为中学习到更深层次的信息保护的方法。
Honeyd是最为常见的一种蜜罐系统,通过在网络上创建和配置虚拟主机,使其看起来是在运行某种特定的操作系统。Honeyd可以用一台主机在局域网中模拟出多个主机及地址以满足网络实验环境的要求,虚拟主机可以被ping通,也可以被路由跟踪。通过对配置文件进行设置可以使之模拟运行各种服务。
本文首先对课题的研究背景和意义以及国内外的研究现状进行了介绍,随后对本文所涉及的一些基本技术进行了介绍,包括蜜罐的基本原理和应用,Web体系结构,常见的网络通信协议,常见的网络攻击手段及原理等知识。随后选定了当前最为常见和流行的一款开源蜜罐软件Honeyd作为研究平台,分析其工作原理及体系结构,针对不同的Web攻击手段,研究并设计了相应的诱捕引擎及模块,使之能够实现对各种典型Web攻击做出响应并捕获攻击数据。最后,针对建立在虚拟环境上的诱捕系统进行了实验,验证系统的功能,并提出系统改进的思路和方案。
As the fast development of the internet industry, the network information security is playing a more and more important role. From the key industry such as the military, the native defense, the government, and the bank, to the corporation and individuals, are facing the risks of the network attacks. At the same time, the network attacks are diversified with short period and low technical barrier. In case of being confused by the sudden attacking, we must be active instead of passive, to find out the possible weakness, and research the latest attack methods of the hackers.
Honeypot technology is used to trap attacks in order to collect the information of the attacks and protect the real host. Unlike the traditional security technologies, the core value of the honeypot is to be detected, attacked and threatened. Through that we can analyze the attacks, know their attack purpose, means and strategies, and finally we can learn deeper information protection methods from that.
Honeyd is one of the most popular honeypot systems. By create and configure with the virtual host, it seems that we are running on the specific operating system. Honeyd can create multiple virtual hosts in the local area network to meet with the network experimental environment. We can ping the virtual host and trace the route. With those features, we can simulate varieties of services by making different configuration.
This article firstly introduces the research background and meanings, and the current environment of the research throughout the inside and outside of the country. And then, it introduces some basic technologies related with the article, including theory of the honeypot , Web architecture, common network communication protocols and so on. After that, it chooses one of the most popular honeypot program Honeyd as the research platform, studying its detail, designing the trapping engine and module due to different web attack means, so that it can capture the attack information by the typical Web attacks. Last, there is experiment to identify the functions of the trapping system and find out some improvement ideas for the system.
引文
[1]欧莉.互联网的发展趋势[J].技术与市场, 2010(01):53.
[2]柴育梅.也谈网络与信息安全[J].电脑应用技术, 2009(76):38-40.
[3] Lance Spitzner. The Honeynet Project: Trapping the Hackers[C]. IEEE Security & Privacy, Volume 1, Issue 2, 2003, pp, 15-23.
[4]李必云,石俊萍. Web攻击及安全防护技术研究[J].电脑知识与技术, 2009, 15(31):8647-8649.
[5]王斌君,吉增瑞.信息安全技术体系研究[J].计算机应用, 2009(06):35-37.
[6]姚传军. WPDRRC信息安全模型在安全等级保护中的应用[J].光通信研究, 2010(05):27-29.
[7] The Honeynet Project. Know Your Enemy. http://www.honeynet.org.
[8]诸葛建伟.蜜罐与蜜罐系统技术简介[R].北大狩猎女神项目组技术报告, 2006:21-26.
[9] Clifford Stoll. Stalking the wily hacker. Communications of ACM, Volume 31, Issue 5, 1988, pp, 484-497.
[10]江森林.蜜罐软件Honeyd的研究[D].江南大学硕士学位论文, 2005.
[11]匡华,李祥.基于DTK的网络蜜罐设计与应用[J].信息安全与通信保密, 2005(08):109-111.
[12]朱一帅,吴礼发.基于Sebek的蜜罐识别机制研究[J].信息技术, 2009(01):83-86.
[13] Dorothy E.Denning. An Intrusion-Detection Model. IEEE Transactions on Software Engineering, SE-13(2):222~232, February 1987
[14]刘科,卢涵宇,王华军. Phishing攻击技术研究及防范对策[J].电脑知识与技术, 2010(16):4399.
[15]魏丹. Web服务器性能与Web框架应用的研究[D].河南大学, 2006.
