Research On Information Security Situation Awareness Technology Based On Network Data Flow

Posted on: 2021-03-26
Degree: Master
Type: Thesis
Country: China
Candidate: W M Sun
Full Text: PDF
GTID: 2518306308991419
Subject: Master of Engineering
Abstract/Summary:
With the rapid development of information technology and networking, the Internet is used more and more often. At the same time, the network security situation is not optimistic: online fraud, web page tampering, backdoor implantation and other security incidents occur from time to time. Network security situation awareness therefore has real and important significance for both personal property security and national security. Network security situation awareness is generally divided into three stages: situation element extraction, situation understanding and situation prediction. Situation element extraction is the first link of situation awareness, and the quality of the element sources determines how well situation understanding and prediction can work. This thesis studies situation element extraction technology from the perspective of network data flow. The main research content has two aspects: the design and implementation of a situation element extraction system based on a software-defined network (SDN) honeynet, and the design and implementation of a situation element extraction system for NoSQL databases based on active detection.

1. Design and implementation of a situation awareness system based on an SDN honeynet. The system is built on DPDK, Open vSwitch (OVS) and Docker container technology. It mainly implements three functions: responding to probe messages, rapidly deploying OVS and Docker containers to generate the honeynet in real time, and storing and computing statistics on attack data streams in real time. The core work of the thesis is to propose an information response spoofing mechanism based on the ARP and PING protocols that answers network attackers' probes and induces them to carry out further attacks against the honeypots in the honeynet; to address the problem of storing full-flow packet data by proposing and implementing a fast data storage method based on ring queues, which avoids packet loss caused by the storage speed being unable to keep up under large-traffic attack conditions; and to propose and implement a caching method for fast database query reads and writes, which improves database storage performance by reducing database cache invalidation. At the end of this part, a real packet capture of an SSH attack is used to verify the effectiveness of the system designed in this thesis.

2. Design and implementation of a NoSQL database situation awareness system based on active detection. The thesis first analyzes the vulnerability risks of several popular NoSQL databases (MongoDB, Redis, Memcached and Elastic) under their default installation, and carries out corresponding verification research on the DDoS amplification attack of the Memcached database. Combined with the NoSQL databases discoverable on Shodan's official website, an experimental analysis is conducted, which concludes that the security risk of NoSQL databases under a default installation is high. The thesis then takes Elastic as an example for further study of at-risk NoSQL databases, and designs and implements an Elastic risk awareness system. The thesis describes in detail the overall design of the risk awareness system, the implementation of its multi-threaded modules, the IP detection workflow, and the implementation of the sensitive data detection algorithm; the accuracy of the sensitive data detection algorithm is above 96%. A functional test of the risk awareness system was then carried out using the Elastic databases discoverable on Shodan's official website as the experimental source, and the test results demonstrated the effectiveness of the system. At the end of the thesis, corresponding countermeasures are put forward for the risks of NoSQL databases installed with default settings.
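The abstract's first system decouples packet capture from disk storage with a ring queue so that a traffic burst does not cause drops while the storage path catches up. The thesis's DPDK/OVS implementation is not on this page; the Python below is an added example written for this abstract, not the candidate's code. It implements a fixed-capacity single-producer/single-consumer ring, a drop counter (the signal a defender would monitor to know the storage path fell behind), and a constructed burst profile (`BURST`, 4 ticks of 50 packets against a storage path that drains 10 per tick, both assumed values) to show how ring capacity must be sized against peak backlog rather than average rate.

```python
# Added example: ring-queue buffering between a fast capture path and a slower
# storage path. All traffic figures below are constructed, not measurements.

class PacketRing:
    """Fixed-capacity ring queue: capture thread pushes, storage thread pops."""

    def __init__(self, capacity):
        self.buf = [None] * capacity
        self.capacity = capacity
        self.head = 0      # next slot the producer writes
        self.tail = 0      # next slot the consumer reads
        self.count = 0     # packets currently queued
        self.dropped = 0   # packets refused because the ring was full

    def push(self, pkt):
        """Enqueue a packet; on a full ring, count the drop instead of blocking capture."""
        if self.count == self.capacity:
            self.dropped += 1
            return False
        self.buf[self.head] = pkt
        self.head = (self.head + 1) % self.capacity
        self.count += 1
        return True

    def pop(self):
        """Dequeue the oldest packet, or None when the ring is empty."""
        if self.count == 0:
            return None
        pkt = self.buf[self.tail]
        self.buf[self.tail] = None
        self.tail = (self.tail + 1) % self.capacity
        self.count -= 1
        return pkt


# Constructed burst profile: packets arriving per tick (4 ticks at 50, then idle).
BURST = [50] * 4 + [0] * 16
DRAIN_PER_TICK = 10  # assumed throughput of the storage path


def simulate(arrivals, drain_per_tick, capacity):
    """Replay an arrival profile through a ring of the given capacity.

    Returns (packets_stored, packets_dropped, peak_queue_depth).
    """
    ring = PacketRing(capacity)
    stored = []
    peak = 0
    seq = 0
    for tick, n in enumerate(arrivals):
        for _ in range(n):              # capture side: never waits on storage
            ring.push((tick, seq))
            seq += 1
        peak = max(peak, ring.count)
        for _ in range(drain_per_tick):  # storage side: bounded rate per tick
            pkt = ring.pop()
            if pkt is None:
                break
            stored.append(pkt)
    while (pkt := ring.pop()) is not None:  # finish draining once the burst ends
        stored.append(pkt)
    return len(stored), ring.dropped, peak


def required_capacity(arrivals, drain_per_tick):
    """Peak backlog of the profile: the smallest ring that stores it without loss."""
    depth = peak = 0
    for n in arrivals:
        depth += n
        peak = max(peak, depth)
        depth = max(0, depth - drain_per_tick)
    return peak


if __name__ == "__main__":
    print("undersized ring (60):", simulate(BURST, DRAIN_PER_TICK, 60))
    need = required_capacity(BURST, DRAIN_PER_TICK)
    print("capacity needed for this burst:", need)
    print("sized ring:", simulate(BURST, DRAIN_PER_TICK, need))
```

With a ring of 60 slots the burst loses 110 of 200 packets even though the average rate (200 packets over 20 ticks) is exactly what the storage path can sustain; sizing the ring to the peak backlog (170) stores every packet. In a production capture pipeline the `dropped` counter should be exported as a metric, since a silently truncated capture is worse for later forensics than a known gap.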
Keywords/Search Tags: network data flow, information security, situation awareness, honeynet, NoSQL