Design and Implementation of Mimic Defense Web Server

Fund Project: National Key R&D Program of China (2016YFB0800104); National Natural Science Foundation of China (61572520); Science and Technology Committee of Shanghai Municipal Research Project (14DZ1105300)

Abstract:

As an important platform for hosting and delivering network services, the Web server system faces increasingly serious security problems. Existing defense technologies rely mainly on known attack methods or known vulnerability information, so they cope poorly with unknown attacks and cannot protect the Web server system comprehensively. This paper first proposes an attack chain model and uses it to analyze the problems and shortcomings of existing technologies. On this basis, it proposes a mimic defense model based on the "dynamic heterogeneous redundancy" structure and describes the model's defense principles and characteristics. A mimic defense Web server is then built on the mimic defense model; its architecture is introduced and the implementation of the mimic principles on the Web server is analyzed. Security and performance test results show that the mimic defense Web server defends against all attack types in the tests at a small overhead, which shows that it effectively improves system security and verifies the effectiveness and feasibility of mimic defense technology. Finally, the future research prospects and challenges of mimic defense technology are discussed.

Cite this article

仝青, 张铮, 张为华, 邬江兴. Design and Implementation of Mimic Defense Web Server. Journal of Software (软件学报), 2017, 28(4): 883-897

History
  • Received: 2016-06-19
  • Last revised: 2016-09-08
  • Published online: 2017-01-24