
A Study on the Client Honeypot System Based on the Malicious Web Detection

【Author】 Wang Yingjie (王颖杰)

【Advisor】 Zhang Ziyu (张子瑜)

【Author information】 Nanjing Normal University, Computer Application Technology, 2008, Master's

【Abstract】 A honeypot is a well-known technique for discovering the tools, tactics, and motives of attackers. It is a new network security technology that has emerged in recent years from the idea of deception in warfare, and it is intended to be probed, attacked, and compromised. Directly or indirectly, honeypots help protect production systems and networks against attackers. Honeypot technology has played a major role in analysing phishing attacks and tracking botnets. Attackers tend to take the path of least resistance, and as basic security measures such as firewalls and anti-virus engines have steadily matured, many traditional attack paths now yield little, so black hats are turning to client-side attacks. Through this simpler and unprotected attack path, they install malware on end-user machines and use it to collect sensitive data. To counter client-side attacks, a new type of honeypot, the client honeypot, has been proposed. Client honeypots crawl the network, interact with servers, and classify servers according to the malicious nature of their services. This thesis follows the client honeypot direction and studies a low-interaction client honeypot based on malicious web page detection. By analysing the design ideas and implementation mechanisms of the low-interaction client honeypot, it summarises the detailed structure and operating flow of each module and implements the system. To better detect hidden malicious page code, the implementation is improved to address the techniques that malicious web pages currently use. To address the unsatisfactory detection speed of the low-interaction client honeypot, the thesis proposes using a thread pool to speed up detection. Experiments show that the thread pool significantly improves the system's detection speed.
The thesis also draws on the least frequently used page replacement algorithm from operating systems to propose a theoretical algorithm for a problem found in the experiments: improving detection accuracy by adding signature matching rules slows down the system's detection speed.

【Key words】 security; honeypot; client-side attack; malicious web; detection
  • 【Classification number】 TP393.08
  • 【Times cited】 5
  • 【Downloads】 316