CN104917757A - Event-triggered MTD protection system and method - Google Patents

Info

Publication number
CN104917757A
Authority
CN
China
Prior art keywords
detection
packet
event
mtd
current
Prior art date
Legal status
Pending
Application number
CN201510233838.XA
Other languages
Chinese (zh)
Inventor
闫兆腾
黄伟武
芦翔
朱红松
孙利民
Current Assignee
Institute of Information Engineering of CAS
Original Assignee
Institute of Information Engineering of CAS
Application filed by Institute of Information Engineering of CAS
Priority to CN201510233838.XA
Priority to CN201510515982.2A
Publication of CN104917757A

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31 User authentication
    • G06F21/32 User authentication using biometric data, e.g. fingerprints, iris scans or voiceprints
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general

Abstract

The invention relates to an event-triggered MTD (Moving Target Defense) protection system and method. By analysing active operating-system fingerprinting methods and their probe packets, a set of probe events is formulated, and an event-triggered MTD scheme for hiding operating-system characteristics is designed. Each time the protected target receives a probe packet from a fingerprinter, the characteristic corresponding to that probe item is changed automatically, so the fingerprint characteristics the fingerprinter collects are wrong information and the target is deceived into, or confused with, another device type. In this way important basic equipment is given an effective protection mechanism against remote fingerprint identification.

Description

An event-triggered MTD protection system and method
Technical field
The present invention relates to the field of concealment and protection of national fundamental equipment, and in particular to an event-triggered MTD protection system and method.
Background technology
Under present conditions, information systems run in relatively static configurations: addresses, names, software stacks, networks and other configuration parameters stay the same over long periods. This static approach gives an attacker who intends to exploit the system ample time to search for, probe and identify information such as the version and configuration of the target system. The most representative example is operating system fingerprinting (Operating System Fingerprinting Detection): by sending active or passive probe packets to hosts on the network, the attacker collects differing characteristics (features) and determines the operating system in use. This is usually one of the most important information-gathering steps before an attack.
Moving Target Defense (MTD) is a new concept proposed in response to this intrusion scenario: by controlling change across multiple system dimensions it increases the uncertainty and complexity of the system and thereby reduces the attack surface available to the attacker. After MTD was proposed in 2011 it gradually became a research hotspot in the field of system protection, and the White House identified it as one of four cyberspace security strategic technologies for future development.
As an important safety and protection scheme, MTD has in recent years been applied not only to guarding software systems against vulnerability scanning and against service and version leakage, but has also gradually gained wide adoption in countering remote operating system fingerprinting.
Research on MTD against operating system fingerprinting concentrated in 2011 mainly on randomising the IP address configuration over a period, so that the fingerprinting side cannot complete information gathering and probing within the time window before the target host's IP address changes. Research in 2013 began to apply MTD to remote operating system fingerprinting by periodically modifying and protecting the characteristic values of the TCP protocol stack. Periodic MTD protection, however, has security defects and hidden dangers of its own: if the probing side probes only one characteristic in each cycle and uses multiple cycles to collect the probe result for each characteristic, the security and performance of the MTD protection system are greatly reduced. If the fingerprinting side furthermore adopts distributed probing and information gathering, the attack surface faced by MTD becomes harder to defend, countering fingerprint probing becomes more complicated, and the defects of periodic MTD protection become even more prominent.
Summary of the invention
The technical problem solved by the invention is to address the deficiencies of the prior art by providing an event-triggered MTD protection system and method.
The technical scheme by which the invention solves the above technical problem is as follows: an event-triggered MTD protection system comprising a fingerprint probe packet decision system, a fingerprint probe event decision system and a characteristic value MTD modification system;
The fingerprint probe packet decision system, on receiving a request packet sent from a client, determines whether the packet belongs to regular service traffic or is a fingerprint probe packet aimed at system characteristics. If it is determined to be a normal system service connection request packet, it is left untouched and answered directly without triggering the protection mechanism; if it is determined to be a probe packet intended to obtain current system characteristics and their corresponding values, the protection mechanism is triggered at once to ensure that system-specific information is not leaked;
The fingerprint probe event decision system collects, stores and judges fingerprint probe events. When a probe packet is judged to have been received, it first compares the probe against the fingerprint probe event set to see whether it is in the current event set. If present, the processing method corresponding to the current event is executed; if absent, the value of the characteristic the probe packet wants to detect is randomised, and the probe behaviour is defined as a newly added event record and stored;
The characteristic value MTD modification system, after a fingerprint probe behaviour has been identified, applies the MTD idea: randomisation within a specified range or a Boolean conversion is performed on the values of the probed characteristics, and the changed characteristic values are then packaged into a response packet and returned to the fingerprinting side.
The beneficial effects of the invention are as follows: the invention adopts event-triggered MTD to resist operating system fingerprinting. By analysing active operating-system fingerprinting methods and probe packets, a probe event set is formulated and an event-triggered MTD protection idea that hides operating system characteristics is designed. Thus, every time the defended target (Target) receives a probe packet from the fingerprinting side (Fingerprinter), the characteristic corresponding to that probe item is changed automatically, the fingerprint characteristics collected by the probing side are wrong information, and the target is deceived into or confused with another device type, finally giving some fundamental equipment an effective protection mechanism against remote fingerprint identification.
Another technical scheme by which the invention solves the above technical problem is as follows: an event-triggered MTD protection method comprising the following steps:
When the fingerprint probe packet decision system receives a request packet sent from a client, it determines whether the packet belongs to regular service traffic or is a fingerprint probe packet aimed at system characteristics. If it is determined to be a normal system service connection request packet, it is left untouched and answered directly without triggering the protection mechanism; if it is determined to be a probe packet intended to obtain current system characteristics and their corresponding values, the protection mechanism is triggered at once to ensure that system-specific information is not leaked;
The fingerprint probe event decision system is used to collect, store and judge fingerprint probe events. When a probe packet is judged to have been received, the probe is first compared against the fingerprint probe event set to see whether it is in the current event set. If present, the processing method corresponding to the current event is executed; if absent, the value of the characteristic the probe packet wants to detect is randomised, and the probe behaviour is defined as a newly added event record and stored;
The characteristic value MTD modification system is used, after a fingerprint probe behaviour has been identified, to apply the MTD idea: randomisation within a specified range or a Boolean conversion is performed on the values of the probed characteristics, and the changed characteristic values are then packaged into a response packet and returned to the fingerprinting side.
Description of the drawings
Fig. 1 is a schematic diagram of the event-triggered MTD protection system of the invention;
Fig. 2 is a schematic diagram of the fingerprint probe packet decision system of the invention;
Fig. 3 is a schematic diagram of the fingerprint probe event decision system of the invention;
Fig. 4 is a schematic diagram of the characteristic value MTD modification service system of the invention;
Fig. 5 is a flow chart of the event-triggered MTD protection method of the invention;
Fig. 6 is a program flow chart of the fingerprint probe packet decision system of the invention;
Fig. 7 is a flow chart of the fingerprint probe event decision procedure of the invention;
Fig. 8 is a flow chart of the characteristic value MTD update routine of the invention.
Embodiments
The principles and features of the invention are described below with reference to the drawings; the examples serve only to explain the invention and are not intended to limit its scope.
The invention relates to an event-triggered MTD (Moving Target Defense) protection system for countering remote operating system fingerprinting (Remote Operating System Fingerprinting). By analysing active operating-system fingerprinting methods and probe packets, a probe event set is formulated and an event-triggered MTD protection idea that hides operating system characteristics is designed. Every time the defended target (Target) receives a probe packet from the fingerprinting side (Fingerprinter), the characteristic corresponding to that probe item is changed automatically, so the fingerprint characteristics collected by the probing side are wrong information and the target is deceived into or confused with another device type, finally giving some fundamental equipment an effective protection mechanism against remote fingerprint identification.
As shown in Figure 1, the event-triggered MTD protection system comprises a fingerprinting host (fingerprinter), a probed target host (target) and the fingerprint-probe MTD protection system. The fingerprint-probe MTD protection system is deployed on the probed target host and comprises the fingerprint probe packet decision system, the fingerprint probe event decision system and the characteristic value MTD modification system.
The fingerprint probe packet decision system, on receiving a request packet sent from a client, determines whether the packet belongs to regular service traffic or is a fingerprint probe packet aimed at system characteristics. If it is determined to be a normal system service connection request packet, it is left untouched and answered directly without triggering the protection mechanism; if it is determined to be a probe packet intended to obtain current system characteristics and their corresponding values, the protection mechanism is triggered at once to ensure that system-specific information is not leaked;
The fingerprint probe event decision system collects, stores and judges fingerprint probe events. When a probe packet is judged to have been received, it first compares the probe against the fingerprint probe event set to see whether it is in the current event set. If present, the processing method corresponding to the current event is executed; if absent, the value of the characteristic the probe packet wants to detect is randomised, and the probe behaviour is defined as a newly added event record and stored;
The characteristic value MTD modification system, after a fingerprint probe behaviour has been identified, applies the MTD idea: randomisation within a specified range or a Boolean conversion is performed on the values of the probed characteristics, and the changed characteristic values are then packaged into a response packet and returned to the fingerprinting side.
When the characteristic value is of Boolean type, the characteristic value MTD modification system can not only invert the current value but also apply randomised operations such as NOT and XOR, making it harder for the probing side to fingerprint the protected operating system through Boolean characteristic values. The probe event set is given in Table 1.
Table 1
The core of the invention is determining whether the current packet is a probe packet and, if so, which type of probe it belongs to.
As shown in Figure 2, the fingerprint probe packet decision system comprises a packet parsing module, a packet type discrimination module, a packet destination port discrimination module, a packet content discrimination module and a packet feature decision module. The packet parsing module parses the received request packet, removing its encapsulation to inspect the packet header, destination address, destination port, packet type, packet content and so on; it is the module that supplies the source data for the subsequent discrimination. The packet type discrimination module, the packet destination port discrimination module and the packet content discrimination module cooperate to judge whether the packet is a regular service packet or a fingerprint probe packet, and thus decide whether to trigger the fingerprint probe event set and the MTD modification system. The packet feature decision module combines the source data provided by the packet type discrimination module, the packet destination port discrimination module and the packet content discrimination module to judge which probe type the current fingerprint probe belongs to.
As shown in Figure 3, the fingerprint probe event decision system comprises a probe type identification module, a probe event database and a probe event classification module. The probe type identification module classifies probe packets by protocol type; the type label (tag) is mainly one of four kinds, ICMP, IP, TCP and UDP, after which the probe packet is passed to the fingerprint probe event decision system for subsequent operation. The probe event database stores in advance the event feature sets of probes for the different protocols IP, TCP, UDP and ICMP. The probe event classification module matches the data judged by the probe type identification module against the probe event database: if it matches one entry, the steps of the MTD modification system corresponding to that event are executed; if it matches none, the current probe type is added as a new event according to the rules of the event database format, and finally the characteristic that this probe type will detect is passed to the characteristic value MTD modification system in the next step.
As shown in Figure 4, the characteristic value MTD modification system comprises a value change module for the corresponding characteristic. The system makes deceptive modifications to the characteristic value that the current probe packet is going to detect: if it is a numerical value, randomisation is performed within a specified range; if it is a Boolean, the current Boolean is inverted. Finally the modified result is encapsulated in the response packet format and returned to the fingerprinting side.
As shown in Figure 5, the event-triggered MTD protection method comprises the following steps:
When the fingerprint probe packet decision system receives a request packet sent from a client, it determines whether the packet belongs to regular service traffic or is a fingerprint probe packet aimed at system characteristics. If it is determined to be a normal system service connection request packet, it is left untouched and answered directly without triggering the protection mechanism; if it is determined to be a probe packet intended to obtain current system characteristics and their corresponding values, the protection mechanism is triggered at once to ensure that system-specific information is not leaked;
The fingerprint probe event decision system is used to collect, store and judge fingerprint probe events. When a probe packet is judged to have been received, the probe is first compared against the fingerprint probe event set to see whether it is in the current event set. If present, the processing method corresponding to the current event is executed; if absent, the value of the characteristic the probe packet wants to detect is randomised, and the probe behaviour is defined as a newly added event record and stored;
The characteristic value MTD modification system is used, after a fingerprint probe behaviour has been identified, to apply the MTD idea: randomisation within a specified range or a Boolean conversion is performed on the values of the probed characteristics, and the changed characteristic values are then packaged into a response packet and returned to the fingerprinting side.
As shown in Figure 6, the process by which the packet parsing module, the packet type discrimination module, the packet destination port discrimination module and the packet content discrimination module cooperate to decide whether a packet is regular service traffic or a malicious probe packet is as follows:
Step 1.1: the packet parsing module decapsulates the packet;
Step 1.2: the packet type discrimination module determines which protocol type the current packet belongs to among ICMP, TCP, UDP and IP. If it is ICMP, the current packet is directly determined to be a probe packet, step 1.5 is executed and the type label (tag) of the current probe packet is set to ICMP; if it is IP, the packet content discrimination module of step 1.4 is executed; if it is TCP or UDP, the packet destination port discrimination module of step 1.3 is executed;
Step 1.3: the packet destination port discrimination module determines whether the target port in the packet is open. If it is open, the packet content discrimination module of step 1.4 is executed; if it is closed, the current packet is determined to be a probe packet, step 1.5 is executed, and according to the protocol type the type label (tag) of the current probe packet is set to TCP or UDP;
Step 1.4: the packet content discrimination module examines the data portion of the packet. If the data is empty, the current packet is determined to be a probe packet and step 1.5 is executed; if the data is not empty, the current packet is regarded as a normal business packet and a response packet is returned normally;
Step 1.5: the probe type identification module classifies the probe packet by protocol type, the type label (tag) being mainly one of four kinds, ICMP, IP, TCP and UDP, after which the probe packet is passed to the fingerprint probe event decision system for subsequent operation.
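The decision procedure of steps 1.1 to 1.5 written out as a small classifier, as an added example that is not part of the patent. The `ParsedPacket` model, the assumed set of open ports and the refinement of the TCP tag by its flags (so that a SYN probe is labelled "TCP SYN", as in scenario 2 later on the page) are assumptions of this example; the branch order follows the steps above.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed model of a request packet after the parsing module (step 1.1)
# has stripped the encapsulation. A real implementation would fill these
# fields from the IP/TCP/UDP headers; here they are supplied directly.
@dataclass
class ParsedPacket:
    proto: str                          # "ICMP", "IP", "TCP" or "UDP"
    dst_port: Optional[int] = None      # only meaningful for TCP and UDP
    payload: bytes = b""                # the data portion examined in step 1.4
    tcp_flags: frozenset = frozenset()  # e.g. {"SYN"}; used only to refine the tag

# Assumed set of ports the protected host really serves (consulted in step 1.3).
OPEN_PORTS = frozenset({22, 80, 443})


def port_is_open(pkt: ParsedPacket, open_ports=OPEN_PORTS) -> bool:
    """Step 1.3: destination port discrimination."""
    return pkt.dst_port in open_ports


def content_is_empty(pkt: ParsedPacket) -> bool:
    """Step 1.4: content discrimination; an empty data portion marks a probe."""
    return len(pkt.payload) == 0


def probe_tag(pkt: ParsedPacket) -> str:
    """Step 1.5 plus the packet feature decision module: the tag is the protocol
    name, refined for TCP by the flags so a SYN probe is labelled 'TCP SYN'
    (assumed labelling, modelled on scenario 2)."""
    if pkt.proto == "TCP" and "SYN" in pkt.tcp_flags:
        return "TCP SYN"
    return pkt.proto


def classify(pkt: ParsedPacket, open_ports=OPEN_PORTS) -> Tuple[bool, Optional[str]]:
    """Steps 1.2 to 1.5. Returns (is_probe, tag); tag is None for regular traffic."""
    if pkt.proto == "ICMP":
        # Step 1.2: ICMP is treated as a probe outright.
        return True, probe_tag(pkt)
    if pkt.proto == "IP":
        # Step 1.2 -> 1.4: raw IP goes straight to the content check.
        return (True, probe_tag(pkt)) if content_is_empty(pkt) else (False, None)
    if pkt.proto in ("TCP", "UDP"):
        # Step 1.3: a closed destination port is a probe regardless of content.
        if not port_is_open(pkt, open_ports):
            return True, probe_tag(pkt)
        # Step 1.4: an open port with an empty data portion is still a probe.
        return (True, probe_tag(pkt)) if content_is_empty(pkt) else (False, None)
    raise ValueError(f"unsupported protocol {pkt.proto!r}")


if __name__ == "__main__":
    # Constructed inputs mirroring the three scenarios described later on the page.
    samples = [
        ParsedPacket("TCP", 80, b"GET / HTTP/1.1\r\n", frozenset({"SYN"})),  # scenario 1
        ParsedPacket("TCP", 80, b"", frozenset({"SYN"})),                   # scenario 2
        ParsedPacket("UDP", 40125, b"\x00" * 4),                             # scenario 3
        ParsedPacket("ICMP"),
    ]
    for s in samples:
        print(s.proto, s.dst_port, classify(s))
```

Note that the classifier only sees what the page's steps give it: protocol, port state and payload length. A TCP SYN that opens a legitimate connection normally carries no payload either, so step 1.4 on its own cannot separate it from a SYN probe to an open port; a deployment would want an additional signal (for example the flag and option combinations Nmap's probes use) before treating every empty SYN as a probe.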
As shown in Figure 7, the probe event database stores in advance the event feature sets of probes for the different protocols IP, TCP, UDP and ICMP. The probe event classification module matches the data judged by the probe type identification module against the probe event database: if it matches one entry, the steps of the MTD modification system corresponding to that event are executed; if it matches none, the current probe type is added as a new event according to the rules of the event database format, and finally the characteristic that this probe type will detect is passed to the characteristic value MTD modification system in the next step;
In the fingerprint probe event decision system, the process by which the probe event classification module and the probe event database judge which kind of probe event the current probe packet belongs to is as follows:
Step 2.1: the probe type tag of the probe packet is matched against the probe event database. If it is a known probe event, step 2.2 is executed; if it is an unknown probe event, the current probe type is added as a new event according to the rules of the event database format, and finally the characteristic this probe type will detect is passed to the characteristic value MTD modification system in the next step;
Step 2.2: when matching against the probe event database by the probe type tag of step 2.1 shows that the current probe event is a known event in the current database, a switch-style matching step is performed and the corresponding MTD characteristic modification step is executed according to the type tag. For a TCP probe event, for example, MTD characteristic modification is performed on characteristic values generated in the current TCP connection, such as the initial sequence number (ISN).
As shown in Figure 8, the characteristic value MTD modification system makes deceptive modifications to the characteristic value that the current probe packet is going to detect: if it is a numerical value, randomisation is performed within a specified range; if it is a Boolean, the current Boolean is inverted. Finally the modified result is encapsulated in the response packet format and returned to the fingerprinting side.
In the characteristic value MTD modification system, the process of making confusing modifications to the characteristic values that each probe event wants to detect is as follows:
Step 3.1: determine whether the characteristic value to be detected by the probe event is of Boolean type;
Step 3.2: if it is Boolean, an inversion step is performed, flipping the current characteristic value and thus deceiving the probe result; if it is not Boolean, step 3.3 is executed;
Step 3.3: having judged in step 3.2 that the current probed characteristic value is not Boolean but a numerical value, a randomisation algorithm is executed which transforms the current characteristic value randomly within a range that does not affect the normal operation of the system, so that each probe result follows no rule and the probe results are confused;
Step 3.4: the modified characteristic value is packaged into a packet and returned to the probing side.
In the event-triggered MTD protection system, a probe packet may simultaneously contain probes of several characteristic values under one protocol. The main idea of the invention is to define the probe of each characteristic value as an event and to separate the judgement and MTD deceptive modification of each probe event from the other, independent events, so that the likelihood that a tool such as Nmap, by combining the results of multiple probe events, detects the correct fingerprint of the current operating system is greatly reduced.
As shown in Figure 1, with the event-triggered MTD protection system of the invention the protected host can deceive and confuse the operating system fingerprinting of an attacker. According to the communication process between the protected host and other hosts, the protection process is divided into three general scenarios:
Scenario 1 (regular service data communication: the Client sends a TCP connection request of the relevant protocol to the Target; the detection by the MTD protection system confirms that the current packet is not a probe packet, and a normal response packet is returned to the Client);
Scenario 2 (the fingerprinting side Fingerprinter sends a TCP SYN probe packet with empty data to the target host Target; the detection by the MTD protection system confirms that the current packet is a probe packet, the fingerprinting MTD system is triggered, the characteristic values of the corresponding probe are modified, and the result is encapsulated and returned to the Fingerprinter);
Scenario 3 (the fingerprinting side Fingerprinter sends a UDP probe packet whose target port is closed on the Target host; the detection by the MTD protection system confirms that the current packet is a probe packet, the fingerprinting MTD system is triggered, the port targeted by the corresponding probe event is modified to appear open, and the corresponding UDP packet is encapsulated and returned to the Fingerprinter).
Scenario 1: a normal Client request establishes communication with the target host without triggering the MTD protection mechanism. The specific steps are as follows:
1) first the Client sends a TCP SYN packet to the target host Target;
2) Target decapsulates the packet with the packet parsing module of the event-triggered MTD protection system;
3) the packet type discrimination module identifies the current packet as TCP protocol type;
4) the packet content discrimination module identifies that the content of the current TCP packet is not empty, so it is not a probe packet, and neither probe event detection nor the protection mechanism needs to be triggered;
5) finally the TCP SYN packet is answered as a regular service packet type by returning an ACK+SYN packet.
Scenario 2: the Target resists a TCP SYN probe packet from the Fingerprinter. The specific steps are as follows:
1) the Fingerprinter sends a TCP SYN probe packet to the target host Target, in which the data portion is empty;
2) Target decapsulates the packet with the packet parsing module of the event-triggered MTD protection system;
3) the packet type discrimination module identifies the current packet as TCP protocol type;
4) the packet destination port determination module identifies that the target port of the current packet is open;
5) the packet content discrimination module identifies that the content of the current TCP packet is empty, hence judges it to be a probe packet, and triggers probe event detection and the protection mechanism;
6) the packet feature decision module sets the type tag of the current probe packet to TCP SYN probe and passes the parameters to the fingerprint probe event decision system;
7) the fingerprint probe event decision system, according to the TCP SYN probe in the tag of the probe packet, matches against the probe event database and learns that the current probe event is a currently known probe event;
8) the fingerprint probe event decision system, by switch matching, determines that the characteristic values probed by the current TCP SYN probe event comprise the ISN (initial sequence number, 32 bit), ACK number (32 bit), urgent pointer (16 bit), window size (16 bit), SYN (1 bit) in flags and checksum (16 bit), and passes the parameters to the characteristic value MTD modification system;
9) the characteristic value MTD modification system determines whether each of the characteristics ISN, ACK number, urgent pointer, window size, SYN (1 bit) in flags and checksum is Boolean; only SYN (1 bit) in flags is Boolean, and all the other characteristics are numerical values;
10) the characteristic value MTD modification system inverts the SYN value in the current flags and performs randomisation calculations on the values of the other characteristics;
11) the characteristic value MTD modification system packages the modified characteristic values into an ACK+SYN packet and returns it to the Fingerprinter.
Scene 3: Target resists a UDP detection packet from the Fingerprinter addressed to a closed target port. The operation comprises the following steps:
1) The Fingerprinter sends a UDP detection packet to the destination host Target, the target port being a closed port of Target;
2) Target decapsulates the packet with the packet parsing module of the event-triggered MTD protection system;
3) The packet type discrimination module identifies the current packet as UDP;
4) The packet destination port discrimination module identifies that the destination port of the current packet is closed, so the current packet is determined to be a detection packet;
5) The packet feature decision module sets the type tag of the current detection packet to UDP detection and passes the parameters to the fingerprint detection event decision system;
6) Through a switch match, the fingerprint detection event decision system determines that the characteristic values probed by the current UDP detection event comprise the IPID (identification, 16 bits) and the length (16 bits), and passes these parameters to the characteristic value MTD modification system;
7) The characteristic value MTD modification system determines whether the two characteristics IPID and length are Boolean: both are numeric;
8) The characteristic value MTD modification system performs randomized computation on the current characteristic values;
9) The characteristic value MTD modification system packages the modified characteristic values into a UDP response packet and returns it to the Fingerprinter.
The foregoing is only a preferred embodiment of the present invention and is not intended to limit it; any modification, equivalent replacement, improvement, etc. made within the spirit and principles of the present invention shall fall within its scope of protection.

Claims (9)

1. An event-triggered MTD protection system, characterized in that it comprises a fingerprint detection packet decision system, a fingerprint detection event decision system and a characteristic value MTD modification system;
The fingerprint detection packet decision system, upon receiving a request packet sent from a client, discriminates whether the packet is a regular traffic packet or a fingerprint detection packet intended to probe system characteristics; if it is judged to be a normal system service connection request packet, it is left untouched and answered directly without triggering the defence mechanism; if it is judged to be a detection packet intended to obtain current system characteristics and their corresponding characteristic values, the defence mechanism is triggered at once to ensure that system-specific information is not leaked;
The fingerprint detection event decision system collects, stores and judges fingerprint detection events: when a probe packet is judged to have been received, it is first compared against the fingerprint detection event set to determine whether it belongs to the current event set; if it does, it is handled by the processing method corresponding to that event; if it does not, the values of the characteristics the detection packet seeks are randomized, and this detection behaviour is defined as a new event record and stored;
The characteristic value MTD modification system, after the behaviour has been judged to be fingerprint detection, applies the MTD concept by performing randomization or Boolean conversion within a specified range on the values of the probed characteristics, then packages the changed characteristic values into a response packet and returns it to the fingerprinting side.
2. The event-triggered MTD protection system according to claim 1, characterized in that the fingerprint detection packet decision system comprises a packet parsing module, a packet type discrimination module, a packet destination port discrimination module, a packet content discrimination module and a packet feature decision module;
The packet parsing module parses the received request packet, removing its encapsulation to inspect the packet header, destination address, destination port, packet type, packet content, etc.; it is the module that provides the source data for the subsequent discrimination;
The packet type discrimination module, the packet destination port discrimination module and the packet content discrimination module cooperate to judge whether a packet is a regular traffic packet or a fingerprint detection packet, thereby deciding whether to trigger the fingerprint detection event set and the MTD modification system;
The packet feature decision module combines the source data provided by the packet type discrimination module, the packet destination port discrimination module and the packet content discrimination module to judge which detection type the current fingerprint detection belongs to.
3. The event-triggered MTD protection system according to claim 1, characterized in that the fingerprint detection event decision system comprises a detection type identification module, a detection event database and a detection event classification module;
The detection type identification module classifies probe packets by protocol type and passes the probe packet on to the fingerprint detection event decision system;
The detection event database stores in advance the event characteristic sets of detection over the different protocols IP, TCP, UDP and ICMP;
The detection event classification module matches the data judged by the detection type identification module against the detection event database; if one entry is matched successfully, the execution steps of the MTD modification system corresponding to that event are performed; if no entry is matched, the current detection type is added as a new event rule in the format of the event database, and finally the characteristics this detection type will probe are passed to the characteristic value MTD modification system of the next step.
4. The event-triggered MTD protection system according to claim 1, characterized in that the characteristic value MTD modification system comprises a value change module for the corresponding characteristics; the characteristic value MTD modification system performs a deceptive modification of the characteristic values the current detection packet will probe: if a value is numeric, randomization is performed within a specified range; if it is Boolean, the current Boolean value is inverted. Finally the modified result is encapsulated in the response packet format and returned to the fingerprinting side.
5. An event-triggered MTD protection method, characterized in that it comprises the following steps:
Using the fingerprint detection packet decision system, upon receiving a request packet sent from a client, discriminate whether the packet is a regular traffic packet or a fingerprint detection packet intended to probe system characteristics; if it is judged to be a normal system service connection request packet, leave it untouched and answer directly without triggering the defence mechanism; if it is judged to be a detection packet intended to obtain current system characteristics and their corresponding characteristic values, trigger the defence mechanism at once to ensure that system-specific information is not leaked;
Using the fingerprint detection event decision system, collect, store and judge fingerprint detection events: when a probe packet is judged to have been received, first compare it against the fingerprint detection event set to determine whether it belongs to the current event set; if it does, handle it by the processing method corresponding to that event; if it does not, randomize the values of the characteristics the detection packet seeks, then define this detection behaviour as a new event record and store it;
Using the characteristic value MTD modification system, after the behaviour has been judged to be fingerprint detection, apply the MTD concept by performing randomization or Boolean conversion within a specified range on the values of the probed characteristics, then package the changed characteristic values into a response packet and return it to the fingerprinting side.
6. The event-triggered MTD protection method according to claim 5, characterized in that the process of judging whether a packet is a regular traffic packet or a malicious detection packet is as follows:
Step 1.1: the packet parsing module decapsulates the packet;
Step 1.2: the packet type discrimination module discriminates the protocol type of the current packet: if it is ICMP, the current packet is directly determined to be a detection packet, step 1.5 is performed and the current detection packet type label is set to ICMP; if it is IP, proceed to the packet content discrimination module of step 1.4; if it is TCP or UDP, proceed to the packet destination port discrimination module of step 1.3;
Step 1.3: the packet destination port discrimination module discriminates whether the target port in the packet is open: if it is open, proceed to the packet content discrimination module of step 1.4; if it is closed, the current packet is determined to be a detection packet, step 1.5 is performed, and the current detection packet type label is set to TCP or UDP according to the protocol type;
Step 1.4: the packet content discrimination module discriminates the data portion of the packet: if the data is empty, the current packet is determined to be a detection packet and step 1.5 is performed; if the data is not empty, the current packet is considered a normal business packet and a response packet is returned normally;
Step 1.5: the detection type identification module classifies the probe packet by protocol type, the type label being mainly one of the four ICMP, IP, TCP and UDP, and then passes the probe packet to the fingerprint detection event decision system for subsequent operation.
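The decision tree of steps 1.1 to 1.5, and the first five steps of Scenes 1 to 3 above, can be exercised end to end on raw packets. The following is an added example and not code from the patent; it assumes IPv4 only, models the open-port set as a plain Python set, and treats any protocol other than ICMP, TCP or UDP as the "IP protocol" branch of step 1.2. The sample packets (a SYN carrying data, a bare SYN, a UDP datagram to a closed port, an ICMP echo, an empty protocol-47 datagram and a DNS query) are constructed inline and their checksums are left at zero, since the classifier never reads them.

```python
# Added example, not code from the patent: the decision tree of claim 6
# (steps 1.1-1.5) run over constructed IPv4 packets that reproduce Scenes 1-3.
# Assumptions: IPv4 only; the open-port set is a plain Python set; a packet
# whose protocol number is neither ICMP, TCP nor UDP is treated as the
# "IP protocol" branch of step 1.2.
import struct

ICMP, TCP, UDP = 1, 6, 17


def parse_ipv4(pkt):
    """Step 1.1 (packet parsing module): strip the IP and transport headers;
    return protocol, destination port (None unless TCP/UDP) and the data portion."""
    ver_ihl, _, total_len, ipid, _, _, proto, _, _, _ = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or total_len > len(pkt):
        raise ValueError("not a well-formed IPv4 packet")
    body = pkt[ihl:total_len]
    info = {"proto": proto, "ipid": ipid, "dport": None, "payload": body}
    if proto == TCP:
        _, dport, seq, ack, off_flags, win, _, urg = struct.unpack("!HHIIHHHH", body[:20])
        doff = (off_flags >> 12) * 4
        info.update(dport=dport, seq=seq, ack=ack, flags=off_flags & 0x1FF,
                    win=win, urg=urg, payload=body[doff:])
    elif proto == UDP:
        _, dport, ulen, _ = struct.unpack("!HHHH", body[:8])
        info.update(dport=dport, payload=body[8:ulen])
    return info


def classify(pkt, open_ports):
    """Steps 1.2-1.5: "normal" for business traffic, otherwise the probe type
    label (ICMP, IP, TCP or UDP) handed to the fingerprint detection event system."""
    p = parse_ipv4(pkt)
    if p["proto"] == ICMP:                       # 1.2: ICMP is always a probe
        return "ICMP"
    if p["proto"] in (TCP, UDP):
        label = "TCP" if p["proto"] == TCP else "UDP"
        if p["dport"] not in open_ports:         # 1.3: closed port -> probe
            return label
        return label if not p["payload"] else "normal"   # 1.4: empty data on an open port
    return "IP" if not p["payload"] else "normal"        # 1.2 -> 1.4: other IP protocols


# Constructed sample traffic. Checksums are left at zero: the classifier never reads them.
def ipv4(proto, body, ipid=0x1234):
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(body), ipid, 0, 64, proto, 0,
                       bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])) + body


def tcp(dport, flags, payload=b""):
    return struct.pack("!HHIIHHHH", 40000, dport, 1, 0, (5 << 12) | flags, 8192, 0, 0) + payload


def udp(dport, payload=b""):
    return struct.pack("!HHHH", 40000, dport, 8 + len(payload), 0) + payload


OPEN_PORTS = {22, 53, 80}
SAMPLES = {
    "scene 1: SYN to open port carrying data": ipv4(TCP, tcp(80, 0x02, b"GET / HTTP/1.0\r\n")),
    "scene 2: bare SYN to open port": ipv4(TCP, tcp(80, 0x02)),
    "scene 3: UDP to closed port": ipv4(UDP, udp(9999)),
    "ICMP echo request": ipv4(ICMP, bytes([8, 0, 0xF7, 0xFF, 0, 0, 0, 0])),
    "empty GRE (protocol 47) datagram": ipv4(47, b""),
    "DNS query to open UDP port": ipv4(UDP, udp(53, b"\x00" * 12)),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:42s} -> {classify(pkt, OPEN_PORTS)}")
```

Note that step 1.4 has no discriminator beyond "data portion empty": because every TCP SYN carries no data, the tree labels every connection attempt to an open port as a TCP probe, exactly as Scene 2 describes; the claims supply no further check, so the example follows them as written.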
7. The event-triggered MTD protection method according to claim 5, characterized in that the process of judging which detection event the current probe packet belongs to is as follows:
Step 2.1: the detection type tag of the probe packet is matched against the detection event database; if it is a known detection event, step 2.2 is performed; if it is an unknown detection event, the current detection type is added as a new event rule in the format of the event database, and finally the characteristics this detection type will probe are passed to the characteristic value MTD modification system of the next step;
Step 2.2: having judged, by matching the detection type tag of step 2.1 against the detection event database, that the current detection event is a known detection event in the current database, a switch match is performed and the corresponding MTD characteristic modification step is executed according to the type of the tag.
8. The event-triggered MTD protection method according to claim 5, characterized in that, for the characteristic values each detection event seeks to probe, the deception is realized as follows:
Step 3.1: discriminate whether the characteristic value probed by the detection event is of Boolean type;
Step 3.2: if it is Boolean, perform an inversion step, turning the current characteristic value into its opposite and thereby deceiving the detection result; if it is not Boolean, perform step 3.3;
Step 3.3: step 3.2 having judged that the current probed characteristic value is not Boolean but numeric, execute a randomization algorithm that applies a random transform to the current characteristic value within a range that does not affect normal system operation, so that the detection result follows no rule from one probe to the next and is thereby obfuscated;
Step 3.4: the modified characteristic value is packaged into a packet and returned to the probing side.
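Steps 2.1 to 2.2 and 3.1 to 3.4, together with steps 6 to 11 of Scene 2 and 5 to 9 of Scene 3 above, form one pipeline: look the type tag up in the event database, invert each Boolean characteristic and redraw each numeric one inside its range, then package the result as the reply. The following is an added example and not the patent's code. The field widths are those listed in the scenarios; the "safe" numeric ranges, the rule used to register an unknown event (every characteristic the probe carries becomes a full-width 32-bit numeric value) and the handling of the checksum are this example's assumptions. In particular the checksum is recomputed over the mutated header rather than randomized, so that the reply remains deliverable, and the UDP reply is zero-padded to the randomized length so that the length field stays truthful.

```python
# Added example, not code from the patent: event-database match (claim 7),
# per-characteristic deception (claims 8 and 9) and reply packaging for
# Scenes 2 and 3. Ranges, the unknown-event rule and the checksum handling
# are assumptions made here, not taken from the patent.
import random
import struct

SYN, ACK = 0x02, 0x10
SRC, DST = bytes([10, 0, 0, 2]), bytes([10, 0, 0, 1])   # Target -> Fingerprinter (constructed)

# Detection event database (claim 3): probe type tag -> characteristics the prober
# reads from the reply. bool marks a Boolean characteristic; a tuple is the range
# inside which a numeric one may be redrawn without disturbing normal operation.
EVENT_DB = {
    "TCP": {"isn": (0, 0xFFFFFFFF), "ack": (0, 0xFFFFFFFF), "urg": (0, 0xFFFF),
            "win": (1024, 0xFFFF), "syn": bool},
    "UDP": {"ipid": (1, 0xFFFF), "length": (28, 576)},
}


def lookup_event(tag, current):
    """Claim 7, step 2.1: a known tag returns its rule; an unknown tag is registered
    as a new rule treating every carried characteristic as 32-bit numeric (assumption)."""
    if tag not in EVENT_DB:
        EVENT_DB[tag] = {name: (0, 0xFFFFFFFF) for name in current}
    return EVENT_DB[tag]


def mutate(rule, current, rng):
    """Claim 8, steps 3.1-3.3, applied to each characteristic independently as
    claim 9 requires: Booleans are inverted, numerics redrawn inside their range."""
    return {name: (not current[name]) if spec is bool else rng.randint(*spec)
            for name, spec in rule.items()}


def inet_checksum(data):
    """RFC 1071 ones'-complement checksum; yields 0 when run over a correct packet."""
    if len(data) % 2:
        data += b"\x00"
    s = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF


def build_tcp_reply(sport, dport, f):
    """Step 3.4 for Scene 2: handshake reply carrying the mutated ISN, ACK number,
    urgent pointer, window and SYN bit; checksum recomputed, not randomized."""
    flags = ACK | (SYN if f["syn"] else 0)
    hdr = struct.pack("!HHIIHHHH", sport, dport, f["isn"], f["ack"],
                      (5 << 12) | flags, f["win"], 0, f["urg"])
    csum = inet_checksum(SRC + DST + struct.pack("!BBH", 0, 6, len(hdr)) + hdr)
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:]


def tcp_reply_fields(seg):
    """Unpack a reply built above and report whether its checksum verifies."""
    sport, dport, seq, ack, off_flags, win, _, urg = struct.unpack("!HHIIHHHH", seg[:20])
    ok = inet_checksum(SRC + DST + struct.pack("!BBH", 0, 6, len(seg)) + seg) == 0
    return {"isn": seq, "ack": ack, "flags": off_flags & 0x1FF, "win": win,
            "urg": urg, "checksum_ok": ok}


def build_udp_reply(sport, dport, f):
    """Step 3.4 for Scene 3: IPv4/UDP reply whose IPID and total length are the
    mutated values; the payload is zero-padded so the length field stays truthful."""
    payload = b"\x00" * (f["length"] - 28)
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, f["length"], f["ipid"], 0, 64, 17, 0, SRC, DST)
    ip = ip[:10] + struct.pack("!H", inet_checksum(ip)) + ip[12:]
    return ip + udp


def udp_reply_fields(pkt):
    _, _, total_len, ipid, _, _, _, _, _, _ = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    return {"ipid": ipid, "length": total_len, "actual_len": len(pkt),
            "checksum_ok": inet_checksum(pkt[:20]) == 0}


def respond_to_probe(tag, current, sport, dport, rng=None):
    """Claim 7 -> claim 8 -> step 3.4 for one probe: returns the mutated values and
    the packaged reply (None for event types whose packaging is not modelled here)."""
    rng = rng or random.SystemRandom()
    mutated = mutate(lookup_event(tag, current), current, rng)
    if tag == "TCP":
        return mutated, build_tcp_reply(sport, dport, mutated)
    if tag == "UDP":
        return mutated, build_udp_reply(sport, dport, mutated)
    return mutated, None


if __name__ == "__main__":
    # Scene 2: Target's true handshake values before deception (constructed).
    truth = {"isn": 0x11223344, "ack": 1, "urg": 0, "win": 29200, "syn": True}
    for _ in range(3):   # every probe gets a different, rule-free answer
        m, seg = respond_to_probe("TCP", truth, 80, 40000)
        print("TCP reply:", m, tcp_reply_fields(seg))
    m, pkt = respond_to_probe("UDP", {"ipid": 7, "length": 28}, 9999, 40000)
    print("UDP reply:", m, udp_reply_fields(pkt))
```

Because the SYN bit is the one Boolean characteristic and step 10 of Scene 2 inverts it, the packaged reply carries ACK alone; the example reproduces that outcome rather than forcing SYN+ACK. Each characteristic is drawn independently, which is what claim 9 means by treating the probing of every characteristic value as its own event.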
9. The event-triggered MTD protection method according to claim 5, characterized in that a probe packet may simultaneously probe several characteristic values under one protocol; by defining the probing of each characteristic value as an event, the judgement of each detection event and its MTD deceptive modification are decoupled from the other independent events.
CN201510233838.XA 2015-05-08 2015-05-08 Event-triggered MTD protection system and method Pending CN104917757A (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN201510233838.XA CN104917757A (en) 2015-05-08 2015-05-08 Event-triggered MTD protection system and method
CN201510515982.2A CN105227540B (en) 2015-05-08 2015-08-20 Event-triggered MTD protection system and method

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201510233838.XA CN104917757A (en) 2015-05-08 2015-05-08 Event-triggered MTD protection system and method

Publications (1)

Publication Number Publication Date
CN104917757A true CN104917757A (en) 2015-09-16

Family

ID=54086463

Family Applications (2)

Application Number Title Priority Date Filing Date
CN201510233838.XA Pending CN104917757A (en) 2015-05-08 2015-05-08 Event-triggered MTD protection system and method
CN201510515982.2A Active CN105227540B (en) 2015-05-08 2015-08-20 Event-triggered MTD protection system and method

Family Applications After (1)

Application Number Title Priority Date Filing Date
CN201510515982.2A Active CN105227540B (en) 2015-05-08 2015-08-20 Event-triggered MTD protection system and method

Country Status (1)

Country Link
CN (2) CN104917757A (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110113333A (en) * 2019-04-30 2019-08-09 中国人民解放军战略支援部队信息工程大学 TCP/IP protocol fingerprint dynamization processing method and device
CN110431374A (en) * 2017-01-18 2019-11-08 瑞尼斯豪公司 Device for machine tool
CN113765728A (en) * 2020-06-04 2021-12-07 深信服科技股份有限公司 Network detection method, device, equipment and storage medium

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112702363A (en) * 2021-03-24 2021-04-23 远江盛邦(北京)网络安全科技股份有限公司 Node hiding method, system and equipment based on deception

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
GB2494098B (en) * 2011-04-11 2014-03-26 Bluecava Inc Thick client and thin client integration
CN103312689B (en) * 2013-04-08 2017-05-24 西安电子科技大学 Network hiding method for computer and network hiding system based on method
CN104519068A (en) * 2014-12-26 2015-04-15 赵卫伟 Moving target protection method based on operating system fingerprint jumping

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110431374A (en) * 2017-01-18 2019-11-08 瑞尼斯豪公司 Device for machine tool
US11209258B2 (en) 2017-01-18 2021-12-28 Renishaw Plc Machine tool apparatus
US11674789B2 (en) 2017-01-18 2023-06-13 Renishaw Plc Machine tool apparatus
CN110113333A (en) * 2019-04-30 2019-08-09 中国人民解放军战略支援部队信息工程大学 TCP/IP protocol fingerprint dynamization processing method and device
CN113765728A (en) * 2020-06-04 2021-12-07 深信服科技股份有限公司 Network detection method, device, equipment and storage medium

Also Published As

Publication number Publication date
CN105227540A (en) 2016-01-06
CN105227540B (en) 2018-05-08

Similar Documents

Publication Publication Date Title
CN109063745B (en) Network equipment type identification method and system based on decision tree
CN107135093B (en) Internet of things intrusion detection method and detection system based on finite automaton
CN105429963B (en) Intrusion detection analysis method based on Modbus/Tcp
US8839430B2 (en) Intrusion detection in communication networks
US20230092522A1 (en) Data packet processing method, apparatus, and electronic device, computer-readable storage medium, and computer program product
US20230224232A1 (en) System and method for extracting identifiers from traffic of an unknown protocol
CN110401624A (en) The detection method and system of source net G system mutual message exception
CN106953855B (en) Method for intrusion detection of GOOSE message of IEC61850 digital substation
CN103428186A (en) Method and device for detecting phishing website
CN105074717A (en) Detection of malicious scripting language code in a network environment
CN110661680A (en) Method and system for detecting data stream white list based on regular expression
CN104917757A (en) Event-triggered MTD protection system and method
CN113079150B (en) Intrusion detection method for power terminal equipment
Lima et al. BP-IDS: Using business process specification to leverage intrusion detection in critical infrastructures
KR101488271B1 (en) Apparatus and method for ids false positive detection
CN112367315A (en) Endogenous safe WAF honeypot deployment method
CN107846351A (en) A kind of chat messages sensitive information encryption method and device
CN116827655A (en) Flow detection acceleration method and system, electronic equipment and storage medium
CN110381008B (en) Network security dynamic defense system and method based on big data
CN115883169A (en) Industrial control network attack message response method and response system based on honeypot system
CN101547127A (en) Identification method of inside and outside network messages
CN112769847A (en) Safety protection method, device, equipment and storage medium for Internet of things equipment
CN116506216B (en) Lightweight malicious flow detection and evidence-storage method, device, equipment and medium
Desnitsky Approach to machine learning based attack detection in wireless sensor networks
Yuchao et al. The Construction and Experimental Approach of Anonymous Network Analysis and Control Platform

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C02 Deemed withdrawal of patent application after publication (patent law 2001)
WD01 Invention patent application deemed withdrawn after publication

Application publication date: 20150916