跳到主要內容

簡易檢索 / 詳目顯示

研究生: 林子翔
Lin, Zih-Siang
論文名稱: 網路偵查攻擊之封包式欺騙防禦
DEFIC: Defensive Packet Deception on Reconnaissance Attack
指導教授: 郁方
Yu, Fang
口試委員: 蕭舜文
Hsiao, Shun-Wen
陳孟彰
Chen, Meng-Chang
學位類別: 碩士
Master
系所名稱: 商學院 - 資訊管理學系
Department of Management Information System
論文出版年: 2022
畢業學年度: 110
語文別: 英文
論文頁數: 56
中文關鍵詞: 網路殺攻擊鍊網路偵查欺騙式防禦作業系統指紋連接埠掃描
外文關鍵詞: Cyber kill chain, Network reconnaissance, Defensive deception, OS fingerprint, Port scanning
DOI URL: http://doi.org/10.6814/NCCU202200748
相關次數: 點閱:220下載:7
分享至:
查詢本校圖書館目錄 查詢臺灣博碩士論文知識加值系統 勘誤回報
  • 網絡偵查是網絡攻擊鏈的第一階段,攻擊方進行主機發現、端口掃描和作業系統檢測,試圖從遠端主機獲取關鍵資源。
    在網絡偵查階段誤導對手可以提供主動保護機制,而非在攻擊實際發生後才採取應對措施,此舉可防止後續階段的武器化和攻擊者的漏洞利用。

    在本文中,我們提出了一種新的封包式欺騙防禦框架DEFIC,可用於對抗 Nmap 等第三方網路偵查工具的常見偵查攻擊。
    我們所提出的欺騙式防禦框架可以偽造針對連接埠和系統組態之掃描封包的欺騙式回應,以在網絡偵查期間混淆攻擊者,從而使目標主機能夠偽裝其正在運行防禦端所指定的作業系統。
    除此之外,我們建構了幾個作業系統模板,可動態針對系統實時狀態、掃描封包的細微差異包與作業系統欺騙策略生成一系列的偽造回應。

    初步結果表明,Nmap 很有可能會誤判被我們如隱形斗篷一般的DEFIC所覆蓋的遠程主機。


    Network reconnaissance stands the first stage of a cyber kill chain, where adversaries conduct host discovery, port scanning, and operating system detection in order to obtain critical information from remote hosts.
    Misleading an adversary in the network reconnaissance phase can provide orthogonal protection in the first place, preventing subsequent phases of weaponization and exploitation from attackers.
    In this paper, we propose a novel packet-level defensive deception framework against common reconnaissance attacks that can be employed by third-party reconnaissance tools such as Nmap.
    Specifically, we propose DEFIC, a deceptive firewall that can forge fake responses to unknown requests on port and system status to confuse attackers during network reconnaissance and hence provide the target host the ability to pretend running with a designated operating system.
    We build several templates of response packets that can be used to reconstruct packets with the desired information and synthesize a sequence of fake packets according to different OS strategies.
    Our preliminary results show that the Nmap tool has a high chance of miss-guessing remote hosts that are covered with our invisibility cloak.

    摘要 i
    Abstract ii
    Contents iv
    List of Figures vii
    List of Tables viii
    1 Introduction 1
    2 Related Work 4
    2.1 Active deception 4
    2.1.1 Deception-based cyber defense 4
    2.1.2 Moving target defense 6
    3 Network Reconnaissance 7
    3.1 Port scanning 7
    3.1.1 TCP connect Scan 7
    3.1.2 TCP SYN Port Scan 8
    3.2 OS detection . 9
    3.3 Reconnaissance attack process 10
    4 Defensive packet deception 14
    4.1 Objective 14
    4.2 Implementation 15
    4.3 Deceptive packet synthesis 17
    4.3.1 Reconnaissance simulation 17
    4.3.2 Packet sniffer 17
    4.3.3 Extract packet diff 19
    4.3.4 Template synthesis 20
    4.4 Deceiver 22
    4.4.1 Port deceiver 22
    4.4.2 OS Deceiver 25
    5 Experiments 30
    5.1 Environment setting 30
    5.2 OS template synthesis experiment 31
    5.3 OS deceiver experiment 33
    5.3.1 Experiment on Window 7 33
    5.3.2 Experiment on Win10 35
    5.3.3 Experiment on CentOS8 37
    5.3.4 Experiment on Idle IP 39
    5.3.5 Result summarize 42
    6 Traffic Maintenance 44
    6.1 Public service traffic 44
    6.1.1 The impact on public service traffic 44
    6.1.2 Turn off the deception on public service ports 47
    6.2 Legal user traffic 48
    7 Discussion And Future Work 50
    7.1 Facing diverse attacks 50
    7.2 Deception Tactic Reinforcement 50
    7.2.1 Research on reconnaissance tools 50
    7.2.2 Automation 51
    7.3 Practical Implementation 51
    8 Conclusions 53
    Reference 54

