
Policy Tree Based Proactive Defense Model For Network Security

Posted on: 2005-12-08
Degree: Doctor
Type: Dissertation
Country: China
Candidate: F Zhang
Full Text: PDF
GTID: 1118360125463943
Subject: Computer application technology
Abstract/Summary:
Requirements for security are shifting from information security to information assurance. Traditional passive protection cannot adapt to this new situation, so enhanced defense and proactive defense have been proposed. Enhanced defense improves the robustness and survivability of an information system: it prevents an attacker from damaging the system even after he has broken through one or several, but not all, of its layers. Proactive defense incorporates enhanced defense and is far more active than traditional defense: it predicts intrusion trends, gathers information about the attacker, and dynamically evaluates and responds to intrusions. This reflects the adversarial, counteracting nature of network security. At present, building a proactive defense system remains a challenge because there are no well-established theories to support it.

This dissertation studies the supporting theories and technologies of proactive defense. It covers a policy-tree-based proactive defense model, a large-scale intrusion detection method, threat assessment metrics for coordinated attacks, an early warning scheme for network security, active and passive response technologies, and applications of the proactive defense model. The contributions of this dissertation are:

Proposing a formal model for proactive defense based on a policy tree. The model is formally defined in the Z language, and its completeness, correctness and consistency are analyzed. A complete construction method, an abstraction for correctness validation and a consistency checking method for security policies are proposed. The policy-tree model gives theoretical and methodological support for proactive defense. A proactive defense system based on this model can detect known attacks and large-scale intrusions, predict unknown attacks and security trends, and respond effectively according to threat assessment.

Proposing a detection method for large-scale intrusions. Building on traditional intrusion detection, NASTQ is proposed to represent the network segment distribution, service distribution and attack type distribution of an intrusion incident. NASTQ makes alerts simpler and more comprehensive. The threat assessment metrics for coordinated intrusions evaluate threat according to an initial value, the attacker distribution, the attack frequency and the value of the protected target.

Proposing an early warning scheme for network security. The scheme consists of the Intrusion-Event-based Early Warning method (IEEW) and the Sampling-Measurement-based Early Warning method (SMEW), suited to long-term and short-term security trend prediction respectively. IEEW predicts future occurrences of intrusions from statistical data; it performs better on periodic attacks than on non-periodic ones and is especially suitable for DoS attacks. SMEW builds a characterization of normal traffic and predicts unknown attacks from anomalous traffic.

Proposing an Intrusion Response Technical Architecture (IRTA). Most active intrusion response technologies are covered and classified according to how they control the attacker and protect the target, including packet-marking-based IP traceback, attack interdiction, attack absorption and redirection, honeypots and service switching. An effective intrusion response system can be built on the proactive defense model and IRTA.

Building applications on the above proactive defense model. A proactive defense system, a strategic early warning system and a monitoring and administration system for network systems are investigated, and a new methodology for assessing proactive defense capability is proposed. An automated attack system for information warfare is designed as the counterpart application of the proactive defense model.
Keywords/Search Tags: Proactive Defense, Policy Tree Model, Large-scale Intrusion Detection, Intrusion Prediction, Intrusion Response