
Research on Key Technology of Network Threat Detection and Defense

(Original title: 网络威胁检测与防御关键技术研究)

【Author】 Yang Tianlu (杨天路)

【Supervisor】 Yang Yixian (杨义先)

【Author information】 Beijing University of Posts and Telecommunications (北京邮电大学), Signal and Information Processing, 2010, doctoral dissertation

【Abstract】 As computing technology develops and networks spread, attacks take ever more forms, network security problems grow more prominent, and the resulting social impact and economic losses keep rising, which places new demands on network threat detection and defense. Network security is a spiral, upward process in which threat detection, security situation index assessment and dynamic immunization are the key links of defense. Scientific and effective measures can curb attacks, reduce threats and keep networks running in a healthy and orderly way, and research on these three areas (detection, assessment and immunization) strengthens the emergency response capability of defense organizations. Network traffic anomalies and the spread of malicious code on hosts are the main threats today and the key objects of security monitoring. Discovering abnormal traffic quickly and accurately, and capturing, analysing, tracking and monitoring malicious code promptly and accurately, supplies the knowledge needed for situation assessment and immunization decisions and so raises the overall response capability of emergency organizations.

A network security situation index is an important tool for evaluating the security state of a network: an indicator that reflects the security attributes of the assessed object as a whole. A situation assessment indicator system is a set of related indicators of security level built from the assessment goals and contents; it guides the collection of information about the assessed object and reflects the basic state, quality and level of its security. The index is the comprehensive indicator of the security state, and the indicator system is the basis on which standardised, objective and quantitative assessment conclusions are formed.

System patching, virus scanning and similar measures let information devices be immunized against, and recover from, part of the malicious code they meet. From the standpoint of complex network theory, however, deciding what immunization strategy the nodes of the whole network should adopt, balancing immunization effect against cost, is a hard problem. Combining static immunization (random immunization, target immunization) with dynamic immunization into a strategy that arranges the various immunization measures in time and space can effectively mitigate the threat of all kinds of malicious code.

This dissertation studies network traffic monitoring and denial-of-service attack detection, proposes an online real-time high-speed detection technique for flooding attacks on SIP VoIP systems, designs a honeynet-based malicious code monitoring and analysis platform, discusses a scheme for network security situation index assessment, analyses the propagation dynamics of malicious code in networks and, drawing on complex network theory, proposes a dynamic immunization model for malicious code based on information propagation. The main results are as follows.

1. An online real-time high-speed detection algorithm for flooding attacks on SIP VoIP systems. Existing work detects mainly on protocol attribute tuples and the protocol state machine; because it ignores the directionality of signalling interactions and the distribution of call durations, it can be deceived by forged traffic and easily misjudges a normal high-traffic scenario as an attack. After a detailed analysis of INVITE flooding against SIP VoIP systems, the dissertation proposes a call-duration-based VoIP flooding detection method (CDVFD) that uses the directionality of SIP signalling and the statistical distribution of call durations, with the chi-square value as the distance measure, to detect flooding quickly and efficiently while distinguishing it from legitimate high call volume; experiments confirm its effectiveness. The method is general and extends to other communication protocols with session semantics.

2. A large-scale distributed malicious code monitoring and analysis system based on honeypots and "honeydogs" (蜜狗). After in-depth study of malicious code trapping, analysis and tracking, the work implements trapping at honeypot sites, network behaviour analysis at honeypot gateways and tracking of malicious code control servers with honeydogs, forming a large-scale distributed honeypot network. Deployed nationwide, it captures malicious code propagation and attack behaviour quickly, identifies the network activity characteristics of hacker attacks and malicious code, tracks the activity of control servers, and supplies network signatures for security monitoring, samples for immunization and basic threat data for situation assessment.

3. A monitoring-based method for assessing network security situation indicators. Three kinds of basic data are sensed: information-system vulnerability risk, malicious code infection threat, and host resource usage stability. After normalization, a BP (back-propagation) neural network models, assesses and predicts the security situation index, and a subjective weighting method combines the results into a security assessment index for the target network that reflects its overall security state and supports security management and decision-making.

4. A dynamic immunization strategy model for malicious code based on information propagation. Starting from the behavioural characteristics of malicious code, the work studies at whole-network level how immunization strategies affect propagation dynamics and, using complex network theory, proposes a dynamic immunization strategy based on information propagation: a model in which alarm mails spread to suppress e-mail worm propagation. Unlike static strategies, the model accounts for the dynamic interaction between the propagation process and the immunization process; simulation shows that it suppresses infection more effectively than target immunization without requiring knowledge of the whole network.
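As an added illustration of result 1 (example code written for this page, not the dissertation's CDVFD implementation): one SIP observation window is reduced to a call-duration histogram and to counts of caller-to-callee versus callee-to-caller messages, and each is compared with a baseline using the chi-square statistic as a distance. The bins, the baseline proportions, the seven-message model of a completed call, the critical values used as thresholds and the sample windows are all assumptions constructed here. Because expected counts are scaled to the window's own total, a busy hour with the baseline shape scores near zero, while INVITE flooding, which piles up unanswered zero-duration dialogs flowing one way, scores far above both thresholds.

```python
"""Chi-square distance over two SIP dialog features to flag INVITE flooding.

Added example, not code from the dissertation. The dialog record layout,
the duration bins, the baseline proportions and the way 'directionality'
is encoded (caller->callee vs callee->caller message counts) are all
assumptions made here for illustration.
"""

# Call-duration bins in seconds; a duration >= 600 falls in the last bin.
# A dialog that never reached 200 OK has duration 0 and lands in bin 0.
DURATION_BINS = (0, 5, 30, 120, 600)

# Baseline proportions learned from known-good traffic (constructed here).
BASELINE_DURATION = (0.05, 0.15, 0.40, 0.30, 0.10)
# A completed call: INVITE, ACK, BYE forward; 100, 180, 200 OK, 200 OK (BYE)
# backward, so 4 of every 7 messages flow callee -> caller (assumption).
BASELINE_BACKWARD = 4 / 7

# chi-square 95% critical values for 4 and 1 degrees of freedom
CHI2_CRIT_DF4 = 9.488
CHI2_CRIT_DF1 = 3.841


def bin_index(duration):
    """Map a call duration in seconds to its histogram bin."""
    for i in range(1, len(DURATION_BINS)):
        if duration < DURATION_BINS[i]:
            return i - 1
    return len(DURATION_BINS) - 1


def chi_square(observed, expected_props):
    """Chi-square statistic of observed counts against expected proportions.

    Expected counts are scaled to the window's own total, so a busy-hour
    window with the baseline shape but ten times the volume still scores
    near zero; only a change of shape drives the statistic up."""
    total = sum(observed)
    stat = 0.0
    for o, p in zip(observed, expected_props):
        e = p * total
        if e > 0:
            stat += (o - e) ** 2 / e
    return stat


def window_features(dialogs):
    """dialogs: iterable of (forward_msgs, backward_msgs, duration_s)."""
    hist = [0] * len(BASELINE_DURATION)
    fwd = bwd = 0
    for f, b, dur in dialogs:
        hist[bin_index(dur)] += 1
        fwd += f
        bwd += b
    return hist, fwd, bwd


def analyse_window(dialogs):
    """Score one observation window; flag it when both features deviate."""
    hist, fwd, bwd = window_features(dialogs)
    dur_chi2 = chi_square(hist, BASELINE_DURATION)
    dir_chi2 = chi_square([fwd, bwd], (1 - BASELINE_BACKWARD, BASELINE_BACKWARD))
    return {
        "duration_chi2": dur_chi2,
        "direction_chi2": dir_chi2,
        "flood": dur_chi2 > CHI2_CRIT_DF4 and dir_chi2 > CHI2_CRIT_DF1,
    }


def normal_dialog(duration_s):
    """A completed call as (forward, backward, duration) message counts."""
    return (3, 4, duration_s)


def flood_dialog():
    """One flood INVITE: never answered, no call set up (assumption)."""
    return (1, 0, 0)


def make_window(bin_counts, flood_invites=0):
    """Build a constructed window: bin_counts completed calls per duration
    bin (at a representative duration) plus flood_invites attack dialogs."""
    representative = (2, 15, 60, 300, 900)
    dialogs = []
    for count, dur in zip(bin_counts, representative):
        dialogs.extend([normal_dialog(dur)] * count)
    dialogs.extend([flood_dialog()] * flood_invites)
    return dialogs


if __name__ == "__main__":
    quiet = make_window((5, 15, 40, 30, 10))            # 100 calls, baseline shape
    busy = make_window((60, 150, 390, 300, 100))        # 1000 calls, slight drift
    flood = make_window((5, 15, 40, 30, 10), flood_invites=400)
    for name, win in (("quiet", quiet), ("busy hour", busy), ("INVITE flood", flood)):
        print(name, analyse_window(win))
```

Running the block scores the three constructed windows: the quiet and busy-hour windows stay under both critical values, the flooded window does not. In a deployment the baseline proportions would be estimated from the site's own normal traffic and the thresholds tuned to its tolerance for false alarms.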

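As an added illustration of result 4 (toy code written for this page, not the dissertation's model or its experiments): a worm spreads over a constructed scale-free e-mail contact graph, and three strategies are compared on the same pre-drawn infection outcomes so that the results are directly comparable: no immunization, target immunization (pre-immunizing the highest-degree 5 % of hosts, which needs global degree knowledge) and a dynamic strategy in which a host whose infection is noticed two rounds later sends alarm mail to its contacts, which then immunize. The graph model, the per-contact infection probability, the detection delay, the alarm rule and the starting host are all assumptions; which strategy wins depends on these parameters, and the dissertation's comparison is not reproduced here.

```python
"""Toy simulation of worm spread on an e-mail contact graph under three
immunization strategies. Added example, not the dissertation's model: the
graph generator, the detection delay, the per-contact infection probability
and the 'alarm mail immunizes every susceptible contact' rule are all
assumptions made here for illustration."""
import random


def barabasi_albert(n, m, rng):
    """Scale-free contact graph by preferential attachment (assumption)."""
    adj = {v: set() for v in range(n)}
    targets = list(range(m))
    repeated = []
    for new in range(m, n):
        for t in targets:
            adj[new].add(t)
            adj[t].add(new)
        repeated.extend(targets)
        repeated.extend([new] * m)
        chosen = set()
        while len(chosen) < m:
            chosen.add(rng.choice(repeated))
        targets = sorted(chosen)
    return adj


def simulate(adj, seed_node, beta, strategy, steps=30, detect_delay=2,
             target_k=0, draw_seed=1):
    """Run the worm for `steps` rounds; return (infected, immune, susceptible).

    strategy: "none", "target" (pre-immunize the target_k highest-degree
    hosts, which needs global degree knowledge) or "dynamic" (a host whose
    infection is noticed detect_delay rounds later alarms its contacts,
    which then immunize). The per-(sender, contact, round) infection draws
    are fixed up front so every strategy sees identical worm luck."""
    rng = random.Random(draw_seed)
    draws = {(v, u, t): rng.random()
             for t in range(1, steps + 1) for v in adj for u in sorted(adj[v])}
    state = {v: "S" for v in adj}
    if strategy == "target":
        for v in sorted(adj, key=lambda v: len(adj[v]), reverse=True)[:target_k]:
            state[v] = "R"
    state[seed_node] = "I"
    infected_at = {seed_node: 0}
    for t in range(1, steps + 1):
        # Worm round: every infected host mails every still-susceptible contact.
        newly = [u for v in adj if state[v] == "I"
                 for u in sorted(adj[v])
                 if state[u] == "S" and draws[(v, u, t)] < beta]
        for u in newly:
            if state[u] == "S":
                state[u] = "I"
                infected_at[u] = t
        # Alarm round: hosts detected this round warn their contacts, and the
        # contacts that are still clean patch (become immune) at once.
        if strategy == "dynamic":
            for v, t0 in infected_at.items():
                if t - t0 == detect_delay:
                    for u in adj[v]:
                        if state[u] == "S":
                            state[u] = "R"
    counts = {s: sum(1 for v in adj if state[v] == s) for s in "ISR"}
    return counts["I"], counts["R"], counts["S"]


def compare(n=200, m=2, beta=0.3, graph_seed=7, draw_seed=1):
    """Final (infected, immune, susceptible) per strategy on one graph."""
    adj = barabasi_albert(n, m, random.Random(graph_seed))
    seed_node = n - 1  # the last-attached, lowest-degree host (assumption)
    return {s: simulate(adj, seed_node, beta, s, target_k=n // 20,
                        draw_seed=draw_seed)
            for s in ("none", "target", "dynamic")}


if __name__ == "__main__":
    for strategy, (inf, imm, sus) in compare().items():
        print(f"{strategy:8s} infected={inf:4d} immune={imm:4d} susceptible={sus:4d}")
```

Because the infection draws are shared, immunization can only remove hosts from the worm's reach, so the infected count under either immunization strategy is never above the unprotected run; the design point of the dynamic strategy is that the alarm travels over the same contact graph the worm uses, which is why it needs no global view of the network.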
