
Research on Worm Propagation and Control Based on Distributed Honeynet

【Author】 张显峰

【Advisor】 那日萨

【Author information】 Dalian University of Technology, Management Science and Engineering, 2009, Master's thesis

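【Summary】 In recent years, with the rapid development of Internet technology, networks have come to provide more and more applications and services. While this brings convenience, it also poses enormous challenges for network security: the security threats that networks face grow by the day, and the proliferation of malicious code in particular has caused great damage to networks and applications. Among malicious code, worms pose the greatest security threat because they need no human intervention and propagate automatically. How to defend against worms effectively and contain their large-scale spread has become a pressing problem. In worm research, analysis of worm structure, scanning strategies and attack methods is the precondition for preventing worm propagation, while establishing worm propagation models and control strategies is the fundamental guarantee and core content of worm defense. Although some research has been done on how to detect and prevent worm propagation effectively, and protection systems such as firewalls, intrusion detection systems (IDS) and antivirus software have been developed, these systems mainly provide targeted protection based on known worms and fall short when it comes to detecting and defending against new worms. The emergence of honeypot and honeynet technology broke the traditional pattern of passive defense and made security defense active. At the same time, the discovery of the Internet's scale-free property plays an important role in studying worm propagation behavior in depth, in providing targeted protection based on the characteristics of the network topology, in establishing a network-oriented view of security, and in safeguarding network security.

A honeypot is a security resource whose value lies in being scanned, attacked and compromised. The distributed honeynet developed gradually from the honeypot; it incorporates tools for data capture, data analysis and data control, and is a deception network architecture made up of many honeypots and networks deployed in a distributed fashion. This thesis builds on current research on distributed honeynet technology. Addressing the particular propagation mechanism and working mode of network worms and the shortcomings of current worm propagation models and control strategies, it integrates distributed honeynet technology with worm detection and defense technology and introduces a worm capture and control system based on a distributed honeynet. The thesis covers the construction of a worm propagation model, the corresponding immunization and control strategies, and a distributed honeynet deployment model built from the perspective of complex-network invulnerability. The main research consists of the following three parts.

First, a worm propagation model based on a distributed honeynet is proposed. Given the shortcomings of existing worm propagation models in describing worm propagation in real networks, the model takes into account that honeypot hosts in a distributed honeynet are strongly deceptive to worms, are infected preferentially, and apply a "lenient in, strict out" control policy to inbound and outbound traffic; the scale-free property of the Internet; that timely patching makes hosts immune to a worm; and that immune hosts lose their immunity and become susceptible nodes again because of worm mutation or failure to patch in time. A worm propagation model for a network with a distributed honeynet deployed is constructed and studied through simulation experiments, and the influence of factors such as the honeypot deception level and the number of honeypots on worm propagation is analyzed.

Second, a worm immunization and control strategy based on a distributed honeynet is proposed. Based on current immunization theory, it takes into account that honeypots in a distributed honeynet act as "immunization agents" that can immunize neighboring hosts, that honeypots share worm information through the honeynet, that honeypot hosts in the distributed honeynet architecture apply the "lenient in, strict out" data control policy, and that controlling the honeypot hosts deployed at network boundaries and key positions partitions the network to some extent and contains large-scale worm propagation. From an analysis of the immunization threshold, a reasonable immunization threshold is given so as to contain worm propagation to the greatest extent.

Third, a distributed honeynet deployment model and implementation scheme are given. Because a distributed honeynet can suppress worm propagation and immunize against worms, its deployment is very important for safeguarding network security. This part considers how deploying a distributed honeynet changes the network structure at the microscopic level and studies its effect on network invulnerability. It constructs a distributed honeynet deployment model, derives a reasonable deployment and implementation scheme by analyzing the model, and validates the model through simulation experiments.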

【Abstract】 In recent years, with the rapid development of the Internet, more and more applications and services are provided over the network. At the same time, network security faces enormous challenges and is seriously threatened; in particular, the proliferation of malicious code is an essential part of these threat sources. Of all malicious code, worms are capable of self-propagation without human intervention, which makes them a more serious potential disaster. Therefore, how to defend networks against worms effectively and prevent them from spreading has become pressing work. In the study of worms, analysis of worm structure, scanning strategy, attack methods and so on is the precondition for preventing worms from spreading in the network, and establishing worm propagation models and control strategies is the essential guarantee and core content of defending against worms.

A large amount of research has been done on how to detect and prevent network worms effectively, and security systems such as firewalls, intrusion detection systems and anti-virus systems have been developed. However, these systems mainly defend the network against worms based on known worm samples, so they can do nothing when a new type of worm arises. The emergence of honeypots and honeynets tries to change the passive situation of traditional network security by making security defense active. Meanwhile, the discovery that the Internet shows obvious scale-free characteristics in its topology is of great significance for researching worm behavior in depth, protecting networks in a targeted way based on network topology, building a network-oriented concept of security, and ensuring network security.

A honeypot is a security resource whose value lies in being probed, attacked and compromised. The distributed honeynet developed gradually from the honeypot; it adds tools for data capture, data analysis and data control, and is a network structure made up of honeypot hosts and honeynets under a distributed system. This thesis researches worm propagation and control strategy based on a distributed honeynet deployed in the network to defend against worms, hackers and so on. In view of the special propagation mechanism and working mode of worms, and the limitations of present worm propagation models and control strategies in describing worm spread and control, we bring distributed honeynet and anti-worm technology together and present a worm capture and control system based on a distributed honeynet. The thesis tries to construct a worm propagation model under a distributed honeynet, puts forward a corresponding worm control strategy, and constructs a deployment model of the distributed honeynet based on the invulnerability of complex networks. It is composed of three parts.

First, we present a worm propagation model based on a distributed honeynet. In view of the limitations of present worm propagation models in describing worm spread in real networks, we consider that honeypot hosts are strongly enticing to worms, can be infected by worms first, and apply the data control policy "come in easily, out strictly" under a distributed honeynet, as well as the scale-free characteristics of the network topology. We also consider the immunization of hosts that install security updates in time, and the loss of immunity of immunized hosts through worm mutation or other causes, after which they become susceptible again. We construct a worm propagation model under a distributed honeynet, validate it through simulation experiments, and analyze the effect of network topology, the degree of enticement of honeypot hosts and the number of honeypot hosts on worm spread.

Second, we present a worm immunization and control strategy based on a distributed honeynet. Based on present immunity theory, we consider that honeypot hosts can act as "immunization agents" that dispense immunity information to their neighbor hosts, that honeypot hosts share worm information over the honeynet, and that deploying honeypots at the network boundary or at key locations can divide the network into many parts because of the data control policy "come in easily, out strictly" under a distributed honeynet, so that worms can be prevented from spreading in a large-scale network by controlling honeypot hosts. Finally, through analysis we give a reasonable scheme with a distributed honeynet to prevent worms from spreading in the network.

Third, we present the deployment model of the distributed honeynet and its implementation scheme. Since a distributed honeynet can be used to constrain worm propagation and for worm immunization, its deployment is of great significance in ensuring network security. This part analyzes how the distributed honeynet divides the network and how the resulting change in microscopic structure influences network invulnerability, constructs a deployment model of the distributed honeynet on that basis, and gives a detailed implementation scheme. Finally, we validate the correctness of the model through simulation experiments.
