
Intrusion Tracking And Forensics For Network Security Incidents

Posted on: 2018-02-07
Degree: Master
Type: Thesis
Country: China
Candidate: Z R Wang
Full Text: PDF
GTID: 2428330545961095
Subject: Computer Science and Technology

Abstract/Summary:
During the "Eleventh Five-Year" "211 Project", a high-performance network operation management and security assurance system was deployed in the CERNET network center and its 38 backbone nodes. HYDRA is an active security defense prototype system that uses SDN to automate the response to network attacks and to collect malicious samples. MONSTER is an intrusion detection and response system that integrates incident data collection, metadata acquisition, rule-based network intrusion detection and related functions. To meet the new requirements for the incident response handling of network security events, this thesis integrates the MONSTER and HYDRA systems and reconstructs the original MONSTER system. The new system is extended with forensic acquisition and intrusion tracking functions, integrates automatic response technology, and parallelizes the relevant technical points of the program design on multi-core processors to improve the overall efficiency of security incident response.

The integrated design of the MONSTER and HYDRA systems is the basis of the research work. This thesis divides the integration into functional integration, architecture integration and data integration. For functional integration, the original functions of the two systems are selected and merged, and the functional components of the integrated system are defined. For architecture integration, the original control flows of the two systems are analyzed and unified into a single control flow, the dependencies between the system components are clarified, and the architecture of the integrated system is defined. For data integration, the data flows of the two original systems are analyzed and merged, the shared data is identified and realized, and the data of the integrated system is analyzed to achieve a unified format.

For forensic acquisition, this thesis realizes an acquisition scheme for multiple concurrent response tasks. The scheme first completes the life-cycle management and scheduling of response tasks, using a multi-level queue scheduling strategy combined with a thread pool. It then uses the OpenFlow switch's flow table to filter the network traffic and reduce the performance load on the system, uses the high-speed packet capture tool PF_RING DNA to fully exploit the packet capture capability of the network card, and collects packets on multiple CPU cores. The packets are classified and sorted according to the acquisition rules, and packets matching a rule are written into a shared buffer. Finally, the packets in the shared buffer are sorted and stored on disk.

For intrusion tracking, this thesis designs an intrusion tracking scheme based on application-layer semantic analysis. The scheme works on offline packets. First, Suricata and Bro are used to detect the packets. Then the detection logs are preprocessed and formatted. Finally, the semantics of the alert logs and protocol activity logs are analysed to obtain the results of the case. The tracking results include IDS fusion alerts, network behavior frequency analysis results, and protocol activity semantic extraction results.

Finally, the thesis carries out a performance test of the system, and verifies and explains in detail the forensic acquisition and intrusion tracking functions with an actual case from the security system (a suspected C&C domain name). The experimental results show that the acquisition and intrusion tracking functions presented in this thesis effectively guarantee the timeliness and correctness of security event response.
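The forensic acquisition pipeline described in the abstract (response-task life cycle and multi-level queue scheduling, flow-table pre-filtering, per-core capture workers in a thread pool, rule matching into a shared buffer, and a time-sorted write to disk) can be modelled in a few dozen lines. The block below is an added illustration written for this page, not code from the thesis or from MONSTER/HYDRA: the OpenFlow flow table is stood in for by a list of (proto, dport) match entries, PF_RING DNA multi-core capture by a `ThreadPoolExecutor`, and all packets, rules and task names are constructed sample data.

```python
"""Toy model of the multi-task forensic acquisition pipeline (added example,
not the thesis's code). Constructed sample data throughout."""
from concurrent.futures import ThreadPoolExecutor
from dataclasses import dataclass
from collections import deque
from pathlib import Path
from typing import Optional
import threading


@dataclass(frozen=True)
class Packet:
    ts: float       # capture timestamp (seconds)
    src: str
    dst: str
    proto: str      # "tcp" | "udp"
    dport: int
    length: int


@dataclass(frozen=True)
class FlowEntry:
    """Stand-in for an OpenFlow flow-table entry: traffic is mirrored to the
    capture host only when (proto, dport) match; None means wildcard."""
    proto: Optional[str] = None
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        return self.proto in (None, p.proto) and self.dport in (None, p.dport)


@dataclass
class ResponseTask:
    task_id: str
    priority: int               # 0 = most urgent; selects the initial queue level
    src: Optional[str] = None   # acquisition rule fields; None = wildcard
    dst: Optional[str] = None
    dport: Optional[int] = None
    state: str = "pending"      # life cycle: pending -> running -> done

    def rule_matches(self, p: Packet) -> bool:
        return all(want is None or want == got for want, got in
                   ((self.src, p.src), (self.dst, p.dst), (self.dport, p.dport)))


class MultiLevelQueue:
    """Multi-level queue: level i is served only when all levels < i are empty;
    tasks within one level are served FIFO."""
    def __init__(self, levels: int = 3):
        self.levels = [deque() for _ in range(levels)]

    def submit(self, task: ResponseTask) -> None:
        self.levels[min(task.priority, len(self.levels) - 1)].append(task)

    def drain(self):
        for q in self.levels:
            while q:
                yield q.popleft()


def flow_table_filter(packets, entries):
    """Coarse pre-filter: only packets hitting some flow entry reach the host."""
    return [p for p in packets if any(e.matches(p) for e in entries)]


def capture_worker(task, packets, shared, lock):
    """One capture thread (one CPU core in the real system): run the task's
    acquisition rule over the traffic and append hits to the shared buffer."""
    task.state = "running"
    hits = [(p, task.task_id) for p in packets if task.rule_matches(p)]
    with lock:
        shared.extend(hits)
    task.state = "done"
    return len(hits)


def run_acquisition(tasks, packets, flow_entries, workers=4, out_path=None):
    """Drive the pipeline; returns (time-sorted shared buffer, hits per task)."""
    traffic = flow_table_filter(packets, flow_entries)
    sched = MultiLevelQueue()
    for t in tasks:
        sched.submit(t)
    shared, lock = [], threading.Lock()
    with ThreadPoolExecutor(max_workers=workers) as pool:
        futs = {t.task_id: pool.submit(capture_worker, t, traffic, shared, lock)
                for t in sched.drain()}          # dispatched in scheduling order
        counts = {tid: f.result() for tid, f in futs.items()}
    shared.sort(key=lambda h: (h[0].ts, h[1]))  # order the buffer before storage
    if out_path is not None:                    # final step: store on disk
        Path(out_path).write_text("".join(
            f"{tid}\t{p.ts:.3f}\t{p.src}->{p.dst}:{p.dport}/{p.proto}\t{p.length}\n"
            for p, tid in shared))
    return shared, counts


# Constructed sample traffic, flow entries and tasks (not from the thesis).
SAMPLE_PACKETS = [
    Packet(3.0, "10.0.0.5", "203.0.113.9", "tcp", 443, 900),
    Packet(1.0, "10.0.0.5", "198.51.100.7", "udp", 53, 80),
    Packet(2.0, "10.0.0.8", "198.51.100.7", "udp", 53, 75),
    Packet(4.0, "10.0.0.8", "203.0.113.9", "tcp", 22, 120),   # dropped by flow table
    Packet(5.0, "10.0.0.5", "203.0.113.9", "tcp", 443, 1400),
]
FLOW_ENTRIES = [FlowEntry(proto="udp", dport=53), FlowEntry(proto="tcp", dport=443)]
TASKS = [
    ResponseTask("dns-case", priority=1, dport=53),
    ResponseTask("c2-host", priority=0, dst="203.0.113.9"),
]

if __name__ == "__main__":
    buf, hits = run_acquisition(TASKS, SAMPLE_PACKETS, FLOW_ENTRIES, out_path="acq.tsv")
    print(hits, [(p.ts, tid) for p, tid in buf])
```

Two properties of the design show up directly: the SSH packet never reaches any task because the flow table only mirrors DNS and HTTPS, which is the load reduction the abstract attributes to the OpenFlow filter, and the `c2-host` task is dispatched before `dns-case` despite being submitted later, because the multi-level queue serves level 0 first. The buffer is only sorted once after all workers finish, so capture threads never contend on anything but the append.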
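The intrusion tracking stage (preprocess Suricata and Bro logs, fuse IDS alerts, run a frequency analysis of network behaviour, and extract protocol semantics for the suspected C&C domain) is illustrated below by an added example that is not the thesis's code. It assumes Suricata's EVE JSON alert schema and the JSON form of Bro's (now Zeek's) `dns.log`; every log line, the signature id and the domain names are constructed, and the beacon thresholds (at least three queries with an inter-query interval whose coefficient of variation is at most 0.2) are this example's own illustrative choice, not values from the thesis.

```python
"""Toy application-layer semantic intrusion tracking over IDS logs (added
example, not the thesis's code). All log lines below are constructed."""
import json
from collections import defaultdict
from statistics import mean, pstdev

# Constructed Suricata eve.json lines (EVE field names; sid is made up).
SURICATA_EVE = """\
{"timestamp":"2018-01-10T08:00:01.000000+0000","event_type":"alert","src_ip":"10.0.0.5","dest_ip":"198.51.100.7","proto":"UDP","alert":{"signature_id":9000001,"signature":"SAMPLE DNS query to suspected C2 domain","severity":1}}
{"timestamp":"2018-01-10T08:01:01.000000+0000","event_type":"dns","src_ip":"10.0.0.5","dest_ip":"198.51.100.7","proto":"UDP","dns":{"type":"query","rrname":"bad.example.net"}}
{"timestamp":"2018-01-10T08:02:01.000000+0000","event_type":"alert","src_ip":"10.0.0.5","dest_ip":"198.51.100.7","proto":"UDP","alert":{"signature_id":9000001,"signature":"SAMPLE DNS query to suspected C2 domain","severity":1}}
"""

# Constructed Bro/Zeek dns.log lines in JSON form (one query every 60 s to the
# suspect domain from one client; ordinary one-off lookups from others).
ZEEK_DNS = """\
{"ts":1515571200.0,"id.orig_h":"10.0.0.5","query":"bad.example.net","qtype_name":"A","rcode_name":"NOERROR","answers":["203.0.113.9"]}
{"ts":1515571205.0,"id.orig_h":"10.0.0.5","query":"www.example.org","qtype_name":"A","rcode_name":"NOERROR","answers":["192.0.2.10"]}
{"ts":1515571260.0,"id.orig_h":"10.0.0.5","query":"bad.example.net","qtype_name":"A","rcode_name":"NOERROR","answers":["203.0.113.9"]}
{"ts":1515571290.0,"id.orig_h":"10.0.0.8","query":"www.example.org","qtype_name":"A","rcode_name":"NOERROR","answers":["192.0.2.10"]}
{"ts":1515571320.0,"id.orig_h":"10.0.0.5","query":"bad.example.net","qtype_name":"A","rcode_name":"NOERROR","answers":["203.0.113.9"]}
{"ts":1515571330.0,"id.orig_h":"10.0.0.5","query":"mail.example.org","qtype_name":"MX","rcode_name":"NOERROR","answers":["mx.example.org"]}
{"ts":1515571380.0,"id.orig_h":"10.0.0.5","query":"bad.example.net","qtype_name":"A","rcode_name":"NOERROR","answers":["203.0.113.9"]}
"""


def parse_jsonl(text):
    """Preprocessing/formatting: one JSON object per line; blank or malformed
    lines are dropped rather than aborting the whole case."""
    out = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            out.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return out


def fuse_alerts(events):
    """IDS alert fusion: collapse repeated alerts into one per (src, dst, sid)
    with a count and first/last-seen timestamps."""
    fused = {}
    for ev in events:
        if ev.get("event_type") != "alert":
            continue
        key = (ev["src_ip"], ev["dest_ip"], ev["alert"]["signature_id"])
        f = fused.setdefault(key, {"signature": ev["alert"]["signature"], "count": 0,
                                   "first": ev["timestamp"], "last": ev["timestamp"]})
        f["count"] += 1
        f["first"] = min(f["first"], ev["timestamp"])
        f["last"] = max(f["last"], ev["timestamp"])
    return fused


def dns_frequency(records, min_queries=3, max_cv=0.2):
    """Network behaviour frequency analysis: per (client, domain), count the
    queries and measure how regular the inter-query interval is; a low
    coefficient of variation over several queries is the beacon-like pattern
    that deserves a closer look (thresholds are illustrative)."""
    times = defaultdict(list)
    for r in records:
        times[(r["id.orig_h"], r["query"])].append(float(r["ts"]))
    result = {}
    for key, ts in times.items():
        ts.sort()
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        avg = mean(gaps) if gaps else None
        cv = pstdev(gaps) / avg if len(gaps) >= 2 and avg else None
        result[key] = {"count": len(ts), "mean_interval": avg, "cv": cv,
                       "periodic": len(ts) >= min_queries and cv is not None and cv <= max_cv}
    return result


def extract_dns_semantics(records, domain):
    """Protocol activity semantic extraction for one domain from the DNS log."""
    sem = {"clients": set(), "qtypes": set(), "rcodes": set(), "answers": set()}
    for r in records:
        if r["query"] != domain:
            continue
        sem["clients"].add(r["id.orig_h"])
        sem["qtypes"].add(r.get("qtype_name", "?"))
        sem["rcodes"].add(r.get("rcode_name", "?"))
        sem["answers"].update(r.get("answers", []))
    return sem


def track_case(eve_text, dns_text):
    """Full tracking pass: fused alerts, frequency table, and semantics for
    every domain whose query pattern was flagged as periodic."""
    events, dns = parse_jsonl(eve_text), parse_jsonl(dns_text)
    freq = dns_frequency(dns)
    candidates = sorted({dom for (_cli, dom), v in freq.items() if v["periodic"]})
    return {"fused_alerts": fuse_alerts(events), "frequency": freq,
            "candidates": {d: extract_dns_semantics(dns, d) for d in candidates}}


if __name__ == "__main__":
    case = track_case(SURICATA_EVE, ZEEK_DNS)
    for key, f in case["fused_alerts"].items():
        print("fused alert", key, f["count"], "x", f["signature"], f["first"], "..", f["last"])
    for dom, sem in case["candidates"].items():
        print("periodic queries to", dom, "->", sorted(sem["answers"]), "from", sorted(sem["clients"]))
```

The three result types named in the abstract map onto the three functions: `fuse_alerts` turns the two identical Suricata alerts into one fused record with a count of 2, `dns_frequency` flags `bad.example.net` because its four queries arrive exactly 60 s apart while the ordinary lookups are one-offs, and `extract_dns_semantics` reports which clients asked, which record types, which response codes and which addresses came back, which is what an analyst needs to pivot from a suspected C&C domain to the hosts and infrastructure involved.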
Keywords/Search Tags: Security Event, Incident Response, Forensic Collection, Intrusion Tracking