CN103092680A - Computer network defense scheme simulation execution system - Google Patents


Info

Publication number: CN103092680A (granted as CN103092680B)
Authority: CN (China)
Application number: CN2013100325329A (priority to CN201310032532.9A)
Other languages: Chinese (zh)
Prior art keywords: task, scheme, emulation, tasks, packet
Inventors: 夏春和, 魏昭, 罗杨, 吴伟康, 余洋
Original and current assignee: Beihang University
Legal status: Granted; Expired - Fee Related
Events: application filed by Beihang University; priority to CN201310032532.9A; publication of CN103092680A; application granted; publication of CN103092680B

Landscapes

  • Computer And Data Communications (AREA)

Abstract

A computer network defense scheme simulation execution system comprises the steps of (1) designing and implementing a formalized computer network defense scheme description language (CNDSDL) with a context-free grammar, giving its extended Backus-Naur form (EBNF), and designing a language interpreter for CNDSDL; (2) proposing a scheme deployment method based on CNDSDL, which includes a deadlock detection and scheduling algorithm for the tasks of a defense scheme and so guarantees the correctness of the defense scheme; and (3) simulating the defense scheme on the GTNetS simulation platform, the simulation covering an intrusion detection system (IDS), a firewall, backup, recovery, and the linkage tasks among the IDS, a vulnerability database and the firewall.

Description

Computer network defense scheme simulation execution system
Technical field
The present invention designs and implements a computer network defense scheme simulation execution system. It belongs to the field of computer network security technology and concerns the description of computer network defense schemes, the deployment of such schemes, and their realization in simulation.
Background technology
Because of the diversity and openness of the Internet itself, the many software and hardware vulnerabilities present in computer systems and network equipment, and the growing size and complexity of network structures, the relations among the parts of a system have become complicated and varied, network attack techniques have diversified, and people face the many risks that network security problems bring; computer network defense therefore faces a greater challenge. To meet the need to secure large-scale computer networks and their applications, it is necessary to study how defense schemes can be deployed on a network automatically in order to cope with complex attacks.
Security is not an isolated problem: no single security product can by itself guarantee the security of a computer network and its information. The kinds of network security devices keep changing and their configuration methods differ, so traditional manual configuration of network security defense schemes is increasingly inadequate. In network defense schemes, linked defense by security devices has become a conventional means: by interconnecting the various security devices and exchanging and integrating security information, each system uses its own strengths to make up for the deficiencies of the others, and the network defense scheme is realized more effectively.
Building a physical network is limited by network scale, and accurately reproducing data on it is difficult: data are easily lost or processed incorrectly. Modeling and simulation are therefore widely used in the study of network attack and defense, and are an important way and means of studying network security problems.
Analysis of the research status above reveals the following problems.
(1) Research on the formal description of schemes has so far concentrated on the military field; formal description methods for schemes oriented to computer network defense are lacking. That is, there is no unified, loosely coupled language-level interface for description that can express the defensive tasks of security devices and the linked defensive tasks between devices;
(2) A deployment method by which defense schemes execute automatically is lacking: one that can automatically check a defense scheme for problems such as deadlock and can automatically deploy it to a simulation platform for execution;
(3) Simulation studies of network defense are mostly used for security assessment and training exercises; a simulation execution mechanism that realizes the automatic deployment of defense schemes still needs further research, in particular the simulation of linked defense schemes in which various defensive devices carry out linked defensive tasks.
Summary of the invention
The technical problem solved by the present invention: to overcome the deficiencies of the prior art by providing a computer network defense scheme simulation execution system that describes defense schemes more effectively and deploys them onto a simulation platform for execution, thereby greatly improving the efficiency of computer network defense.
The technical solution of the present invention: a computer network defense scheme simulation execution system, characterized in that it comprises a scheme interpretation module, a scheme deployment module, a scheme simulation module and an execution result display module, wherein:
Scheme interpretation module: a defense scheme consists of defensive tasks and the temporal and logical relations between tasks. A defensive task consists of a task subject, a set of operations, an execution time and an execution result; tasks comprise protection, detection, analysis, response and recovery tasks. An operation consists of an action, an action object and input parameters. First, a computer network defense scheme description language, CNDSDL, with simple grammar, clear structure, ease of use and extensibility is designed and implemented, and its EBNF is given. Then, for CNDSDL, a defense scheme interpreter is designed and implemented with Flex and Bison; it parses and recognizes CNDSDL statements and passes the parameters of each statement to interface functions. The interpreter performs lexical analysis, syntax analysis and semantic analysis in turn, and finally recognizes global variable definition statements, task description statements and task relation description statements. In detail, it parses the input computer network defense scheme description file and extracts the protection, detection, analysis, response and recovery tasks of the defense scheme together with the sequential-and, sequential-or, concurrent-and, concurrent-or and exclusive-or relations between tasks.
Scheme deployment module: performs deadlock detection and task scheduling on the defensive tasks interpreted from the defense scheme. A task graph is built from the relations between tasks and a graph-based task deadlock detection algorithm is applied: the transitive closure of the graph is computed, and if any directed edge has a reverse edge in the closure, the two tasks have a mutual sequential dependence, the scheme would deadlock, and its execution is refused; otherwise the tasks are deployed to the corresponding simulation nodes for execution.
Scheme simulation module: deploys the defensive tasks of the defense scheme onto the simulation platform, realizes the simulation, and displays the information of the nodes in the topology. The distributed discrete-event-driven simulator GTNetS is used to simulate the IDS detection task, the firewall access control task, the vulnerability scanning task, backup tasks, recovery tasks, system patching and restart tasks, and the linkage tasks among the IDS, the vulnerability scanner and the firewall.
Execution result display module: the firewall task simulation displays the access control list (ACL) deployed on the firewall, and the IDS task simulation displays the deployed detection rules; these simulated tasks finally display the information of each simulation node in the form of a command console.
The specific implementation of the scheme interpretation module: (1) A computer network defense scheme description language is designed and implemented and its EBNF is given; the language expresses the protection, detection, analysis, response and recovery tasks of a defense scheme and the sequential-and, sequential-or, concurrent-and, concurrent-or and exclusive-or relations between tasks. (2) A CNDSDL interpreter is designed. It parses the input computer network defense scheme description file and extracts the defensive tasks of the scheme and the relations between them, the subject, operation set, execution time, execution result and task constraints of every task, and the (action, action object, action input parameter) triple of every operation. First the CNDSDL statements are parsed and recognized, comprising lexical analysis and syntax analysis, done with the Flex and Bison tools respectively, so that the parameters of each statement are passed to interface functions. Then semantic analysis is performed: according to the EBNF description of CNDSDL, global variable definition statements, task description statements and task relation description statements are recognized, the corresponding API interface is called for each kind of statement, and the parameters are passed to the relevant modules of the simulation system, which completes the final scheme execution. By this flow the interpreter parses the CNDSDL source file;
The specific implementation of the scheme deployment module: the defensive tasks of all types obtained after interpretation are subjected to task deadlock detection with a graph-based task deadlock detection algorithm. (1) First a task graph is built from the sequential-or and sequential-and relations between tasks. (2) The transitive closure of the graph is computed; if any directed edge has a reverse edge in the closure, the two tasks have a mutual sequential dependence and the scheme would deadlock. (3) Otherwise, nodes with in-degree 0 are scheduled from the task graph: if all of a node's predecessor tasks related to it by sequential-or have failed, the task must be executed; if all of its predecessor tasks related to it by sequential-and have succeeded, the task can be executed;
The specific implementation of the scheme simulation module: the tasks that have passed deadlock detection are passed into the simulation platform for simulation. The distributed discrete-event-driven simulator GTNetS is adopted because it conveniently simulates medium-sized and large networks; the vulnerability information, the IDS detection rules and the firewall access control rules produced during simulation are stored in a database. The task simulation comprises the following three parts: (1) GTNetS is used to simulate a network-based intrusion detection system (NIDS), with attention to its signature detection. The NIDS is placed in an important network segment, continuously monitors the packets in that segment, and performs signature analysis on each packet or on suspicious data. If a packet matches a rule, the intrusion detection system raises an alert or responds, for example by sending a vulnerability confirmation request to the vulnerability database or by issuing a packet-blocking task to the firewall. (2) GTNetS is used to simulate firewall access control. The firewall in the security simulation is mainly used for packet filtering, which is divided into static packet filtering and stateful packet filtering. For static packet filtering, when the firewall receives a packet on an interface it first determines whether an ACL has been applied to that interface; if not, the packet is routed normally, and if so, the ACL is processed. For output ACLs the process is similar. A stateful firewall filters mainly by recording connection state information: for the IP, TCP, UDP and ICMP protocols, one feasible approach is to hash the connection-related information when a connection is established and let the firewall decide by hash matching whether a flow is return traffic, thereby achieving filtering. (3) GTNetS is used to simulate the other defensive tasks. The simulation of the backup task among the protection tasks and of the vulnerability confirmation task among the detection tasks is realized. A backup is a mapping from a target to its copy; by backing up the data and files in the system, a recovery task can restore the data in time when attacks and threats are faced, so guaranteeing the security of the network. The vulnerability confirmation task mainly serves to lower the false positive rate of the IDS: for the attack signature detected by the IDS, a vulnerability scan is performed and the vulnerability knowledge base is searched, confirming whether the vulnerability targeted by this attack actually exists in the network. Through the description in the scheme description language, a linked simulation that takes the IDS, the firewall and the vulnerability scanning system together into account is finally realized.
The specific implementation of the execution result display module: the simulation execution results of the defensive simulation tasks are displayed in the form of a command console. According to the simulation phenomena obtained by the scheme simulation module, clicking a topology node in the simulation displays that node's simulation execution result. For example, clicking the firewall displays the access control list after the firewall access control task has been deployed, and clicking the IDS displays the detection rules deployed after the IDS detection task.
Compared with existing technical methods, the present invention has the following beneficial effects:
(1) The present invention proposes a computer network defense scheme description language. For computer network defense tasks, a computer network defense scheme description language, CNDSDL, is adopted; the language describes the protection, detection, analysis, response and recovery tasks of computer network defense in a unified way, together with the five temporal and logical relations between these tasks: sequential-and, sequential-or, concurrent-and, concurrent-or and exclusive-or. In this way the defensive tasks of various security devices, and the composite defensive tasks in which various security devices link with one another, can be described, which greatly improves the efficiency of computer network defense.
(2) The present invention gives a method for interpreting and deploying defense schemes. An interpreter for the CNDSDL language is designed and implemented, which parses computer network defense schemes according to the language's EBNF. A deadlock detection algorithm and a task scheduling algorithm for defense schemes are designed, so that a defense scheme can be verified and conflicting tasks in the described scheme are prevented, guaranteeing the correctness of the defense scheme. Finally, the correct scheme is deployed onto the simulation platform.
(3) The present invention gives the simulation of defense schemes: simulation of the IDS task on the distributed GTNetS simulation platform, of the firewall access control task, of the backup and recovery tasks, of vulnerability scanning, and of the linkage among the IDS, the vulnerability database, the firewall and the various defensive tasks.
Description of drawings
Fig. 1 is the functional structure diagram of the CND defense scheme simulation execution system of the present invention;
Fig. 2 is the syntax tree of a CND scheme of the present invention;
Fig. 3 is the flowchart of the CND task deadlock detection and scheduling algorithm of the present invention;
Fig. 4 is the packet processing flowchart of the Snort intrusion detection system used by the present invention;
Fig. 5 is the logic flowchart of an input access control list (ACL) of the present invention;
Fig. 6 is the logic flowchart of an output access control list (ACL) of the present invention.
Embodiment
As shown in Fig. 1, the computer network defense scheme simulation execution system of the present invention takes a defense scheme as input and outputs a defense scheme execution report; it comprises a scheme interpretation module, a scheme deployment module, a scheme simulation module and an execution result display module.
The whole implementation process is as follows:
(1) Scheme interpretation module
A computer network defense scheme description language, CNDSDL, and its interpreter are designed. The interpreter performs lexical analysis, syntax analysis and semantic analysis on a defense scheme described in CNDSDL and interprets it into the various defensive tasks that conform to the defense scheme syntax.
Definition 1 (Scheme): a scheme is a 2-tuple formed by a set of tasks and the set of relations between tasks, written:
$$\mathit{Scheme} ::= (\zeta, R);\quad \zeta ::= \{\mathit{Task}_i \mid 1 \le i \le n\};\quad R \subseteq \zeta \times \zeta$$
where $\zeta$ is the set of tasks and $R$ is the set of relations between tasks.
Definition 2 (Task): a task is a 5-tuple formed by a subject, a set of operations, an execution time, an execution result and task constraints, formally:
$$\mathit{Task} ::= (sub, \mathit{Operation}, time, effect, \mathit{Constrain});\quad sub \in \mathit{Subject};\quad \mathit{Operation} ::= \{ope_i \mid 1 \le i \le n\};\quad time \in \mathit{TIME};\quad effect \in \mathit{Effect};\quad \mathit{Constrain} \subseteq \mathit{Condition}$$
where Subject is the set of all subjects in the network able to execute tasks, Operation is the set of operations the task comprises, TIME is the time at which the task executes, Effect is the result of execution, either success or failure, and Condition is the set of constraints the executing subject itself must satisfy when the task executes.
Definition 3 (Subject): a subject is any software or hardware resource taking part in computer network security defense; the set of subjects is the union of the protection, detection, response and recovery subjects:
$$\mathit{Subject} ::= \mathit{Subject}_{protect} \cup \mathit{Subject}_{detect} \cup \mathit{Subject}_{respond} \cup \mathit{Subject}_{recover}$$
Definition 4 (Operation): an operation is a triple formed by an action, an action object and action input parameters, written:
$$ope ::= (action, object, inPara);\quad action \in \mathit{Action};\quad object \in \mathit{Object};\quad inPara \subseteq \mathit{InPara}$$
where Action is the set of actions, Object is the set of action objects and InPara is the set of input parameters, each input parameter being a key-value pair:
$$\mathit{InPara} ::= \{(key, value) \mid key \in string,\ value \in string\}$$
Definition 5 (Relations between tasks): a relation between tasks expresses their temporal and logical relationship and is one of the sequential-and, sequential-or, concurrent-and, concurrent-or and exclusive-or relations, written:
$$R_{task} ::= \{r_{seq\_and},\ r_{seq\_or},\ r_{concu\_and},\ r_{concu\_or},\ r_{xor}\}$$
Each relation is introduced below:
$r_{seq\_and}$: if $seq\_and(task_1, task_2)$, then $task_1$ is executed first; if $task_1$ succeeds, $task_2$ is then executed, and the scheme succeeds only when both $task_1$ and $task_2$ succeed.
$r_{seq\_or}$: if $seq\_or(task_1, task_2)$, then $task_1$ is executed first; if $task_1$ succeeds, $task_2$ may be executed, and if $task_1$ fails, $task_2$ must be executed, the success of the scheme then depending on whether $task_2$ succeeds.
$r_{concu\_and}$: if $concu\_and(task_1, task_2)$, then $task_1$ and $task_2$ must execute simultaneously, and the scheme succeeds only when both succeed.
$r_{concu\_or}$: if $concu\_or(task_1, task_2)$, then $task_1$ and $task_2$ must execute simultaneously, and the scheme succeeds if either one succeeds.
$r_{xor}$: if $xor(task_1, task_2)$, then exactly one of $task_1$ and $task_2$ is executed, and whether that task succeeds directly determines the success or failure of the scheme.
The EBNF of a defense scheme is defined as follows.
A defensive task consists of the executing subject, the operations the task comprises, the task execution time, and the constraints on task execution.
<tasks>::=<task>|<tasks>;<task>
<task>::=task<num>'{'subject:<subject>actions:'('<actions>')'[time:<time>][constrains:'{'<constrains>'}']'}'
Subjects are of four kinds: protection subjects, detection subjects, response subjects and recovery subjects.
<subject>::=<protection_subject>|<detection_subject>|<response_subject>|<recovery_subject>
Common protection subjects are backup servers, firewalls, gateways, encryption devices, hosts and servers.
<protection_subject>::=back_up_server<num>|firewall<num>|gateway<num>|cryptor<num>|host<num>|server<num>
Detection subjects include intrusion detection systems, anti-virus systems, vulnerability databases and audit systems.
<detection_subject>::=IDS<num>|anti_virus_system<num>|vul_base<num>|audit_system<num>
Response subjects include hosts and servers.
<response_subject>::=server<num>|host<num>
Recovery subjects include backup servers, hosts and servers.
<recovery_subject>::=back_up_server<num>|host<num>|server<num>
Each kind of subject can be extended by adding keywords.
Operations correspond to subjects and are protection operations, detection operations, response operations and recovery operations.
<actions>::=<action>|<actions>,<action>
<action>::=<protect_action>|<detect_action>|<respond_action>|<recover_action>
An operation consists of an action, an action object and input parameters.
<protect_action>::=<protect_act><protect_obj>[inPara:'{'<protection_inParas>'}']
Protection actions include back up, permit, deny, encrypt and authenticate, and can be extended by adding keywords.
<protect_act>::=back_up|permit|deny|crypt|authenticate
Protection objects include files, packets and IP addresses.
<protect_obj>::=<file>|<packet>|ip
Packets comprise IP packets, TCP packets, UDP packets and ICMP packets.
<packet>::=<ip_packet>|<tcp_packet>|<udp_packet>|<icmp_packet>
An IP packet comprises a source IP address and a destination IP address.
<ip_packet>::=IP<src_ip><dst_ip>
TCP, UDP and ICMP packets comprise IP addresses and port numbers.
<tcp_packet>::=TCP<src_ip><ports><dst_ip><ports>
<udp_packet>::=UDP<src_ip><ports><dst_ip><ports>
<icmp_packet>::=ICMP<src_ip><ports><dst_ip><ports>
An IP address comprises an address and a mask.
<src_ip>::=(ip/mask)|any
<dst_ip>::=(ip/mask)|any
A port may be a specific port, a range of ports, a port with a comparison operator, or any.
<ports>::=<port>|<port>:<port>|<port_operator><port>|any
The parameters of a protection action are mainly backup priority, backup type, whether to encrypt, secure transmission, and interface index.
<protection_inPara>::=priority:<num>|type:(full|addition|offset)|crypt:(Y|N)|secure_trans:(Y|N)|interface:<num>
Detection operations include detecting packets, checking for viruses, scanning for vulnerabilities and auditing logs.
<detection_action>::=<detect_act><detect_obj>[in_Para:'{'<detection_inParas>'}']
<detect_act>::=detect|check_virus|scan|audit
<detect_obj>::=<IDS_rule>|<virus>|<vul>|<log>
<virus>::=<string>
<vul>::=cve-<cve_year>-<cve_number>
<log>::=<file>
<detection_inPara>::=(host:<num>)|(ip:<ip>)|(service:<service_name>)
<service_name>::=Web|Telnet|Rlogin|Ftp|SMTP
An IDS rule comprises two parts, a rule header and a rule body.
<ids_rule>::=<idsRule_head><idsRule_body>
<idsRule_head>::=<idsRule_action><packet>
<idsRule_action>::=alert|pass|log
The rule body comprises the detection options.
<idsRule_body>::='('<options>')'
<options>::=<option>|<options>;<option>
content is generally a bit string or character string used for signature pattern matching; reference names the vulnerability the attack exploits; fw gives the number or IP address of the firewall to link with when this rule triggers; vbase gives the number or IP address of the vulnerability database to link with when the rule triggers.
<option>::=(message:<string>)|(content:<bin-str>|<string>)|(reference:<vul>)|(fw:<num>|<ip>)|(vbase:<num>|<ip>)|resp:(rst_all|rst_rcv|rst_send|icmp_all|icmp_host|icmp_net|icmp_port)
The CNDSDL interpreter is designed on the basis of the EBNF above. It parses and recognizes CNDSDL statements and passes the parameters of each statement to interface functions. In the CNDSDL interpreter the code of the lexical analysis and syntax analysis modules is generated by the Flex and Bison tools respectively; in semantic analysis, the global variable definition statements, task description statements and task relation description statements are recognized according to the EBNF description of CNDSDL, and a defense scheme syntax tree is generated, as shown in Fig. 2.
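The following Python parser is an added illustration of the grammar above and is not the patent's Flex/Bison interpreter. It implements a reduced subset of the EBNF: the <tasks>/<task> structure, protection actions with packet objects, addresses, ports and inPara key-value pairs. Points the page leaves open are filled in as labelled assumptions: inPara entries are separated by commas, the task body is closed by '}', the time and constrains clauses and the port-operator form are left out, and a <file> object is a bare identifier. The sample scheme is constructed for the example.

```python
"""Reduced CNDSDL task-statement parser (added example; not the patent's Flex/Bison interpreter)."""
import re
from collections import namedtuple

_TOKEN = re.compile(r"\s*(?:(?P<ipm>\d+\.\d+\.\d+\.\d+/\d+)|(?P<num>\d+)"   # token kinds, in priority order:
                    r"|(?P<id>[A-Za-z_][A-Za-z_0-9]*)|(?P<p>[{}():,;]))")    # ip/mask, number, identifier, punctuation
PROTECT_ACTS = {"back_up", "permit", "deny", "crypt", "authenticate"}   # <protect_act>
PacketSpec = namedtuple("PacketSpec", "proto src sport dst dport")       # sport/dport are None for IP
Action = namedtuple("Action", "act obj in_para")                         # obj: PacketSpec, "ip" or a file name
Task = namedtuple("Task", "num subject actions")

def tokenize(text):
    text, pos, out = text.strip(), 0, []
    while pos < len(text):
        m = _TOKEN.match(text, pos)
        if not m:
            raise SyntaxError(f"unexpected character at {pos}: {text[pos:pos + 8]!r}")
        out.append((m.lastgroup, m.group(m.lastgroup)))
        pos = m.end()
    return out

class Parser:
    def __init__(self, tokens):
        self.toks, self.i = tokens, 0

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else (None, None)

    def take(self, kind=None, value=None):   # consume one token, checking its kind and/or value
        k, v = self.peek()
        if k is None or (kind and k != kind) or (value and v != value):
            raise SyntaxError(f"expected {value or kind}, got {v!r} at token {self.i}")
        self.i += 1
        return v

    def parse_tasks(self):                   # <tasks>::=<task>|<tasks>;<task>
        tasks = [self.parse_task()]
        while self.peek() == ("p", ";"):
            self.take(); tasks.append(self.parse_task())
        return tasks

    def parse_task(self):                    # task<num>'{'subject:<subject>actions:'('<actions>')''}'
        m = re.fullmatch(r"task(\d+)", self.take("id"))
        if not m:
            raise SyntaxError("a task statement must start with task<num>")
        self.take("p", "{"); self.take("id", "subject"); self.take("p", ":")
        subject = self.take("id")            # e.g. firewall1, back_up_server2 (<protection_subject><num>)
        self.take("id", "actions"); self.take("p", ":"); self.take("p", "(")
        actions = [self.parse_action()]
        while self.peek() == ("p", ","):
            self.take(); actions.append(self.parse_action())
        self.take("p", ")"); self.take("p", "}")
        return Task(int(m.group(1)), subject, actions)

    def parse_action(self):                  # <protect_act><protect_obj>[inPara:'{'k:v,...'}'] (comma-separated: assumption)
        act = self.take("id")
        if act not in PROTECT_ACTS:
            raise SyntaxError(f"unknown protection action {act!r}")
        obj, para = self.parse_object(), {}
        if self.peek() == ("id", "inPara"):
            self.take(); self.take("p", ":"); self.take("p", "{")
            while self.peek() != ("p", "}"):
                key = self.take("id"); self.take("p", ":"); para[key] = self.take()
                if self.peek() == ("p", ","):
                    self.take()
            self.take("p", "}")
        return Action(act, obj, para)

    def parse_object(self):                  # <protect_obj>::=<file>|<packet>|ip
        k, v = self.peek()
        if k == "id" and v in ("IP", "TCP", "UDP", "ICMP"):
            self.take()
            src = self.parse_addr()
            sport = None if v == "IP" else self.parse_ports()
            dst = self.parse_addr()
            return PacketSpec(v, src, sport, dst, None if v == "IP" else self.parse_ports())
        return self.take("id")               # "ip", or a <file> taken as a bare identifier (assumption)

    def parse_addr(self):                    # <src_ip>/<dst_ip>::=(ip/mask)|any
        if self.peek() == ("id", "any"):
            return self.take()
        self.take("p", "("); ipm = self.take("ipm"); self.take("p", ")")
        return ipm

    def parse_ports(self):                   # <ports>::=<port>|<port>:<port>|any (operator form omitted)
        if self.peek() == ("id", "any"):
            return self.take()
        lo = self.take("num")
        if self.peek() == ("p", ":"):
            self.take()
            return lo + ":" + self.take("num")
        return lo

def parse_scheme(text):
    return Parser(tokenize(text)).parse_tasks()

# Constructed sample scheme in the reduced syntax handled above.
SAMPLE = """
task1 { subject: back_up_server1 actions: (back_up etc_passwd inPara:{priority:1, type:full, crypt:Y}) };
task2 { subject: firewall1 actions: (deny TCP any any (10.0.0.5/32) 80, permit IP any any) }
"""
```

parse_scheme(SAMPLE) yields two Task tuples; a statement whose action is not a protection action (for instance a detection action such as scan) is rejected with a SyntaxError, which is where a full interpreter would branch into the <detect_action> rules instead.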
(2) Scheme deployment module
A scheme can be executed if and only if its tasks do not form a deadlock, that is, no two tasks have a mutual sequential dependence. Detecting task deadlock and selecting the correct task to run is therefore the key to scheme execution, and from the task concepts and inter-task relations above a task deadlock detection and scheduling algorithm can be derived.
In this algorithm, a task graph is first built from the seq_or and seq_and relations between tasks, and the transitive closure of the graph is computed; if any directed edge has a reverse edge in the closure, the two tasks have a mutual sequential dependence and the scheme would deadlock. Otherwise, nodes with in-degree 0 are scheduled from the task graph: if all of a node's predecessor tasks related to it by seq_or have failed, the task must be executed; if all of its predecessor tasks related to it by seq_and have succeeded, the task can be executed. The flowchart of this algorithm is shown in Fig. 3.
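The deadlock check and scheduling described above, written out in Python as an added example (not the patent's own code, and not the Fig. 3 flowchart itself). Edges run from predecessor to successor for the seq_and and seq_or relations; the transitive closure is computed with Warshall's algorithm, and any edge whose reverse lies in the closure is reported as a deadlock. Two points the text leaves unspecified are decided here and marked as assumptions in the code: a seq_or successor whose predecessors succeeded is treated as optional and skipped, and the scheme counts as successful when every failed task was covered by a seq_or fallback that ran and succeeded. Task names and outcomes are constructed.

```python
"""Task-graph deadlock detection and seq_and/seq_or scheduling (added example; not the patent's code)."""
from collections import defaultdict


def build_graph(relations):
    """relations: (kind, pred, succ) triples with kind 'seq_and' or 'seq_or'.
    Returns (nodes, preds) where preds[succ][pred] = kind, i.e. a directed edge pred -> succ."""
    nodes, preds = set(), defaultdict(dict)
    for kind, a, b in relations:
        if kind not in ("seq_and", "seq_or"):
            raise ValueError(f"only sequential relations enter the task graph: {kind}")
        nodes.update((a, b))
        preds[b][a] = kind
    return nodes, preds


def has_deadlock(nodes, preds):
    """Warshall transitive closure; a deadlock exists when some edge a -> b has the reverse path
    b -> a in the closure, i.e. the two tasks wait on each other's completion."""
    reach = {u: {v: False for v in nodes} for u in nodes}
    for b, ps in preds.items():
        for a in ps:
            reach[a][b] = True
    for k in nodes:
        for i in nodes:
            if reach[i][k]:
                for j in nodes:
                    if reach[k][j]:
                        reach[i][j] = True
    return any(reach[b][a] for b, ps in preds.items() for a in ps)


def schedule(nodes, preds, run):
    """Dispatch tasks whose predecessors are all settled (in-degree 0 in the unfinished graph).
    run(task) -> True on success. Returns (results, order, scheme_ok) with
    results[task] in {'success', 'failure', 'skipped'} and order the dispatch sequence."""
    if has_deadlock(nodes, preds):
        raise RuntimeError("scheme rejected: two tasks have a mutual sequential dependence")
    results, order, remaining = {}, [], set(nodes)
    while remaining:
        ready = sorted(t for t in remaining if all(p in results for p in preds[t]))
        for t in ready:
            and_preds = [p for p, k in preds[t].items() if k == "seq_and"]
            or_preds = [p for p, k in preds[t].items() if k == "seq_or"]
            and_ok = all(results[p] == "success" for p in and_preds)
            # A seq_or successor is a fallback: it must run when all its seq_or predecessors failed
            # and (assumption) is skipped as optional when one of them succeeded.
            must_run = bool(or_preds) and all(results[p] == "failure" for p in or_preds)
            if and_ok and (not or_preds or must_run):
                results[t] = "success" if run(t) else "failure"
                order.append(t)
            else:
                results[t] = "skipped"
            remaining.discard(t)
    # Assumption: the scheme succeeds when every failure was covered by a seq_or fallback that succeeded.
    or_succs = defaultdict(list)
    for b, ps in preds.items():
        for a, k in ps.items():
            if k == "seq_or":
                or_succs[a].append(b)
    scheme_ok = all(any(results[s] == "success" for s in or_succs[t])
                    for t, r in results.items() if r == "failure")
    return results, order, scheme_ok


# Constructed scheme: deploy a firewall rule, then back up; run the recovery task only if the backup fails.
RELATIONS = [
    ("seq_and", "t1_fw_deny", "t2_backup"),
    ("seq_or", "t2_backup", "t3_recover"),
]
DEMO_OUTCOME = {"t1_fw_deny": True, "t2_backup": False, "t3_recover": True}   # constructed execution results


def demo_run(task):
    return DEMO_OUTCOME[task]


def run_demo():
    nodes, preds = build_graph(RELATIONS)
    return schedule(nodes, preds, demo_run)
```

The closure is O(n^3) in the number of tasks, which is fine for a defense scheme of tens of tasks; a scheme with the cycle seq_and(a,b), seq_and(b,c), seq_or(c,a) is refused before anything is dispatched.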
(3) Scheme simulation module
The discrete-event-driven simulator GTNetS, which supports distributed simulation, is used to simulate the IDS detection task, the firewall access control task, the backup and recovery tasks, and the linkage task among the IDS, the vulnerability scanner and the firewall.
IDS detection task
Signature-based network intrusion detection (NIDS) is simulated. The typical representative of NIDS is Snort, a lightweight intrusion detection system able to capture network packets, analyze network data in real time, raise alerts and write logs. Snort's packet capture is based on the libpcap library. Snort consists of basic modules such as the packet sniffer, the preprocessors, the detection engine and alert output. Snort's packet processing flow is shown in Fig. 4.
First the rule parser reads the rule file, reads each rule in turn and parses it, representing it in the corresponding rule syntax, organizes the rules in memory and builds the rule syntax tree.
All rules in Snort are arranged in a main chain according to the rule header, and then inserted into this chain according to their rule options, forming a rule tree: RTN (RuleTreeNode) nodes make up the first layer of the rule tree, and each option node OTN (OptTreeNode) then corresponds to one rule.
The detection engine uses pattern matching to inspect network packets, matching the information in the rule tree against the packet to determine whether intrusion behavior is present.
GTNetS is used to simulate the detection flow and the detection results. The IDS simulation comprises packet sniffing and decoding, the setting of intrusion detection rules and the setting of the detection engine.
In the simulation platform, the PeekPDU function of GTNetS is used to obtain the decoded packet.
Following the implementation of Snort, a detection rule is divided into two logical parts: the rule header and the rule options. The rule header comprises the rule's action, protocol, source and destination IP addresses and network masks, and source and destination port information; the rule options comprise the alert message content and the specific parts of the packet to inspect.
For the detection engine, the rule tree realized by Snort is modified as follows. The first layer is the ListHead, a node that contains the set of detection rules corresponding to one class of attack; different linked lists are further organized by protocol. The second layer is the RTN; the third layer is the signature option node; the fourth layer is OTNIdx (OTNIndex) and OTN, which correspond one to one, OTNIdx being kept so that the order of the OTNs can be adjusted dynamically according to retrieval results. During rule matching the rule tree is traversed recursively.
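An added Python example (not the patent's GTNetS code, nor Snort's) of the rule matching just described: rules are chained by protocol, each rule carries a header and an option set, the first rule whose header and content option match a decoded packet decides, and an alert carrying an fw or vbase option emits the linkage events that drive the firewall blocking task and the vulnerability confirmation task described later. The rules, addresses and packets are constructed for the example; the OTNIdx reordering of the fourth layer is not modelled.

```python
"""Signature NIDS rule matching with IDS -> firewall / vulnerability-database linkage (added example)."""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Packet:                  # a decoded packet, as PeekPDU hands it back in the simulation
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes


@dataclass
class Rule:                    # rule header (action, protocol, addresses, ports) plus rule options
    action: str                # alert | pass | log
    proto: str
    src: str
    sport: str
    dst: str
    dport: str
    options: dict = field(default_factory=dict)


def addr_match(spec, ip):      # (ip/mask) | any
    return spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def port_match(spec, port):    # <port> | <port>:<port> | <port_operator><port> | any
    if spec == "any":
        return True
    if spec[0] in "<>":
        return port < int(spec[1:]) if spec[0] == "<" else port > int(spec[1:])
    if ":" in spec:
        lo, hi = (int(x) for x in spec.split(":"))
        return lo <= port <= hi
    return port == int(spec)


def build_rule_tree(rules):
    """First layer keyed by protocol (the per-protocol chain); each chain keeps its rule nodes in order."""
    tree = {}
    for r in rules:
        tree.setdefault(r.proto, []).append(r)
    return tree


def detect(tree, pkt):
    """Walk the chain for the packet's protocol, then the protocol-independent IP chain.
    The first rule whose header and content option both match decides; returns the events it produces."""
    for rule in tree.get(pkt.proto, []) + tree.get("IP", []):
        if not (addr_match(rule.src, pkt.src) and port_match(rule.sport, pkt.sport)
                and addr_match(rule.dst, pkt.dst) and port_match(rule.dport, pkt.dport)):
            continue
        content = rule.options.get("content")
        if content is not None and content not in pkt.payload:
            continue
        events = [(rule.action, rule.options.get("message", ""))]
        if rule.action == "alert":
            if "fw" in rule.options:      # linkage: ask firewall <fw> to block this flow
                events.append(("firewall_block", rule.options["fw"],
                               (pkt.proto, pkt.src, pkt.dst, pkt.dport)))
            if "vbase" in rule.options:   # linkage: ask vulnerability database <vbase> to confirm the target
                events.append(("vuln_confirm", rule.options["vbase"], pkt.dst))
        return events
    return []                             # no rule matched


# Constructed rules and traffic (RFC 5737 documentation addresses outside, 10.0.0.0/8 inside).
RULES = [
    Rule("alert", "TCP", "any", "any", "10.0.0.5/32", "80",
         {"message": "cgi-bin probe", "content": b"/cgi-bin/", "fw": "1", "vbase": "1"}),
    Rule("log", "TCP", "any", ">1023", "10.0.0.0/8", "any", {"message": "tcp into dmz"}),
    Rule("pass", "UDP", "any", "any", "any", "53"),
]
TREE = build_rule_tree(RULES)
PACKETS = [
    Packet("TCP", "203.0.113.7", 51000, "10.0.0.5", 80, b"GET /cgi-bin/test.cgi HTTP/1.0"),
    Packet("TCP", "203.0.113.7", 51001, "10.0.0.5", 80, b"GET /index.html HTTP/1.0"),
    Packet("UDP", "198.51.100.9", 5353, "10.0.0.5", 53, b"\x00\x01"),
]


def run_demo():
    return [detect(TREE, p) for p in PACKETS]
```

The firewall_block event carries the flow tuple that the firewall's access control task turns into a deny entry, and vuln_confirm carries the target host that the vulnerability confirmation task scans before the alert is trusted, which is the linkage path the text describes between the IDS, the firewall and the vulnerability database.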
Firewall access control task
The packet filtering process of the firewall is simulated with GTNetS, comprising static packet filtering and stateful packet filtering.
For static packet filtering, the firewall applies the logic flow of Fig. 5 to input packets:
When a packet is received on an interface, it is first determined whether an ACL has been applied to that interface. If not, the packet is routed normally; if so, the ACL is processed. Starting from the first statement, the conditions are compared with the packet contents. If there is no match, the next statement in the list is processed. If there is a match, the operation is executed: permit or deny. If the default action is deny and the whole ACL has been searched without a match, the packet is discarded; if the default action is permit and the whole ACL has been searched without a match, the packet is forwarded.
For output ACLs the process is similar, as shown in Fig. 6. When a packet is received it is first routed to the output interface, and then it is checked whether an output ACL exists; if not, the packet is placed in the interface queue and sent out of the interface; otherwise the packet is processed by comparison with the ACL entries as described above.
Because access control lists cannot track connection state, a static firewall finds it hard to let traffic from the intranet out to the external network and then safely let the return traffic back in, unless a static rule is configured for it; such a static rule admits at the same time packets that are not return traffic, which creates a security hole. That is, a standard or extended ACL always filters with statically configured entries, and a stateful firewall is needed here. A stateful firewall filters mainly by recording connection state information: for the IP, TCP, UDP and ICMP protocols, one feasible approach is to hash the connection-related information when a connection is established and let the firewall decide by hash matching whether a flow is return traffic, thereby achieving filtering.
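The two filtering modes just described, as an added Python example rather than the patent's simulation code: acl_lookup implements the first-match-then-default logic of Fig. 5 and Fig. 6, and StatefulFilter records a hash of each permitted outbound connection and admits an inbound packet without consulting the ACL only when its reversed tuple hashes to a recorded connection. The constructed policy and packets show the hole the text warns about: the static rule that lets replies back in also lets in an unsolicited packet with a forged source port, while the stateful table admits only the genuine reply. The choice of SHA-256 for the connection hash and the exact-port-only ACL matching are assumptions of this example.

```python
"""Static ACL filtering versus stateful return-traffic tracking (added example; not the patent's code)."""
import hashlib
import ipaddress
from dataclasses import dataclass


@dataclass
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class AclEntry:                       # one ACL statement: action plus match conditions
    action: str                       # permit | deny
    proto: str                        # "IP" matches any protocol
    src: str
    sport: str
    dst: str
    dport: str


def addr_match(spec, ip):             # (ip/mask) | any
    return spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def port_match(spec, port):           # exact port or any (ranges and operators left out here: assumption)
    return spec == "any" or int(spec) == port


def acl_lookup(entries, default, pkt):
    """Static packet filter: statements are compared in order and the first match decides;
    when the whole list has been searched without a match the default action applies."""
    for e in entries:
        if (e.proto in ("IP", pkt.proto) and addr_match(e.src, pkt.src) and port_match(e.sport, pkt.sport)
                and addr_match(e.dst, pkt.dst) and port_match(e.dport, pkt.dport)):
            return e.action
    return default


class StatefulFilter:
    """Records a hash of each permitted outbound connection and admits inbound packets whose reversed
    tuple hashes to a recorded connection, so return traffic needs no static inbound rule."""

    def __init__(self, outbound_acl, inbound_acl, default="deny"):
        self.outbound, self.inbound, self.default = outbound_acl, inbound_acl, default
        self.table = set()

    @staticmethod
    def conn_key(proto, a, ap, b, bp):  # SHA-256 of the connection tuple (assumed hash choice)
        return hashlib.sha256(f"{proto}|{a}:{ap}|{b}:{bp}".encode()).hexdigest()

    def filter(self, pkt, inbound):
        if inbound:
            # Return traffic: the packet's (dst, src) pair is the recorded (src, dst) of an outbound connection.
            if self.conn_key(pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.table:
                return "permit"
            return acl_lookup(self.inbound, self.default, pkt)
        verdict = acl_lookup(self.outbound, self.default, pkt)
        if verdict == "permit":
            self.table.add(self.conn_key(pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
        return verdict


# Constructed policy: intranet hosts may open HTTP connections outward; nothing is statically permitted inbound.
OUTBOUND = [AclEntry("permit", "TCP", "10.0.0.0/8", "any", "any", "80")]
INBOUND = []
# The static workaround the text warns about: let anything coming from port 80 back into the intranet.
LOOSE_INBOUND = [AclEntry("permit", "TCP", "any", "80", "10.0.0.0/8", "any")]

OUT = Packet("TCP", "10.0.0.5", 51000, "203.0.113.7", 80)       # intranet host -> external web server
RET = Packet("TCP", "203.0.113.7", 80, "10.0.0.5", 51000)       # the server's reply
STRAY = Packet("TCP", "203.0.113.7", 80, "10.0.0.6", 51000)     # unsolicited packet with forged source port 80


def static_verdicts():
    return (acl_lookup(INBOUND, "deny", RET),          # strict static ACL: the legitimate reply is dropped
            acl_lookup(LOOSE_INBOUND, "deny", RET),    # loose static ACL: the reply passes ...
            acl_lookup(LOOSE_INBOUND, "deny", STRAY))  # ... and so does the unsolicited packet


def stateful_verdicts():
    fw = StatefulFilter(OUTBOUND, INBOUND)
    return (fw.filter(OUT, inbound=False), fw.filter(RET, inbound=True), fw.filter(STRAY, inbound=True))
```

A real implementation would also age entries out of the table and, for TCP, check that the recorded connection was actually established rather than merely attempted; the example keeps only the hash lookup the text describes.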
Other defensive tasks
The simulation of the backup task among the protection tasks and of the vulnerability confirmation task among the detection tasks has been realized. Backup is a mapping from a target to its copy: by backing up the data and files in the system, recovery tasks can be adopted in time to recover the data when facing attacks and threats, thereby ensuring the security of the network. The vulnerability confirmation task mainly serves to reduce the false positive rate of the IDS: for the attack signature detected by the IDS, vulnerability scanning is carried out and the vulnerability knowledge base is searched, thereby confirming whether the attack corresponding to this kind of vulnerability can exist in the network. Through the description in the scheme description language, a linkage simulation among the IDS, the firewall and the vulnerability scanning system is finally realized.
(4) Execution result display module
The defense information of the defense nodes obtained in step (3), including the detection rule information of the IDS, the access control list (ACL) information of the firewall, backup and recovery node information, etc., is shown to the network security administrators in the form of a report.

Claims (5)

1. A computer network defense scheme simulation execution system, characterized in that it comprises: a scheme explanation module, a plan implementation module, a scheme simulation module and an execution result display module, wherein:
Scheme explanation module: designs and implements a computer network defense scheme description language CNDSDL (Computer Network Defense Scheme Description Language), gives the EBNF (Extended Backus-Naur Form) normal form of this language, and uses the lexical analyzer Flex and the syntax analyzer Bison to automatically parse the defense scheme file, parsing out the various defensive tasks and the sequential-logical relations between tasks;
Plan implementation module: according to the various types of defensive tasks explained by the scheme explanation module and the sequential-logical relations between tasks, judges whether a mutual sequential dependence exists between any two tasks; if it exists, a deadlock will result; if it does not exist, the various defensive tasks are scheduled and arranged to realize the simulation;
Scheme simulation module: the defensive tasks output by the plan implementation module are input into the simulation platform to realize the simulation of the defensive tasks, thereby obtaining the simulated execution results of the defense simulation tasks; the simulation of the defensive tasks comprises: IDS simulation tasks, firewall simulation tasks, vulnerability database simulation tasks and backup simulation tasks; the simulation of the various defensive tasks calls the knowledge in the database, comprising vulnerability information, IDS (Intrusion Detection System) rules and firewall rules;
Execution result display module: shows the simulated execution results of the defense simulation tasks in the form of a command console, including that the firewall simulation task shows the access control list (ACL) deployed on the firewall and the IDS simulation task shows the deployed detection rules.
2. The computer network defense scheme simulation execution system according to claim 1, characterized in that the specific implementation process of the scheme explanation module is:
(1) Design and implement a computer network defense scheme description language and give the EBNF normal form of this language; use this language to express the protection, detection, analysis, response and recovery tasks in the defense scheme, and the order-and, order-or, parallel-and, parallel-or and XOR relations between tasks. (2) Design the CNDSDL interpreter, which parses the input computer network defense scheme description document and parses out the defensive tasks in the defense scheme and the relations between tasks, as well as the subject, operation set, execution time, execution result and task constraints of every task, and the (action, action object, action input parameter) triple that each operation comprises. First, the CNDSDL statements are recognized and parsed, including lexical analysis and syntax analysis, completed by the Flex and Bison tools respectively, so that the parameters of the various statements are delivered to the interface functions; then semantic analysis is carried out, identifying global variable definition statements, task description statements and task relation description statements respectively according to the EBNF normal form description of CNDSDL, calling the corresponding API interface for each kind of statement and passing the parameters to the related module in the simulation system, so that the final scheme execution is completed by the simulation system. Through the above flow the interpreter realizes the parsing of the CNDSDL source file.
3. The computer network defense scheme simulation execution system according to claim 1, characterized in that the specific implementation process of the plan implementation module is:
Deadlock detection is carried out on the various types of defensive tasks obtained after explanation, using a graph-based task deadlock detection algorithm: first, a task graph is constructed according to the order-or and order-and relations between tasks; then the closure operation is performed on the graph, and if any directed edge is found to have a reverse edge, the two tasks have a mutual sequential dependence, which means the scheme would produce a deadlock; otherwise, nodes with in-degree 0 are scheduled from the task graph: if all the forward tasks with which this node has an order-or relation have failed execution results, this task must be executed; if all the forward tasks with which this node has an order-and relation have succeeded, this task can be executed.
4. The computer network defense scheme simulation execution system according to claim 1, characterized in that the specific implementation process of the scheme simulation module is: the tasks that have passed deadlock detection are called into the simulation platform to realize the simulation, using the discrete event-driven simulator GTNetS, which conveniently simulates medium and large networks; the vulnerability information and the IDS detection rules and firewall access control rules produced during the simulation are stored in the database; the concrete task simulation comprises the following three parts: (1) GTNetS is used to realize the simulation of a network-based intrusion detection system (NIDS), focusing on signature detection: the NIDS is placed in an important network segment and continuously monitors the various packets in the segment, performing signature analysis on each packet or on suspicious data; if a packet is consistent with a rule, the intrusion detection system sends an alert or responds, sending a vulnerability confirmation to the vulnerability database, or issuing a task to the firewall to block the packet; (2) GTNetS is used to realize the access control simulation of the firewall; the firewall in the security simulation is applied to packet filtering, which is divided into static packet filtering and stateful filtering of packets; for a static packet filtering firewall, when an interface receives a packet, it is first determined whether an ACL has been applied to this interface; if not, the packet is routed normally; if so, the ACL is processed; for an output ACL the process is similar; a stateful firewall filters mainly by recording the state information of connections: for the IP, TCP, UDP and ICMP protocols, one feasible scheme is to hash the connection-related information when the connection is established, and the firewall judges by hash matching whether traffic is return traffic, thereby achieving the filtering effect; (3) GTNetS is used to realize the simulation of other defensive tasks: the simulation of the backup task among the protection tasks and the vulnerability confirmation task among the detection tasks has been realized; backup is a mapping from a target to its copy, and by backing up the data and files in the system, recovery tasks can be adopted in time to recover the data when facing attacks and threats, thereby ensuring the security of the network; the vulnerability confirmation task reduces the false positive rate of the IDS: for the attack signature detected by the IDS, vulnerability scanning is carried out and the vulnerability knowledge base is searched, thereby confirming whether the attack corresponding to this kind of vulnerability can exist in the network; through the description in the scheme description language, a linkage simulation among the IDS, the firewall and the vulnerability scanning system is finally realized.
5. The computer network defense scheme simulation execution system according to claim 1, characterized in that the specific implementation process of the execution result display module is: the simulated execution results of the defense simulation tasks are shown in the form of a command console; according to the simulation phenomena obtained by the scheme simulation module, clicking a topological node in the simulation displays the simulated execution result of that node.
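The deadlock detection and in-degree-0 scheduling rule of claim 3, as an added example that is not code from the patent: the task graph is built from order-and and order-or edges, a transitive closure is computed to find any edge that has a reverse edge after closure, and tasks are then scheduled from in-degree-0 nodes using the page's two conditions (all order-or predecessors failed, or all order-and predecessors succeeded). The task names, the `results` map of simulated outcomes, and the rule that a predecessor that never ran counts as failed are assumptions made here.

```python
def build_task_graph(tasks, and_edges, or_edges):
    """Adjacency of the task graph. An edge (a, b) from either relation
    means task b logically follows task a."""
    succ = {t: set() for t in tasks}
    for a, b in and_edges + or_edges:
        succ[a].add(b)
    return succ

def has_deadlock(succ):
    """Transitive closure (Warshall), then look for a reverse edge: if some
    edge a->b also has a in closure(b), the two tasks depend on each other."""
    nodes = list(succ)
    reach = {a: set(succ[a]) for a in nodes}
    for k in nodes:
        for i in nodes:
            if k in reach[i]:
                reach[i] |= reach[k]
    return any(a in reach[b] for a in nodes for b in succ[a])

def schedule(tasks, and_edges, or_edges, results):
    """In-degree-0 scheduling. `results` (constructed) maps a task to True if
    its simulated execution succeeds. Assumption made here, not stated on the
    page: a predecessor that never ran counts as failed. Returns the tasks
    actually executed, in scheduling order."""
    succ = build_task_graph(tasks, and_edges, or_edges)
    if has_deadlock(succ):
        raise ValueError("scheme contains mutually dependent tasks")
    and_pred = {t: [a for a, b in and_edges if b == t] for t in tasks}
    or_pred = {t: [a for a, b in or_edges if b == t] for t in tasks}
    indeg = {t: len(and_pred[t]) + len(or_pred[t]) for t in tasks}
    ready = [t for t in tasks if indeg[t] == 0]
    executed = []
    ok = lambda p: p in executed and results.get(p, False)
    while ready:
        t = ready.pop(0)
        # order-or: runs only when every alternative before it failed;
        # order-and: runs only when every task before it succeeded.
        if all(not ok(p) for p in or_pred[t]) and all(ok(p) for p in and_pred[t]):
            executed.append(t)
        for s in succ[t]:
            indeg[s] -= 1
            if indeg[s] == 0:
                ready.append(s)
    return executed
```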
CN201310032532.9A, priority date 2013-01-28, filing date 2013-01-28: Computer network defense scheme emulated execution system; granted as CN103092680B (en); status: Expired - Fee Related

Publications (2)

Publication Number Publication Date
CN103092680A true CN103092680A (en) 2013-05-08
CN103092680B CN103092680B (en) 2016-01-20

Family

ID=48205290



Legal Events

Code Title
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20160120
Termination date: 20180128