Abstract (translated from Chinese):
With the spread of cloud computing technology across key industries and the continual growth of enterprise SaaS business, the security problems of cloud environments have become increasingly prominent. Locating the target cloud resource is a preliminary step of a network attack; network deception technology can effectively disrupt the information an attacker obtains through network sniffing and hide the fingerprint information of important network assets (service ports, operating system type, etc.). However, because a correspondence often exists between a fake fingerprint and the real device, an advanced attacker can still locate a disguised target device through multi-dimensional information. The principle of the deception method based on container fingerprint anonymity is to hide important sensitive services among a large number of ordinary non-sensitive services, combining several deception techniques to counter network reconnaissance. A batch-processing anonymization algorithm forfeits the fast and convenient nature of cloud services, so cloud services need a continuous anonymization method with strong real-time performance. To address the problem of important cloud resources being located and tracked, this paper proposes a network deception method based on container fingerprint anonymity: the fingerprints of containers in the cloud resource pool are modified to satisfy anonymization criteria, creating a false view of cloud resources and increasing the difficulty of the attacker's network reconnaissance and sniffing. To reduce the overhead of container fingerprint modification and the service delay it may cause, a category-attribute measurement method based on semantic level is proposed and used as the optimization objective of the container fingerprint anonymization algorithm. Since the container fingerprint information that must be modified and disguised is a continuously generated data stream, a dynamic fingerprint deception algorithm based on data stream anonymity, CFDAA, is proposed to achieve real-time online fast anonymization of container fingerprints; it modifies container fingerprints quickly through delay control and cluster segmentation and guarantees that online containers always satisfy k-anonymity and l-diversity. Experimental results show that the proposed method can effectively increase the difficulty of an attacker locating target cloud resources while keeping overhead controllable.
Keywords: active defense; network deception; dynamic fingerprint; data stream anonymity
DOI: 10.19363/J.cnki.cn10-1380/tn.2022.03.05
Received: November 27, 2020; Revised: February 27, 2021
Funding: This work was supported by the National Natural Science Foundation of China (No. 62002383) and the National Key R&D Program of China (No. 2018YFB0804004).
An Anonymous Network Deception Method Based on Container Fingerprint Modification for SaaS Applications
LI Lingshu, WU Jiangxing, LIU Wenyan
National Digital Program-Controlled Switching Center, People's Liberation Army Strategic Support Force Information Engineering University, Zhengzhou 450001, China
Abstract:
With the popularization of cloud computing technology in key industries, Software-as-a-Service (SaaS) offerings are widely used across sectors, and the security problems of the cloud environment are becoming increasingly prominent. Since locating the target cloud resources is a preliminary step of a network attack, network deception technology can effectively disrupt the attacker's network reconnaissance and hide the fingerprint information of important network assets (service port, operating system type, etc.). However, because a relation exists between the fake fingerprint and the real device, an advanced attacker can still locate the target device through multi-dimensional information. The principle of the deception method based on container fingerprint anonymity is to hide important sensitive services among a large number of ordinary non-sensitive services, using multiple deception techniques together to counter network reconnaissance. A batch-processing anonymity algorithm loses the fast and convenient characteristics of cloud services, so cloud services need a continuous anonymity method with strong real-time performance. To prevent essential cloud resources from being located and tracked, this paper proposes a network deception method based on container fingerprint anonymity. By modifying the fingerprints of the containers in the cloud resource pool, false cloud resource views are created to confuse the attacker and increase the difficulty of network reconnaissance. To reduce the overhead of container fingerprint modification and the service delay it may cause, a category attribute measurement method based on semantic level is proposed as the optimization goal of the container fingerprint anonymity algorithm. Since the container fingerprint information that needs to be modified is a continuously generated data stream, a dynamic fingerprint spoofing algorithm based on data stream anonymity, CFDAA, is proposed for real-time online processing. It achieves rapid container fingerprint modification through delay control and cluster segmentation while keeping k-anonymity and l-diversity satisfied. Experimental results show that the proposed method can effectively increase the attacker's difficulty of network reconnaissance with controllable overhead.
Key words: active defense; network deception; dynamic fingerprint; data stream anonymity
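As an added illustration of the stream-anonymization idea the abstract describes (this is not the authors' CFDAA, whose clustering and delay-control details are not given on this page), the following Python sketch clusters arriving container fingerprints by a generalised (port class, OS) key, publishes a cluster once it holds k containers with at least l distinct sensitivity labels, and, as delay control, merges a cluster that has waited too long into its most similar open neighbour under a coarser key. The port hierarchy, the similarity score and the sample stream are all constructed assumptions.

```python
from collections import Counter

# Semantic-level generalisation of the port attribute (an assumed hierarchy, not the paper's metric).
PORT_CLASS = {80: "http", 8080: "http", 443: "https", 8443: "https", 3306: "db", 5432: "db"}

# Constructed fingerprint stream: (container id, service port, OS type, sensitivity label).
STREAM = [
    ("c1", 443, "linux", "billing"), ("c2", 8443, "linux", "web"), ("c3", 80, "windows", "web"),
    ("c4", 443, "linux", "auth"), ("c5", 3306, "linux", "db"), ("c6", 8080, "linux", "web"),
    ("c7", 80, "windows", "auth"), ("c8", 5432, "linux", "billing"), ("c9", 80, "linux", "web"),
    ("c10", 8080, "windows", "web"),
]

def ready(members, k, l):
    """A cluster may be published once it holds k containers and l distinct sensitivity labels."""
    return len(members) >= k and len({m[1][3] for m in members}) >= l

def publish(members):
    """Rewrite every member's exposed fingerprint to the cluster's most common (port, OS) pair."""
    port = Counter(m[1][1] for m in members).most_common(1)[0][0]
    os_ = Counter(m[1][2] for m in members).most_common(1)[0][0]
    return [(m[1][0], port, os_, m[1][3]) for m in members]

def stream_anonymize(stream, k, l, max_delay):
    """Cluster arriving fingerprints by their generalised key, publish a cluster as soon as
    k-anonymity and l-diversity hold, and apply delay control to clusters that stall."""
    clusters = {}  # (port class, OS) -> [(arrival step, record), ...], oldest first
    groups = []    # published equivalence classes of identical exposed fingerprints
    for t, rec in enumerate(stream):
        key = (PORT_CLASS[rec[1]], rec[2])
        clusters.setdefault(key, []).append((t, rec))
        if ready(clusters[key], k, l):
            groups.append(publish(clusters.pop(key)))
        # Delay control: a cluster whose oldest record has waited max_delay steps is merged
        # into the open cluster sharing the most attributes (OS counts more than port class).
        for stale in [c for c in clusters if t - clusters[c][0][0] >= max_delay]:
            others = [c for c in clusters if c != stale]
            if stale not in clusters or not others:
                continue  # already merged away, or nothing to merge with yet
            near = max(others, key=lambda c: 2 * (c[1] == stale[1]) + (c[0] == stale[0]))
            key = tuple(a if a == b else "any" for a, b in zip(stale, near))  # coarser key
            merged = clusters.pop(stale) + clusters.pop(near) + clusters.pop(key, [])
            clusters[key] = sorted(merged)  # arrival order, so the oldest record stays first
            if ready(merged, k, l):
                groups.append(publish(clusters.pop(key)))
    return groups, [m[1][0] for c in clusters.values() for m in c]
```

With k=3, l=2 and max_delay=4 the sample stream yields three published groups; the second one presents the Linux container c6 as a Windows host on port 80 alongside two real Windows hosts, and c10 is still pending when the stream ends.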