Application of Honeypot Technology in Intrusion Detection Systems
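Abstract
With the rapid development of the Internet and the arrival of a networked society, the Internet has opened up to commercial users and the general public, and network traffic and business volume have snowballed. At the same time, because of security flaws in the Internet itself, network security incidents such as hacker attacks, intrusions and leaks of sensitive information are increasing rapidly.
     Existing security measures are mainly based on known facts and known attack patterns and take a passive approach to defence; these methods are inadequate against complex and ever-changing hacker attacks. How to turn the network security defence system from static to dynamic, and defensive measures from passive to active, is the new topic we need to study. Accordingly, another, more proactive and effective information security technology is gradually coming into view: honeypot technology.
     The honeypot is a brand-new area of network security. It lures intruders into attacking it by constructing a system with obvious security vulnerabilities, and during the attack it records in detail the intruder's motives, methods, tools and other information. From the collected information we can analyse the latest techniques used by intruders and discover security vulnerabilities in the system, so that problems in the system can be resolved promptly.
     The thesis analyses in detail the principles, structure, characteristics, design and implementation of honeypots, and builds a virtual honeypot system to comprehensively demonstrate the functions of a honeypot. It mainly covers the following aspects:
     1. It introduces the origin and development of honeypots and their definition and classification, analyses the security value of honeypots, and discusses the advantages and weaknesses specific to honeypots compared with other security tools.
     2. It analyses the technologies related to honeypots, including disguise, information collection, risk control and data analysis.
     3. After an in-depth examination of traditional and cutting-edge honeypot technology in China and abroad, it summarises the main technical difficulties and shortcomings of honeypot technology. Then, following the approach of raising a problem and solving it, it proposes a way to extend existing honeypot technology: a comprehensive solution that combines it with other information security technologies. A security defence system combining a honeypot with an IDS is designed, and the implementation of this system is described in detail.
     4. Functional and performance tests are carried out on the honeypot system. The author set up a virtual honeypot system and tested it with commonly used attack methods; the results meet the expected system design goals.
     Through theoretical proof and experimental verification, the conclusion is that a honeypot can confuse attackers, divert them from their targets, consume attacker resources, and reveal system vulnerabilities and new attack methods. Used together with existing network security measures such as intrusion detection systems and firewalls, it can effectively improve the security of a system.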
Along with the swift development of the Internet and the arrival of the networked society, the Internet has opened its doors to commercial users and the ordinary public. Network communication and business volume are experiencing snowball-type growth. At the same time, as a result of the security flaws of the Internet itself, hackers' network attacks and intrusion behaviour are increasing, and the security of the information highway has raised public alarm.
     The available countermeasures are primarily based on known facts and known attack patterns and are mainly passive means of defence. These means are poorly suited to handling complex and swiftly changing attack methods. How to make the network security defence system dynamic, and how to make defensive measures active rather than passive, is the new research task. Another, more active and effective information security technology has gradually been coming into view: honeypot technology.
     The honeypot is a new concept in the field of network security. It lures attackers with some obvious security holes and, at the same time, monitors the hacker's behaviour and records all the information for further analysis. From the log data, we can identify the latest intrusion behaviours and security holes, and accordingly build more security into the whole system.
     The thesis discusses the theory, structure, characteristics, design and implementation of honeypots in detail. A virtual honeypot is constructed to demonstrate the honeypot's functions. The main aspects of this thesis are as follows.
     First, the thesis introduces the origins, development, definition and categories of honeypots. The security value and the particular advantages and weaknesses of honeypots are discussed.
     Second, the related concepts and ideas are analysed thoroughly. The implementation technologies of a honeypot system include disguise, information gathering, risk control and data analysis.
     Third, after a deep analysis of traditional and leading-edge honeypot technology in China and abroad, the main technical difficulties and defects of honeypot technology are summarised. Then, following the approach of raising a problem and solving it, an extension of existing honeypot technology is proposed: a comprehensive solution that combines it with other information security technologies. A virtual honeypot is constructed, using a honeypot together with an IDS, to validate the concept and implementation of the honeypot.
     Finally, functional and performance tests of the honeypot are carried out.
     According to the conclusion of this thesis, a honeypot can confuse adversaries, divert an attack from its real targets, exhaust attacker resources, and discover vulnerabilities and new attack methods. Working together with an IDS and a firewall, it effectively enhances computer network security.