Coordinating Snort with a Firewall to Defend Against 3G Network Signaling Attacks
Abstract
The development and widespread adoption of 3G networks have enriched mobile communication services and brought users many conveniences. As more and more information is carried over 3G networks, many new network security problems follow. Recently the signaling attack, a new type of denial-of-service attack that exploits vulnerabilities in the 3G signaling plane, has drawn the attention of both industry and academia. Its basic characteristics are: low-rate, small-volume attack flows; easy attack on multiple targets; and severe harm, in the worst case paralyzing the 3G network of an entire city.
     There is currently no effective means of detecting and defending against signaling attacks. This is mainly because traditional denial-of-service attacks are high-rate and high-volume, so intrusion detection systems have traditionally designed and implemented attack detection around that characteristic. As a result, low-rate, small-volume signaling attack packets can easily blend into normal traffic and bypass traditional intrusion detection systems.
     This paper first introduces the architecture and characteristics of 3G networks, analyzes the main security threats currently facing them, and focuses on the severity of DoS attacks against 3G networks. It then gives a model of the signaling attack and simulates the attack in a simulation environment to observe its impact. Next it proposes an improvement to the CUSUM algorithm, a signaling attack detection method based on time-difference statistics, gives the method's mathematical description, and implements it as a plugin for the open-source intrusion detection system Snort; the method is verified experimentally in the simulation environment, its defensive effect is observed, and improvements to optimize its performance are proposed. Finally, a solution coordinating the detection system with a firewall is designed and implemented, giving the system the ability to block signaling attacks.
     The main work of this paper includes:
     1. For low-rate signaling attacks on 3G networks, an improvement to the CUSUM algorithm is proposed: the time-difference statistical detection method.
     2. The detection method is implemented on the open-source intrusion detection system Snort. Since many commercial intrusion detection systems are built on Snort, this implementation can be applied directly to those systems to improve their detection performance.
     3. Experiments are run in the simulation environment for performance evaluation. The detection method successfully detects the signaling attack before it can cause significant harm, showing that the proposed method achieves the expected effect.
     4. By analyzing and comparing the results of repeated detection runs, a reference standard is provided for choosing the parameters of the time-difference statistical detection method.
     5. Coordination between the Snort system integrating the signaling attack detection plugin and the IpTables firewall is implemented: malicious IP addresses detected by Snort are submitted to the firewall, which dynamically creates the corresponding filtering rules, giving the whole system the ability to defend against signaling attacks.
With the development of 3G wireless networks, a variety of mobile services are provided, bringing many kinds of convenience to users. More and more information is transmitted efficiently via 3G wireless networks. In the meantime, new problems are arising. Recently, the signaling attack has attracted increasing attention in industrial and academic circles. This kind of attack exploits a weakness of the control plane in 3G networks and is low-volume and low-rate. It is also very harmful and can bring down the entire 3G network in a city.
     Currently, there is no efficient method to detect the signaling attack. Its low-volume, low-rate nature allows it to be injected easily into normal traffic and to evade existing intrusion detection algorithms, which are often rate- or volume-based. It has therefore become a prominent technical problem.
     In this paper, we first introduce the architecture of 3G wireless networks and analyze their security holes, focusing on the hazard of DoS attacks. Then we identify the signaling attack model and demonstrate its impact in simulations. After that, we present a detection method, the Statistical Time Difference Detection Method, give its mathematical description, and implement it as a plugin for the open-source Snort system. Finally, we evaluate the detection method in trace-driven simulations and present plans to optimize its performance.
     The main work in this paper includes:
     1. We present a detection method, the Statistical Time Difference Detection Method, to defend against low-rate signaling attacks in 3G wireless networks.
     2. We implement the method as a plugin for the open-source Snort system. As many enterprise detection systems are based on Snort, it can be integrated easily into other systems to improve their detection performance.
     3. Through trace-driven simulations, we demonstrate that the algorithm is robust and can identify an attack at its inception, before significant damage is done.
     4. Via trace-driven simulations, we compare the results for different parameter choices and show how to choose the parameters of the detection method.
     5. We present plans to optimize its performance, which provide references for detecting variants of the signaling attack in future.
     6. We coordinate the firewall, IpTables, with Snort: block rules are created for the malicious IP addresses detected by the Statistical Time Difference Detection Method, enhancing the system's ability to defend against signaling attacks.
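The detection-and-block pipeline the abstract describes (a per-source CUSUM over inter-arrival time differences, then firewall rules for flagged sources), as an added example that is not the thesis's own Snort plugin or firewall hook. The abstract does not give the exact statistic, so this uses a plain one-sided CUSUM (Page's scheme) over an assumed indicator: whether a source's inter-arrival gap lands just past an assumed radio-bearer inactivity timeout, the pattern that forces repeated signaling setups; the trace, T_IDLE, WINDOW, P_NORMAL and THRESHOLD are all constructed values.

```python
from collections import defaultdict

# Constructed sample trace of (time_s, src_ip, dst_ip); not from the thesis.
# 10.0.0.5 is a normal, bursty source. 10.0.0.9 sends one packet every 6 s,
# each gap just past the assumed 5 s inactivity timeout, so every packet
# would trigger a fresh bearer setup: the low-rate pattern the abstract names.
TRACE = (
    [(t, "10.0.0.5", "10.1.1.1")
     for t in (0.0, 0.3, 0.5, 0.6, 4.0, 4.1, 12.0, 12.2, 30.0, 30.1)]
    + [(6.0 * k, "10.0.0.9", "10.1.1.2") for k in range(1, 11)]
)
TRACE.sort()

T_IDLE = 5.0      # assumed radio-bearer inactivity timeout (seconds)
WINDOW = 2.0      # gaps in (T_IDLE, T_IDLE + WINDOW] count as a forced re-setup
P_NORMAL = 0.1    # assumed share of such gaps in benign traffic (CUSUM drift)
THRESHOLD = 3.0   # assumed CUSUM alarm level


def cusum_detect(trace, t_idle=T_IDLE, window=WINDOW,
                 p_normal=P_NORMAL, threshold=THRESHOLD):
    """Per-source one-sided CUSUM over the indicator x_n = 1 if the gap to the
    source's previous packet lies just past the inactivity timeout, else 0:
        S_n = max(0, S_{n-1} + (x_n - p_normal))
    A source is flagged the first time S_n exceeds the threshold.
    Returns {src_ip: alarm_time}."""
    last_seen, score, alarms = {}, defaultdict(float), {}
    for t, src, _dst in trace:
        if src in last_seen:
            gap = t - last_seen[src]
            x = 1.0 if t_idle < gap <= t_idle + window else 0.0
            score[src] = max(0.0, score[src] + (x - p_normal))
            if score[src] > threshold and src not in alarms:
                alarms[src] = t
        last_seen[src] = t
    return alarms


def iptables_rules(alarms):
    """Drop rules a Snort-to-firewall hook (assumed mechanism) would hand to
    iptables for each flagged source, one per IP, in stable order."""
    return [f"iptables -I INPUT -s {ip} -j DROP" for ip in sorted(alarms)]


if __name__ == "__main__":
    flagged = cusum_detect(TRACE)
    print(flagged)                      # {'10.0.0.9': 30.0}
    print("\n".join(iptables_rules(flagged)))
```

With these constructed parameters the regular 6 s sender crosses the threshold on its fourth qualifying gap (at t = 30.0) while the bursty source never accumulates a score, which is the early-detection behaviour the abstract claims for the method.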