
Research And Implementation Of The Active Network Defense Technology Based On Deception

Posted on: 2008-02-17
Degree: Doctor
Type: Dissertation
Country: China
Candidate: L Yao
Full Text: PDF
GTID: 1118360302469111
Subject: Communication and Information System

Abstract/Summary:
Network deception is playing a more and more important role in network security, and has become an indispensable part of information warfare and network confrontation in particular. This paper works on network deception technology. It presents a frame of active network defense architecture based on deception and develops a defensive network deception system model according to the practical requirements of military network confrontation and computer network protection. Several key technologies are researched in this paper, including network service simulation, vulnerability forgery and the interception of operations at kernel level. According to the DNDS model, an active network defense system based on deception is implemented, and the test results of this system are given in detail. The main research work and contributions of this paper include:

(1) A frame of active network defense architecture based on deception is proposed. On the basis of the existing architecture, it develops an information assurance architecture with initiative and active elements by combining security defense with deception and counterattack. Deception and control are the core of the architecture.

(2) A defensive network deception system (DNDS) model based on a deception-in-depth policy is presented. The model is composed of five layers: network service simulation, vulnerability forgery, operation control, file system mirror and information deception. Following the interaction process with hackers, the DNDS model implements deception and control at each stage of an intrusion, which breaks the single-layer deception limitation of general honeypots. This clearly raises the level of deception and interaction and ensures security.

(3) A network service simulation and vulnerability forgery technique is presented. This technique simulates common network service programs and vulnerabilities to lure and deceive the intruder. It provides the same access, scanning and attack behaviour as the real service and vulnerability do, while the intruder's activity is monitored. Test and application results indicate that this technique not only raises the level of interaction and deception, but also improves security by leading network attacks onto a controllable and predefined track.

(4) Two techniques for intercepting operations at kernel level are proposed. On Windows, Win32 function calls are intercepted with the Microsoft Detours package; by capturing the operating system's kernel calls, the intruder's host operations are controlled and redirected. On Linux, the chroot mechanism and loadable kernel modules (LKM) are used to hide sensitive system data and processes and to build a secure and controllable deception environment.

(5) The SJ0225 active network defense system based on deception is implemented. The system provides WWW and FTP services with several forged typical vulnerabilities and creates the deceiving operating environment on both Windows and Linux. File system mirror and information deception are also implemented, so the system realizes the five layers of deception-in-depth and control tactics. Furthermore, a benchmark test technique based on a network attack description language (NADL) is proposed. Application and test results show that the system is able to deceive and control the whole process of a network intrusion. The deception host allows the intruder to enter the deception environment only through the specific paths it offers, such as simulated network services and forged vulnerabilities, so that the intruder's host operations, file system accesses and information fetches are all kept under control without his awareness.
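The service simulation and vulnerability forgery layer of item (3), and the FTP service of item (5), can be illustrated with a small simulated FTP daemon that answers like a real server, accepts any password as its forged weakness, serves a fake directory and records every command for the defender. The Python below is an added example and is not code from the dissertation or from the SJ0225 system; the banner string, the fake listing, the 256-byte probe threshold and the event format are assumptions chosen for this illustration.

```python
"""Simulated FTP service in the spirit of the DNDS service-simulation layer.

Added example, not the dissertation's or SJ0225's code. Banner, listing,
probe threshold and event format are assumptions made for the illustration.
"""
import json
import socket
import threading
import time
from dataclasses import dataclass, field
from typing import List, Optional

# Assumed lure values: an old-looking banner and a plausible directory listing.
FAKE_BANNER = "220 ProFTPD 1.2.9 Server (ftp.corp.example) [203.0.113.10]"
FAKE_LISTING = [
    "drwxr-xr-x   2 root  root   4096 Mar 01 09:12 backup",
    "-rw-r--r--   1 root  root  18342 Mar 01 09:15 passwd.bak",
    "-rw-------   1 root  root    512 Feb 27 17:40 config.ini",
]
MAX_ARG_LEN = 256  # assumed threshold above which an argument is logged as a probe


@dataclass
class Session:
    peer: str
    user: Optional[str] = None
    authenticated: bool = False
    events: List[dict] = field(default_factory=list)


def handle_command(session: Session, line: str) -> str:
    """Log one client command and return the reply the fake daemon sends."""
    line = line.rstrip("\r\n")
    verb, _, arg = line.partition(" ")
    verb = verb.upper()
    event = {"ts": round(time.time(), 3), "peer": session.peer,
             "cmd": verb, "arg_len": len(arg), "flag": None}
    # Detection rather than forgery: an overlong argument is typical of a
    # probe for an overflow, so tag it and answer with an ordinary error.
    if len(arg) > MAX_ARG_LEN:
        event["flag"] = "overlong-argument"
        session.events.append(event)
        return "550 %s: No such file or directory" % verb
    session.events.append(event)

    if verb == "USER":
        session.user = arg or "anonymous"
        return "331 Password required for %s" % session.user
    if verb == "PASS":
        if session.user is None:
            return "503 Login with USER first"
        session.authenticated = True  # forged weakness: every password is accepted
        return "230 User %s logged in" % session.user
    if verb == "QUIT":
        return "221 Goodbye"
    if not session.authenticated:
        return "530 Please login with USER and PASS"
    if verb == "PWD":
        return '257 "/" is the current directory'
    if verb == "CWD":
        return "250 CWD command successful"
    if verb == "LIST":
        # Simplification: the listing is sent over the control connection so
        # the simulation needs only one socket; real FTP uses a data channel.
        return "\r\n".join(["150 Opening ASCII mode data connection",
                            *FAKE_LISTING, "226 Transfer complete"])
    if verb == "RETR":
        # Nothing real is ever served; the refusal keeps the intruder probing.
        return "550 %s: Permission denied" % arg
    return "500 '%s': command not understood" % line


def summarize(session: Session) -> dict:
    """Defender-side view of a session: what was tried and what was flagged."""
    return {"peer": session.peer,
            "commands": [e["cmd"] for e in session.events],
            "logged_in": session.authenticated,
            "probes": sum(1 for e in session.events if e["flag"])}


def _client(conn: socket.socket, peer: str) -> None:
    session = Session(peer=peer)
    try:
        conn.sendall((FAKE_BANNER + "\r\n").encode())
        buf = b""
        while True:
            data = conn.recv(4096)
            if not data:
                break
            buf += data
            while b"\n" in buf:
                raw, buf = buf.split(b"\n", 1)
                reply = handle_command(session, raw.decode("latin-1"))
                conn.sendall((reply + "\r\n").encode())
                if reply.startswith("221"):
                    return
    finally:
        conn.close()
        print(json.dumps(summarize(session)))  # one JSON record per session


def serve(host: str = "127.0.0.1", port: int = 2121) -> None:
    """Listen on an unprivileged port and hand each connection to a thread."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, port))
    srv.listen(5)
    while True:
        conn, addr = srv.accept()
        threading.Thread(target=_client, args=(conn, addr[0]), daemon=True).start()


if __name__ == "__main__":
    serve()
```

Run it and connect with any FTP client on port 2121: the banner and reply codes follow the usual FTP conventions, every password succeeds, the listing is fabricated, and each closed session emits one JSON summary that a SIEM can ingest. The per-command event log is the part that matters for the defender; the forged weakness only exists so that the intruder keeps interacting long enough to be observed.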
Keywords/Search Tags: Network Deception, Active Defense, Network Service Simulation, Vulnerability Forgery, Operation Control