| In the situation that traditional network security techniques can not completely keep the intrusion outside the system, survivability technique was proposed. It emphasizes that, when the system is under intrusion, it will still be able to timely provide its key services. Currently main work about survivability technique is still mostly theoretical study, lack of overall design thought for survivable system, has no concrete design and realization to system structural model.Therefore, this paper presents a universal state transition model of survivable system. The model describes all possible states which survivable system may be in under different environments, and the transition relations between states, has universal instruction significance for in-depth studying the specific realization method of survivability technique. Under the guidance of this model, combining characteristics of survivable system, this paper focuses on the specific realization method and key techniques in recognition, recovery and evolution.In the recognition and the evolution aspect, according to the difference between attack types, this paper proposes two methods: the method based on BP neural network to recognize flow-based attacks, and the method based on improved Snort to recognize content-based attacks. The characteristics of flow-based attack are mainly reflected in the flow statistic attributes, and the BP neural network has numerical input, good learning and memory ability. Using BP neural network to learn and recognize this type of attacks, not only can well recognize known type attacks, but also has good recognition to variant attacks and unknown attacks. Snort itself has good effect in the recognition of content-based attacks, based on this point, this paper adds breadth - first strategy to Snort rule match process, improves the performance of Snort, and adds special string match degree strategy to pattern match process, increases the ability of Snort to recognize variant attack and unknown attacks.In the recovery aspect, this paper has studied the method to discover and recover from abnormalities in view of single server node. Mainly through monitoring the use of resources to find abnormity, carry out resource redistribution according to the importance factor of services, and assistance by integrity check, ending illegal process, thus ensures the quality of key service when the server lack of resource or with abnormity. |
PDF Full Text Request