CN104917757A - Event-triggered MTD protection system and method - Google Patents
- Publication number: CN104917757A
- Application number: CN201510233838.XA
- Authority: CN (China)
- Prior art keywords: detection, packet, event, mtd, data packet
- Legal status: Pending
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/20—Network architectures or network communication protocols for network security for managing network security; network security policies in general
- G—PHYSICS
- G06—COMPUTING OR CALCULATING; COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/30—Authentication, i.e. establishing the identity or authorisation of security principals
- G06F21/31—User authentication
- G06F21/32—User authentication using biometric data, e.g. fingerprints, iris scans or voiceprints
Description
Technical field
The invention relates to the field of concealment-based protection of critical national infrastructure equipment, and in particular to an event-triggered MTD protection system and method.
Background
In the current environment, information technology systems are built and operated in relatively static configurations. For example, addresses, names, software stacks, networks and various configuration parameters remain relatively static over long periods of time. This static approach gives an attacker who intends to exploit vulnerabilities in a system ample time to search for, probe and identify information such as the version and configuration of the target system. The most representative example is operating system fingerprinting (Operating System Fingerprinting Detection): determining the operating system in use by collecting, through active or passive probing, the differences in the features of packets exchanged with hosts on the network. Attackers commonly treat this as the most important step of pre-attack information gathering.
MTD (Moving Target Defense) is a new concept built on controlling change across multiple dimensions of a system, increasing the system's uncertainty and complexity, and thereby shrinking the attacker's attack surface and raising the cost of an attack. Since MTD was proposed in 2011 it has gradually become a research hotspot in the field of system protection, and the White House has identified it as one of the four major strategic cyberspace security protection technologies for future development.
As an important security protection approach, MTD has in recent years not only been applied to defending software systems against vulnerability scanning and against leakage of service and version information, but has also gradually been adopted on a large scale to counter remote operating system fingerprinting.
Research on MTD as a defence against operating system fingerprinting in 2011 focused mainly on randomizing the IP address configuration over a fixed period, so that the fingerprinter cannot complete information collection and probing within the time window of the target host's IP change. In 2013, research began on MTD for remote operating system fingerprinting that periodically modifies and protects the characteristic values of the TCP protocol stack. However, periodic MTD protection has inherent security flaws and hidden dangers: if the prober probes only one characteristic in each period and aggregates the probe results for each characteristic over multiple periods, the security mechanism and effectiveness of the MTD protection system are greatly reduced. Moreover, if the fingerprinter uses distributed probing and information collection, the attack surface faced by MTD becomes even harder to defend, the situation against fingerprinting becomes more complicated, and the defects of periodic MTD protection become more prominent.
Summary of the invention
The technical problem to be solved by the present invention is to provide, in view of the deficiencies of the prior art, an event-triggered MTD protection system and method.
The technical solution of the present invention to the above technical problem is as follows: an event-triggered MTD protection system comprising a fingerprint probe packet judgment system, a fingerprint probe event judgment system and a characteristic value MTD modification system;
the fingerprint probe packet judgment system is used, on receiving a request packet from a client, to judge whether the packet is a normal service packet or a fingerprint probe packet that probes system characteristics; if it is judged to be a normal system service connection request packet, it is responded to directly without any processing and without triggering the protection mechanism; if it is judged to be a probe packet intended to obtain the current system characteristics and their values, the protection mechanism is triggered immediately to ensure that system characteristic information is not leaked;
the fingerprint probe event judgment system is used to collect, store and judge fingerprint probe events; when it is judged that a probe packet has been received, the packet is first compared against the fingerprint probe event set to check whether it is already in the current event set; if it is, it is handled according to the handling method of that event; if it is not, the value of the characteristic that the probe packet wants to probe is randomized, and this type of probe behaviour is defined as a new event record and stored;
the characteristic value MTD modification system is used, once fingerprint probing behaviour has been determined, to apply the MTD idea by performing randomization within a certain range or a Boolean transformation on the values of the probed characteristics, and then to encapsulate the changed characteristic values into a response packet that is returned to the fingerprinter.
The beneficial effects of the present invention are: the present invention adopts event-triggered MTD to counter operating system fingerprinting; by analysing active operating system fingerprinting methods and probe packets, it formulates a probe event set and designs an event-triggered MTD protection idea that hides operating system characteristics. As a result, each time the protected target (Target) receives a probe packet from the fingerprinter (Fingerprinter), it automatically changes the characteristic corresponding to that probe item, so that the fingerprint features collected by the prober are wrong information, the target is mistaken for or confused with another device type, and critical infrastructure equipment ultimately gains an effective protection mechanism against remote fingerprinting.
Another technical solution of the present invention to the above technical problem is as follows: an event-triggered MTD protection method comprising the following steps:
using the fingerprint probe packet judgment system, on receiving a request packet from a client, to judge whether the packet is a normal service packet or a fingerprint probe packet that probes system characteristics; if it is judged to be a normal system service connection request packet, it is responded to directly without any processing and without triggering the protection mechanism; if it is judged to be a probe packet intended to obtain the current system characteristics and their values, the protection mechanism is triggered immediately to ensure that system characteristic information is not leaked;
using the fingerprint probe event judgment system to collect, store and judge fingerprint probe events; when it is judged that a probe packet has been received, the packet is first compared against the fingerprint probe event set to check whether it is already in the current event set; if it is, it is handled according to the handling method of that event; if it is not, the value of the characteristic that the probe packet wants to probe is randomized, and this type of probe behaviour is defined as a new event record and stored;
using the characteristic value MTD modification system, once fingerprint probing behaviour has been determined, to apply the MTD idea by performing randomization within a certain range or a Boolean transformation on the values of the probed characteristics, and then to encapsulate the changed characteristic values into a response packet that is returned to the fingerprinter.
Description of the drawings
Fig. 1 is a schematic diagram of an event-triggered MTD protection system of the present invention;
Fig. 2 is a schematic diagram of the fingerprint probe packet judgment system of the present invention;
Fig. 3 is a schematic diagram of the fingerprint probe event judgment system of the present invention;
Fig. 4 is a schematic diagram of the characteristic value MTD modification system of the present invention;
Fig. 5 is a flow chart of an event-triggered MTD protection method of the present invention;
Fig. 6 is a program flow chart of the fingerprint probe packet judgment system of the present invention;
Fig. 7 is a flow chart of the fingerprint probe event judgment program of the present invention;
Fig. 8 is a flow chart of the characteristic value MTD modification program of the present invention.
Detailed description
The principles and features of the present invention are described below with reference to the drawings; the examples given serve only to explain the invention and are not intended to limit its scope.
The invention relates to an event-triggered MTD (Moving Target Defense) protection system against remote operating system fingerprinting (Remote Operating System Fingerprinting). By analysing active operating system fingerprinting methods and probe packets, a probe event set is formulated and an event-triggered MTD protection idea that hides operating system characteristics is designed. Each time the protected target (Target) receives a probe packet from the fingerprinter (Fingerprinter), it automatically changes the characteristic corresponding to that probe item, so that the fingerprint features collected by the prober are wrong information, the target is mistaken for or confused with another device type, and critical infrastructure equipment ultimately gains an effective protection mechanism against remote fingerprinting.
As shown in Fig. 1, an event-triggered MTD protection system comprises a fingerprinting host (fingerprinter), a probed target host (target) and a fingerprint probe MTD protection system; the fingerprint probe MTD protection system is deployed on the probed target host and comprises the fingerprint probe packet judgment system, the fingerprint probe event judgment system and the characteristic value MTD modification system.
The fingerprint probe packet judgment system is used, on receiving a request packet from a client, to judge whether the packet is a normal service packet or a fingerprint probe packet that probes system characteristics. If it is judged to be a normal system service connection request packet, it is responded to directly without any processing and without triggering the protection mechanism; if it is judged to be a probe packet intended to obtain the current system characteristics and their values, the protection mechanism is triggered immediately to ensure that system characteristic information is not leaked;
the fingerprint probe event judgment system is used to collect, store and judge fingerprint probe events; when it is judged that a probe packet has been received, the packet is first compared against the fingerprint probe event set to check whether it is already in the current event set; if it is, it is handled according to the handling method of that event; if it is not, the value of the characteristic that the probe packet wants to probe is randomized, and this type of probe behaviour is defined as a new event record and stored;
the characteristic value MTD modification system is used, once fingerprint probing behaviour has been determined, to apply the MTD idea by performing randomization within a certain range or a Boolean transformation on the values of the probed characteristics, and then to encapsulate the changed characteristic values into a response packet that is returned to the fingerprinter.
When the characteristic value being handled by the characteristic value MTD modification system is Boolean, the value can be changed not only by the NOT operation used at present but also by randomly choosing among NOT, XOR and other operations, making it harder for the prober to fingerprint the protected operating system from Boolean characteristic values. The probe event set is shown in Table 1.
Table 1
The core of the present invention is determining whether the current packet is a probe packet and, if so, which type of probe it belongs to.
As shown in Fig. 2, the fingerprint probe packet judgment system comprises a packet parsing module, a packet type discrimination module, a packet destination port discrimination module, a packet content discrimination module and a packet feature discrimination module. The packet parsing module parses the received request packet, removing its encapsulation to inspect the packet header, destination address, destination port, packet type, packet content and so on, and supplies source data to the subsequent discrimination modules. The packet type discrimination module, the packet destination port discrimination module and the packet content discrimination module cooperate to determine whether the packet is a normal service packet or a fingerprint probe packet, and thus whether to trigger the fingerprint probe event set and the MTD modification system. The packet feature discrimination module combines the source data supplied by the packet type, destination port, content and feature discrimination modules to determine which probe type the current fingerprint probe belongs to.
As shown in Fig. 3, the fingerprint probe event judgment system comprises a probe type discrimination module, a probe event database and a probe event classification module. The probe type discrimination module classifies probe packets by protocol type; the type tag is mainly one of four kinds, ICMP, IP, TCP and UDP, after which the probe packet is passed to the fingerprint probe event judgment system for subsequent operations. The probe event database holds pre-stored event feature sets for probes of the different protocols IP, TCP, UDP and ICMP. The probe event classification module matches the data judged by the probe type discrimination module against the probe event database: if it matches one of the entries, the execution steps of the MTD modification system corresponding to that event are carried out; if it matches none, a new event rule for the current probe type is added in the format of the event database; finally, the characteristic that this probe type seeks to probe is passed on to the next step, the characteristic value MTD modification system.
As shown in Fig. 4, the characteristic value MTD modification system comprises a value modification module for the corresponding characteristic. The characteristic value MTD modification system deceptively modifies the characteristic value that the current probe packet seeks to probe: if it is a numeric value, randomization is performed within a specified range; if it is a Boolean value, the current Boolean value is negated. Finally the modified result is encapsulated in the response packet format and returned to the fingerprinter.
As shown in Fig. 5, an event-triggered MTD protection method comprises the following steps:
using the fingerprint probe packet judgment system, on receiving a request packet from a client, to judge whether the packet is a normal service packet or a fingerprint probe packet that probes system characteristics; if it is judged to be a normal system service connection request packet, it is responded to directly without any processing and without triggering the protection mechanism; if it is judged to be a probe packet intended to obtain the current system characteristics and their values, the protection mechanism is triggered immediately to ensure that system characteristic information is not leaked;
using the fingerprint probe event judgment system to collect, store and judge fingerprint probe events; when it is judged that a probe packet has been received, the packet is first compared against the fingerprint probe event set to check whether it is already in the current event set; if it is, it is handled according to the handling method of that event; if it is not, the value of the characteristic that the probe packet wants to probe is randomized, and this type of probe behaviour is defined as a new event record and stored;
using the characteristic value MTD modification system, once fingerprint probing behaviour has been determined, to apply the MTD idea by performing randomization within a certain range or a Boolean transformation on the values of the probed characteristics, and then to encapsulate the changed characteristic values into a response packet that is returned to the fingerprinter.
As shown in Fig. 6, the packet parsing module, the packet type discrimination module, the packet destination port discrimination module and the packet content discrimination module cooperate to determine whether a packet is a normal service packet or a malicious probe packet as follows:
Step 1.1: the packet parsing module decapsulates the packet;
Step 1.2: the packet type discrimination module determines which protocol type the current packet belongs to among ICMP, TCP, UDP and IP. If it is ICMP, the current packet is defined directly as a probe packet, step 1.5 is performed and the type tag of the current probe packet is set to ICMP; if it is IP, the packet content discrimination module of step 1.4 is performed; if it is TCP or UDP, the packet destination port discrimination module of step 1.3 is performed;
Step 1.3: the packet destination port discrimination module determines whether the destination port in the packet is open. If it is open, the packet content discrimination module of step 1.4 is performed; if it is closed, the current packet is defined as a probe packet, step 1.5 is performed, and the type tag of the current probe packet is set to TCP or UDP according to the protocol type;
Step 1.4: the packet content discrimination module examines the data portion of the packet. If the data is empty, the current packet is defined as a probe packet and step 1.5 is performed; if the data is not empty, the current packet is treated as a normal service packet and a response packet is returned normally;
Step 1.5: the probe type discrimination module classifies the probe packet by protocol type, the type tag being mainly one of four kinds, ICMP, IP, TCP and UDP, and then passes the probe packet to the fingerprint probe event judgment system for subsequent operations.
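The decision tree of steps 1.2 to 1.5 written out as code, as an added example that is not the patent's own implementation. The `Packet` record stands in for what the step 1.1 parsing module would produce, the per-protocol open-port table, the field names and the sample packets are constructed for the example, and the four protocol names are used as the type tags the page names.

```python
"""Probe packet judgment of steps 1.2 to 1.5, as an added example.

Packet stands in for the output of the step 1.1 parsing module; the field
names, the open-port table and the sample traffic are constructed for this
example and are not the patent's own data structures."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class Packet:
    proto: str                  # "ICMP", "IP", "TCP" or "UDP" after decapsulation
    dst_port: Optional[int]     # None for ICMP and for a bare IP packet
    payload: bytes              # the data portion examined in step 1.4


@dataclass(frozen=True)
class Verdict:
    is_probe: bool
    tag: Optional[str]          # protocol tag assigned in step 1.5; None for normal traffic


# Ports the protected host listens on, per transport protocol (constructed).
OpenPorts = Dict[str, Set[int]]


def judge_packet(pkt: Packet, open_ports: OpenPorts) -> Verdict:
    """Steps 1.2 to 1.5: decide whether pkt is a probe and tag it by protocol."""
    # Step 1.2: branch on the protocol type.
    if pkt.proto == "ICMP":
        # Any ICMP request is defined as a probe outright.
        return Verdict(True, "ICMP")
    if pkt.proto in ("TCP", "UDP"):
        # Step 1.3: a packet addressed to a closed port is a probe, tagged by protocol.
        if pkt.dst_port not in open_ports.get(pkt.proto, set()):
            return Verdict(True, pkt.proto)
        return _judge_content(pkt)
    if pkt.proto == "IP":
        return _judge_content(pkt)
    raise ValueError(f"unsupported protocol type: {pkt.proto!r}")


def _judge_content(pkt: Packet) -> Verdict:
    """Step 1.4: an empty data portion marks a probe; anything else is normal traffic."""
    if len(pkt.payload) == 0:
        # Step 1.5: tag the probe with its protocol type.
        return Verdict(True, pkt.proto)
    return Verdict(False, None)


def judge_batch(packets: List[Packet], open_ports: OpenPorts) -> List[Verdict]:
    """Run the judgment over a list of parsed packets."""
    return [judge_packet(p, open_ports) for p in packets]


# Constructed sample traffic: the target is assumed to listen on TCP 80 and UDP 53.
SAMPLE_OPEN_PORTS: OpenPorts = {"TCP": {80}, "UDP": {53}}
SAMPLE_PACKETS = [
    Packet("TCP", 80, b"GET / HTTP/1.0\r\n\r\n"),  # normal service request
    Packet("TCP", 22, b""),                         # packet to a closed port
    Packet("UDP", 53, b""),                         # empty datagram to an open port
    Packet("ICMP", None, b""),                      # ICMP request
    Packet("IP", None, b"\x01\x02"),                # bare IP packet carrying data
]

if __name__ == "__main__":
    for pkt, v in zip(SAMPLE_PACKETS, judge_batch(SAMPLE_PACKETS, SAMPLE_OPEN_PORTS)):
        print(pkt.proto, pkt.dst_port, "probe" if v.is_probe else "normal", v.tag)
```

One point to keep in mind when implementing step 1.4 literally: every packet with an empty data portion sent to an open port is classed as a probe, and the SYN of a legitimate TCP handshake also carries no data. The page does not say how that case is told apart from the empty SYN probe of scenario 2, so a deployment has to make that decision explicitly (for instance by applying the content check only once a connection is established) rather than inherit it from the rule as written.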
As shown in Fig. 7, the probe event database is a pre-stored set of event features for probes of the different protocols IP, TCP, UDP, ICMP and so on. The probe event classification module matches the data judged by the probe type discrimination module against the probe event database: if it matches one of the entries, the execution steps of the MTD modification system corresponding to that event are carried out; if it matches none, a new event rule for the current probe type is added in the format of the event database; finally, the characteristic that this probe type seeks to probe is passed on to the next step, the characteristic value MTD modification system;
In the fingerprint probe event judgment system, the process by which the probe event classification module and the probe event database determine which probe event the current probe packet belongs to is as follows:
Step 2.1: the probe type tag of the probe packet is matched against the probe event database. If it is a known probe event, step 2.2 is performed; if it is an unknown probe event, a new event rule for the current probe type is added in the format of the event database, and finally the characteristic that this probe type seeks to probe is passed on to the next step, the characteristic value MTD modification system;
Step 2.2: having determined in step 2.1 that the current probe event matches a known probe event in the database, a switch match is performed and the MTD characteristic modification steps corresponding to the tag type are executed; for a TCP probe event, for example, MTD characteristic modification is applied to the characteristic values produced by the current TCP stack, such as the initial sequence number (ISN).
As shown in Fig. 8, the characteristic value MTD modification system deceptively modifies the characteristic value that the current probe packet seeks to probe: if it is a numeric value, randomization is performed within a specified range; if it is a Boolean value, the current Boolean value is negated. Finally the modified result is encapsulated in the response packet format and returned to the fingerprinter.
In the characteristic value MTD modification system, the process of deceptively modifying the characteristic values that the various probe events seek to probe is as follows:
Step 3.1: determine whether the characteristic value probed by the probe event is Boolean;
Step 3.2: if it is Boolean, perform a NOT operation to invert the current characteristic value, thereby deceiving the probe result; if it is not Boolean, perform step 3.3;
Step 3.3: if step 3.2 determined that the currently probed characteristic value is not Boolean but numeric, execute the randomization algorithm and randomly transform the current characteristic value within a range that does not affect normal system operation, so that the probe result follows no pattern from one probe to the next and the probe result is confused;
Step 3.4: encapsulate the modified characteristic value into a packet and return it to the prober.
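Steps 2.1 to 2.2 and 3.1 to 3.4 carried through together, as an added example rather than the patent's own code. Only the TCP ISN is named on the page as a probed characteristic; the other characteristic names, the "safe" numeric ranges, the layout of the event database (Table 1 is not reproduced on the page) and the `Response` record are constructed for the example, and the default range assigned to a previously unknown numeric characteristic is a constructed choice.

```python
"""Probe event judgment (steps 2.1 and 2.2) and characteristic value MTD
modification (steps 3.1 to 3.4), as an added example.

The event database layout, every characteristic name other than the TCP ISN,
the numeric ranges and the Response record are constructed for this example;
they are not the patent's Table 1 or its own code."""
import random
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple, Union

Value = Union[bool, int]


@dataclass(frozen=True)
class CharSpec:
    """How one probed characteristic may be deceptively modified."""
    kind: str       # "bool" or "numeric"
    lo: int = 0     # numeric only: inclusive lower bound of the safe range
    hi: int = 0     # numeric only: inclusive upper bound of the safe range


# Probe event database: protocol tag -> characteristic name -> modification spec.
EventDB = Dict[str, Dict[str, CharSpec]]


def make_event_db() -> EventDB:
    """Pre-stored event set. Only the TCP ISN entry is named on the page
    (step 2.2); the remaining entries and all ranges are constructed."""
    return {
        "TCP": {
            "isn": CharSpec("numeric", 0, 0xFFFFFFFF),        # 32-bit sequence space
            "window_size": CharSpec("numeric", 1024, 65535),  # constructed safe range
        },
        "IP": {"df_bit": CharSpec("bool")},
        "ICMP": {"echo_code_zero": CharSpec("bool")},
        "UDP": {},
    }


@dataclass(frozen=True)
class Response:
    """Step 3.4: the modified characteristic as encapsulated into the response."""
    tag: str
    characteristic: str
    value: Value


def new_rng(seed: Optional[int] = None) -> random.Random:
    """Randomness source for step 3.3 (seedable so runs can be reproduced)."""
    return random.Random(seed)


def mtd_modify(spec: CharSpec, true_value: Value, rng: random.Random) -> Value:
    """Steps 3.1 to 3.3: invert a Boolean, or randomize a number within its range."""
    if spec.kind == "bool":
        return not bool(true_value)              # step 3.2: NOT operation
    return rng.randint(spec.lo, spec.hi)         # step 3.3: randomization in range


def add_rule(db: EventDB, tag: str, characteristic: str, true_value: Value) -> CharSpec:
    """Step 2.1, unknown event: store a new rule in the database's format.
    Using the value's own bit width as the default range is a constructed choice."""
    if isinstance(true_value, bool):
        spec = CharSpec("bool")
    else:
        bits = max(8, int(true_value).bit_length())
        spec = CharSpec("numeric", 0, (1 << bits) - 1)
    db.setdefault(tag, {})[characteristic] = spec
    return spec


def handle_probe(db: EventDB, tag: str, characteristic: str,
                 true_value: Value, rng: random.Random) -> Tuple[Response, bool]:
    """Steps 2.1 and 2.2 for one probed characteristic. Returns the response and
    whether the event was already known. Each characteristic is handled on its
    own, independent of any other characteristic in the same probe packet."""
    spec = db.get(tag, {}).get(characteristic)   # step 2.1: match tag and characteristic
    known = spec is not None
    if not known:
        spec = add_rule(db, tag, characteristic, true_value)
    value = mtd_modify(spec, true_value, rng)    # step 2.2: modification for this event
    return Response(tag, characteristic, value), known


def observed_values(db: EventDB, tag: str, characteristic: str,
                    true_value: Value, rng: random.Random, probes: int) -> List[Value]:
    """What a prober repeating the same probe `probes` times would collect."""
    return [handle_probe(db, tag, characteristic, true_value, rng)[0].value
            for _ in range(probes)]


if __name__ == "__main__":
    db, rng = make_event_db(), new_rng()
    print(handle_probe(db, "TCP", "isn", 0x12345678, rng))
    print(handle_probe(db, "IP", "df_bit", True, rng))
    print(observed_values(db, "TCP", "isn", 0x12345678, rng, 5))
```

`handle_probe` treats each characteristic as its own event, which is the independence the page relies on to defeat tools that combine several probe results: a prober repeating the ISN probe collects a different value each time, while a Boolean characteristic is always answered with its inverse. The Boolean branch implements only the NOT of step 3.2; the randomized choice among NOT, XOR and other operations mentioned earlier on the page would replace the single line in `mtd_modify`.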
The event-triggered MTD protection system is characterized in that a single detection packet may probe several characteristic values of one protocol at the same time. The gist of the present invention is to define the probing of each characteristic value as its own event, so that the determination of each detection event and its MTD deceptive modification are independent of every other event; the likelihood that a tool such as Nmap, which combines the results of multiple detection events, identifies the correct fingerprint of the current operating system is thereby greatly reduced.
As shown in FIG. 1, the event-triggered MTD protection system of the present invention enables the protected host to deceive and confuse an attacker's operating system fingerprint detection and identification. According to the communication process by which the protected host establishes connections with other hosts, the protection process as a whole is divided into three scenarios:
Scenario 1 (normal business data communication: a Client requests a TCP connection to the Target under the relevant protocol; after the MTD protection system inspects the packet and confirms that it is not a detection packet, a normal response packet is returned to the Client);
Scenario 2 (the fingerprinting party Fingerprinter sends a TCP SYN detection packet with an empty data section to the target host Target; after the MTD protection system inspects the packet and confirms that it is a detection packet, the fingerprint MTD system is triggered, the characteristic values being probed are modified, and the result is encapsulated and returned to the Fingerprinter);
Scenario 3 (the Fingerprinter sends a UDP detection packet whose destination port is a closed port on the Target host; after the MTD protection system inspects the packet and confirms that it is a detection packet, the fingerprint MTD system is triggered, the port probed by the corresponding detection event is modified to appear open, and a corresponding UDP response packet is encapsulated and returned to the Fingerprinter).
Scenario 1: a normal Client requests communication with the target host and the MTD protection mechanism is not triggered. The specific steps are as follows:
1) The Client first sends a TCP SYN packet to the target host Target;
2) The Target decapsulates the packet using the packet parsing module of the event-triggered MTD protection system;
3) The packet type discrimination module identifies the current packet as TCP;
4) The packet content discrimination module finds that the content of the current TCP packet is not empty, so it is not a detection packet and the detection-event detection and protection mechanism need not be triggered;
5) Finally, the TCP SYN packet is answered with an ACK+SYN packet, the normal business response packet type.
Scenario 2: the Target counters a TCP SYN detection packet from the Fingerprinter. The specific steps are as follows:
1) The Fingerprinter sends a TCP SYN detection packet to the target host Target, in which the data section is empty;
2) The Target decapsulates the packet using the packet parsing module of the event-triggered MTD protection system;
3) The packet type discrimination module identifies the current packet as TCP;
4) The packet destination-port discrimination module finds that the destination port of the current packet is open;
5) The packet content discrimination module finds that the content of the current TCP packet is empty and therefore determines that it is a detection packet, which triggers the detection-event detection and protection mechanism;
6) The packet feature discrimination module sets the type tag of the current detection packet to TCP SYN detection and passes the parameters to the fingerprint detection event determination system;
7) The fingerprint detection event determination system matches the TCP SYN detection tag of the packet against the detection event database and learns that the current detection event is an already known one;
8) Through a switch match, the fingerprint detection event determination system identifies the characteristic values probed by the current TCP SYN detection event, namely ISN (initial sequence number, 32 bit), ACK number (32 bit), urgent pointer (16 bit), window size (16 bit), the SYN flag (1 bit) and checksum (16 bit), and passes these parameters to the characteristic value MTD modification system;
9) The characteristic value MTD modification system checks each of ISN, ACK number, urgent pointer, window size, the SYN flag (1 bit) and checksum for whether it is Boolean; only the SYN flag (1 bit) is Boolean, all other characteristics are numeric;
10) The characteristic value MTD modification system negates the SYN value in the current flags and applies the randomization computation to the values of the other characteristics;
11) The characteristic value MTD modification system encapsulates the modified characteristic values into an ACK+SYN packet and returns it to the Fingerprinter.
Scenario 3: the Target counters a UDP detection packet from the Fingerprinter aimed at a closed destination port. The operations are as follows:
1) The Fingerprinter sends a UDP detection packet to the target host Target whose destination port is a closed port on the Target;
2) The Target decapsulates the packet using the packet parsing module of the event-triggered MTD protection system;
3) The packet type discrimination module identifies the current packet as UDP;
4) The packet destination-port discrimination module finds that the destination port of the current packet is closed and defines the current packet as a detection packet;
5) The packet feature discrimination module sets the type tag of the current detection packet to UDP detection and passes the parameters to the fingerprint detection event determination system;
6) Through a switch match, the fingerprint detection event determination system identifies the characteristic values probed by the current UDP detection event, namely IPID (identification, 16 bit) and length (16 bit), and passes these parameters to the characteristic value MTD modification system;
7) The characteristic value MTD modification system checks whether the two characteristics IP ID and length are Boolean; both are numeric;
8) The characteristic value MTD modification system applies the randomization computation to the current characteristic values;
9) The characteristic value MTD modification system encapsulates the modified characteristic values into a UDP response packet and returns it to the Fingerprinter.
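The three scenarios and modification steps 3.1 to 3.4 combined into one event-triggered decision pipeline, as an added Python example that is not code from the patent: the detection-event database, the open-port sets and the "safe" randomization ranges are constructed assumptions, and the returned dict stands in for the encapsulated response packet.

```python
import random

# Constructed detection-event database (an assumption, not the patent's data):
# event tag -> characteristic -> (kind, range that keeps the reply well-formed).
EVENT_DB = {
    "TCP SYN detection": {
        "ISN": ("numeric", (0, 2**32 - 1)),
        "ACK number": ("numeric", (0, 2**32 - 1)),
        "urgent pointer": ("numeric", (0, 2**16 - 1)),
        "window size": ("numeric", (1024, 65535)),
        "SYN flag": ("boolean", None),
        "checksum": ("numeric", (0, 2**16 - 1)),
    },
    "UDP detection": {
        "IPID": ("numeric", (0, 2**16 - 1)),
        "length": ("numeric", (8, 1472)),
    },
}
OPEN_TCP_PORTS = {22, 80}   # constructed view of the Target's open ports
OPEN_UDP_PORTS = {53}


def classify_packet(proto, dst_port, payload):
    """Type / destination-port / content discrimination: returns the
    detection-event tag, or None for ordinary business traffic."""
    if proto == "TCP":
        # Scenario 2: open destination port and empty data section -> probe;
        # scenario 1: non-empty content -> normal business packet.
        if dst_port in OPEN_TCP_PORTS and len(payload) == 0:
            return "TCP SYN detection"
        return None
    if proto == "UDP":
        # Scenario 3: a UDP packet to a closed port is itself the probe.
        return "UDP detection" if dst_port not in OPEN_UDP_PORTS else None
    return None


def mtd_modify(tag, true_values, rng=random):
    """Steps 3.1-3.3: negate Boolean characteristics, randomize numeric ones
    within their safe range; every event is modified independently."""
    modified = {}
    for name, (kind, bounds) in EVENT_DB[tag].items():
        if kind == "boolean":
            modified[name] = not true_values[name]   # step 3.2
        else:
            modified[name] = rng.randint(*bounds)    # step 3.3
    return modified


def handle_packet(proto, dst_port, payload, true_values, rng=random):
    """Step 3.4: the dict stands in for the encapsulated response packet."""
    tag = classify_packet(proto, dst_port, payload)
    if tag is None:
        return {"response": "normal", "values": dict(true_values)}
    return {"response": "mtd", "tag": tag,
            "values": mtd_modify(tag, true_values, rng)}
```

Because the numeric characteristics are redrawn on every probe, two identical SYN probes generally receive different ISN, window and IPID values, which is what defeats a fingerprint database keyed on stable values.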
The above are merely preferred embodiments of the present invention and are not intended to limit it; any modification, equivalent replacement, improvement, etc. made within the spirit and principles of the present invention shall fall within the scope of protection of the present invention.
Claims (9)
Priority Applications (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201510233838.XA CN104917757A (en) | 2015-05-08 | 2015-05-08 | Event-triggered MTD protection system and method |
CN201510515982.2A CN105227540B (en) | 2015-05-08 | 2015-08-20 | The MTD guard systems and method of a kind of event-triggered |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201510233838.XA CN104917757A (en) | 2015-05-08 | 2015-05-08 | Event-triggered MTD protection system and method |
Publications (1)
Publication Number | Publication Date |
---|---|
CN104917757A true CN104917757A (en) | 2015-09-16 |
Family
ID=54086463
Family Applications (2)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201510233838.XA Pending CN104917757A (en) | 2015-05-08 | 2015-05-08 | Event-triggered MTD protection system and method |
CN201510515982.2A Expired - Fee Related CN105227540B (en) | 2015-05-08 | 2015-08-20 | The MTD guard systems and method of a kind of event-triggered |
Family Applications After (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201510515982.2A Expired - Fee Related CN105227540B (en) | 2015-05-08 | 2015-08-20 | The MTD guard systems and method of a kind of event-triggered |
Country Status (1)
Country | Link |
---|---|
CN (2) | CN104917757A (en) |
Cited By (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN110113333A (en) * | 2019-04-30 | 2019-08-09 | 中国人民解放军战略支援部队信息工程大学 | A kind of ICP/IP protocol fingerprint mobilism processing method and processing device |
CN110431374A (en) * | 2017-01-18 | 2019-11-08 | 瑞尼斯豪公司 | Machine tool device |
CN113765728A (en) * | 2020-06-04 | 2021-12-07 | 深信服科技股份有限公司 | Network detection method, device, equipment and storage medium |
Families Citing this family (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN112702363A (en) * | 2021-03-24 | 2021-04-23 | 远江盛邦(北京)网络安全科技股份有限公司 | Node hiding method, system and equipment based on deception |
Family Cites Families (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
GB2507202B (en) * | 2011-04-11 | 2014-11-19 | Bluecava Inc | Thick client and thin client integration |
CN103312689B (en) * | 2013-04-08 | 2017-05-24 | 西安电子科技大学 | Network hiding method for computer and network hiding system based on method |
CN104519068A (en) * | 2014-12-26 | 2015-04-15 | 赵卫伟 | Moving target protection method based on operating system fingerprint jumping |
Cited By (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN110431374A (en) * | 2017-01-18 | 2019-11-08 | 瑞尼斯豪公司 | Machine tool device |
US11209258B2 (en) | 2017-01-18 | 2021-12-28 | Renishaw Plc | Machine tool apparatus |
US11674789B2 (en) | 2017-01-18 | 2023-06-13 | Renishaw Plc | Machine tool apparatus |
CN110113333A (en) * | 2019-04-30 | 2019-08-09 | 中国人民解放军战略支援部队信息工程大学 | A kind of ICP/IP protocol fingerprint mobilism processing method and processing device |
CN113765728A (en) * | 2020-06-04 | 2021-12-07 | 深信服科技股份有限公司 | Network detection method, device, equipment and storage medium |
Also Published As
Publication number | Publication date |
---|---|
CN105227540A (en) | 2016-01-06 |
CN105227540B (en) | 2018-05-08 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN107135093B (en) | Internet of things intrusion detection method and detection system based on finite automaton | |
Paudel et al. | Detecting DoS attack in smart home IoT devices using a graph-based approach | |
US7835390B2 (en) | Network traffic identification by waveform analysis | |
KR102222377B1 (en) | Method for Automatically Responding to Threat | |
US8042182B2 (en) | Method and system for network intrusion detection, related network and computer program product | |
Düssel et al. | Cyber-critical infrastructure protection using real-time payload-based anomaly detection | |
KR101236822B1 (en) | Method for detecting arp spoofing attack by using arp locking function and recordable medium which program for executing method is recorded | |
US20030084326A1 (en) | Method, node and computer readable medium for identifying data in a network exploit | |
CN105429963A (en) | Intrusion Detection and Analysis Method Based on Modbus/Tcp | |
KR102244036B1 (en) | Method for Classifying Network Asset Using Network Flow data and Method for Detecting Threat to the Network Asset Classified by the Same Method | |
EP2517437A1 (en) | Intrusion detection in communication networks | |
CN113079150B (en) | Intrusion detection method for power terminal equipment | |
CN109600362B (en) | Zombie host recognition method, device and medium based on recognition model | |
Kiflay et al. | A network intrusion detection system using ensemble machine learning | |
CN113765846B (en) | Intelligent detection and response method and device for network abnormal behaviors and electronic equipment | |
CN104917757A (en) | Event-triggered MTD protection system and method | |
KR101488271B1 (en) | Apparatus and method for ids false positive detection | |
Li et al. | ZPA: A smart home privacy analysis system based on ZigBee encrypted traffic | |
CN112367315A (en) | Endogenous safe WAF honeypot deployment method | |
CN113079180B (en) | Execution context based firewall fine-grained access control method and system | |
KR100977827B1 (en) | Connection detection device and method of malicious web server system | |
CN106878338B (en) | Remote control equipment gateway firewall integrated machine system | |
KR100951930B1 (en) | Method and apparatus for classifying inappropriate packet | |
KR102847939B1 (en) | A method and an appratus for mail security firewall | |
Chen et al. | A novel network intrusion prevention system based on Android platform |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
C02 | Deemed withdrawal of patent application after publication (patent law 2001) | ||
WD01 | Invention patent application deemed withdrawn after publication |
Application publication date: 20150916 |