[16]叶强.超文本传输协议--HTTP/1.0[J].科技情报开发与经济, 2004(08):266-267.
[17] W.Richard Stevens. TCP/IP详解:卷1协议[M].北京,机械工业出版社, 2000.
[18]邓友良. HTTP报文监测和过滤技术研究[D].西南交通大学, 2007.
[19]齐英,杨松,毛期俭.基于协议分析技术的TCP安全研究[J].重庆邮电学院学报, 2006(S3):186-189.
[20]李京顺.口令安全管理[J].电脑与信息技术, 2006(04):76-78.
[21]阿牛. Win XP登录口令破解一法[J].计算机与网络, 2002(17):16.
[22]邓立武.针对SQL攻击的数据库防护系统的设计与研究[D].华北电力大学, 2010.
[23]徐陋,姚国祥. SQL注入攻击全面预防办法及其应用[J].微计算机信息, 2006(09) :10-12.
[24]郑志勇.文件上传漏洞模拟[J].电脑迷, 2004(10):6-8.
[25]郭健. DDoS攻击原理及其检测方法探究[J].电脑知识与技术, 2009(12):3103-3104.
[26]刘旭勇. DDoS攻击及主动防御模型研究[J].计算机技术与发展, 2008, 18(7): 143-146.
[27] Kevin Curran. Monitoring hacker activity with a Honeynet. International Journal of Network Management, 2005-15
[28]翟继强,叶飞.利用Honeyd构建虚拟网络[J].计算机安全, 2006(03):27-29.
[29]周莲英,曹登元,年轶.虚拟蜜罐系统框Honeyd的分析与研究[J].计算机工程与应用, 2005(27):137-140.
[30] McClure, Stuart, Scambray Joel. TCP fingerprinting solutions for Linux offer another way to gather security data. InfoWorld, 1998,Vol.20.
[31]蔡岚岚.蜜罐指纹技术的研究与实现[D].南京理工大学, 2006 .
[32]张琦.操作系统指纹识别工具Nmap与Xprobe的分析和研究[J].科技传播, 2010(08):87-89.
[33]王婷.基于Honeyd的蜜罐技术研究与设计[D].西南交通大学硕士学位论文, 2007.
[34]张家喜.论Honeynet数据捕获技术[J].安庆师范学院学报, 2005, 11(4):34-37.
[35]潘文婵,章韵. Wireshark在TCP/IP网络协议教学中的应用[J].计算机教育, 2009(06):158-159.
[36] Cooper G, Herskovits E. A Bayesian Method for the induction of Probabilistic Networks from data[J]. Machine Learning(S0885-6125), 1992, 122(9):309-347.
[37]谢柏青,佘晓歌.算法与数据结构[M].北京,高等教育出版社, 2003.
[38]李伟生.信息融合系统中态势估计技术研究[D].西安电子科技大学, 2004.
[39]魏锦慧.用于Nmap的攻击工具集的设计与实现[D].吉林大学, 2006.
[40]袁新海,陈家琪.基于系统和网络特征的蜜罐识别技术[J].计算机工程与设计, 2008,(07) .
[41]程晓伟,杨百龙.基于蜜罐特征的蜜罐识别技术[J].现代电子技术, 2009,(15) .
[42]蒋欣,薛质.针对Honeypot的指纹识别及其防御对策[J].信息安全与通信保密, 2005,(10) .
[43] Peter Jay Salzman, Ori Pomerantz. The Linux Kernel Module Programming Guide[EB/OL] .
[44]顾夏申.轻量级文件隐藏技术[D].上海交通大学, 2010.
[2]柴育梅.也谈网络与信息安全[J].电脑应用技术, 2009(76):38-40.
[3] Lance Spitzner. The Honeynet Project: Trapping the Hackers[C]. IEEE Security & Privacy, Volume 1, Issue 2, 2003, pp, 15-23.
[4]李必云,石俊萍. Web攻击及安全防护技术研究[J].电脑知识与技术, 2009, 15(31):8647-8649.
[5]王斌君,吉增瑞.信息安全技术体系研究[J].计算机应用, 2009(06):35-37.
[6]姚传军. WPDRRC信息安全模型在安全等级保护中的应用[J].光通信研究, 2010(05):27-29.
[7] The Honeynet Project. Know Your Enemy. http://www.honeynet.org.
[8]诸葛建伟.蜜罐与蜜罐系统技术简介[R].北大狩猎女神项目组技术报告, 2006:21-26.
