
Research On Dynamic Hybrid Virtual Network For Proactive Intrusion Prevention

Posted on: 2015-04-03
Degree: Doctor
Type: Dissertation
Country: China
Candidate: J Q Di
Full Text: PDF
GTID: 1228330434455806
Subject: Forestry engineering automation

Abstract/Summary:
With the rapid development of computer networks, hackers' attack techniques have become more sophisticated and volatile; attack tools are easier to obtain and attacks easier to launch, intrusion activity is increasingly prevalent, and network security problems are becoming steadily more serious and prominent. The network security defenses currently available consist mainly of firewalls, intrusion detection systems, authentication, data encryption and decryption, vulnerability scanning and anti-virus software. However, no single security technology can by itself ensure the security of a network and its systems, and most of these technologies are passive and act only after the fact.

To address these problems, this dissertation proposes integrating five network security technologies, namely network visualization, honeypots, automatic attack signature generation, Snort intrusion detection and firewall linkage, to design and implement a dynamic hybrid virtual network framework that can be deployed at any level of a network to provide proactive, real-time intrusion prevention. The main research achievements of this thesis are as follows:

(1) A passive server discovery method based on NetFlow is presented that continuously and accurately detects the entire population of servers in a given network. It defines and implements six heuristic judgement functions that reassemble unidirectional flows into connection-oriented bidirectional flows; the three resulting flow types are then analyzed, and four types of end points are extracted from the output. This approach provides a simple and efficient way to gain visibility of the services running in large-scale networks.

(2) A scanning module for the framework that combines active probing with passive detection techniques is proposed. The influence of the Nmap active scanning interval, the number of concurrent threads and other parameters on scan convergence time, resource requirements and the physical network is analyzed in detail, so that the cooperative scans identify the physical network topology and host configurations rapidly and accurately, track changes in the physical network configuration automatically, and at the same time keep the impact on the physical network and the consumption of system resources as low as possible. Furthermore, the front-end low-interaction honeypot network based on Honeyd is configured and updated automatically from the output of the scanning module, and the effect of the number of free IP addresses and the percentage of reserved IP addresses on the probability that the virtual network attracts attacks is investigated in particular. Deriving the number of virtual hosts and the IP address, operating system, open ports and service configuration of each virtual host from the state of the physical network in this way ensures that the virtual network is both deceptive and faithful to its surroundings.

(3) A virtual network composed of a large number of front-end low-interaction honeypots and a small number of high-interaction honeypots is presented to attract attacks and gather information effectively. A multi-module combinational decision strategy consisting of six basic decision modules is developed to transparently forward valuable traffic that exceeds the interaction limit of the front-end low-interaction honeypots to the back-end high-interaction honeypots. The front-end and back-end honeypots of the virtual network extract attack signatures simultaneously, so that their automatic signature generation is complementary, and a novel signature refinement algorithm is introduced that reduces the number of generated signatures by deleting repetitious signatures and eliminating redundant information from them. The empirical results show that the virtual network framework can effectively extract attack signatures, compress signature size and improve the usability of the generated signatures.

(4) Focusing on the Windows platform, a linkage module is designed and developed that uses the Snort intrusion detection system together with either a Windows host or a Cisco router to prevent intrusions actively. On the host side, Snort uses the IPSec filter or the firewall built into Windows to implement the linkage response: as soon as Snort detects a dangerous alert, the linkage module automatically configures the IP filter or firewall to filter the corresponding inbound and outbound packets. The experimental results indicate that this cooperative approach can block dangerous traffic effectively without using any third-party firewall or modifying the Windows kernel. On the router side, the linkage is based on the router's access control list: when Snort detects a dangerous alert, the linkage module automatically selects the router at the appropriate position in the network topology and updates the corresponding router ACL to block the malicious traffic from the attacker. Tests with three kinds of intrusion IP show that the Cisco-router-based linkage mechanism successfully isolates and controls packets coming from dangerous IPs without modifying the existing topology or adding any new hardware.

The virtual network framework designed and implemented in this dissertation can actively decoy purposeful network attacks, make it hard for attackers to distinguish the real targets, hold attacks in the virtual hosts and networks for as long as possible, resist diverse network attacks including network scanning, DoS and DDoS, deplete the attacker's resources, gain time to protect the real network and expand the scope of active defense. At the same time, the framework can effectively collect and analyze information about attacks, learn the attackers' motivation, tools and patterns of activity in the hacker community, capture viruses and worms, and provide data for analyzing and countering complex attacks, including distributed denial of service. Furthermore, the virtual network can detect new attacks and automatically extract the corresponding attack signatures to supplement Snort's rule library. Using these new rules, Snort configures the firewall or router through the firewall linkage technology to shield intrusion data and filter dangerous packets, thereby achieving active intrusion prevention and enhancing the security of the system as a whole.
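Contribution (1) above describes reassembling unidirectional NetFlow records into bidirectional flows and extracting server end points from them. The following Python script is an added illustration of that idea, not code from the dissertation: the thesis's six heuristic functions and its flow and end-point taxonomies are not reproduced on this page, so the pairing rule, the SYN/port heuristics, the three connection types, the four end-point roles, the scanner threshold and the sample records are all this example's own assumptions.

```python
"""Passive server discovery from NetFlow records (added example, not the
dissertation's code). Pairs unidirectional records into bidirectional
connections, classifies each connection and extracts server end points.
The rules and categories below are this example's assumptions.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Optional

TCP, UDP = 6, 17
SYN, ACK = 0x02, 0x10      # NetFlow v5 tcp_flags bits
SCAN_THRESHOLD = 3         # assumed: unanswered connections that mark a source as a scanner


@dataclass
class Flow:
    """One unidirectional NetFlow record (subset of NetFlow v5 fields)."""
    src: str
    sport: int
    dst: str
    dport: int
    proto: int
    first: int          # flow start, ms
    packets: int
    flags: int = 0      # cumulative TCP flags, 0 for UDP


def _undirected_key(f: Flow):
    """Same key for both halves of one connection."""
    a, b = (f.src, f.sport), (f.dst, f.dport)
    return (min(a, b), max(a, b), f.proto)


def pair_flows(flows):
    """Group records by undirected 5-tuple; return (earliest half, matching half or None)."""
    buckets = defaultdict(list)
    for f in flows:
        buckets[_undirected_key(f)].append(f)
    pairs = []
    for recs in buckets.values():
        recs.sort(key=lambda f: f.first)   # extra records of a long connection are ignored here
        pairs.append((recs[0], recs[1] if len(recs) > 1 else None))
    return pairs


def initiator_is_src(fwd: Flow, rev: Optional[Flow]) -> bool:
    """Assumed heuristics, in order: a SYN without ACK marks the client's half;
    otherwise the lower port number is taken as the service port."""
    if fwd.proto == TCP:
        if fwd.flags & SYN and not fwd.flags & ACK:
            return True
        if rev is not None and rev.flags & SYN and not rev.flags & ACK:
            return False
    return fwd.sport > fwd.dport


def discover(flows):
    """Return (servers, roles): servers counts answered connections per (ip, proto, port);
    roles maps ip -> set drawn from 'server', 'client', 'probed', 'scanner'."""
    servers, roles, unanswered = Counter(), defaultdict(set), Counter()
    for fwd, rev in pair_flows(flows):
        src_opened = initiator_is_src(fwd, rev)
        if src_opened:
            client, server, port = fwd.src, fwd.dst, fwd.dport
        else:
            client, server, port = fwd.dst, fwd.src, fwd.sport
        # connection types: complete (both halves), unanswered (client half only),
        # response_only (server half only, e.g. the request record was lost in sampling)
        if rev is not None:
            kind = "complete"
        elif src_opened:
            kind = "unanswered"
        else:
            kind = "response_only"
        if kind == "unanswered":
            roles[server].add("probed")
            unanswered[client] += 1
        else:
            servers[(server, fwd.proto, port)] += 1
            roles[server].add("server")
            roles[client].add("client")
    for ip, n in unanswered.items():
        if n >= SCAN_THRESHOLD:
            roles[ip].add("scanner")
    return servers, dict(roles)


SAMPLE_FLOWS = [  # constructed records, not real export data
    Flow("10.1.1.20", 51234, "10.1.1.5", 80, TCP, 100, 6, SYN | ACK),   # web request
    Flow("10.1.1.5", 80, "10.1.1.20", 51234, TCP, 101, 5, SYN | ACK),   # and its reply
    Flow("10.1.1.21", 40000, "10.1.1.2", 53, UDP, 200, 1),              # DNS query
    Flow("10.1.1.2", 53, "10.1.1.21", 40000, UDP, 201, 1),              # DNS answer
    Flow("10.1.1.99", 44001, "10.1.1.5", 22, TCP, 300, 1, SYN),         # three unanswered SYNs
    Flow("10.1.1.99", 44002, "10.1.1.5", 23, TCP, 301, 1, SYN),
    Flow("10.1.1.99", 44003, "10.1.1.5", 3389, TCP, 302, 1, SYN),
    Flow("10.1.1.5", 443, "10.1.1.22", 52000, TCP, 400, 4, ACK),        # reply whose request was lost
]

if __name__ == "__main__":
    servers, roles = discover(SAMPLE_FLOWS)
    for (ip, proto, port), n in sorted(servers.items()):
        print(f"server {ip} {'tcp' if proto == TCP else 'udp'}/{port}: {n} connection(s)")
    for ip, r in sorted(roles.items()):
        print(ip, sorted(r))
```

Unanswered SYNs never create a server entry, so a port scan against 10.1.1.5 does not inflate its service list, while the lone reply record on port 443 is still credited to the server even though the request half is missing; sampled exports lose records like that routinely, which is why the response-only case needs handling.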
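Contribution (4) above describes a linkage module that turns a Snort alert into a Windows host-firewall rule or a Cisco router ACL entry. The following Python script is an added illustration, not the dissertation's linkage module: the Snort fast-alert line format and the `netsh advfirewall` and `access-list` command syntax are real, but the priority threshold, the protected-address list, the subnet-to-router map, the ACL number and the sample alert lines are constructed assumptions, and the commands are only rendered as strings, not executed.

```python
"""Snort alert to firewall/router linkage (added example, not the
dissertation's module). Parses Snort's fast alert format, applies a block
policy and renders blocking commands for a Windows host firewall and a
Cisco router ACL. Threshold, router map, allow list and ACL number are assumed.
"""
import ipaddress
import re
from dataclasses import dataclass

# Snort alert_fast line, e.g.
# 01/15-10:02:33.123456  [**] [1:1000001:1] MSG [**] [Classification: C] [Priority: 2] {TCP} 203.0.113.7:54321 -> 10.1.1.5:22
FAST_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r"(?:\s+\[Classification:\s*(?P<cls>[^\]]*)\])?"
    r"\s+\[Priority:\s*(?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$"
)


@dataclass(frozen=True)
class Alert:
    sid: int
    msg: str
    priority: int
    proto: str
    src: str
    dst: str


def parse_fast_alert(line):
    """Return an Alert for one fast-format line, or None if it does not parse."""
    m = FAST_RE.match(line.strip())
    if not m:
        return None
    return Alert(int(m["sid"]), m["msg"], int(m["prio"]), m["proto"], m["src"], m["dst"])


BLOCK_PRIORITY = 2   # assumed: Snort priority 1 (highest) and 2 trigger the linkage
# Assumed: addresses that are never blocked, so a spoofed or noisy alert cannot
# turn the linkage into a self-inflicted denial of service against own hosts.
NEVER_BLOCK = [ipaddress.ip_network("10.1.1.0/24")]
# Assumed topology: which router's ACL sits in front of which subnet.
ROUTER_FOR_SUBNET = {
    ipaddress.ip_network("10.1.1.0/24"): "rtr-dmz",
    ipaddress.ip_network("10.2.0.0/16"): "rtr-core",
}


def should_block(alert):
    if alert.priority > BLOCK_PRIORITY:
        return False
    src = ipaddress.ip_address(alert.src)
    return not any(src in net for net in NEVER_BLOCK)


def host_firewall_commands(ip):
    """Windows Advanced Firewall rules blocking the source in both directions."""
    name = f"snort-linkage-{ip}"
    return [
        f'netsh advfirewall firewall add rule name="{name}" dir=in action=block remoteip={ip}',
        f'netsh advfirewall firewall add rule name="{name}" dir=out action=block remoteip={ip}',
    ]


def router_acl_commands(ip, dst, acl=101):
    """Pick the router whose subnet contains the victim and render a deny entry
    for an extended Cisco ACL (re-applying the ACL to the interface is out of scope)."""
    victim = ipaddress.ip_address(dst)
    router = next((r for net, r in ROUTER_FOR_SUBNET.items() if victim in net), None)
    if router is None:
        return None, []
    return router, [f"access-list {acl} deny ip host {ip} any log"]


class Linkage:
    """Tracks blocked sources so repeated alerts do not add duplicate rules."""
    def __init__(self):
        self.blocked = set()

    def handle(self, line):
        """Return [(target, command), ...] for one alert line; empty if no action."""
        a = parse_fast_alert(line)
        if a is None or not should_block(a) or a.src in self.blocked:
            return []
        self.blocked.add(a.src)
        cmds = [("windows-host", c) for c in host_firewall_commands(a.src)]
        router, acl = router_acl_commands(a.src, a.dst)
        return cmds + [(router, c) for c in acl]


SAMPLE_ALERTS = [  # constructed lines in Snort fast format; sids are in the local-rule range
    "01/15-10:02:33.123456  [**] [1:1000001:1] LOCAL SSH brute force [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 203.0.113.7:54321 -> 10.1.1.5:22",
    "01/15-10:02:34.000001  [**] [1:1000001:1] LOCAL SSH brute force [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 203.0.113.7:54322 -> 10.1.1.5:22",
    "01/15-10:03:10.500000  [**] [1:1000002:1] LOCAL ICMP sweep [**] [Classification: Misc activity] [Priority: 3] {ICMP} 203.0.113.9 -> 10.1.1.5",
    "01/15-10:04:00.000000  [**] [1:1000003:1] LOCAL internal noise [**] [Priority: 1] {UDP} 10.1.1.30:5000 -> 10.1.1.5:161",
    "not an alert line",
]

if __name__ == "__main__":
    lk = Linkage()
    for line in SAMPLE_ALERTS:
        for target, cmd in lk.handle(line):
            print(f"[{target}] {cmd}")
```

Of the five sample lines only the first produces commands: the second is the same source again, the third is below the priority threshold, the fourth comes from a protected internal address and the last does not parse. The protected list matters in practice because an attacker who can trigger alerts with a spoofed source address would otherwise be able to make the linkage block legitimate hosts.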
Keywords/Search Tags: Proactive Intrusion Prevention, Honeypots, Virtual Network, NetFlow, Linkage