Container-based Intrusion Detection Method for Cisco IOS-XE

Cited by: 2


Authors: YANG Pengfei; CAI Ruijie [1,2]; GUO Shichen; LIU Shengli (State Key Laboratory of Mathematical Engineering and Advanced Computing, Zhengzhou 450001, China; Information Engineering University, Zhengzhou 450001, China)

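Affiliations: [1] State Key Laboratory of Mathematical Engineering and Advanced Computing, Zhengzhou 450001; [2] Strategic Support Force Information Engineering University, Zhengzhou 450001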

Source: Computer Science (《计算机科学》), 2023, Issue 4, pp. 298-307 (10 pages)

Funding: Foundation Strengthening Project of the Science and Technology Commission (2019-JCJQ-ZD-113).

Abstract: The IOS-XE network operating system is widely used in Cisco core routing and switching nodes, so its security is very important. However, its design focuses on fast data forwarding and lacks protection for its own security, which exposes it to major risks. In addition, existing intrusion detection methods for the traditional IOS system suffer from poor real-time performance, inaccurate detection results and incomplete detection coverage when ported to IOS-XE. To strengthen the security of the IOS-XE system itself, this paper proposes a container-based intrusion detection method for Cisco IOS-XE: a detection container deployed on the router monitors router state changes and user access requests in real time. The method solves the problems of detecting configuration-hiding attacks, decrypting the router's HTTPS management traffic and monitoring router state in real time, and so achieves real-time detection of intrusions into IOS-XE. Experimental results show that the method effectively detects common attacks against IOS-XE routers, including password guessing, Web injection, CLI injection, configuration hiding and backdoor implantation. Compared with existing detection methods, it has higher real-time performance and accuracy, and effectively improves the defensive capability of IOS-XE routing devices.

Keywords: Cisco IOS-XE; container; configuration-hiding attack; command injection; intrusion detection

Classification: TP393 [Automation and Computer Technology: Computer Application Technology]

 