[9] Clifford Stoll. Stalking the wily hacker. Communications of ACM, Volume 31, Issue 5, 1988, pp, 484-497.
[10]江森林.蜜罐软件Honeyd的研究[D].江南大学硕士学位论文, 2005.
[11]匡华,李祥.基于DTK的网络蜜罐设计与应用[J].信息安全与通信保密, 2005(08):109-111.
[12]朱一帅,吴礼发.基于Sebek的蜜罐识别机制研究[J].信息技术, 2009(01):83-86.
[13] Dorothy E.Denning. An Intrusion-Detection Model. IEEE Transactions on Software Engineering, SE-13(2):222~232, February 1987
[14]刘科,卢涵宇,王华军. Phishing攻击技术研究及防范对策[J].电脑知识与技术, 2010(16):4399.
[15]魏丹. Web服务器性能与Web框架应用的研究[D].河南大学, 2006.
[16]叶强.超文本传输协议--HTTP/1.0[J].科技情报开发与经济, 2004(08):266-267.
[17] W.Richard Stevens. TCP/IP详解:卷1协议[M].北京,机械工业出版社, 2000.
[18]邓友良. HTTP报文监测和过滤技术研究[D].西南交通大学, 2007.
[19]齐英,杨松,毛期俭.基于协议分析技术的TCP安全研究[J].重庆邮电学院学报, 2006(S3):186-189.
[20]李京顺.口令安全管理[J].电脑与信息技术, 2006(04):76-78.
[21]阿牛. Win XP登录口令破解一法[J].计算机与网络, 2002(17):16.
[22]邓立武.针对SQL攻击的数据库防护系统的设计与研究[D].华北电力大学, 2010.
[23]徐陋,姚国祥. SQL注入攻击全面预防办法及其应用[J].微计算机信息, 2006(09) :10-12.
[24]郑志勇.文件上传漏洞模拟[J].电脑迷, 2004(10):6-8.
[25]郭健. DDoS攻击原理及其检测方法探究[J].电脑知识与技术, 2009(12):3103-3104.
[26]刘旭勇. DDoS攻击及主动防御模型研究[J].计算机技术与发展, 2008, 18(7): 143-146.
[27] Kevin Curran. Monitoring hacker activity with a Honeynet. International Journal of Network Management, 2005-15
[28]翟继强,叶飞.利用Honeyd构建虚拟网络[J].计算机安全, 2006(03):27-29.
[29]周莲英,曹登元,年轶.虚拟蜜罐系统框Honeyd的分析与研究[J].计算机工程与应用, 2005(27):137-140.
[30] McClure, Stuart, Scambray Joel. TCP fingerprinting solutions for Linux offer another way to gather security data. InfoWorld, 1998,Vol.20.
[31]蔡岚岚.蜜罐指纹技术的研究与实现[D].南京理工大学, 2006 .
[32]张琦.操作系统指纹识别工具Nmap与Xprobe的分析和研究[J].科技传播, 2010(08):87-89.
[33]王婷.基于Honeyd的蜜罐技术研究与设计[D].西南交通大学硕士学位论文, 2007.
[34]张家喜.论Honeynet数据捕获技术[J].安庆师范学院学报, 2005, 11(4):34-37.
[35]潘文婵,章韵. Wireshark在TCP/IP网络协议教学中的应用[J].计算机教育, 2009(06):158-159.
[36] Cooper G, Herskovits E. A Bayesian Method for the induction of Probabilistic Networks from data[J]. Machine Learning(S0885-6125), 1992, 122(9):309-347.
[37]谢柏青,佘晓歌.算法与数据结构[M].北京,高等教育出版社, 2003.
[38]李伟生.信息融合系统中态势估计技术研究[D].西安电子科技大学, 2004.
[39]魏锦慧.用于Nmap的攻击工具集的设计与实现[D].吉林大学, 2006.
[40]袁新海,陈家琪.基于系统和网络特征的蜜罐识别技术[J].计算机工程与设计, 2008,(07) .
[41]程晓伟,杨百龙.基于蜜罐特征的蜜罐识别技术[J].现代电子技术, 2009,(15) .
[42]蒋欣,薛质.针对Honeypot的指纹识别及其防御对策[J].信息安全与通信保密, 2005,(10) .
[43] Peter Jay Salzman, Ori Pomerantz. The Linux Kernel Module Programming Guide[EB/OL] .
[44]顾夏申.轻量级文件隐藏技术[D].上海交通大学, 2010.