A Host Fingerprint Anti-detection Model Based on SDN  (Cited by: 2)


Authors: ZHANG Tao [1,2]; LU Bing; LI Ding [1,2]; HE Kang (Cyberspace Security Institute, Information Engineering University, Zhengzhou 450001, China; State Key Laboratory of Mathematical Engineering and Advanced Computing, Zhengzhou 450001, China)

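Affiliations: [1] Cyberspace Security Institute, Information Engineering University, Zhengzhou 450001; [2] State Key Laboratory of Mathematical Engineering and Advanced Computing, Zhengzhou 450001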

Source: Netinfo Security (《信息网络安全》), 2020, Issue 7, pp. 42-52 (11 pages)

Funding: National Natural Science Foundation of China [61601517].

Abstract: To address the difficulty of defending against host fingerprint probing, this paper proposes a host fingerprint anti-detection model based on software-defined networking (SDN). The model constructs virtual nodes that carry fake fingerprint information; by identifying fingerprint probes and building response packets according to fingerprint templates, it deceives fingerprint-probing attacks. The paper then proposes honeypot mapping and traffic traction techniques which, combined with honeypots, redirect attack traffic aimed at the virtual nodes to a honeypot so that the attack behavior can be captured and analyzed. To analyze the security benefit of the model, a probabilistic model of its defense effectiveness is established, quantifying how the number of probes, the number of virtual nodes, the number of honeypot mapping rules, the allowable number of losses, the virtual node deception rate, and the honeypot detection rate affect the probability of attack success. Finally, a prototype system is built on the X86 platform using DPDK. The experimental results show that the model achieves a higher deception success rate than the typical anti-recognition tool IPMorph, and that the additional performance overhead is less than 5%.

Keywords: host fingerprint; network probing; honeypot; network deception

Classification code: TP309 [Automation and Computer Technology: Computer System Architecture]

 
