CN105227540B - Event-triggered MTD protection system and method - Google Patents

Event-triggered MTD protection system and method

Info

Publication number
CN105227540B
Authority
CN
China
Prior art keywords
fingerprint detection
event
detection
characteristic value
fingerprint
Prior art date
Legal status
Expired - Fee Related
Application number
CN201510515982.2A
Other languages
Chinese (zh)
Other versions
CN105227540A (en)
Inventor
闫兆腾
黄伟武
芦翔
朱红松
孙利民
Current Assignee
Institute of Information Engineering of CAS
Original Assignee
Institute of Information Engineering of CAS
Priority date
Filing date
Publication date
Application filed by Institute of Information Engineering of CAS
Priority to CN201510515982.2A
Publication of CN105227540A
Application granted
Publication of CN105227540B
Legal status: Expired - Fee Related
Anticipated expiration

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31User authentication
    • G06F21/32User authentication using biometric data, e.g. fingerprints, iris scans or voiceprints
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/20Network architectures or network communication protocols for network security for managing network security; network security policies in general


Abstract

The invention relates to an event-triggered MTD protection system and method. The protected host first decides whether an incoming request packet is a fingerprint probe packet; if it is, it further determines the probe type and compares the probe event carried by the packet against a pre-stored set of fingerprint probe events. If the event already exists, the corresponding characteristic values are modified by the established method; if it does not, the type of each characteristic value is determined and the value is modified according to that type. The modified characteristic values are then packaged into a response packet and returned to the probing side. Each time the protected target receives a fingerprint probe packet, the invention automatically alters the characteristics that the probe item targets, so that the fingerprint features collected by the prober are wrong and the host is mistaken for, or confused with, another device type. This gives critical infrastructure devices an effective defense against remote fingerprint identification.

Description

Event-triggered MTD protection system and method
Technical field
The invention relates to the field of concealment and protection of national critical infrastructure equipment, and in particular to an event-triggered MTD protection system and method.
Background art
Under current conditions, information systems are built on, and run with, relatively static configurations: addresses, names, software stacks, networks and assorted configuration parameters stay the same over long periods. This static approach gives an attacker who intends to exploit the system ample time to search for, probe and identify the target's version, configuration and other details. The most representative case is operating system fingerprinting (Operating System Fingerprinting Detection): by collecting the differing characteristics (features) elicited by active or passive fingerprint probe packets sent to a host on the network, the attacker determines which operating system it runs. This is usually one of the most important steps of pre-attack information gathering.
Moving Target Defense (MTD) is a concept proposed to shrink the attacker's attack surface and raise the cost of intrusion by controlling change across multiple system dimensions, thereby increasing the uncertainty and complexity of the system. Since it was put forward in 2011, MTD has gradually become a research hotspot in system protection and was identified by the White House as one of four strategic technologies for future cyberspace security protection.
As an important protection approach, MTD has in recent years been applied not only to defending software systems against vulnerability scanning and against leakage of service and version information, but has also gained wide adoption in countering remote operating system fingerprinting and identification.
Research on MTD against operating system fingerprinting systems in 2011 concentrated mainly on periodically randomizing IP addresses, so that the probing side cannot complete information gathering and probing within the time window for which the target host's IP address remains valid. Work in 2013 began to address MTD for remote operating system fingerprinting, periodically modifying and protecting the characteristic values of the TCP protocol stack. Periodic MTD protection, however, has an inherent security defect and risk: if the prober probes only one characteristic per period and aggregates the result for each characteristic across multiple periods, the security and effectiveness of the MTD protection system fall substantially. Further, if the prober uses distributed probing and information gathering, the attack surface MTD faces becomes harder to defend, the situation created by fingerprint probes becomes more complex, and the defects of periodic MTD protection become even more pronounced.
Summary of the invention
The technical problem the invention solves is, in view of the deficiencies of the prior art, to provide an event-triggered MTD protection system and method.
The technical solution by which the invention solves the above problem is as follows. An event-triggered MTD protection system comprises a fingerprint probe packet decision system, a fingerprint probe event decision system and a characteristic value MTD modification system;
the fingerprint probe packet decision system receives the request packet sent by a client and decides whether it is a fingerprint probe packet; if it is, the system further determines the probe type of the packet and invokes the fingerprint probe event decision system, otherwise it returns a response packet directly;
the fingerprint probe event decision system decides whether the probe event to which the fingerprint probe packet belongs already exists in the fingerprint probe event set of the corresponding probe type; if it does, the characteristic values probed by that event are passed to the characteristic value MTD modification system; otherwise the probe event of that type is defined as a newly added probe event, recorded and stored in the probe event set, and the characteristic values it probes are passed to the characteristic value MTD modification system;
the characteristic value MTD modification system applies deceptive modification to the characteristic values the fingerprint probe packet targets, packages the modified values into a response packet and returns it to the probing side.
The beneficial effects of the invention are as follows. The invention first decides whether a request packet is a fingerprint probe packet and, if so, further determines the probe type; it compares the probe event of the packet against the pre-stored fingerprint probe event set to decide whether the event already exists, modifying the corresponding characteristic values by the established method if it does and, if it does not, determining the type of each characteristic value and modifying it accordingly; the modified characteristic values are then packaged into a response packet and returned to the probing side. Each time the protected target (Target) receives a fingerprint probe packet from the probing side (Fingerprinter), the invention automatically alters the characteristics that probe item targets, so that the fingerprint features the prober collects are wrong and the host is mistaken for, or confused with, another device type. This gives critical infrastructure devices an effective defense mechanism against remote fingerprint identification.
Another technical solution by which the invention solves the above problem is an event-triggered MTD protection method comprising the following steps:
Step 1: receive the request packet sent by a client and decide whether it is a fingerprint probe packet; if it is, further determine the probe type of the packet and go to step 2; otherwise return a response packet directly and end the flow;
Step 2: decide whether the probe event of the fingerprint probe packet already exists in the probe event set of the corresponding probe type; if it does, go to step 3; otherwise define the probe event of that type as a newly added probe event, record and store it in the probe event set, and go to step 3;
Step 3: apply deceptive modification to the characteristic values the fingerprint probe packet targets, package the modified characteristic values into a response packet and return it to the probing side.
Brief description of the drawings
Fig. 1 is a schematic diagram of the event-triggered MTD protection system of the invention;
Fig. 2 is a schematic diagram of the fingerprint probe packet decision system of the invention;
Fig. 3 is a schematic diagram of the fingerprint probe event decision system of the invention;
Fig. 4 is a schematic diagram of the characteristic value MTD modification system of the invention;
Fig. 5 is a flowchart of the event-triggered MTD protection method of the invention;
Fig. 6 is a program flowchart of the fingerprint probe packet decision system of the invention;
Fig. 7 is a program flowchart of the fingerprint probe event decision procedure of the invention;
Fig. 8 is a program flowchart of the characteristic value MTD modification of the invention.
Detailed description
The principles and features of the invention are described below with reference to the drawings; the examples given serve only to explain the invention and not to limit its scope.
The invention relates to an event-triggered MTD (Moving Target Defense) protection system and method for countering remote operating system fingerprinting (Remote Operating System Fingerprinting). By analysing active operating system fingerprinting methods and their probe packets, a set of probe events is drawn up and an event-triggered MTD approach to hiding operating system characteristics is designed. Each time the protected target (Target) receives a fingerprint probe packet from the probing side (Fingerprinter), the characteristics that probe item targets are altered automatically, so that the fingerprint features the prober collects are wrong and the host is mistaken for, or confused with, another device type, finally giving critical infrastructure devices an effective defense mechanism against remote fingerprint identification.
As shown in Fig. 1, the event-triggered MTD protection system involves a fingerprinting host (fingerprinter), a probed target host (target) and the fingerprint-probe MTD protection system. The MTD protection system is deployed on the probed target host and comprises the fingerprint probe packet decision system, the fingerprint probe event decision system and the characteristic value MTD modification system, whose functions are as set out in the summary of the invention above: the first classifies the incoming request packet and determines its probe type, the second matches the probe event against the stored event set or records it as a new event, and the third applies deceptive modification to the probed characteristic values and returns the response packet to the probing side.
As shown in Fig. 2, the fingerprint probe packet decision system comprises a packet parsing module, a packet type decision module, a packet destination port decision module, a packet content decision module and a probe type decision module. The packet parsing module parses the received request packet: it strips the packet's encapsulation to examine the header, destination address, destination port, packet type, content and so on, providing source data for the modules that decide next. The packet type decision module determines the protocol type of the request packet from the parsed packet; the packet destination port decision module determines its target port; the packet content decision module determines its content. The packet type, destination port and content decision modules cooperate to decide whether the request packet is regular traffic or a fingerprint probe packet, and the probe type decision module then further determines the probe type of a fingerprint probe packet.
The packet type, destination port and content decision modules together decide whether the request packet is regular traffic or a fingerprint probe packet, and when it is a probe packet its probe type is determined as follows. The packet type decision module determines the protocol of the request packet: if it is ICMP, the packet is defined directly as a fingerprint probe packet and its probe type tag is set to ICMP; if it is TCP or UDP, the packet destination port decision module is called; if it is bare IP, the packet content decision module is called. The packet destination port decision module checks whether the target port of the request packet is open: if open, it calls the packet content decision module; if closed, it defines the packet as a fingerprint probe packet and sets the probe type tag to TCP or UDP. The packet content decision module checks whether the data part of the request packet is empty: if empty, the packet is defined as a fingerprint probe packet with probe type tag TCP, UDP or IP; if not empty, the packet is judged to be regular traffic. The probe type decision module classifies probe packets by protocol into four type tags, ICMP, IP, TCP and UDP, and passes the probe packet to the fingerprint probe event decision system for subsequent processing.
As shown in Fig. 3, the fingerprint probe event decision system comprises a probe event database and a probe event classification module. The probe event database pre-stores, for each protocol type (mainly IP, TCP, UDP and ICMP), the set of fingerprint probe events that probe packets of that type can trigger. The probe event classification module matches the probe event of the fingerprint probe packet against the fingerprint probe event set of the corresponding probe type: if a matching fingerprint probe event exists, it instructs the characteristic value MTD modification system to modify the characteristic values of that probe event; if none matches, it adds the probe event as a new event rule in the format of the probe event database and passes the characteristic values the event probes to the characteristic value MTD modification system.
The fingerprint probe event decision system further comprises a probe event definition module: when one fingerprint probe packet probes several characteristic values, the probe of each characteristic value is defined as a separate fingerprint probe event, matched individually against the fingerprint probe event set, and its characteristic value is MTD-modified individually.
As shown in Fig. 4, the characteristic value MTD modification system comprises a characteristic value type decision module and a characteristic value modification module. When the characteristic value type decision module receives a characteristic value from the fingerprint probe event decision system, it decides whether the value the probe packet targets is numeric or Boolean and sends the result to the characteristic value modification module. When the characteristic value modification module receives from the fingerprint probe event decision system an instruction to modify the characteristic values of a known probe event, it modifies them by the established method; when it receives the result of the characteristic value type decision module, it modifies the value according to that result: a numeric value is randomized within a specified range, and a Boolean value is inverted or XORed. The modified result is encapsulated in response packet format and returned to the probing side.
When a characteristic value is Boolean, the characteristic value MTD modification system can not only invert the current value but also randomize it with operations such as NOT and XOR, making it harder for the prober to identify the protected operating system from Boolean characteristic values. The probe event set is shown in Table 1.
Table 1
The core of the invention is deciding whether the current packet is a probe packet and, if so, which type of probe it belongs to.
As shown in Fig. 5, the event-triggered MTD protection method comprises the three steps set out in the summary of the invention above: step 1 receives the request packet, decides whether it is a fingerprint probe packet and determines its probe type, returning a response packet directly if it is regular traffic; step 2 decides whether the probe event exists in the probe event set of the corresponding probe type, recording it as a new event if not; step 3 applies deceptive modification to the characteristic values the probe packet targets and returns them in a response packet to the probing side.
In step 1 the request packet is judged to be regular traffic or a fingerprint probe packet by combining its protocol type, destination port and packet content.
As shown in Fig. 6, step 1 is implemented as follows:
Step 1.1: decapsulate the request packet;
Step 1.2: determine the protocol type of the request packet; if ICMP, define the packet directly as a fingerprint probe packet with probe type tag ICMP; if TCP or UDP, go to step 1.3; if bare IP, go to step 1.4;
Step 1.3: check whether the target port of the request packet is open; if open, go to step 1.4; if closed, define the packet as a fingerprint probe packet with probe type tag TCP or UDP;
Step 1.4: check whether the data part of the request packet is empty; if empty, define the packet as a fingerprint probe packet with probe type tag TCP, UDP or IP; if not empty, judge the packet to be regular traffic;
Step 1.5: classify fingerprint probe packets by protocol into the four type tags ICMP, IP, TCP and UDP, and pass the probe packet to the fingerprint probe event decision system for subsequent processing.
As shown in Fig. 7, step 2 is implemented as follows:
The probe event of the fingerprint probe packet is matched against the fingerprint probe event set of the corresponding probe type. If a matching fingerprint probe event exists, an instruction to modify the characteristic values of that probe event is sent to the characteristic value MTD modification system; if none matches, the probe event is added as a new event rule in the format of the probe event database and the characteristic values it probes are passed to the characteristic value MTD modification system. Concretely, the probe type tag of the probe packet is matched against the probe event database. For a known probe event, a switch match on the tag selects the MTD characteristic modification step for that tag type; for a TCP probe event, for example, the characteristic values produced by the current TCP implementation, such as the initial sequence number (ISN), undergo MTD modification. For an unknown probe event, a new event rule for the current probe type is added in the format of the event database, and the characteristic values this probe type targets are finally passed to the characteristic value MTD modification system of the next step.
Step 2 further includes: when one fingerprint probe packet probes several characteristic values, the probe of each characteristic value is defined as a separate fingerprint probe event, matched individually against the fingerprint probe event set, and its characteristic value MTD-modified individually. A fingerprint probe packet may probe several characteristic values of one protocol at once; the main idea of the invention is that, by defining the probe of each characteristic value as its own event, the decision and the MTD deceptive modification for each probe event are decoupled from every other independent event, so that a tool such as Nmap, which synthesizes the results of many probe events, has a greatly reduced chance of recovering the correct fingerprint of the current operating system.
As shown in Fig. 8, step 3 is implemented as follows:
Step 3.1: when an instruction from the fingerprint probe event decision system to modify the characteristic values of a known probe event is received, modify the characteristic values by the established method and go to step 3.3; when a characteristic value from the fingerprint probe event decision system is received, decide whether the value the probe packet targets is numeric or Boolean and go to step 3.2;
Step 3.2: if the characteristic value is numeric, perform a randomizing modification within a specified range; if it is Boolean, invert or XOR the current value; go to step 3.3;
Step 3.3: package the modified characteristic value into a response packet and return it to the probing side.
The current characteristic value is transformed randomly within a range the system tolerates without adverse effect, so that the probe result follows no pattern from one probe to the next and the probe results are obfuscated.
With the event-triggered MTD protection system of the invention, the protected host can deceive and confuse an attacker's operating system fingerprint probing and identification. According to the communication process by which the protected host establishes connections with other hosts, the whole protection process falls into three scenes:
Scene 1 (regular traffic): a Client requests a TCP connection to Target using the relevant protocol; the MTD protection system determines that the packet is not a probe packet, and a normal response packet is returned to Client;
Scene 2 (empty SYN probe packet): Fingerprinter sends a TCP packet to the target host Target; the MTD protection system determines that the packet is a probe packet, triggers the fingerprint MTD system, modifies the characteristic values being probed, and returns the encapsulated response to Fingerprinter;
Scene 3 (UDP probe packet to a closed port): Fingerprinter sends a UDP probe packet whose target port is closed on Target; the MTD protection system determines that the packet is a probe packet, triggers the fingerprint MTD system, changes the port state probed by the corresponding probe event to open, and encapsulates and returns the corresponding UDP packet to Fingerprinter.
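The following is an added example, not code from the patent or its assignee: a small Python model of the three subsystems that runs the pipeline of steps 1 to 3 over constructed packets for the three scenes just listed, plus an ICMP probe with no stored event rule to show the learning path of step 2. The open-port set, the event database contents, the value ranges, the field names and the sample packets are all assumptions made for the demo; nothing here parses or transmits real packets. Two practitioner caveats are built in. First, a real handshake SYN carries no data, so the empty-payload test of step 1.4 cannot by itself separate a legitimate connection attempt to an open port from an empty SYN probe; the regular client request in scene 1 is therefore modelled as a data-carrying segment, which is how the page's own scene 1 describes it. Second, the TCP checksum listed among the values to randomize in scene 2 is left out of the rule, because a randomized checksum produces an invalid segment; it has to be recomputed over the final mutated packet.

```python
"""Toy model of the event-triggered MTD pipeline described on this page.
Added example, not the patent's or the assignee's code.  The three subsystems
are modelled on a simplified packet record; nothing real is parsed or sent.
Open ports, event rules, value ranges and sample packets are demo assumptions.
"""
import random
from dataclasses import dataclass
from typing import Optional, Tuple

OPEN_PORTS = {22, 80}  # assumption: ports the protected host really listens on


@dataclass
class Packet:
    proto: str                       # "ICMP", "TCP", "UDP" or bare "IP"
    dport: Optional[int] = None      # destination port for TCP/UDP
    payload: bytes = b""             # data part
    tcp_flags: Tuple[str, ...] = ()  # only used to name the TCP probe event


def classify(pkt):
    """Step 1: ICMP is always a probe, TCP/UDP to a closed port is a probe,
    otherwise an empty data part marks a probe and a non-empty one regular traffic."""
    if pkt.proto == "ICMP":
        return "probe", "ICMP"
    if pkt.proto in ("TCP", "UDP") and pkt.dport not in OPEN_PORTS:
        return "probe", pkt.proto
    if not pkt.payload:
        return "probe", pkt.proto
    return "normal", None


# Step 2: probe event database, (name, kind, numeric range) per value.  Illustrative.
EVENT_DB = {
    ("TCP", "SYN"): [
        ("isn", "num", (0, 2 ** 32)),
        ("ack", "num", (0, 2 ** 32)),
        ("urgent_pointer", "num", (0, 2 ** 16)),
        ("window", "num", (1024, 65535)),
        ("syn_flag", "bool", None),
        # no "checksum" rule: it must be recomputed over the final packet
    ],
    ("UDP", "closed-port"): [
        ("port_open", "bool", None),  # scene 3: closed port reported as open
        ("ttl", "num", (32, 255)),
    ],
}
# Rule learned for a probe type that matches no stored event (assumed defaults).
DEFAULT_RULES = {
    "ICMP": [("ttl", "num", (32, 255)), ("ip_id", "num", (0, 2 ** 16)), ("df_flag", "bool", None)],
    "IP": [("ttl", "num", (32, 255)), ("ip_id", "num", (0, 2 ** 16))],
    "TCP": [("window", "num", (1024, 65535))],
    "UDP": [("ttl", "num", (32, 255))],
}


def event_name(pkt, tag):
    """Name the event within a probe type (the page's 'switch' on the tag)."""
    if tag == "TCP" and "SYN" in pkt.tcp_flags:
        return "SYN"
    if tag == "UDP" and pkt.dport not in OPEN_PORTS:
        return "closed-port"
    return "generic"


def lookup_event(pkt, tag, db):
    """Step 2: match the probe event; an unknown event is recorded as a new rule."""
    key = (tag, event_name(pkt, tag))
    if key not in db:
        db[key] = list(DEFAULT_RULES[tag])
    return key, db[key]


def mutate(rule, true_values, rng):
    """Step 3: randomize numeric values within their range, invert Boolean values."""
    out = {}
    for name, kind, bounds in rule:
        out[name] = rng.randrange(*bounds) if kind == "num" else not true_values[name]
    return out


def respond(pkt, true_values, rng, db):
    """Whole pipeline: regular traffic is answered truthfully, probes get MTD values."""
    verdict, tag = classify(pkt)
    if verdict == "normal":
        return {"mtd": False, "event": None, "values": dict(true_values)}
    key, rule = lookup_event(pkt, tag, db)
    return {"mtd": True, "event": key, "values": mutate(rule, true_values, rng)}


def run_scenes(seed=1):
    """Constructed traffic for the page's three scenes plus one unknown ICMP event."""
    rng = random.Random(seed)
    db = dict(EVENT_DB)  # private copy, so learned rules stay inside this run
    tcp_truth = {"isn": 1000, "ack": 0, "urgent_pointer": 0, "window": 29200, "syn_flag": True}
    return {
        "scene1": respond(Packet("TCP", 80, b"GET / HTTP/1.1\r\n\r\n", ("PSH", "ACK")), tcp_truth, rng, db),
        "scene2": respond(Packet("TCP", 80, b"", ("SYN",)), tcp_truth, rng, db),
        "scene3": respond(Packet("UDP", 9, b"\x00" * 300), {"port_open": False, "ttl": 64}, rng, db),
        "unknown": respond(Packet("ICMP"), {"ttl": 64, "ip_id": 0, "df_flag": True}, rng, db),
        "learned": sorted(db),
    }
```

Calling run_scenes(1) returns one entry per scene: the regular request in scene1 comes back with the true values untouched; the SYN probe in scene2 gets a randomized ISN, ACK number, urgent pointer and window together with an inverted SYN bit; the UDP probe to closed port 9 in scene3 is reported as open; and the ICMP probe, which matches no stored rule, is appended to the run's private copy of the event database under ("ICMP", "generic"). Because every probe draws fresh random values, two identical probes receive different answers, which is the property the page claims for event-triggered over periodic MTD.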
Scene 1: a normal Client establishes communication with the target host without triggering the MTD protection mechanism. The steps are as follows:
1) Client first sends a TCP SYN packet to the target host Target;
2) the packet parsing module of Target's event-triggered MTD protection system decapsulates the packet;
3) the packet type decision module identifies the packet as TCP;
4) the packet content decision module finds that the content of the TCP packet is not empty, so it is not a probe packet and the probe event detection and protection mechanism is not triggered;
5) the TCP SYN packet is finally handled as regular traffic and a SYN+ACK packet is returned.
Scene 2: Target counters a TCP SYN probe packet from Fingerprinter. The steps are as follows:
1) Fingerprinter sends a TCP SYN probe packet to the target host Target, with an empty data part;
2) the packet parsing module of Target's event-triggered MTD protection system decapsulates the packet;
3) the packet type decision module identifies the packet as TCP;
4) the packet destination port decision module finds that the target port of the packet is open;
5) the packet content decision module finds that the content of the TCP packet is empty and therefore judges it to be a probe packet, triggering the probe event detection and protection mechanism;
6) the packet feature decision module defines the type tag of the current probe packet as a TCP SYN probe and passes the parameters to the fingerprint probe event decision system;
7) the fingerprint probe event decision system matches the TCP SYN probe tag of the probe packet against the probe event database and learns that the current probe event is a known probe event;
8) through a switch match, the fingerprint probe event decision system selects the characteristic values probed by the TCP SYN probe event: ISN (initial sequence number, 32 bits), ACK number (32 bits), urgent pointer (16 bits), window size (16 bits), the SYN bit in flags (1 bit) and checksum (16 bits); these parameters are passed to the characteristic value MTD modification system;
9) the characteristic value MTD modification system checks each of ISN, ACK number, urgent pointer, window size, the SYN bit (1 bit) and checksum to decide whether it is a Boolean value, and finds that only the SYN bit in flags is Boolean while all the others are numeric;
10) the characteristic value MTD modification system inverts the SYN value in flags and applies a randomizing computation to the values of the other characteristics;
11) the characteristic value MTD modification system packages the modified characteristic values into a SYN+ACK packet and returns it to Fingerprinter.
Scene 3: Target counters a UDP probe packet from the Fingerprinter sent to a closed destination port. The specific operations are as follows:
1) The Fingerprinter sends a UDP probe packet to the destination host Target, in which the destination port is a closed port on Target;
2) The packet parsing module of Target's event-triggered MTD defense system decapsulates the packet;
3) The packet-type judgment module identifies the current packet as UDP;
4) The destination-port judgment module identifies that the destination port of the current packet is closed and defines the current packet as a probe packet;
5) The packet-feature judgment module sets the type tag of the current probe packet to "UDP probe" and passes the parameters to the fingerprint probe-event decision subsystem;
6) The fingerprint probe-event decision subsystem determines by switch-case matching that the characteristic values probed by the current UDP probe event are the IP ID (identification, 16 bit) and the length (16 bit), and passes these parameters to the characteristic-value MTD modification subsystem;
7) The characteristic-value MTD modification subsystem judges whether the IP ID and the length are Boolean values; both characteristic values are numerical;
8) The characteristic-value MTD modification subsystem performs a randomization computation on the values of the current characteristic values;
9) The characteristic-value MTD modification subsystem encapsulates the modified characteristic values into a UDP response packet and returns it to the Fingerprinter.
The foregoing are merely preferred embodiments of the present invention and are not intended to limit it. Any modification, equivalent replacement, improvement and the like made within the spirit and principles of the present invention shall fall within its protection scope.

Claims (10)

1. An event-triggered MTD defense system, characterised in that it comprises a fingerprint probe-packet decision subsystem, a fingerprint probe-event decision subsystem and a characteristic-value MTD modification subsystem;
the fingerprint probe-packet decision subsystem is used to receive a request packet sent by a client and judge whether it is a fingerprint probe packet; if it is, it further judges the probe type of the fingerprint probe packet and calls the fingerprint probe-event decision subsystem, otherwise it directly returns a response packet;
the fingerprint probe-event decision subsystem is used to judge whether the probe event to which the fingerprint probe packet belongs already exists in the fingerprint probe-event set of the corresponding probe type; if it exists, the characteristic values probed by the fingerprint probe event are passed to the characteristic-value MTD modification subsystem, otherwise the probe event of that type is defined as a newly added probe event, recorded and stored in the probe-event set, and the characteristic values probed by the fingerprint probe event are passed to the characteristic-value MTD modification subsystem;
the fingerprint probe-event decision subsystem comprises a probe-event database and a probe-event classification module;
the probe-event database is used to pre-store the fingerprint probe-event sets corresponding to fingerprint probe packets of different protocol types;
the probe-event classification module is used to match the probe event to which the fingerprint probe packet belongs against the fingerprint probe-event set of the corresponding probe type; if a matching fingerprint probe event exists, it sends the characteristic-value MTD modification subsystem an instruction to perform the characteristic-value modification for that class of fingerprint probe event; if no matching fingerprint probe event exists, it adds the probe event as a new event rule in the format of the probe-event database and passes the characteristic values to be probed by the probe event to the characteristic-value MTD modification subsystem;
the characteristic-value MTD modification subsystem is used to make deceptive modifications to the characteristic values to be probed by the fingerprint probe packet, encapsulate the modified characteristic values into a response packet and return it to the fingerprinting side.
2. The event-triggered MTD defense system according to claim 1, characterised in that the fingerprint probe-packet decision subsystem comprises a packet parsing module, a packet-type judgment module, a destination-port judgment module, a packet-content judgment module and a probe-type judgment module;
the packet parsing module is used to parse the received request packet;
the packet-type judgment module is used to judge the protocol type of the request packet from the parsed request packet;
the destination-port judgment module is used to judge the destination port of the request packet from the parsed request packet;
the packet-content judgment module is used to judge the content of the request packet from the parsed request packet;
the packet-type judgment module, the destination-port judgment module and the packet-content judgment module cooperate to complete the judgment of whether the request packet is a regular traffic packet or a fingerprint probe packet;
the probe-type judgment module is used to further judge the probe type of the fingerprint probe packet.
3. The event-triggered MTD defense system according to claim 2, characterised in that the packet-type judgment module, the destination-port judgment module and the packet-content judgment module cooperate to complete the judgment of whether the request packet is a regular traffic packet or a fingerprint probe packet, and that, when it is judged to be a fingerprint probe packet, the further judgment of the probe type of the fingerprint probe packet is specifically:
the packet-type judgment module judges the protocol type of the request packet; if it is the ICMP protocol, the request packet is directly defined as a fingerprint probe packet and its probe-type label is set to ICMP; if it is the TCP or UDP protocol, the destination-port judgment module is called; if it is the IP protocol, the packet-content judgment module is called;
the destination-port judgment module judges whether the destination port in the request packet is open; if it is open, the packet-content judgment module is called; if it is closed, the request packet is defined as a fingerprint probe packet and its probe-type label is set to TCP or UDP;
the packet-content judgment module judges whether the data portion of the request packet is empty; if the data portion is empty, the current request packet is defined as a fingerprint probe packet and its probe-type label is set to TCP, UDP or IP; if the data portion is not empty, the current request packet is judged to be a regular traffic packet;
the probe-type judgment module classifies fingerprint probe packets by protocol type, the type labels being divided into the four kinds ICMP, IP, TCP and UDP, and passes the fingerprint probe packet to the fingerprint probe-event decision subsystem for subsequent operation.
4. The event-triggered MTD defense system according to claim 1, characterised in that the fingerprint probe-event decision subsystem further comprises a probe-event definition module, which is used, when a single fingerprint probe packet probes multiple characteristic values, to define the probing of each characteristic value as a separate fingerprint probe event, so that each is matched against the fingerprint probe-event set individually and the MTD modification of each characteristic value is carried out individually.
5. The event-triggered MTD defense system according to claim 1, characterised in that the characteristic-value MTD modification subsystem comprises a characteristic-value type judgment module and a characteristic-value modification module;
the characteristic-value type judgment module is used, on receiving the characteristic values passed by the fingerprint probe-event decision subsystem, to judge whether each characteristic value to be probed by the fingerprint probe packet is a numerical value or a Boolean value, and to send the judgment result to the characteristic-value modification module;
the characteristic-value modification module is used, on receiving from the fingerprint probe-event decision subsystem an instruction to perform the characteristic-value modification for that class of fingerprint probe event, to modify the characteristic value according to the established method, or, on receiving the judgment result sent by the characteristic-value type judgment module, to modify the characteristic value according to that result: if the characteristic value is a numerical value, a randomizing modification is performed within a specified range; if the characteristic value is a Boolean value, the current Boolean value is negated or XORed; the modified result is encapsulated in the response-packet format and returned to the fingerprinting side.
6. An event-triggered MTD defense method, characterised in that it comprises the following steps:
Step 1: receive the request packet sent by a client and judge whether it is a fingerprint probe packet; if it is, further judge the probe type of the fingerprint probe packet and perform Step 2, otherwise directly return a response packet and end the flow;
Step 2: judge whether the probe event described by the fingerprint probe packet already exists in the probe-event set of the corresponding probe type; if it exists, perform Step 3, otherwise define the probe event of that type as a newly added probe event, record and store it in the probe-event set, and perform Step 3;
Step 2 is implemented as follows:
match the probe event to which the fingerprint probe packet belongs against the fingerprint probe-event set of the corresponding probe type; if a matching fingerprint probe event exists, send the characteristic-value MTD modification subsystem an instruction to perform the characteristic-value modification for that class of fingerprint probe event; if no matching fingerprint probe event exists, add the probe event as a new event rule in the format of the probe-event database and pass the characteristic values to be probed by the probe event to the characteristic-value MTD modification subsystem;
Step 3: make deceptive modifications to the characteristic values to be probed by the fingerprint probe packet, encapsulate the modified characteristic values into a response packet and return it to the fingerprinting side.
7. The event-triggered MTD defense method according to claim 6, characterised in that in Step 1 the protocol type, destination port and content of the request packet are jointly used to judge whether the request packet is a regular traffic packet or a fingerprint probe packet.
8. The event-triggered MTD defense method according to claim 7, characterised in that Step 1 is specifically implemented as follows:
Step 1.1: decapsulate the request packet;
Step 1.2: judge the protocol type of the request packet; if it is the ICMP protocol, directly define the request packet as a fingerprint probe packet and set its probe-type label to ICMP; if it is the TCP or UDP protocol, perform Step 1.3; if it is the IP protocol, perform Step 1.4;
Step 1.3: judge whether the destination port in the request packet is open; if it is open, perform Step 1.4; if it is closed, define the request packet as a fingerprint probe packet and set its probe-type label to TCP or UDP;
Step 1.4: judge whether the data portion of the request packet is empty; if the data portion is empty, define the current request packet as a fingerprint probe packet and set its probe-type label to TCP, UDP or IP; if the data portion is not empty, judge the current request packet to be a regular traffic packet;
Step 1.5: classify fingerprint probe packets by protocol type, the type labels being divided into the four kinds ICMP, IP, TCP and UDP, and pass the fingerprint probe packet to the fingerprint probe-event decision subsystem for subsequent operation.
9. the MTD means of defences of a kind of event-triggered according to claim 6, it is characterised in that affiliated step 2 further includes When a fingerprint detection bag includes the detection to multiple characteristic values, the detection of each characteristic value is defined as a fingerprint Detection event, and then individually matched with fingerprint detection event set, individually carry out the MTD modifications of characteristic value.
10. The event-triggered MTD defense method according to claim 6, characterised in that Step 3 is specifically implemented as follows:
Step 3.1: on receiving from the fingerprint probe-event decision subsystem an instruction to perform the characteristic-value modification for that class of fingerprint probe event, modify the characteristic value according to the established method and perform Step 3.3; on receiving the characteristic values passed by the fingerprint probe-event decision subsystem, judge whether each characteristic value to be probed by the fingerprint probe packet is a numerical value or a Boolean value and perform Step 3.2;
Step 3.2: if the characteristic value is a numerical value, perform a randomizing modification within the specified range; if the characteristic value is a Boolean value, negate the current Boolean value or apply an XOR operation to it; then perform Step 3.3;
Step 3.3: encapsulate the modified characteristic values into a response packet and return it to the fingerprinting side.
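The procedure of claims 8 and 10, which is the same pipeline walked through in Scenes 2 and 3 above (classify the request packet, look the probe event up in the probe-event database, then negate Boolean characteristic values and randomize numerical ones before answering), rendered as an added, editor-written example. It is not code from the patent or from its applicant; every name in it (PROBE_EVENTS, STACK_DEFAULTS, classify, lookup_event, mtd_modify, handle and the build_* helpers) is hypothetical, the probe-event database holds only the two probe types the embodiments define, the "stack defaults" stand in for whatever the unmodified TCP/IP stack would have answered, and the packets are constructed test input. Randomization draws from a CSPRNG so that the answers themselves cannot be predicted, and a randomized value is re-drawn if it happens to equal the real one.

```python
"""Event-triggered MTD against OS-fingerprinting probes: added illustration, not
the patent's code. All names are hypothetical and all packets are constructed."""
import random
import struct
from dataclasses import dataclass
from typing import Optional

# Probe-event database (claim 1): probe type -> characteristic values probed,
# each as (name, bit width, is_boolean). Only the two types the page defines.
PROBE_EVENTS = {
    "TCP": [("isn", 32, False), ("ack", 32, False), ("urgent_pointer", 16, False),
            ("window", 16, False), ("syn_flag", 1, True), ("checksum", 16, False)],
    "UDP": [("ip_id", 16, False), ("length", 16, False)],
}

# Constructed stand-ins for the values the unmodified stack would answer with.
STACK_DEFAULTS = {
    "TCP": {"isn": 0x11223344, "ack": 0x1001, "urgent_pointer": 0,
            "window": 65535, "syn_flag": True, "checksum": 0xBEEF},
    "UDP": {"ip_id": 0x1234, "length": 28},
}


@dataclass
class Packet:
    proto: str                 # "TCP", "UDP", "ICMP" or "IP"
    dst_port: Optional[int]
    payload: bytes


def parse_ipv4(raw: bytes) -> Packet:
    """Step 1.1: decapsulate an IPv4 datagram and the transport header inside it."""
    body = raw[(raw[0] & 0x0F) * 4:]
    if raw[9] == 6:                                      # TCP
        dport = struct.unpack("!H", body[2:4])[0]
        return Packet("TCP", dport, body[(body[12] >> 4) * 4:])
    if raw[9] == 17:                                     # UDP
        dport = struct.unpack("!H", body[2:4])[0]
        return Packet("UDP", dport, body[8:])
    if raw[9] == 1:                                      # ICMP
        return Packet("ICMP", None, body)
    return Packet("IP", None, body)                      # any other IP protocol


def classify(pkt: Packet, open_ports: set) -> Optional[str]:
    """Steps 1.2-1.5: return the probe-type label, or None for regular traffic."""
    if pkt.proto == "ICMP":
        return "ICMP"                                    # Step 1.2: ICMP is always a probe
    if pkt.proto in ("TCP", "UDP") and pkt.dst_port not in open_ports:
        return pkt.proto                                 # Step 1.3: closed port
    if len(pkt.payload) == 0:
        return pkt.proto                                 # Step 1.4: empty data portion
    return None


def lookup_event(label: str, db: dict) -> list:
    """Step 2: match against the probe-event set; an unknown type is recorded as a
    new event rule (the page leaves its characteristic values unspecified)."""
    if label not in db:
        db[label] = []
    return db[label]


def mtd_modify(values: dict, spec: list, rng: random.Random) -> dict:
    """Steps 3.1-3.3: negate Booleans, randomize numerics within their bit width."""
    out = dict(values)
    for name, bits, is_bool in spec:
        if is_bool:
            out[name] = not values[name]
        else:
            new = rng.getrandbits(bits)
            while new == values[name]:                   # never hand back the real value
                new = rng.getrandbits(bits)
            out[name] = new
    return out


def handle(raw: bytes, open_ports: set, db: dict, rng: Optional[random.Random] = None):
    """Whole pipeline. Returns (label, response features); label None = regular traffic."""
    rng = rng or random.SystemRandom()                   # CSPRNG: answers are unpredictable
    label = classify(parse_ipv4(raw), open_ports)
    if label is None:
        return None, None
    return label, mtd_modify(STACK_DEFAULTS.get(label, {}), lookup_event(label, db), rng)


# Constructed packets for testing (checksums left zero; the classifier never reads them).
def build_ipv4(proto_num: int, transport: bytes, ip_id: int = 0x1234) -> bytes:
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(transport), ip_id, 0, 64,
                      proto_num, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return hdr + transport


def build_tcp(dport: int, flags: int = 0x02, payload: bytes = b"") -> bytes:
    return struct.pack("!HHIIBBHHH", 40000, dport, 0x1000, 0, 5 << 4, flags, 1024, 0, 0) + payload


def build_udp(dport: int, payload: bytes = b"") -> bytes:
    return struct.pack("!HHHH", 40000, dport, 8 + len(payload), 0) + payload


if __name__ == "__main__":
    db = {k: list(v) for k, v in PROBE_EVENTS.items()}
    for _ in range(2):                                   # same probe, two different answers
        print(handle(build_ipv4(6, build_tcp(80)), {80}, db))
```

Three caveats a practitioner would raise against the rules as the page states them, all visible in this code: a legitimate TCP SYN also carries an empty data portion, so Step 1.4 fires on every ordinary connection to an open port and not only on the probe of Scene 2; randomizing the checksum yields replies that fail verification, which is itself a distinguishing signature; and real stacks answer a UDP datagram to a closed port with an ICMP port-unreachable message rather than a UDP reply, so the IP ID and length a fingerprinter measures in Scene 3 are those of that ICMP message.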
CN201510515982.2A 2015-05-08 2015-08-20 The MTD guard systems and method of a kind of event-triggered Expired - Fee Related CN105227540B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201510515982.2A CN105227540B (en) 2015-05-08 2015-08-20 The MTD guard systems and method of a kind of event-triggered

Applications Claiming Priority (3)

Application Number Priority Date Filing Date Title
CN201510233838X 2015-05-08
CN201510233838.XA CN104917757A (en) 2015-05-08 2015-05-08 Event-triggered MTD protection system and method
CN201510515982.2A CN105227540B (en) 2015-05-08 2015-08-20 The MTD guard systems and method of a kind of event-triggered

Publications (2)

Publication Number Publication Date
CN105227540A CN105227540A (en) 2016-01-06
CN105227540B true CN105227540B (en) 2018-05-08

Family

ID=54086463

Family Applications (2)

Application Number Title Priority Date Filing Date
CN201510233838.XA Pending CN104917757A (en) 2015-05-08 2015-05-08 Event-triggered MTD protection system and method
CN201510515982.2A Expired - Fee Related CN105227540B (en) 2015-05-08 2015-08-20 The MTD guard systems and method of a kind of event-triggered

Family Applications Before (1)

Application Number Title Priority Date Filing Date
CN201510233838.XA Pending CN104917757A (en) 2015-05-08 2015-05-08 Event-triggered MTD protection system and method

Country Status (1)

Country Link
CN (2) CN104917757A (en)

Families Citing this family (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
GB201700879D0 (en) * 2017-01-18 2017-03-01 Renishaw Plc Machine tool apparatus
CN110113333A (en) * 2019-04-30 2019-08-09 中国人民解放军战略支援部队信息工程大学 A kind of ICP/IP protocol fingerprint mobilism processing method and processing device
CN113765728B (en) * 2020-06-04 2023-07-14 深信服科技股份有限公司 Network detection method, device, equipment and storage medium
CN112702363A (en) * 2021-03-24 2021-04-23 远江盛邦(北京)网络安全科技股份有限公司 Node hiding method, system and equipment based on deception

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103312689A (en) * 2013-04-08 2013-09-18 西安电子科技大学 Network hiding method for computer and network hiding system based on method
CN104519068A (en) * 2014-12-26 2015-04-15 赵卫伟 Moving target protection method based on operating system fingerprint jumping

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
GB2494098B (en) * 2011-04-11 2014-03-26 Bluecava Inc Thick client and thin client integration

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
刘长征 (Liu Changzheng) et al., 《操作系统指纹特征伪装技术研究》 (Research on operating-system fingerprint camouflage technology), 《信息网络安全》 (Netinfo Security), No. 5, 2014-05-31, pp. 1-4 *

Also Published As

Publication number Publication date
CN105227540A (en) 2016-01-06
CN104917757A (en) 2015-09-16

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20180508