    [1] E. M. Hutchins, M. J. Cloppert, R. M. Amin et al., “Intelligence-driven computer network defense informed by analysis of adversary campaigns and intrusion kill chains,” Leading Issues in Information Warfare & Security Research, vol. 1, no. 1, p. 80, 2011.
    [2] J. Pawlick, E. Colbert, and Q. Zhu, “A game-theoretic taxonomy and survey of defensive deception for cybersecurity and privacy,” ACM Computing Surveys (CSUR), vol. 52, no. 4, pp. 1–28, 2019.
    [3] T. Yadav and A. M. Rao, “Technical aspects of cyber kill chain,” in International Symposium on Security in Computing and Communication. Springer, 2015, pp. 438–452.
    [4] S. Sengupta, A. Chowdhary, A. Sabur, A. Alshamrani, D. Huang, and S. Kambhampati, “A survey of moving target defenses for network security,” IEEE Communications Surveys & Tutorials, vol. 22, no. 3, pp. 1909–1941, 2020.
    [5] F. J. Stech, K. E. Heckman, and B. E. Strom, “Integrating cyber-d&d into adversary modeling for active cyber defense,” in Cyber deception. Springer, 2016, pp. 1–22.
    [6] M. Zhu, A. H. Anwar, Z. Wan, J.-H. Cho, C. A. Kamhoua, and M. P. Singh, “A survey of defensive deception: Approaches using game theory and machine learning,” IEEE Communications Surveys & Tutorials, vol. 23, no. 4, pp. 2460–2493, 2021.
    [7] D. Ye, T. Zhu, S. Shen, and W. Zhou, “A differentially private game theoretic approach for deceiving cyber adversaries,” IEEE Transactions on Information Forensics and Security, vol. 16, pp. 569–584, 2020.
    [8] M. A. Rahman, M. M. Hasan, M. H. Manshaei, and E. Al-Shaer, “A game-theoretic analysis to defend against remote operating system fingerprinting,” Journal of Information Security and Applications, vol. 52, p. 102456, 2020.
    [9] M. Albanese, E. Battista, and S. Jajodia, “A deception based approach for defeating os and service fingerprinting,” in 2015 IEEE Conference on Communications and Network Security (CNS). IEEE, 2015, pp. 317–325.
    [10] Z. Zhao, F. Liu, and D. Gong, “An sdn-based fingerprint hopping method to prevent fingerprinting attacks,” Security and Communication Networks, vol. 2017, 2017.
    [11] M. S. I. Sajid, J. Wei, M. R. Alam, E. Aghaei, and E. Al-Shaer, “Dodgetron: Towards autonomous cyber deception using dynamic hybrid analysis of malware,” in 2020 IEEE Conference on Communications and Network Security (CNS). IEEE, 2020, pp. 1–9.
    [12] S. Wang, Q. Pei, Y. Zhang, X. Liu, and G. Tang, “A hybrid cyber defense mechanism to mitigate the persistent scan and foothold attack,” Security and Communication Networks, vol. 2020, 2020.
    [13] F. De Gaspari, S. Jajodia, L. V. Mancini, and A. Panico, “Ahead: A new architecture for active defense,” in Proceedings of the 2016 ACM Workshop on Automated Decision Making for Active Cyber Defense, 2016, pp. 11–16.
    [14] J. H. Jafarian, E. Al-Shaer, and Q. Duan, “Adversary-aware ip address randomization for proactive agility against sophisticated attackers,” in 2015 IEEE Conference on Computer Communications (INFOCOM). IEEE, 2015, pp. 738–746.
    [15] ——, “An effective address mutation approach for disrupting reconnaissance attacks,” IEEE Transactions on Information Forensics and Security, vol. 10, no. 12,
    pp. 2562–2577, 2015.
    [16] S.-Y. Chang, Y. Park, and B. B. A. Babu, “Fast ip hopping randomization to secure hop-by-hop access in sdn,” IEEE Transactions on Network and Service Management, vol. 16, no. 1, pp. 308–320, 2018.
    [17] P. K. Manadhata and J. M. Wing, “An attack surface metric,” IEEE Transactions on Software Engineering, vol. 37, no. 3, pp. 371–386, 2010.
    [18] M. F. Hyder and M. A. Ismail, “Securing control and data planes from reconnaissance attacks using distributed shadow controllers, reactive and proactive approaches,” IEEE Access, vol. 9, pp. 21 881–21 894, 2021.
    [19] G. F. Lyon, Nmap network scanning: The official Nmap project guide to network discovery and security scanning. Insecure. Com LLC (US), 2008.
    [20] MITRE, “CVE,” Oct. 19, 2021. [Online]. Available: https://cve.mitre.org/
    [21] I. Brett, N. Satya, and H. Amy, “Microsoft Fiscal Year 2021 Third Quarter Earnings Conference Call,” Apr. 27, 2021. [Online]. Available: https://www.microsoft.com/en-us/Investor/events/FY-2021/earnings-fy-2021-q3.aspx

    QR CODE
    :::