Current Status and Development Trends of Core Network Security Technologies

Uploader: 壹****1  Document ID: 569938026  Uploaded: 2024-07-31  Format: PPT  Pages: 59  Size: 1.44 MB

Current Status and Development Trends of Core Network Security Technologies

Still waters run deep.
Where there is life, there is hope.

Agenda
- Introduction of Network Security
- Content Inspection Technologies
- Pattern Matching Algorithms
- Flow Classification by Stateful Mechanism
- Open Issues

Hackers Are Everywhere
- 2000/3: Hackers used DDoS network attacks to paralyse well-known sites including Yahoo, Amazon, CNN and eBay
- 2001/7: Bibliofind (a subsidiary of A) had its customers' credit-card data stolen by hackers
- 2002: Sino-US hacker war
- 2003/1: SQL Slammer attack
- 2003/4: The mainland-Chinese "流光" backdoor program
- 2003/8: Blaster (疾風) virus attack
- 2003/9: SoBig (老大) virus attack
- 2003/9: Mainland-Chinese cyber-army attack
- 2004/3: Netsky (天網) virus attack
- 2004/4: Sasser (殺手) virus attack
- 2005/5: Hackers tampered with data at the domestic College Entrance Examination Center
- 2005/6: A mainland cyber-army backdoor program stole diplomatic secrets from the Ministry of Foreign Affairs website

Hidden Worries in Network Security
- Network attack techniques change by the day, and attack tools are easy to obtain; their interfaces are simple, so attacks can be launched without advanced skills.
- Network attacks are no longer limited to intrusion; many aim at denying a site's ability to serve.
- Network communication equipment is not secure enough. Routers and switches can only inspect layer-3 packet information.
- Firewalls concentrate on layer-4 packet inspection.
- Antivirus software is increasingly unable to recognise network attacks.

Examples of Network Attack Tools
(figure)

Types of Network Attacks
- Denial of Service (DoS), Distributed Denial of Service (DDoS)
- Network Invasion
- Network Scanning
- Network Sniffing
- Trojan Horses and Backdoors
- Worms

P2P/IM Security Threats
- P2P (Peer-to-Peer) file-sharing programs
- IM (Instant Messenger)
- Spyware
- Adware
- Tunneling (private tunnels)

P2P: A New Paradigm
- Bottleneck of the server
- Powerful PCs
- Flexible, efficient information sharing
- P2P changes the way of the Web (Internet)

P2P Is About to Break the Existing Security Architecture
- Beyond file sharing and instant messaging, P2P has gradually spawned other applications, for example SoftEther and Skype. For individual users the benefits outweigh the drawbacks, but for enterprises it is a major information-security worry.
- P2P applications hide many risks, including:
  - leaking confidential internal information
  - becoming a channel for worm propagation
  - downloading illegal files and infringing copyright
  - consuming large amounts of bandwidth and disrupting the normal operation of other systems
  - distracting employees and lowering productivity

Famous P2P Examples
BitTorrent, eZpeer, Kuro, eDonkey, eMule, MLdonkey, Gnutella, Kazaa/Morpheus, Shareaza, Direct-connect, Soulseek, Opennap, Worklink, Opennext, Jelawat, PP點點通, SoftEther, iMESH, MIB, WinMix, WinMule, Skype

Instant Messenger (IM)
MSN, Yahoo Messenger, ICQ, YamQQ, AIM (AOL IM)

Development Trends in Network Attack and Defense Technology
- IDP/IPS (Layer-7)
- Application Firewall (Layer-7)
- Network Access Control (NAC)
- Defense-in-Depth / Security Switch

A Generic Layer-7 Engine
- Packet Normalizer
  - Makes sure of the integrity of incoming packets
  - Eliminates ambiguity
  - Decodes URI strings if necessary
- Pattern-Matching Engine
- Policy Engine
  - Gathers information from the pattern-matching engine and issues the verdict to allow or drop the packets

Packet Normalizer
- Integrity checking
- IP fragment reassembly
- TCP segment reassembly
  - TCP segments may arrive out of order
  - SEQ outside the window size
  - Segment overlapping
- URI decoding
  - URI hex-code obfuscation (a = %61)
  - URI Unicode/UTF-8 obfuscation
  - Self-referential directory obfuscation (/././././ = /)
  - Directory obfuscation (/abc/a/./a/./a/ = /abc/a)

Pattern-Matching Engine
- The most computation-intensive task in packet processing. Normally the PM engine needs to process every single byte of the packet payload.
- In Snort, the PM routine accounts for 31% of the total execution time.

Pattern Matching Is Expensive!
- 30 instructions/byte, i.e. 45K instructions per 1500-byte packet
- 50 instructions per 1500-byte packet
- Source: Intel Corp.

Content Inspection Technologies
- Pattern-matching algorithms
  - Software based: Boyer-Moore, Aho-Corasick (AC), Wu-Manber
  - Hardware based: Bloom filter, reconfigurable hardware (FSM), TCAM-based

Pattern Matching Problem Definition
- Given an input text T = t0, t1, ..., tn and a finite set of strings P = {P1, P2, ..., Pr}, the string matching problem involves locating and identifying the substrings of T that are identical to some Pj, 1 ≤ j ≤ r: a pattern Pj of length m occurs at position s when t(s+i) equals the i-th symbol of Pj for 0 ≤ i ≤ m-1, which can also be written as ts ... t(s+m-1) = Pj.
- Example: Text G C A T C G C A G A G A G T A T A C A G T A A G, pattern G C A G A G A G.

Aho-Corasick (AC) Algorithm
- AC is a classic solution to exact set matching. It works in time O(n + m + z), where z is the number of pattern occurrences in T.
- AC is based on a refinement of a keyword tree.
- AC is a deterministic algorithm, that is, its performance is independent of the number of patterns.

An Example of the AC Algorithm
- Example: P = {ab, ba, babb, bb}

An Example of the AC Algorithm
- Patterns: he, she, his, hers
- (figure: the AC automaton; dashed edges are fail transitions, and transitions not shown lead to the root)

An Example of the AC Algorithm
- Text: h e i s h i s
- (figure: the automaton run over the text)
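The automaton the slides above draw, implemented in Python as an added example (not code from the slides), and run over the slides' pattern set {he, she, his, hers} and text "heishis":

```python
from collections import deque

def build_ac(patterns):
    """Build the Aho-Corasick automaton: goto trie, fail links and output sets."""
    goto, fail, output = [{}], [0], [set()]
    for p in patterns:                       # phase 1: keyword tree (goto function)
        s = 0
        for ch in p:
            if ch not in goto[s]:
                goto[s][ch] = len(goto)
                goto.append({}); fail.append(0); output.append(set())
            s = goto[s][ch]
        output[s].add(p)
    queue = deque(goto[0].values())          # phase 2: fail links, breadth-first by depth
    while queue:                             # depth-1 states keep fail = root
        r = queue.popleft()
        for ch, s in goto[r].items():
            queue.append(s)
            f = fail[r]
            while f and ch not in goto[f]:   # walk the parent's fail chain until ch is accepted
                f = fail[f]
            fail[s] = goto[f].get(ch, 0)
            output[s] |= output[fail[s]]     # inherit patterns that end at the fail target
    return goto, fail, output

def ac_search(automaton, text):
    """Scan the text once; return (start_offset, pattern) for every occurrence."""
    goto, fail, output = automaton
    s, matches = 0, []
    for i, ch in enumerate(text):
        while s and ch not in goto[s]:       # the dashed fail transitions of the slides
            s = fail[s]
        s = goto[s].get(ch, 0)               # transitions not drawn lead to the root
        for p in output[s]:
            matches.append((i - len(p) + 1, p))
    return sorted(matches)

SLIDE_PATTERNS = ["he", "she", "his", "hers"]   # pattern set from the slides
SLIDE_TEXT = "heishis"                          # "h e i s h i s" from the slides

if __name__ == "__main__":
    print(ac_search(build_ac(SLIDE_PATTERNS), SLIDE_TEXT))
```

Scanning cost is one transition per input byte regardless of how many patterns were compiled, which is the determinism the slide refers to.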

Reconfigurable Hardware (FSM)
- Implement the AC FSM in the configurable logic elements (LEs) of an FPGA.
- Achieves multi-gigabit performance (depends on the FPGA model).
- A powerful FPGA is necessary to accommodate thousands of patterns, so this is not yet practical or visible in the commercial market.

FPGA-based Pattern Matching
(figure)

Bloom Filter
- Given a string X, the Bloom filter computes k hash functions on it, producing k hash values ranging from 1 to m. The same procedure is repeated for all members of the pattern set.
- The input text is verified by generating k hash values in the same way. If at least one of these k bits is found not set, the string is declared impossible to match.
- Patterns of length n are grouped into Bn.

Bloom Filter (Cont.)
- (figure: the payload stream is checked by one Bloom filter per pattern length, B2, B3, B4, ..., Bw; the group signature by length, G2(X), G3(X), G4(X), ..., is fed to the k hash functions H1, H2, ..., Hk)
- Minimum false-positive rate: f = (0.5)^k when m = (k × n) / ln 2. So the total space is sum(Bi) = m × (w - 1).
- If k = 1 and n = 2048, m = 3072 bits; if k = 1 and n = 3072, m = 4608 bits.
- If k = 4, f = 0.0625; k = 5, f = 0.0313; k = 6, f = 0.0156.
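An added example (not the slides' code) of the per-length Bloom filters Bn described above, applied to a constructed signature set and payload; the SHA-256-with-salt hash functions are an assumed choice, and min_false_positive_rate and bits_for_min_rate evaluate the slides' f and m formulas:

```python
import hashlib
import math

class BloomFilter:
    """m-bit Bloom filter queried with k hash functions (SHA-256 + salt byte, a constructed choice)."""
    def __init__(self, m, k):
        self.m, self.k, self.bits = m, k, bytearray(m)   # one byte per bit, for clarity
    def _positions(self, data):
        # k hash values in [0, m); the slides number them 1..m, which is the same range shifted
        for i in range(self.k):
            digest = hashlib.sha256(bytes([i]) + data).digest()
            yield int.from_bytes(digest[:8], "big") % self.m
    def add(self, data):
        for pos in self._positions(data):
            self.bits[pos] = 1
    def may_contain(self, data):
        # one unset bit is enough to declare the window impossible to match
        return all(self.bits[pos] for pos in self._positions(data))

def build_length_groups(patterns, m, k):
    """Bn: one filter per pattern length n, as in the slides."""
    groups = {}
    for p in patterns:
        groups.setdefault(len(p), BloomFilter(m, k)).add(p)
    return groups

def prefilter(payload, groups, patterns):
    """Query Bn with every length-n window of the payload; windows that pass are
    candidates, and exact comparison then confirms which ones really match."""
    pset, candidates, confirmed = set(patterns), [], []
    for n, bf in groups.items():
        for i in range(len(payload) - n + 1):
            window = payload[i:i + n]
            if bf.may_contain(window):
                candidates.append((i, window))
                if window in pset:
                    confirmed.append((i, window))
    return sorted(candidates), sorted(confirmed)

def min_false_positive_rate(k):
    """f = 0.5**k, the slides' minimum, attained when m = k*n/ln2 bits."""
    return 0.5 ** k

def bits_for_min_rate(k, n):
    """m = k*n/ln2, rounded up to whole bits."""
    return math.ceil(k * n / math.log(2))

PATTERNS = [b"GET ", b"cmd.exe", b"/bin/sh"]                       # constructed signature set
PAYLOAD = b"GET /index.html HTTP/1.0\r\nUser-Agent: test /bin/sh"  # constructed payload
```

Anything in candidates but not in confirmed is a false positive of the filter; a false negative cannot occur, because every byte window that equals a pattern hits exactly the bits that pattern set.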

TCAM Fundamentals
- TCAM stores data with three logic values: 0, 1 and X (don't care).
- Multiple match modes are needed.

Policy Engine
- Collects the matching events from the pattern-matching engine.
- Clarifies the relationship between matched patterns:
  - Ordered: a policy may consist of more than one pattern, which should be matched in order.
  - Offset, Depth: the matched position should be within a certain range or location.
  - Distance, Within: the distance between two matched patterns should also be taken into consideration.
- Traces application states.
- Some applications are difficult to identify using only one signature (e.g. P2P). The policy engine needs to track the connection state, as in the following diagram:
  S0 --(Msg Exchange)--> S1 --(Request File)--> S2 --(Data Exchange)--> S3

Content Inspection Technologies
- Our pattern matching algorithms:
  - Hierarchical Matching Algorithm (HMA) for Intrusion Detection Systems (IEEE Globecom 2005)
  - A Time and Memory Efficient String Matching Algorithm for Intrusion Detection Systems (IEEE Globecom 2006)
  - A Pattern Matching Coprocessor for Deep and Large Signature Set in Network Security System (IEEE Globecom 2005)
  - A Fast Pre-filtering Algorithm for Pattern Matching (IEEE Globecom 2006)
- Flow classification by stateful methods:
  - IM/P2P classification

Hierarchical Matching Algorithm (HMA) for Intrusion Detection Systems
- HMA is a two-tier, cluster-wise matching algorithm.
- Reduces the amount of external memory access:
  - reduces the access delay
  - reduces the required processing cycle time
  - improves the performance of the IDS
- Low memory requirement: 1.763 times better than the state-of-the-art algorithms.
- Enables an efficient and cost-effective real-time IDS.

(figure: Pre-filter -> Fast Search -> Cluster-wise String Search -> Narrow Searching Domain)

Memory usage:
  HMA     326.75 KB
  BM-PH   16.013 MB
  BMH     313.2 KB
  AC-C    439 KB

Pattern Matching Coprocessor for Deep and Large Signature Set in Network Security System
- System architecture (figure)
- Central Control Unit (figure)
- FPGA implementation results and simulation results:
  Module         Resource usage
  Selector       530 LEs (1% of total LEs)
  PE             15032 LEs (26% of total LEs)
  Pattern Table  22K bits (9% of memory)
  I/O Pin        210 (50% of total pins)

Pre-filter: Search Filter Model
- All the substrings filtered out by the filter are clean and cannot contain any of the defined patterns.
- The substrings passed on to the pattern matching algorithm may or may not contain pre-defined patterns.
- Thus the search filter may generate false positives but not false negatives. A false positive here refers to the case where a substring without any pre-defined pattern is falsely detected and accepted as containing one.
- An exact string matching mechanism is essential for finding out which patterns are included in an accepted substring.
(figure)

Super-Symbol Filter
- The basic idea of the proposed Super-Symbol Filter (SSF) algorithm is to treat two bytes of data as a super-symbol and to use a bitmap to indicate the occurrence of each super-symbol in the pre-defined patterns. For example, with 8-bit ASCII code there are 65536 combinations of two bytes, so a bitmap vector of 65536 entries is used.
- (figure: match vector construction)

Filtering Phase in the SSF-1 Algorithm
- Input string: Text = "ABOD CODING IS FOOD"
- (figure: the bitmap lookup for each super-symbol of the text)

SSF-2 Algorithm
- To achieve better accuracy and fewer false positives, the extended SSF-2 algorithm employs two match vectors.
- The First Match Vector (FMV) is used for the super-symbols formed by the first two symbols of each pattern.
- The Rest Match Vector (RMV) is used for the remaining super-symbols in the patterns, except those already in the FMV.

SSF-2 Algorithm
- The algorithm looks up the FMV and RMV and detects whether the corresponding bit of each super-symbol is 1.
- Since "AB" and "OD" are not the beginning super-symbol of any pattern (by checking the FMV), the filter algorithm only outputs two substrings, "COD" and "FOOD". Only one substring, "COD", is a false positive in this case.
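An added example, not the authors' code, of the SSF-1 and SSF-2 filtering phases over the slides' text "ABOD CODING IS FOOD"; the pattern set {CODE, FOOD, CAB} is constructed (the slides' own patterns survive only in a figure) so that, as on the slide, SSF-2 emits just "COD" and "FOOD", and patterns are assumed to be at least two bytes long:

```python
def super_symbols(s):
    """All overlapping two-byte super-symbols of s."""
    return [s[i:i + 2] for i in range(len(s) - 1)]

def build_vectors(patterns):
    """Match vectors as sets of super-symbols (the paper uses 65536-entry bitmaps).
    MV: every super-symbol of every pattern (SSF-1).
    FMV: the first super-symbol of each pattern; RMV: the rest, minus the FMV (SSF-2)."""
    mv, fmv, rmv = set(), set(), set()
    for p in patterns:               # assumed: len(p) >= 2, so ss is non-empty
        ss = super_symbols(p)
        mv.update(ss)
        fmv.add(ss[0])
        rmv.update(ss[1:])
    return mv, fmv, rmv - fmv

def ssf_filter(text, start_ok, cont_ok):
    """Filtering phase: emit each maximal substring whose first super-symbol is in
    start_ok and whose following super-symbols are all in cont_ok.
    SSF-1 uses (mv, mv); SSF-2 uses (fmv, fmv | rmv)."""
    ss, out, i = super_symbols(text), [], 0
    while i < len(ss):
        if ss[i] in start_ok:
            j = i + 1
            while j < len(ss) and ss[j] in cont_ok:
                j += 1
            out.append(text[i:j + 1])   # super-symbols i..j-1 cover bytes i..j
            i = j
        else:
            i += 1
    return out

def verify(candidates, patterns):
    """Exact matching over the accepted substrings: a candidate that contains
    no pattern is one of the filter's false positives."""
    return [c for c in candidates if any(p in c for p in patterns)]

PATTERNS = ["CODE", "FOOD", "CAB"]   # constructed; the slides' own set is only in a figure
TEXT = "ABOD CODING IS FOOD"         # the input string from the slides

def run_ssf(text=TEXT, patterns=PATTERNS):
    """Return (SSF-1 output, SSF-2 output, substrings confirmed by exact matching)."""
    mv, fmv, rmv = build_vectors(patterns)
    ssf2 = ssf_filter(text, fmv, fmv | rmv)
    return ssf_filter(text, mv, mv), ssf2, verify(ssf2, patterns)
```

With this pattern set SSF-1 also passes "AB" and "OD" (their bits are set in the MV because "CAB" and "CODE"/"FOOD" contain them), which is exactly what the FMV check in SSF-2 removes.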

Evaluation
- To evaluate scalability and flexibility, the popular Snort IDS signatures are employed.
- If most bits of the bitmap were set to 1, we could expect SSF filtering performance to be impacted dramatically, as the "hit rate" would be very high.
- Fortunately, tracking the growth of Snort rule patterns shows that the percentage of set bits in the MV, FMV and RMV is still very small (less than 5%). Thus the proposed approaches have a good chance of keeping up with the fast growth of Snort releases.

  Release    Number of released patterns  SSF-1 MV bitmap  SSF-2 FMV bitmap  SSF-2 RMV bitmap
  Snort-2.0  2066                         3213             695               3027
  Snort-2.1  2617                         3478             813               3296
  Snort-2.2  2664                         3575             835               3382
  Snort-2.3  2679                         3611             845               3413
  Snort-2.4  2680                         3611             845               3413

Defcon9 Trace
Defcon-1: number of matched patterns: 377,508 times (9,846,572 bytes)

  Filter algorithm  Passed by filter  Filtered out  Filter cost time  AC search cost time  Total cost time  Throughput
  PBF               1,173,918         88%           (illegible)       (illegible)          (illegible)      (illegible)
  IDP               9,775,924         0.8%          125,810           512,169              637,970          123
  AC                9,852,342         0%            0                 513,081              513,081          153
  SSF-1             1,350,541         86%           117,000           80,374               197,374          400
  SSF-2             391,024           96%           126,523           29,739               156,262          504

- Performance was measured on a Pentium-4 3.0 GHz personal computer with 1 MB level-2 cache, using Intel's VTune tool. PBF = Parallel Bloom Filter, IDP = Database Processor.

Filter Percentage & Throughput
- The filtering effectiveness of the IDP scheme is pretty bad, and it is not capable of handling Snort's patterns. This is because the bitmap used in the IDP scheme has only 256 entries, one per single-byte symbol, and most of those entries are set to "1" for Snort's patterns.
- Both the PBF and SSF schemes are less sensitive to the growth of patterns and have a filtering percentage around 80-98%.

Filter Percentage & Throughput
- PBF is only suitable for hardware-based implementation; in software the throughput of PBF is less than that of AC.
- For Defcon-1, the system throughput is roughly a 2x speed-up (270 Mbps vs 141 Mbps) compared to the original AC algorithm, and for Defcon-3 the speed-up is more than 3x (504 Mbps vs 153 Mbps).
- The proposed SSF schemes consume far less memory (cache-resident).

Flow Classification Using Stateful Method
- The FA example: FTP (figure)
- The FAs of the BitTorrent protocols (figure)
- The FAs of the Yahoo Messenger protocol (figure)

Network Security Research Topics
- DoS/DDoS
- Content Inspection Algorithms
- Zero-day Attacks
- Web Security
- Network Access Control (NAC)
- Wireless Security

Zero-day Attacks
- MS WMF 0-day exploits:
  28 Dec 2005: MS WMF exploit publicly released
  29 Dec 2005: BroadWeb released pattern update
  10 Jan 2006: Microsoft released patch
- Microsoft IE createTextRange() vulnerability:
  24 Mar 2006: vulnerability publicly unveiled
  26 Mar 2006: BroadWeb released pattern update
  11 Apr 2006: Microsoft released patch
- (figure: the attack window lies between public disclosure and the vendor patch)

MS06-001 WMF 0-day Attack
- Discovered 2005.12.28
- A 0-day attack targeting the IE browser
- Even a fully patched WinXP SP2 is not immune
- Merely browsing a web page containing a malicious WMF file, with no further action by the user, leads to immediate intrusion and infection. Sites observed: Crackz dot ws, unionseek dot com, www.tfcco dot com, Iframeurl dot biz, beehappyy dot biz, and more.

Intrusion by the WMF 0-day Attack
- (screenshot)
- (screenshot)
- A fake antivirus program appears, offering to check for malicious programs.
- It informs the user that the trial version has limited functionality and that the full version must be purchased online to remove the malware. Combining the IE 0-day attack with social engineering, this is a new type of attack aimed at defrauding users of their credit-card numbers!
- (screenshot)

Web Security
- Security Code
- Buffer Overflow Attack
- Vulnerability Avoidance

Network Access Control (NAC)
- More than 70% of attacks are launched from inside
- Provide first-mile protection
- Network Access Controller
- Security Switches
- Defense-in-Depth

Wireless Security Open Issues
- AAA issues
- Ad hoc networks (secure routing protocols)
- Sensor network security
- WiFi and WiMAX (IEEE 802.16) network security
- Wireless Security Switch

Open Issues
- How to identify and manage encrypted protocols such as Skype 2.0 and Winny? Not by signatures (there are no signatures?); maybe by state machines.
- How to design fast content inspection or pattern matching algorithms? A modified AC algorithm or others; using the cache efficiently; a pre-filter is good; a post-filter is also necessary (rules are more complex).
- How to design a fast content inspection co-processor? Regular expressions are necessary; many commercial products exist already, such as SafeNet 4850, Sensory Networks C-2000, IDT, Cavium, Netlogic, etc.
- Security switches provide first-mile protection, and wireless security switches as well.
- Network Access Control (NAC) is a newly emerging trend.
