Research on the Security Architecture of Military Computer Networks
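Abstract
At present, the military's informatization continues to develop rapidly and information network security problems are increasingly prominent, so it has become essential to accelerate the construction of an information network security system that is technically advanced, efficiently managed, suited to both peacetime and wartime, and secure and reliable. The practice of military development around the world shows that the higher a military's level of informatization, the stronger its dependence on network systems and the more prominent its information network security problems; only when a network system is secure and effective can it truly deliver its intended military benefit. Addressing the shortcomings of the existing military computer information network security system and its implementation standards, this thesis focuses on key technologies including layering, grading, dynamic defense in depth, honeypot architecture and network deception. The main research work is as follows:
     1) Studies in depth the main security problems that military computer networks face now and in the future. From four aspects of computer network confrontation, namely the physical layer, the energy layer, the information (logical) layer and the perception layer, it discusses confrontation against military computer networks at each layer and the corresponding countermeasures that computer network defense should adopt.
     2) Proposes an overall security protection strategy for military computer networks, and elaborates the information network security strategy in detail, both in terms of the three aspects of people, technology and behavior and layer by layer.
     3) Adopting the idea of the defense-in-depth security architecture framework, extends the three-dimensional security architecture, the DGSA of DISSP and the P2DR security model, and proposes a dynamic defense-in-depth security architecture model.
     4) Analyzes honeypot and honeynet systems, and studies the application of intrusion detection and response honeypot systems in military computer networks.
     5) Analyzes the attack ideas based on session redirection and "man-in-the-middle", as well as the capture of unknown attacks, and on this basis designs and implements a distributed session-redirection honeypot architecture.
     The security architecture model, network deception and other results proposed in this thesis have been applied in a certain military unit's "Exploration of Integrated Joint Operations Training Construction". The session-redirection-based honeypot architecture designed here can achieve twice the result with half the effort and reverse roles in information confrontation, and has been applied in the pilot tasks of the integrated operations training construction exploration. It has paved the way for information network security construction in integrated operations training and laid a solid foundation for the future development of information network security standards for integrated operations training.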
Currently, with the rapid development of the military's informatization, the problem of information network security is becoming increasingly evident. It is therefore necessary to rapidly construct an information network security system that is technically advanced, efficiently managed, suited to both peacetime and wartime, and secure and reliable. Military informatization around the world today has shown that the higher a military's level of informatization, the more dependent it is on the network system, and the more evident the problem of information network security becomes. Only a secure and effective network system can really deliver its benefit to military affairs. Aiming at the shortcomings of the existing military computer information network security system and its implementation standards, this dissertation studies the techniques of gradation, hierarchy, dynamic defense in depth, honeypot architecture, network deception and so on. The main contents of the research are as follows:
     1) Studying in depth the main security problems that the military computer network faces now and in the future. Based on four aspects of computer network confrontation, at the physical, energy, information (logic) and perception levels, discussing the relevant countermeasures that computer network defense should take against confrontation at the different levels of the military computer network.
     2) Proposing overall security defense tactics for the military computer network, and elaborating the information network security tactics layer by layer and from the three aspects of human, technology and behavior.
     3) Adopting the idea of the defense-in-depth system framework, extending the three-dimensional security system architecture, the DGSA of DISSP and the P2DR security system model, and proposing the Defense-in-Dynamic and Depth architecture.
     4) Analyzing honeypot and honeynet systems, and researching the application of the honeypot to intrusion detection and response in the military computer network.
     5) Analyzing the ideas based on session redirection and "Man-in-The-Middle" attack, and the capture of unknown attacks. Based on these, designing and implementing a honeypot and honey-farm system with distributed session redirection.
     The security system and network deception proposed in this dissertation have been