CN102916934A - Network camouflage system on basis of topology and operating system - Google Patents


Info

Publication number
CN102916934A
Authority
CN
China
Prior art keywords
camouflage
network
passive
address
service
Prior art date
Legal status
Pending
Application number
CN2011102217033A
Other languages
Chinese (zh)
Inventor
邓正宏
郑玉山
夏杰
Current Assignee
XI'AN QINMA SOFTWARE TECHNOLOGY Co Ltd
Original Assignee
XI'AN QINMA SOFTWARE TECHNOLOGY Co Ltd
Priority date
Filing date
Publication date
Application filed by XI'AN QINMA SOFTWARE TECHNOLOGY Co Ltd
Priority to CN2011102217033A
Publication of CN102916934A
Legal status: Pending

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a network camouflage system based on topology and the operating system. It is applied in the field of information security and comprises OS (operating system) camouflage, service camouflage, topological structure camouflage, data packet camouflage and data stream camouflage. The system mainly studies the theory of camouflaging a conventional network and the technology for implementing it, so that network security is improved and prominent security problems in the network are solved: network camouflage can prevent DoS (denial of service) attacks; it can stop active and passive remote detection of the operating system type, the network topological structure and the like, and attacks on them; and it can detect and stop the propagation of spam, detect the characteristics of worm viruses, and the like.

Description

Network camouflage system based on topology and operating system
Technical field
The present invention belongs to the field of applied information technology, and in particular relates to a network camouflage technology.
Background technology
The main research of network camouflage concerns the theory of how a conventional network can be camouflaged and the technology for realising it, so as to improve network security and solve some outstanding security problems in the network. For example, network camouflage can avoid DoS attacks; it can stop active and passive remote detection of the operating system type, the network topology and the like, and the attacks that follow; and it can detect and stop the propagation of spam, detect the features of worm-type viruses, and so on.
Summary of the invention
The technical problem to be solved by the present invention is, in view of the deficiencies of the existing technology described above, to provide a network camouflage that is technically advanced, powerful, highly secure, highly adaptable and easy to deploy and manage. Through active camouflage, that is, disguising the packets that flow out, passive detection software such as POF cannot correctly identify the OS type of the host, or obtains a type different from the real OS type. Through passive camouflage, that is, distinguishing the attacker's active probing information and returning the corresponding camouflage information according to the purpose of the probe, the attacker likewise obtains a type different from the real OS type.
To solve the above problem, the technical scheme adopted by the present invention is: by setting up a number of camouflaged network services, the attacker's behaviour can be tracked, for example with a simulated Telnet, and the attack analysed to find new attack methods; by simulating some system vulnerabilities, worm-type viruses and the like can be detected; and by simulating SMTP, spam can be lured and detected and its propagation prevented.
The above network security camouflage technology plans the security of the whole network in a unified way and realises the network camouflage service. For the camouflaged network service, it can be seen from the Telnet login process that different login modes embody the differences between login processes. If similar service states and event-driven state transitions are classified, the camouflaged network service described on the basis of event-driven state transitions can be greatly simplified. The above network camouflage technology is characterised in that: drawing on coloured Petri nets, similar service states are abstracted into (class) service states, and the different elements (service states) within them are distinguished by assigning them different colours.
The above network camouflage technology is characterised in that: likewise, similar event-driven service state transitions are abstracted into (class) service state transitions, and the transitions within them are distinguished by assigning them different colours; this forms the network service simulation model based on coloured event-driven state transitions.
The above network security collaborative defence system is characterised in that: the service state set formed by the abstracted service states is a finite set. On this basis the attack transitions and the quantified control model of the camouflaged network service based on an adjacency matrix are defined and realised.
The above network security collaborative defence system is characterised in that: a virtual interface technology is used so that a simulated IP address and the real host IP address have the same behavioural characteristics, making a sniffer take the simulated IP address for a real host IP address.
The above network security collaborative defence system is characterised in that: the hosts in the same broadcast domain work cooperatively and compete for the IP addresses in the address pool; by varying and periodically detecting the race condition that controls this competition, a network-session-based dynamic IP camouflage model without a control centre is realised.
The above network security collaborative defence system is characterised in that: dynamic IP camouflage based on network sessions can effectively prevent network sniffing attacks based on IP address statistics.
The above network security collaborative defence system is characterised in that: through the competition mechanism for camouflage IP addresses, the same camouflage IP address may at different times be applied to the network sessions of different hosts, which increases the difficulty of precisely locating an attack target by IP address and of analysing network communication and its content.
The above network security collaborative defence system is characterised in that: the two-layer IDS refers to a kernel-based IDS and an application-based IDS; the IDS embedded in the kernel mainly inspects the network-layer and transport-layer headers, while the application-based IDS mainly inspects the content carried by datagrams; combined with network service simulation, this can effectively solve the detection and prevention of unknown attacks.
The above network security collaborative defence system is characterised in that: the two-layer IDS supplies the passive camouflage stimulus signal to the network camouflage core, that is, it indicates which kind of network session needs passive camouflage.
Compared with the prior art, the present invention has the following advantages:
(1) While network camouflage defends against active and passive detection attacks, it can also extend the functional scope of the IDS and the firewall.
(2) While the IDS detects active probes and attacks and sends stimulus signals to the passive network camouflage and the firewall so that they take corresponding defensive measures, the detection characteristic values of unknown attack modes can also be computed through network camouflage.
(3) The firewall responds in real time to the detection results of network camouflage and filters and prevents network attacks.
Description of drawings
Fig. 1 shows the overall research content of the present invention
1 - active camouflage
2 - passive camouflage
Embodiment
As shown in Figure 1, the present invention accepts the control request of the computer.
1 - Active camouflage: the packets that flow out are disguised according to the active camouflage request; it is judged whether the remaining IP addresses of this network segment are fewer than a certain value K.
If the remaining IP addresses of this network segment are fewer than the value K, the remaining IP addresses are selected, and then K IP addresses are selected at random.
2 - Passive camouflage: the attacker's active probing information is distinguished and the corresponding camouflage information is returned according to the purpose of the probe; it is judged whether the requested network segment has not been allocated to another host.
If the judgement finds that the requested network segment need not be allocated to another host, the network segment is allocated to the requesting host.
The data selected and allocated in 1 and 2, together with the K IP addresses selected at random in 1, are sent together to the computer control end; dynamic IP camouflage based on network sessions can effectively prevent network sniffing attacks based on IP address statistics.
In summary, in the practical working process, this figure is the exploded view of the main functions.
The above is only the preferred embodiment of the present invention and does not impose any restriction on it; any simple modification, change or equivalent structural change made to the above embodiment according to the technical essence of the present invention still falls within the protection scope of the technical scheme of the present invention.
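The Fig. 1 address procedure above (offer the remaining addresses when fewer than K remain, otherwise K chosen at random; bind one to a session; release it when the session ends), modelled as a pool shared by the hosts of one broadcast domain with no control centre. This is an added example, not the patent's own code; the hosts, addresses, session ids and audit record are constructed, and the race between competing hosts is simplified to an atomic claim.

```python
"""Session-based dynamic IP camouflage over a shared address pool (constructed example)."""
import random


class CamouflagePool:
    """Camouflage addresses shared by the hosts of one broadcast domain; no control centre."""

    def __init__(self, addresses, k, rng=None):
        self.free = set(addresses)   # addresses not bound to any live session
        self.k = k                   # the threshold K of Fig. 1
        self.rng = rng or random.Random()
        self.sessions = {}           # session id -> (host, camouflage IP)
        self.history = []            # (session id, host, IP): the defender's own record

    def candidates(self):
        """Step 1 of Fig. 1: offer the remaining addresses if fewer than K, else K at random."""
        remaining = sorted(self.free)
        if len(remaining) < self.k:
            return remaining
        return self.rng.sample(remaining, self.k)

    def open_session(self, host, session_id):
        """Bind a camouflage address to a new session; None when the pool is exhausted."""
        offered = self.candidates()
        if not offered:
            return None
        ip = self.rng.choice(offered)
        self.free.discard(ip)        # the claim is atomic, so two live sessions never share an IP
        self.sessions[session_id] = (host, ip)
        self.history.append((session_id, host, ip))
        return ip

    def close_session(self, session_id):
        """Claim 4: release the address back to the pool when the network session ends."""
        host, ip = self.sessions.pop(session_id)
        self.free.add(ip)
        return ip


def hosts_behind(pool, ip):
    """Hosts an address has stood for over time; a sniffer keeping per-IP statistics sees only the IP."""
    return sorted({host for _, host, addr in pool.history if addr == ip})
```

Because the same address is reused by different hosts across sessions, per-IP packet counts collected by a sniffer no longer identify a host, which is the property the description claims.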

Claims (4)

1. The detection of the operating system is divided into two modes, active and passive; therefore, when the operating system is camouflaged, this is also carried out in the two modes, active and passive. Active camouflage of the operating system is part of active network camouflage. The active camouflage function f takes the OS fingerprint to be imitated as a template and camouflages the network characteristic values of outgoing datagrams. During operating system camouflage the corresponding camouflage parameters need to be recorded and updated; these parameters are generally related to the concrete camouflage content (the fingerprint). Passive camouflage of the operating system is part of passive network camouflage. The detection function g inspects incoming datagrams, and the passive camouflage function f, taking the OS fingerprint to be imitated as a template, performs passive camouflage on active-probe datagrams. How passive camouflage is performed by function f, that is, how the response datagram is built from the camouflage template, needs to be determined according to the features of the detection mode
Figure FSA00000550196700011
First the probe datagram and its content are determined, then the corresponding response datagram is made according to the concrete probe datagram. One of the functions of the embedded intrusion detection system E-IDS in the collaborative detection and defence model is to detect probe-scanning datagrams.
2. For the camouflaged network service, it can be seen from the Telnet login process that different login modes embody the differences between login processes. If similar service states and event-driven state transitions are classified, the camouflaged network service described on the basis of event-driven state transitions can be greatly simplified. Drawing on coloured Petri nets, similar service states are abstracted into (class) service states, and the different elements (service states) within them are distinguished by assigning them different colours; likewise, similar event-driven service state transitions are abstracted into (class) service state transitions, and the transitions within them are distinguished by assigning them different colours, which forms the network service simulation model based on coloured event-driven state transitions. For a network service, the concrete elements contained in a given abstracted service state may change with the appearance of new vulnerabilities, but for the network service as a whole, because of the finiteness, determinism and executability of the programs that run, the service state set formed by the abstracted service states is a finite set. On this basis the attack transitions and the quantified control model of the camouflaged network service based on an adjacency matrix are defined and realised.
3. A virtual interface technology is used so that a simulated IP address and the real host IP address have the same behavioural characteristics, making a sniffer take the simulated IP address for a real host IP address. Network topology camouflage is divided into active camouflage and passive camouflage: active camouflage refers to disguising the packets that flow out, so that what the attacker learns by sniffing is not the real network topology; passive camouflage refers to responding to the attacker's active network topology probes so as to give the attacker a camouflaged network topology. Network topology camouflage is carried out on the basis of network-topology-based camouflage templates.
4. The hosts in the same broadcast domain work cooperatively and compete for the IP addresses in the address pool; by varying and periodically detecting the race condition that controls this competition, a network-session-based dynamic IP camouflage model without a control centre is realised; by improving the working process of DHCP, a dynamic IP camouflage model based on a DHCP control centre is established. When a network session ends, the IP address is released to the address pool. Therefore dynamic IP camouflage based on network sessions can effectively prevent network sniffing attacks based on IP address statistics.
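The functions f and g of claim 1 as an added example, not the patent's own code: g flags probe datagrams, f rewrites the network characteristic values of an outgoing datagram (active mode) or builds the response to a probe (passive mode) from a chosen fingerprint template, and a passive identifier of the kind the description calls POF is used to check the effect. The fingerprint table, field names and datagrams are constructed for illustration and are not signatures of any real tool.

```python
"""Operating-system camouflage functions f and g (constructed example)."""
from dataclasses import dataclass, replace

# Constructed OS fingerprint templates: initial TTL, TCP window, DF bit and
# TCP option order. Illustrative values only, not signatures of a real tool.
FINGERPRINTS = {
    "os-a": {"ttl": 64, "window": 29200, "df": True,
             "options": ("mss", "sack", "ts", "nop", "ws")},
    "os-b": {"ttl": 128, "window": 8192, "df": True,
             "options": ("mss", "nop", "ws", "sack")},
}
INITIAL_TTLS = (32, 64, 128, 255)
# Flag combinations no normal session produces; OS scanners send them as probes.
PROBE_FLAGS = (frozenset(), frozenset({"SYN", "FIN"}), frozenset({"FIN", "PSH", "URG"}))


@dataclass(frozen=True)
class Datagram:
    """The network characteristic values a passive fingerprinter looks at."""
    ttl: int
    window: int
    df: bool
    options: tuple
    flags: frozenset


def initial_ttl(observed):
    """Round an observed TTL up to the nearest common initial value (each hop decrements it)."""
    return next((t for t in INITIAL_TTLS if observed <= t), INITIAL_TTLS[-1])


def identify(pkt):
    """Passive fingerprinting, as a passive detection tool such as POF would do it."""
    seen = (initial_ttl(pkt.ttl), pkt.window, pkt.df, pkt.options)
    for name, fp in FINGERPRINTS.items():
        if seen == (fp["ttl"], fp["window"], fp["df"], fp["options"]):
            return name
    return "unknown"


def active_camouflage(pkt, template):
    """Function f, active mode: rewrite an outgoing datagram's values to the template's."""
    fp = FINGERPRINTS[template]
    return replace(pkt, ttl=fp["ttl"], window=fp["window"], df=fp["df"], options=fp["options"])


def is_probe(pkt):
    """Function g: detect a probe datagram by its illegal flag combination."""
    return pkt.flags in PROBE_FLAGS


def passive_camouflage(probe, template):
    """Function f, passive mode: answer a probe with a response built from the template,
    so the prober sees the template OS rather than the real one."""
    if not is_probe(probe):
        return None  # ordinary traffic is left to the real stack
    fp = FINGERPRINTS[template]
    return Datagram(ttl=fp["ttl"], window=fp["window"], df=fp["df"],
                    options=fp["options"], flags=frozenset({"RST", "ACK"}))
```

The camouflage parameters the claim says must be recorded and updated are the template entry itself; changing the template changes what every later outgoing datagram and probe response looks like.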

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN2011102217033A CN102916934A (en) 2011-08-03 2011-08-03 Network camouflage system on basis of topology and operating system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN2011102217033A CN102916934A (en) 2011-08-03 2011-08-03 Network camouflage system on basis of topology and operating system

Publications (1)

Publication Number Publication Date
CN102916934A true CN102916934A (en) 2013-02-06

Family

ID=47615168

Family Applications (1)

Application Number Title Priority Date Filing Date
CN2011102217033A Pending CN102916934A (en) 2011-08-03 2011-08-03 Network camouflage system on basis of topology and operating system

Country Status (1)

Country Link
CN (1) CN102916934A (en)

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104519068A (en) * 2014-12-26 2015-04-15 赵卫伟 Moving target protection method based on operating system fingerprint jumping
CN103701777B (en) * 2013-12-11 2016-08-31 长春理工大学 Based on virtualization and the telecommunication network attacking and defending dummy emulation system of cloud
CN106302525A (en) * 2016-09-27 2017-01-04 黄小勇 A kind of cyberspace security defend method and system based on camouflage
CN110058565A (en) * 2019-03-01 2019-07-26 中国电子科技网络信息安全有限公司 A kind of Industry Control PLC system fingerprint analogy method based on Linux OS
CN110113333A (en) * 2019-04-30 2019-08-09 中国人民解放军战略支援部队信息工程大学 A kind of TCP/IP protocol fingerprint dynamization processing method and device
CN110855715A (en) * 2019-11-29 2020-02-28 国家电网有限公司客户服务中心 DOS attack and defense simulation method based on stochastic Petri network

Non-Patent Citations (3)

* Cited by examiner, † Cited by third party
Title
WILLIAM WEINSTEIN et al.: "Camouflage of network traffic to resist attack", IEEE *
何聚厚: "Network topology camouflage model", Computer Engineering *
布日古德: "Research on a dynamic network camouflage security model", China Masters' Theses Full-text Database, Information Science and Technology, 2006 *

Cited By (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103701777B (en) * 2013-12-11 2016-08-31 长春理工大学 Based on virtualization and the telecommunication network attacking and defending dummy emulation system of cloud
CN104519068A (en) * 2014-12-26 2015-04-15 赵卫伟 Moving target protection method based on operating system fingerprint jumping
CN106302525A (en) * 2016-09-27 2017-01-04 黄小勇 A kind of cyberspace security defend method and system based on camouflage
CN106302525B (en) * 2016-09-27 2021-02-02 黄小勇 Network space security defense method and system based on camouflage
CN110058565A (en) * 2019-03-01 2019-07-26 中国电子科技网络信息安全有限公司 A kind of Industry Control PLC system fingerprint analogy method based on Linux OS
CN110113333A (en) * 2019-04-30 2019-08-09 中国人民解放军战略支援部队信息工程大学 A kind of TCP/IP protocol fingerprint dynamization processing method and device
CN110855715A (en) * 2019-11-29 2020-02-28 国家电网有限公司客户服务中心 DOS attack and defense simulation method based on stochastic Petri network


Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
DD01 Delivery of document by public notice

Addressee: Xi'an Qinma Software Technology Co., Ltd.

Document name: Notification of Publication and of Entering the Substantive Examination Stage of the Application for Invention

C53 Correction of patent of invention or patent application
CB02 Change of applicant information

Address after: 710077, block 13, building A, Jiayu building, No. 58, Kam Yip Road, Xi'an hi tech Zone, Shaanxi, China

Applicant after: Xi'an Qinma Software Technology Co., Ltd.

Address before: 710077 Shaanxi city of Xi'an province high tech Zone Jinye Road No. 69 C District No. 1 gazelle Valley E Room 501

Applicant before: Xi'an Qinma Software Technology Co., Ltd.

C02 Deemed withdrawal of patent application after publication (patent law 2001)
WD01 Invention patent application deemed withdrawn after publication

Application publication date: 20130206