
Network Threat Source Tracking And Intention Identification

Posted on: 2022-08-04
Degree: Master
Type: Thesis
Country: China
Candidate: S Huang
Full Text: PDF
GTID: 2518306740495304
Subject: Computer technology

Abstract/Summary:
Facing an increasingly severe network security situation and increasingly complex network structures, adopting more effective and reasonable security solutions has become the primary task of network security protection. To meet the needs of network security in this new situation, network security situational awareness has become a new research hotspot. Identifying the intent of threat sources is an important part of network security situational awareness and is the premise and basis of threat projection and decision-making response. In order to identify the intent of network threat sources more effectively, this thesis builds on the existing work of the backbone network security system of CERNET (China Education and Research Network) and analyzes in depth the problem of effectively identifying the intent of network threat sources. By studying session identification, threat source behavior modeling and related solutions, a wealth of evidence can be obtained for identifying the intention of network threat sources. The main work of this thesis is as follows:

First, in order to obtain complete and effective session information, this thesis improves the current session identification function of the security system. This includes resolving the incomplete data caused by session boundaries, using a mechanism based on connection handshake state and timeouts, and supplementing missing data through post-processing operations such as field alignment and data enrichment.

Second, using the results of session identification, a behavior modeling method for threat source tracking objects is designed and implemented, covering the extraction of behavior characteristics of a tracked IP and the discovery of behavior associations between tracked IPs. Methods based on TCP SYN messages, application layer protocol recognition results and port characteristics are used to identify the service role of a tracked IP, and a rule-based matching method is used to identify the server application type. Communication characteristics and transmission characteristics are also proposed as two dimensions that describe the behavior of a single host. Finally, the association relationships between tracked IPs are explained in terms of cooperation relationships and affiliation relationships. Combining the results of these methods describes the behavior of threat sources in multiple dimensions.

Third, in order to assist analysts in understanding threat source intentions and to achieve adaptive tracking of threat sources, a network threat source tracking system is designed and implemented, including the design of the tracking system architecture, the implementation of the modules of the tracking feedback mechanism, and the design of related interfaces. The application of the tracking results to intent recognition is also explained, and the analysis of experimental results proves that the tracking results in this thesis can effectively identify normal service nodes.
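The two techniques the abstract names for the session and behavior-modeling work, cutting sessions by handshake state plus an idle timeout and inferring a tracked IP's service role from the direction of TCP SYNs, reconstructed here as an added Python example. This is not the thesis's code: the packet records, the 120-second timeout and the two-SYN threshold are constructed assumptions chosen to show a split session, a truncated session and an address that is a server on one port but a client on another.

```python
from collections import defaultdict
# Constructed packets (ts, src, sport, dst, dport, flags), not real CERNET data:
# 10.0.0.5:443 serves two clients, the first of which idles past the timeout.
PACKETS = [
    (0.0, "192.0.2.10", 51000, "10.0.0.5", 443, "S"),
    (0.1, "10.0.0.5", 443, "192.0.2.10", 51000, "SA"),
    (200.0, "192.0.2.10", 51000, "10.0.0.5", 443, "A"),   # idle gap > timeout
    (200.5, "192.0.2.10", 51000, "10.0.0.5", 443, "FA"),
    (1.0, "198.51.100.7", 40000, "10.0.0.5", 443, "S"),
    (1.1, "10.0.0.5", 443, "198.51.100.7", 40000, "SA"),
    (1.2, "198.51.100.7", 40000, "10.0.0.5", 443, "R"),
    (2.0, "10.0.0.5", 33000, "203.0.113.9", 53, "S"),     # outbound, never closed
]

def identify_sessions(packets, timeout=120.0):
    """Cut sessions at SYN / FIN-RST (handshake state) and at idle gaps longer
    than `timeout`; a session missing either boundary is marked truncated."""
    open_sessions, sessions = {}, []
    for ts, src, sport, dst, dport, flags in sorted(packets):
        key = tuple(sorted([(src, sport), (dst, dport)]))   # bidirectional
        cur = open_sessions.get(key)
        if cur is not None and ts - cur["last"] > timeout:
            sessions.append(open_sessions.pop(key))          # stale: restart
            cur = None
        if cur is None:
            cur = open_sessions[key] = {"client": (src, sport), "server": (dst, dport),
                                        "handshake": flags == "S", "closed": False, "packets": 0}
        cur["packets"], cur["last"] = cur["packets"] + 1, ts
        if "F" in flags or "R" in flags:
            cur["closed"] = True
            sessions.append(open_sessions.pop(key))
    sessions.extend(open_sessions.values())     # still open at end of capture
    for s in sessions:
        s["truncated"] = not (s["handshake"] and s["closed"])
    return sessions

def service_roles(sessions, min_syn=2):
    """Role from SYN direction: >= min_syn SYNs received -> server (with ports);
    mostly sending SYNs -> client; a single observed SYN is too little evidence."""
    syn_in, syn_out = defaultdict(lambda: defaultdict(int)), defaultdict(int)
    for s in sessions:
        if s["handshake"]:                      # only SYN-anchored sessions count
            syn_in[s["server"][0]][s["server"][1]] += 1
            syn_out[s["client"][0]] += 1
    roles = {}
    for ip in set(syn_in) | set(syn_out):
        received, sent = sum(syn_in[ip].values()), syn_out[ip]
        role = "server" if received >= min_syn else "client" if sent > received else "unknown"
        roles[ip] = (role, sorted(syn_in[ip]) if role == "server" else [])
    return roles
```

Sessions whose handshake predates the capture are excluded from role counting because their client/server direction is a guess; the thesis's field alignment and data enrichment steps would be the place to repair such records before profiling.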
Keywords/Search Tags:Situational Awareness, Security Event, Behavior Profiling, Intention Recognition