Research and Design Based on the Linkage of Honeynet Technology
Abstract
Honeypots are an active security technology that has emerged in recent years. A honeypot is a security resource whose value lies in being scanned, attacked and compromised. A honeynet is a deceptive network developed on the basis of honeypots; it is generally a network system composed of several devices such as a firewall, an intrusion detection system and honeypot hosts, but a virtual honeynet can also be built on a single physical host with virtual machine software. Starting from honeypot systems, the technology has so far evolved through first-generation, second-generation and third-generation honeynets, and large-scale honey farm technology has even appeared. However, as a new technology, the honeynet, like other emerging technologies, also has shortcomings.
The linkage between the honeypots inside a honeynet and the traditional firewall and intrusion detection technologies is insufficient, and the system has no ability to learn intrusion rules on its own. To address this problem, this thesis designs a new honeynet architecture that adds a data analysis module, so that the value of deploying a honeynet can be fully realised. The thesis also successfully deploys a honeynet system which, in addition to meeting the basic requirements of data control, data capture and data analysis, applies data mining in the data analysis module: the classic unsupervised clustering algorithm K-MEANS is used to label and classify the data, the C4.5 classification algorithm is used to extract intrusion rules from the labelled data, and the extracted rules are stored in the intrusion detection rule base, so that the linkage and learning capability of the honeynet are realised in the true sense. At the same time, in implementing the honeynet system, the security and reliability of log information was fully considered: an off-site storage mode was designed, and the idea of a network bridge was used to strengthen the security of the network management module.
Honeypot technology is a newly emerging technology of recent years. A honeypot is a kind of security resource whose value lies in being scanned, attacked and compromised. A honeynet is a deceptive network developed on the basis of honeypot technology. As a network system, a honeynet generally consists of a firewall, an intrusion detection system (IDS) and one or more honeypot machines, but it can also be constructed on a single physical host with virtual machine software. Building on honeypot technology, honeynets have so far developed from the first generation through the second generation to the third generation, and large-scale Honey Farm technology has even appeared. But as a new technology, the honeynet also has limitations, like other new technologies.
The honeynet system has the disadvantage of weak linkage between honeypot, firewall and IDS, and it has no self-learning capability for intrusion rules. In view of this problem, this thesis designs a new honeynet architecture that adds a data analysis module, which also enables the deployed honeynet's function to be brought into full play. The thesis has successfully deployed a honeynet system which, apart from meeting the data control, data capture and data analysis requirements, realises the data analysis module with data mining technology: the classical unsupervised clustering algorithm K-MEANS is used to label and classify the data, and the C4.5 classification algorithm is used to extract intrusion rules from the labelled data. The extracted rules are kept in the IDS rule set, which realises the honeynet's linkage and learning ability in the true sense. At the same time, when implementing the honeynet system, the security and reliability of log information were fully considered: an off-site storage pattern was designed, and the bridge concept was used to strengthen the security of the network management module.
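The K-MEANS-then-C4.5 pipeline that the abstract describes for the data analysis module, as an added example that is not the thesis's own code: it clusters constructed per-source flow features (the feature names "ports" and "rate", the sample values and the rule text format are all assumptions) with a deterministic two-cluster k-means, then applies a single C4.5-style gain-ratio split to the cluster labels and renders the result as threshold rules of the kind a rule base could ingest. A full C4.5 tree with pruning is not implemented; one root split shows the rule-extraction idea.

```python
import math
from collections import Counter
# Constructed sample, not honeynet captures: per-source-host flow features,
# "ports" = distinct destination ports probed, "rate" = connections per minute.
RECORDS = [
    {"ports": 1, "rate": 2}, {"ports": 2, "rate": 3}, {"ports": 1, "rate": 1},
    {"ports": 3, "rate": 4}, {"ports": 2, "rate": 2}, {"ports": 40, "rate": 90},
    {"ports": 55, "rate": 120}, {"ports": 38, "rate": 80}, {"ports": 60, "rate": 150},
]
FEATURES = ["ports", "rate"]
def kmeans(records, iters=20):
    """Unsupervised labelling: 2-cluster k-means seeded with record 0 and the record farthest from it."""
    pts = [[r[f] for f in FEATURES] for r in records]
    cents = [pts[0], max(pts, key=lambda p: math.dist(p, pts[0]))]
    for _ in range(iters):
        labels = [min((0, 1), key=lambda c: math.dist(p, cents[c])) for p in pts]
        groups = [[p for p, l in zip(pts, labels) if l == c] or [cents[c]] for c in (0, 1)]
        new = [[sum(x) / len(g) for x in zip(*g)] for g in groups]
        if new == cents:
            break  # centroids unchanged: converged
        cents = new
    return labels

def entropy(labels):
    n = len(labels)
    return -sum(c / n * math.log2(c / n) for c in Counter(labels).values())
def best_split(records, labels):
    """C4.5-style root split: highest gain ratio over every feature and every midpoint threshold."""
    base, n, best = entropy(labels), len(labels), (0.0, None, None)
    for f in FEATURES:
        vals = sorted({r[f] for r in records})
        for lo, hi in zip(vals, vals[1:]):  # midpoints, so both sides are non-empty
            thr = (lo + hi) / 2
            left = [l for r, l in zip(records, labels) if r[f] <= thr]
            right = [l for r, l in zip(records, labels) if r[f] > thr]
            gain = base - sum(len(s) / n * entropy(s) for s in (left, right))
            ratio = gain / entropy([r[f] <= thr for r in records])  # gain / split info
            if ratio > best[0]:
                best = (ratio, f, thr)
    return best

def extract_rules(records, labels):
    """Render the split as threshold rules (majority cluster per side); stand-ins for rule-base entries."""
    _, f, thr = best_split(records, labels)
    rules = []
    for op, side in (("<=", lambda v: v <= thr), (">", lambda v: v > thr)):
        majority = Counter(l for r, l in zip(records, labels) if side(r[f])).most_common(1)[0][0]
        rules.append(f"if {f} {op} {thr:g} then cluster {majority}")
    return f, thr, rules
```

On the constructed sample the clustering separates the five low-rate hosts from the four port-scanning hosts, and the split chosen is the "ports" threshold, because it is the first feature to reach a gain ratio of 1.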