Available online at www.sciencedirect.com

Procedia Engineering 29 (2012) 1584 – 1589
www.elsevier.com/locate/procedia

2012 International Workshop on Information and Electronics Engineering (IWIEE)

The Technology Research of Dynamic Network Active Defense in Network Management

Wei-ming Hong∗

Department of Computer Science, Zhanjiang Normal College, Guangdong 524048, PR China

Abstract

With the rapid development of networks, the demands on network security keep growing, but the traditional network security mechanism against network attack is passive defense, which is gradually becoming inadequate in the face of ever-changing intrusions. This paper therefore proposes adopting an active dynamic defense strategy for network security, to change the passive security status quo, redress the imbalance between attack and defense, and at the same time improve network security.

© 2011 Published by Elsevier Ltd. Selection and/or peer-review under responsibility of Harbin University of Science and Technology. Open access under CC BY-NC-ND license.

Keywords: active dynamic network; network security; security and defense

1. Introduction

With the development of network security technology, the defensive mechanisms of network security are becoming more and more mature. Traditional network security technologies such as firewalls, intrusion detection and vulnerability scanning adopt passive defense mechanisms, but the inherent limitations of these means are becoming increasingly obvious: they are not enough to cope with ever-changing network attacks. On the other hand, network administrators facing a complicated network environment and arduous work are more likely to make serious mistakes that are difficult to repair. Therefore it is worth more scholars studying how to turn defensive measures from passive into active and defensive mechanisms from static into dynamic, and so set up an effective defense technology mechanism.

∗ Corresponding author. Tel.: +86-759-3183980. E-mail address: [email protected].

1877-7058 © 2011 Published by Elsevier Ltd. Open access under CC BY-NC-ND license. doi:10.1016/j.proeng.2012.01.177


2. Overview of active dynamic network defense technology

2.1. The concept of active dynamic network defense technology

Active dynamic defense technology for network security means that, in a dynamic network, the network information is monitored directly, the attack can be successfully led into a honeypot network, and the hacker's attack on the real business is contained and diverted. At the same time the data transmission is controlled and the captured network flow data is analysed, so that the hacker's means are understood, evidence is obtained according to the corresponding rules for collecting network intrusions, and finally the attack source is traced back [1]. Put simply, active dynamic defense of network security means discovering that one is under attack and promptly trying to stop the attacker from achieving his purpose, thereby minimising the users' loss by various methods and technologies.

2.2. The classification of active dynamic network defense technology

Active dynamic defense technology for network security can in general be divided into three broad categories, as follows.

The first kind is the various dynamic network security technologies of which intrusion detection is representative. This kind of technique takes the attacker's attack as its premise, detects attack behaviour in real time and then applies dynamic network defense; it mainly includes vulnerability detection technology, data identification technology, flow analysis technology, log audit technology, etc.

The second kind is the various dynamic network security technologies of which network camouflage is representative, which can be divided into two categories: active and passive camouflage. When hackers have clearly identified targets and are ready to attack, network camouflage technology adds false information to the true information so that the hackers cannot choose the right attack means and methods. Hackers must choose their attack means according to the network environment and network state; once false information is mixed in, the attacker cannot successfully carry out the attack.

The third kind is the various dynamic network security technologies characterised by network deception (cajoling), which can be roughly divided into five categories: network traps, network deception, Trojan horses, honeypot technology and honeynets. Like network camouflage technology, network deception technology is a kind of active defense technology. Literally it means actively setting traps to attract the target hacker: hackers lured into the predefined trap are monitored, the hackers' information is obtained continuously, their behaviour is analysed, and material for cracking the hackers' techniques is accumulated. At the same time the attack source can be located retrospectively and, at the right time, the hackers can be alerted.

2.3. The key technologies of active dynamic network defense

Active dynamic defense of network security must be supported by related key technologies; in recent years the main ones are dynamic network security technology, camouflage technology, network spoofing technology and so on. A brief introduction of each follows.

1) Dynamic network security technology. The principle chart of the dynamic network security model DPFT is as follows:


Figure 1. The DPFT Model of Dynamic Network Security (components shown in the diagram: Subject, Detection, Protection, Object, Feedback, Tracking)
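As an added illustration that is not part of the paper, the following Python simulation walks through the control loop behind Figure 1: the detection component raises an alarm, the protection component drops traffic from sources that tracking has identified, the feedback component restores a changed object, and the tracking component records the attacker's address and updates the defense control parameters. The class and method names, the per-source packet budget used as the control parameter, and the sample packet stream are all assumptions made for this example.

```python
"""Added example, not from the paper: a small simulation of the DPFT control loop
(Detection, Protection, Feedback, Tracking around a protected Object) of Figure 1.
Every class, parameter and the constructed packet stream below is an assumption."""
from dataclasses import dataclass, field
import hashlib


@dataclass
class Packet:
    src: str          # source address of the subject sending the packet
    payload: bytes


@dataclass
class ProtectedObject:
    """The Object of the model: a resource whose integrity Feedback checks."""
    name: str
    content: bytes

    def digest(self) -> str:
        return hashlib.sha256(self.content).hexdigest()


@dataclass
class DPFT:
    obj: ProtectedObject
    per_source_budget: int = 5               # defence control parameter tuned by Tracking
    blocked: set = field(default_factory=set)
    tracked: list = field(default_factory=list)
    counts: dict = field(default_factory=dict)
    last_writer: str = ""
    restored: int = 0

    def __post_init__(self):
        # Feedback needs a known-good copy so it can restore the object after tampering.
        self.baseline = self.obj.digest()
        self.backup = self.obj.content

    def protection(self, pkt: Packet) -> bool:
        """Protection: sources that Tracking has identified are dropped before the object."""
        return pkt.src not in self.blocked

    def detection(self, pkt: Packet) -> bool:
        """Detection: only a rate check here, so some attacks get past it on purpose."""
        self.counts[pkt.src] = self.counts.get(pkt.src, 0) + 1
        return self.counts[pkt.src] > self.per_source_budget

    def tracking(self, src: str) -> None:
        """Tracking: record the attacker's address and tighten the control parameters."""
        if src not in self.blocked:
            self.tracked.append(src)
            self.blocked.add(src)
            self.per_source_budget = max(1, self.per_source_budget - 1)

    def feedback(self) -> bool:
        """Feedback: if the object was changed, restore it and hand the writer to Tracking."""
        if self.obj.digest() == self.baseline:
            return False
        self.obj.content = self.backup
        self.restored += 1
        self.tracking(self.last_writer)
        return True

    def handle(self, pkt: Packet) -> str:
        if not self.protection(pkt):
            return "dropped"
        if self.detection(pkt):
            self.tracking(pkt.src)
            return "detected"
        # Packet reaches the object. A WRITE payload simulates an attack Detection missed.
        if pkt.payload.startswith(b"WRITE "):
            self.obj.content = pkt.payload[6:]
            self.last_writer = pkt.src
        return "delivered"


def run(packets, budget: int = 5) -> dict:
    """Run the loop over a packet stream and summarise what each component did."""
    model = DPFT(ProtectedObject("config", b"original"), per_source_budget=budget)
    outcomes = {"dropped": 0, "detected": 0, "delivered": 0}
    for pkt in packets:
        outcomes[model.handle(pkt)] += 1
        model.feedback()           # Feedback runs after every packet in this simulation
    return {
        "outcomes": outcomes,
        "tracked": model.tracked,
        "object_intact": model.obj.content == b"original",
        "restorations": model.restored,
        "budget_after": model.per_source_budget,
    }


# Constructed sample stream: a normal client, a flooding source and a quiet tamperer.
SAMPLE = (
    [Packet("10.0.0.2", b"READ page") for _ in range(3)]
    + [Packet("10.0.0.9", b"READ page") for _ in range(7)]   # 7 > budget 5: detected on the 6th
    + [Packet("10.0.0.7", b"WRITE defaced")]                 # slips past Detection, caught by Feedback
    + [Packet("10.0.0.7", b"READ page")]                     # now dropped by Protection
)

if __name__ == "__main__":
    print(run(SAMPLE))
```

The point of the toy is the layering the paper describes: the rate-based detection misses the single tampering packet, but feedback notices the object's digest no longer matches the baseline, restores the backup and feeds the writer's address to tracking, which in turn tightens the budget that detection uses for the next packets.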

The security system proposed by this model takes detection, protection, tracking and feedback as its four components; all operation of the whole system is covered by the protection component. Once the detection component detects an attack, the protection component takes steps to prevent it. If the object is attacked, the feedback component sets a signal, the protection component changes its configuration to cope with the attack, and a counterattack is started to track the address information of the attacker, while at the same time the defense control parameters are updated. If the object under attack has been changed, the feedback component can help restore it. From this we can see it is a superior security model.

2) Camouflage technology. Camouflage technology can be divided into five parts: the network data flow camouflage model, the network data submission camouflage model, the IP address camouflage model, the operating system and network service camouflage model, and the network topology structure camouflage model; the parts coordinate and interact with each other. If the whole camouflage algorithm analysis, the measure of camouflage degree, the performance evaluation of the camouflage and a loadable prototype are all considered, the theory and technical specification of the dynamic camouflage network security model will finally be formed [2].

3) Web spoofing techniques. In theory every network system has loopholes that can be used by invaders. Web spoofing techniques deliberately create some fake security vulnerabilities to cheat the invaders, and offer some resources that can be attacked and stolen (these resources being, of course, false), which increases the invaders' workload and complexity and leaves them unable to tell whether their attack has succeeded. Moreover, it allows the tracking and monitoring protection measures to analyse the invaders' intention and keep up with the latest security technology.

3. Hacker tracking technology [3]

1) Access filtering. The most direct approach to preventing spoofing is to restrict forged IP addresses. Access filtering refers to a router configuration that blocks the transmission of messages with illegal source addresses.

2) Input debugging. First, the user must realise that an attack is under way and be able to describe the characteristics of all attack messages accurately. Then the attack is reported to the network administrator, who installs a debugging filter on an input router; this displays the input port of the router through which all the matching messages entered and the address of the upstream router.

3) Reverse flooding attack. First the network topology structure is prepared; then, while the attack is occurring, flooding messages are sent from time to time to the upstream routers. Because the buffer space a router shares among messages is limited, the packet loss rate will probably rise.
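The first two tracking steps above, access filtering and input debugging, can be shown on a simulated router. The following Python code is an added example, not from the paper: the interface table (which source prefixes are expected on each interface and which upstream router sits behind it), the attack signature and the sample packets are all constructed assumptions.

```python
"""Added example, not from the paper: access (ingress) filtering and an input-debugging
filter on a simulated router, as in steps 1) and 2) of section 3. The interface table,
the attack signature and the constructed packets are assumptions."""
import ipaddress

# Assumed router: for each interface, the source prefixes legitimately reachable through
# it and the address of the upstream router on that interface.
INTERFACES = {
    "eth0": {"prefixes": ["192.168.0.0/24"], "upstream": "192.168.0.254"},
    "eth1": {"prefixes": ["10.10.0.0/16"], "upstream": "10.10.0.1"},
}


def access_filter(iface: str, src: str) -> bool:
    """Access filtering: accept a packet only if its source address belongs to a prefix
    expected on the interface it arrived on; anything else is treated as forged."""
    addr = ipaddress.ip_address(src)
    return any(addr in ipaddress.ip_network(p) for p in INTERFACES[iface]["prefixes"])


def input_debug(packets, signature):
    """Input debugging: for packets matching the administrator's description of the
    attack, report the interface they entered on and the upstream router one hop back.
    The source address is deliberately not trusted here; the interface is."""
    hits = []
    for pkt in packets:
        if all(pkt.get(k) == v for k, v in signature.items()):
            hits.append({
                "iface": pkt["iface"],
                "upstream": INTERFACES[pkt["iface"]]["upstream"],
                "claimed_src": pkt["src"],
            })
    return hits


def triage(packets, signature):
    """Apply both steps: list forged sources caught at the edge, and for the attack
    traffic list the upstream routers on which to repeat the input-debugging step."""
    forged = [p["src"] for p in packets if not access_filter(p["iface"], p["src"])]
    hits = input_debug(packets, signature)
    next_hops = sorted({h["upstream"] for h in hits})
    return {"forged": forged, "hits": len(hits), "next_hops": next_hops}


# Constructed sample packets (not captured traffic). The second packet claims a
# 10.10.0.0/16 source but arrived on eth0, so access filtering marks it as forged.
SAMPLE_PACKETS = [
    {"iface": "eth0", "src": "192.168.0.7", "dst": "172.16.5.5", "proto": "udp", "dport": 53},
    {"iface": "eth0", "src": "10.10.3.3", "dst": "172.16.5.5", "proto": "udp", "dport": 53},
    {"iface": "eth1", "src": "10.10.3.3", "dst": "172.16.5.5", "proto": "udp", "dport": 53},
    {"iface": "eth1", "src": "10.10.9.9", "dst": "172.16.5.5", "proto": "tcp", "dport": 80},
]
# The administrator's description of the attack messages (step 2).
SIGNATURE = {"dst": "172.16.5.5", "proto": "udp", "dport": 53}

if __name__ == "__main__":
    print(triage(SAMPLE_PACKETS, SIGNATURE))
```

Because the forged packet still matches the attack signature, input debugging reports the interface it actually came through rather than the address it claims, which is exactly why the paper's step 2 asks for the input port and the upstream router instead of the source address.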


4. Active dynamic defense model of network security

4.1. Overview of the active dynamic defense model

The active dynamic defense model of network security is formed by four modules: detection, lure, protection and tracking. Their functions, together with logging, are:

1) Detection: through the dynamic testing and monitoring system, monitor the network on-line for illegal packets.

2) Lure: build a composite honeypot network, let each honeypot in the network intentionally contain some system vulnerabilities and open some common network services, so that invaders are attracted to attack it and the real network avoids being attacked.

3) Protection: respond accurately to the results obtained from detection and data analysis, and show the information to the administrator in an overview.

4) Tracking: based on real-time routing of the attack source, adopt a backtracking "attack node positioning algorithm" to determine the attack source node.

5) Logging: provide a data logging function, put dangerous network data flows on a special log server and adopt a certain data analysis mechanism, so that the administrator can analyse the attackers' means from this information and gain information for further security.

4.2. IDS – Snort of the DAPT model [4]

1) IDS – Snort. Snort is the latest analysis tool used for network intrusion detection: an open-source tool based on fast pattern matching, with a rule format that is standard, user-definable and extensible. Generally it sits at the front end of the honeypot network.

2) Three working modes: sniffer mode, packet logger mode and network intrusion detection mode. By modifying the configuration file and entering the command, Snort's working mode is tuned to the third kind, realising intrusion detection alarms.

3) Configuration process. First, set up the configuration server environment on Red Hat 9.0; the software used is PHP, Apache, the ADOdb library, ACID, mysql-standard-5.0.27-linux-i686, JpGraph and zlib. Secondly, reinstall Snort 2.0 and libpcap. Then modify the snort.conf configuration file and import the detection rule library into Snort. Finally, enter the command

C:\snort\bin>snort -c c:\snort\etc\snort.conf -vde -l d:\logs -h 192.168.0.1/254

in CMD; Snort then starts, monitors data, and stores the log information and threats in the MySQL database, from which Walleye reads and displays the alarms.

4.3. HoneyWall of the DAPT model

The HoneyWall firewall under Linux is the second line of defence after the IDS (Snort), holding a very important position in the whole defense system; it is an essential module.

1) Building the HoneyWall firewall. HoneyWall can be installed together with the honeypot network server and the various honeypot hosts, or the firewall can be configured separately on another machine, but HoneyWall must be placed after the Linux IDS (Snort). The important reason is that port redirection is also set up in that configuration.

2) Functions. The system can control the handling of network emergencies, set the system security state, log, configure the honeypot IP addresses and range, the management interface IP address and the interface access control strategy, outbound connection restrictions, DNS access configuration, etc.
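Sections 4.1 and 4.2 have the IDS write alarms to a database and the protection and logging modules turn them into an overview for the administrator. The following Python code is an added example, not the paper's or the Snort project's own code, of that step: it parses Snort's "fast" alert line format and summarises the alerts per attacking source. The log lines, signature ids, addresses and the flagging threshold are constructed assumptions.

```python
"""Added example, not from the paper: parsing Snort alert_fast lines into the kind of
per-attacker overview that sections 4.1 and 4.2 describe. The log lines, signature ids,
addresses and the flagging threshold are constructed assumptions."""
import re
from collections import defaultdict

# One alert_fast line: timestamp [**] [gid:sid:rev] message [**] [Classification: ...]
# [Priority: n] {PROTO} src[:sport] -> dst[:dport]; the classification part is optional.
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.+?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?\[Priority:\s*(?P<pri>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+(?P<src>\S+?)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>\S+?)(?::(?P<dport>\d+))?$"
)

# Constructed sample log (not real traffic); the last line checks that junk is skipped.
SAMPLE_ALERTS = """\
03/15-10:01:02.000001  [**] [1:1000001:1] CONSTRUCTED honeynet probe [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.0.0.5:4444 -> 192.168.0.10:80
03/15-10:01:03.000002  [**] [1:1000001:1] CONSTRUCTED honeynet probe [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.0.0.5:4445 -> 192.168.0.11:80
03/15-10:01:04.000003  [**] [1:1000002:1] CONSTRUCTED exploit attempt [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 10.0.0.5:4446 -> 192.168.0.12:22
03/15-10:02:00.000004  [**] [1:1000003:1] CONSTRUCTED icmp sweep [**] [Priority: 3] {ICMP} 10.0.0.8 -> 192.168.0.10
this line is not an alert and must be skipped
"""


def parse_alerts(text: str) -> list:
    """Turn each well-formed alert line into a dict; lines that do not match are ignored."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["pri"] = int(rec["pri"])
            alerts.append(rec)
    return alerts


def summarize(alerts: list, threshold: int = 3) -> dict:
    """Per attacking source: alert count, distinct targets, highest priority seen
    (1 is the most severe in Snort), signatures, and whether it should be flagged."""
    by_src = defaultdict(lambda: {"count": 0, "targets": set(), "top_priority": 99, "signatures": set()})
    for a in alerts:
        s = by_src[a["src"]]
        s["count"] += 1
        s["targets"].add(a["dst"])
        s["top_priority"] = min(s["top_priority"], a["pri"])
        s["signatures"].add(a["msg"])
    overview = {}
    for src, s in by_src.items():
        overview[src] = {
            "count": s["count"],
            "targets": sorted(s["targets"]),
            "top_priority": s["top_priority"],
            "signatures": sorted(s["signatures"]),
            # Flag a source that is either noisy or has triggered a priority-1 rule.
            "flag": s["count"] >= threshold or s["top_priority"] == 1,
        }
    return overview


def flagged_sources(overview: dict) -> list:
    """The sources an administrator should look at first."""
    return sorted(src for src, s in overview.items() if s["flag"])


if __name__ == "__main__":
    ov = summarize(parse_alerts(SAMPLE_ALERTS))
    for src, s in ov.items():
        print(src, s)
    print("flagged:", flagged_sources(ov))
```

Reading the alerts from the MySQL database that the paper's setup populates, instead of from a text file, would only change the input loop; the grouping and flagging logic is what the administrator's overview needs either way.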


4.4. Honeypot network of the DAPT model

In order to improve interactivity and reflect structural complexity and safety (to prevent the honeypots being used as a springboard for attack), a composite virtual honeypot network (Hybrid Honeynet) is presented and designed. It is an important intermediate segment of the DAPT security defense system: it can strongly attract attackers, resist network attacks, control and analyse attack means, resist worms, etc. The overall control among the composite virtual honeypot network, the IDS (Snort), HoneyWall and each Honeynet can be divided into two levels: the first is the cooperative control between the Hybrid IDS (Snort) and each IDS (Snort), between the Hybrid HoneyWall and each HoneyWall, and between the Hybrid Honeypot and each Honeypot; the second is the linkage between the honeypot host IDS, the honeypot and the HoneyWall.

5. Research on virtual simulation networks and hacker tracking

5.1. Network simulation and virtual simulation networks

Network simulation was first used to measure and evaluate network performance. It can reduce investment and all kinds of cost in a network, so network simulation technology has become an important part of network technology. Communication network simulation uses a computer to simulate the communication network in order to study its specific performance, for communication network planning and system demonstration analysis [5]. A virtual simulation network is composed of one or a few main simulation computers; the number of simulated networks can be one or several, and the virtual simulation network can simulate various network services to attract the hacker's attention and trick the source of the hacker's attacks. Combined with an intrusion detection agent, the virtual simulation network can fully understand each step of the hacker's attack as it happens, and cut off the hacker's connection at the right time.

5.2. Research on hacker tracking technology

Intrusion detection is the main method of identifying network attacks. Existing intrusion detection systems constantly monitor network and host activity, find aggression and adopt corresponding measures (e.g. stop, isolate, restore the system) in order to prevent attacks or reduce the harm they cause. But from the management and legal point of view, to punish the attacker's aggression one needs not only an actual security system that provides intrusion detection but, more importantly, a way to trace the source of the attack, so as to offer evidence for combating computer crime. Existing intrusion detection systems prefer discovering and guarding against attacks, and seldom provide tracking of the attacker's real source. Under this condition we developed a hacker monitoring system based on our research and development of a distributed network intrusion detection system (DIDS), using a firewall and an emulated LAN to track the attacker across the whole network. For hacker attacks on the virtual simulation network, the hacker monitoring and control system of the DIDS keeps a record of the hackers' sources, and offers visual analysis and forecasting of the hackers' sources.

5.3. Electronic evidence and dynamic response

The aim of electronic evidence is to store the records of the perpetrator's crime information held in computers and related equipment, and to make them effective evidence to be provided to the court. Electronic evidence is generated during the operation of a computer system; it is an electromagnetic record whose content proves the facts of the case. The form in which electronic evidence is expressed on the computer screen is


varied, combining text, graphics, images, animation, audio and video, etc. Such media information covers almost all the traditional evidence types. Like traditional evidence, electronic evidence must comply with the laws and regulations.

6. Conclusion

This paper mainly addresses the defensive failings of current passive security and the imbalance in the network security offense-defense game, and makes a thorough study of active dynamic defense of network security. Specifically, it introduces the concept of dynamic security, classifies the technologies of active dynamic defense in network security, introduces the key technologies in each class, and presents the research status and development trend. On this basis it summarises an active dynamic defense model of network security.

Acknowledgment

The paper is supported by the Guangdong Natural Science Fund (GNSF) (No. 9151027501000039) and the Science and Technology Key Projects of Zhanjiang City (No. 2007C09017).

References

[1] Wang LL, Xu RS. Based on active defense trap network system. Computer Engineering and Applications 2002; 38(17): 177–179.
[2] Liu ZH, Yi P. Information hiding technology and its application. Beijing: Science Press; 2002.
[3] Hu HP, Hou CS, Kong T, et al. Equality based on active defense model IP direction tracking method. Journal of Huazhong University of Science and Technology 2005; 33(3): 36–37.
[4] Li Y. A research of hacker monitoring technology. Doctoral thesis, Northwestern Polytechnical University; 2004.
[5] Ruan YP, Yi JB, Zhao ZS. Computer system intrusion detection model methods. Computer Engineering 1999; 25(9): 63–65.
