Research and Implementation of an Incident Response Management System
Abstract
With the continuous development of Internet technology and the constant growth of applications on the Internet, network security incidents also show a rising trend, and the scope of their impact and the losses they cause keep growing. Incident response to security events is an indispensable link in the network security architecture. Internationally, research and services in this field have been carried on for more than ten years; in China, research on incident response started only recently, but it has already attracted close attention from government, education and academia, industry and other sectors. Taking the Eastern China (North) Regional Network Center as the application background, this thesis studies and designs an incident response management system.
     Security incident response involves a wide range of actions. Although many of these are direct responses to an incident, many others concern the preparation for handling incidents and how to make incident responders work more effectively. The first research topic of this thesis is therefore the incident response procedure. Response actions taken without any method can cause greater loss than the incident itself, so it is very important to respond to security incidents with a systematic, reasonable and predefined process. The incident response procedure is an important component of the incident response management system. Based on the overall framework of the PDCERF six-phase model, the most authoritative international incident response framework, combined with the security policy of the Eastern China (North) Regional Network Center and the response practice of its incident response team, this thesis organizes and formally designs the center's incident response procedure, which is used to improve the response practice of the center's incident response team.
     Through the incident response procedure, one gains a detailed understanding of the work to be done before, during and after incident response, and the procedure guides responders in handling security incidents in an orderly way. During incident response, many different response methods can reach the same security goal; which response method is then the most suitable? This is the second research problem of the thesis: response decision. The response decision algorithm makes a decision on each reported security incident and automatically generates a response recommendation, and the administrator responds to the incident according to the generated recommendation. Drawing on the classification-based response decision model and Wenke Lee's cost-sensitive model, and incorporating some of the uncertain factors in response decision, such as alert confidence, the security state of the attack target and feedback on the response effect, this thesis proposes a classification-based, benefit-first response decision algorithm. The model takes into account the harm of the incident, the cost of responding and the feedback on the response effect, and chooses the optimal response method for a security incident from a global perspective. Involving the response effect in the decision greatly increases the flexibility and adaptability of response decision. The model involves three kinds of cost: residual damage cost of the incident, response operation cost and response negative cost. The thesis gives a concrete quantification method for the residual damage cost and converts the other two costs into incident damage-cost terms, thereby quantifying all three kinds of cost in a unified way. The immunity-judgment filter of the response decision combines the security incident with the security state of the attack target and filters out incidents against which the target is completely immune, which greatly reduces the negative effect of intrusion detection systems ignoring the characteristics of the concrete target when detecting incidents. Involving alert confidence in the response decision also reduces the negative effect of false positives from the intrusion detection system.
     This thesis implements the proposed response decision algorithm in the incident response management system. Analysis of the algorithm shows that it considers the various factors comprehensively: it filters incidents by immunity and cost judgment, ranks all feasible response methods for a security incident that needs response by response benefit, and selects the optimal one; the generated response recommendation is specific to the attack target; the response policy can be adjusted flexibly as the environment changes; and the classification of response methods and incidents is well extensible. In system testing, the response decision algorithm reached the expected results in both functionality and performance.
     The thesis closes with an outlook on future research on incident response management systems, pointing out the importance of formulating detailed and feasible incident response procedures for incident response work, the significance of applying expert systems to response decision, and the significance of applying compound-attack recognition and attack prediction to response decision.
English abstract
With the continuous development of Internet technology, applications on the Internet increase ceaselessly, and the number of network security incidents also shows a growing trend, which leads to wider impact and greater loss. Response to security incidents is an essential part of the network security architecture, and international research and service in this field have developed for more than ten years. Although this field of work is relatively new to China, it has already caught the attention of government, education and academic institutions, and industry. This thesis studied and designed an Incident Response Information System based on the requirements of the CERNET Eastern China (North) Network Center.
     Security incident response involves many actions. Though most of them are direct responses to incidents, they also relate to the preparation for handling incidents and to how to make people work more efficiently, so the incident response regulation becomes the first research topic. Irregular response actions may result in more serious loss than the incidents themselves, so it is very important to adopt a systematic, reasonable and pre-defined process to handle security incidents. The incident response procedure is an important part of the Incident Response Information System. This thesis brings forward a set of incident response procedures that fit the requirements of the CERNET Eastern China (North) Network Center, based on the overall framework of the PDCERF six-phase incident response procedure, the most authoritative in the world, the pre-defined security policies, and the practice of NJCERT at the CERNET Eastern China (North) Network Center.
     Through the incident response regulation, we can have detailed knowledge of the work before, during and after the response process, and it can guide the people involved to respond to security incidents in an orderly way. Which response actions, then, are the most suitable ones in the response process? So the second research topic is response decision. The response decision algorithm makes decisions for reported security incidents and builds response proposals, and administrators then handle those incidents based on the proposals. This thesis gives a response decision model based on classification and Wenke Lee's cost-sensitive model, integrates some uncertain factors of the response decision process, such as incident alert confidence, the security state of attacked objects and feedback on response benefit, and puts forward an optimized response decision algorithm based on classification. This algorithm considers the harm of incidents, the cost of response and the feedback on response effect, and selects the best solution from an overall consideration. With the response effect involved in response decision, the agility and adaptability of response decision are greatly enhanced. Three classes of cost are considered: residual damage cost, response operation cost and response negative cost. This thesis offers a concrete quantification method for residual damage cost, and converts the quantification of the other two costs into damage cost, so as to unify the quantification of all three classes of cost. The immunity judgment filter of the response decision combines the security state of incidents with that of the attacked objects and filters out security incidents to which the attacked objects are totally immune, which reduces the side effect brought on by the IDS's neglect of concrete attacked-object features when detecting security incidents. Incident alert confidence involved in the response decision can reduce this side effect, too.
     This thesis realizes the proposed response decision algorithm in the Incident Response Information System. The analysis shows that this algorithm considers various factors, can judge the immunity and cost of incidents, can rank all feasible response ways for security incidents that need response by response benefit, and can select the best-fit response actions. The produced response proposal is specific to the attacked objects, can adapt easily to changes in the environment, and has good extensibility for new response actions. The tests show that this response decision algorithm reached the expected results in both function and performance.
     At the end of the thesis, we give an outlook on the research of future incident response information systems, pointing out that working out detailed, feasible response regulations is key to response actions. Furthermore, expert system technology, compound attack recognition and early warning could be applied in the response decision-making process.
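The abstract describes the decision model only in outline: an immunity filter that drops incidents the attacked object cannot be hurt by, three cost classes expressed in one loss-cost unit, alert confidence that discounts uncertain alerts, and feedback on response effect that tunes future choices. The following Python block is an added illustration of how such a benefit-first ranking can be put together; it is not code from the thesis or from the NJCERT system. The cost formulas (benefit = confidence-weighted damage prevented minus operation and negative cost), the data structures, the effectiveness feedback factor and the sample incidents, targets and response options are all assumptions constructed for this example.

```python
# Benefit-first response decision over three cost classes: a constructed
# illustration of the model described in the abstract. The cost formulas,
# data structures and sample data below are assumptions for this example
# and are not taken from the thesis.
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Incident:
    name: str
    category: str        # incident class used by the classification-based model
    target: str          # attacked object
    confidence: float    # IDS alert confidence in [0, 1]
    damage_cost: float   # expected loss if nothing is done, in loss-cost units


@dataclass(frozen=True)
class Target:
    name: str
    immune_to: FrozenSet[str]   # incident classes this host is fully immune to


@dataclass(frozen=True)
class ResponseOption:
    name: str
    applies_to: FrozenSet[str]  # incident classes the option can handle
    residual_fraction: float    # share of damage left after a fully effective use
    operation_cost: float       # cost of carrying out the response (loss-cost units)
    negative_cost: float        # collateral cost, e.g. disruption (loss-cost units)


@dataclass
class Decision:
    status: str                       # "immune", "no_action" or "respond"
    recommended: Optional[str]
    ranked: List[Tuple[str, float]]   # (option name, benefit), best first


def is_immune(incident: Incident, target: Target) -> bool:
    """Immunity filter: drop incidents the attacked object cannot be hurt by."""
    return incident.category in target.immune_to


def residual_damage_cost(incident: Incident, option: ResponseOption,
                         effectiveness: float) -> float:
    """Damage left after applying `option`; `effectiveness` (0..1) is the
    feedback-derived factor scaling how much damage the option really removes."""
    removed = (1.0 - option.residual_fraction) * effectiveness
    return incident.damage_cost * (1.0 - removed)


def expected_benefit(incident: Incident, option: ResponseOption,
                     effectiveness: float) -> float:
    """Confidence-weighted damage prevented minus operation and negative cost,
    all three cost classes being expressed in the same loss-cost units."""
    prevented = incident.damage_cost - residual_damage_cost(incident, option, effectiveness)
    return incident.confidence * prevented - option.operation_cost - option.negative_cost


def decide(incident: Incident, target: Target, options: List[ResponseOption],
           feedback: Dict[str, float]) -> Decision:
    """Rank the feasible options by benefit and recommend the best, if any.
    `feedback` maps option name -> observed effectiveness; options without
    feedback are assumed fully effective (1.0)."""
    if is_immune(incident, target):
        return Decision("immune", None, [])
    ranked = []
    for opt in options:
        if incident.category not in opt.applies_to:
            continue
        benefit = expected_benefit(incident, opt, feedback.get(opt.name, 1.0))
        ranked.append((opt.name, benefit))
    ranked.sort(key=lambda pair: pair[1], reverse=True)
    # Doing nothing has benefit 0; only recommend an option that beats it.
    if not ranked or ranked[0][1] <= 0.0:
        return Decision("no_action", None, ranked)
    return Decision("respond", ranked[0][0], ranked)


# Constructed sample data (hypothetical, not from the thesis).
OPTIONS = [
    ResponseOption("block_source_ip", frozenset({"scan", "worm"}), 0.20, 1.0, 2.0),
    ResponseOption("isolate_host", frozenset({"worm", "intrusion"}), 0.05, 3.0, 10.0),
    ResponseOption("notify_admin", frozenset({"scan", "worm", "intrusion"}), 0.70, 0.5, 0.0),
]
WEB01 = Target("web01", frozenset({"scan"}))     # port scans cause it no loss
DB01 = Target("db01", frozenset())
WORM = Incident("worm-propagation", "worm", "web01", 0.9, 40.0)
SCAN = Incident("port-scan", "scan", "web01", 0.6, 5.0)
LOW_CONF = Incident("suspected-intrusion", "intrusion", "db01", 0.1, 40.0)

if __name__ == "__main__":
    cases = [(WORM, WEB01, {}), (WORM, WEB01, {"block_source_ip": 0.5}),
             (SCAN, WEB01, {}), (LOW_CONF, DB01, {})]
    for inc, tgt, fb in cases:
        d = decide(inc, tgt, OPTIONS, fb)
        print(f"{inc.name:22s} feedback={fb} -> {d.status}: {d.recommended} {d.ranked}")
```

Run as a script, the four sample cases show the behaviours the abstract attributes to the model: the worm on web01 is answered by blocking the source address, but once feedback reports that blocking has only been half effective the ranking flips to isolating the host; the port scan against a host immune to scans is filtered before any cost is computed; and a low-confidence intrusion alert is answered with the cheap notification rather than the disruptive isolation, because the confidence weighting shrinks the damage prevented more than it shrinks the fixed costs.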
References
【1】"CERT/CC Statistics, 1988-2004". http://www.cert.org/stats/cert_stats.html
【2】ICSA Labs, Computer Virus Prevalence Survey. http://www.ontrack.co.uk/special/ICSAlabs_VirusSurvey2004.pdf
【3】http://www.cert.org.cn
【4】马欣, 张玉清, 顾新. A response-oriented classification method for network security incidents. Computer Engineering, 2004, 6: pp. 103-105
【5】Schultz E E. Network Security Incident Response (Chinese translation by 段海新). Beijing: Posts & Telecom Press, 2002
【6】Howard J D, Longstaff T A. A Common Language for Computer Security Incidents. Technical Report SAND98-8667, Sandia National Laboratories, October 1998
【7】www.first.org
【8】段海新. Incident response for computer network security. Telecommunications Technology, 2002, 12: pp. 11-13
【9】Incident response procedure: http://www.visa-asia.com/secured/includes/VisaAP_Inc_Resp_Procedv1_2_2004.pdf
【10】Julia H. Allen. The CERT Security Guide (Chinese translation by 周赟). ISBN 7-302-06021-5. Beijing: Tsinghua University Press, 2002
【11】段海新, 张千里. CERNET network security incident response service. http://www2.ccw.com.
【12】Kevin Mandia, Chris Prosise. Incident Response: Investigating Computer Crime (Chinese translation by 常晓波). Tsinghua University Press, 2002
【13】Eric Maiwald. A Practical Guide to Network Security (Chinese translation by 天宏工作室). ISBN 7-302-06197-1. Beijing: Tsinghua University Press, 2003
【14】Dan Schnackenberg, Kelly Djahandari, Dan Sterne. "Infrastructure for Intrusion Detection and Response". Proceedings of the DARPA Information Survivability Conference and Exposition, January 2000
【15】Computer Security Incident Response Planning: http://documents.iss.net/whitepapers/csirplanning.pdf
【16】Moira J. West-Brown, Don Stikvoort, Klaus-Peter Kossakowski. Handbook for Computer Security Incident Response Teams (CSIRTs). www.cert.org/archive/pdf/csirt-handbook.pdf
【17】丁勇, 龚俭, 虞平. Research on automatic intrusion response systems. Computer Science, Vol. 30, No. 10, 2003, pp. 160-162
【18】Niels Provos. A Virtual Honeypot Framework. http://www.citi.umich.edu/techreports/reports/citi-tr-03-1.pdf
【19】Computer Evidence Processing: Good Documentation Is Essential. http://www.forensics-intl.com/art10.html
【20】loggedon, pslist, listdlls: http://www.sysinternals.com
【21】fport, afind, ntlast, sfind: http://www.foundstone.com
【22】md5sum: http://www.cygnus.com
【23】pwdump: http://packetstorm.security.com/Cracker/NT/pwdump2.zip
【24】Holt Sorenson. Incident Response Tools For Unix, Part One: System Tools. http://www.securityfocus.com/infocus/1679
【25】Holt Sorenson. Incident Response Tools For Unix, Part Two: File-System Tools. http://www.securityfocus.com/infocus/1738
【26】Holt Sorenson. Incident Response Tools For Unix, Part Three: Network Tools. http://www.securityfocus.com/infocus/1821
【27】Warren G. Kruse II, Jay G. Heiser. Computer Forensics: Incident Response Essentials (Chinese translation by 段海新, 刘武, 赵乐南). ISBN 7-115-10875-7. Beijing: Posts & Telecom Press, 2003
【28】陈祖义, 龚俭, 徐晓琴. A tool system for computer forensics. Computer Engineering, 2005, 3: pp. 162-164
【29】段海新. CERNET network security incident response service. http://www.bjnet-pku.edu.cn/lectures/security.ppt
【30】张冰. Internet security emergency response work: review and outlook. http://www.edu.cn/download/11thcernetppt/zhangbin.ppt
【31】RFC 2350: ftp://ftp.isi.edu/in-notes/rfc2350.txt
【32】E. A. Fisch. "Intrusion Damage Control and Assessment: A Taxonomy and Implementation of Automated Response to Intrusive Behavior". PhD Dissertation, Texas A&M University, College Station, TX, 1996
【33】U. Lindqvist and E. Jonsson. "How to systematically classify computer security intrusions". Proc. 1997 IEEE Symp. on Security and Privacy, Oakland, CA, May 4-7, 1997, pp. 154-163
【34】Curtis A. Carver, John M. D. Hill, and Udo W. Pooch. "Limiting Uncertainty in Intrusion Response". Proceedings of the IEEE Workshop on Information Assurance and Security, 2001
【35】C. A. Carver and U. W. Pooch. "An Intrusion Response Taxonomy and its Role in Automatic Intrusion Response". Proceedings of the 2000 IEEE Workshop on Information Assurance and Security, United States Military Academy, West Point, NY, June 6-7, 2000, pp. 129-135
【36】Wenke Lee, Wei Fan, Matthew Miller, Sal Stolfo and Erez Zadok. Toward Cost-Sensitive Modeling for Intrusion Detection and Response. Journal of Computer Security, 2002, 10, 1: 318-336
【37】Thomas Toth and Christopher Kruegel. Evaluating the impact of automated intrusion response mechanisms. http://www.infosys.tuwien.ac.at/staff/tt/publications/Evaluating_the_Impact_of_Automated_Intrusion_Response_Mechanisms.pdf
【38】张俭. A rollback-capable automatic intrusion response system with dynamic feedback [D]. PhD dissertation. Nanjing: Southeast University, Department of Computer Science, 2004
【39】王慧强, 徐东, 曹翊. Research on evaluating the response effect of adaptive intrusion response systems. Journal of Harbin Engineering University, 2004, 10: pp. 639-643
【40】丁勇. Research on automatic intrusion response systems [D]. Master's thesis. Nanjing: Southeast University, Department of Computer Science, 2004
【41】张剑, 龚俭. A rollback-capable automatic intrusion response system. Acta Electronica Sinica, 200, 5: pp. 769-773
【42】龚俭, 陆晟, 王倩. Introduction to Computer Network Security. ISBN 7-81050-648-X. Nanjing: Southeast University Press, 2000