Research on Active Defense Architecture and Key Technologies Based on DNS Log Analysis
(original title: 基于域名服务日志分析的主动防御架构及关键技术研究)
【Author】 贾卓生 (Jia Zhuosheng)
【Supervisor】 韩臻 (Han Zhen)
【Author information】 Beijing Jiaotong University, Information Security, 2021, Doctoral dissertation
【Abstract (translated from the Chinese)】 With the spread and rapid development of Internet technology, network security problems have become increasingly prominent, ranging from theft of personal information and privacy leaks to harm to society and national security; they are everywhere. Governments and related organizations have therefore invested huge human and financial resources in research on network security detection and defense. How to automatically perceive the security risks present in a network through detection and analysis, assess network information systems, accurately locate fault points, precisely reflect the security risk value of each system, and form an active network security defense system has become a hot research topic. Although research on network security has made some progress, its key technical means and accuracy still need continual improvement. At present, enterprise networks perform security analysis and defense by installing intrusion prevention, vulnerability scanning, user behavior management, data security audit and similar devices, but because of the large processing volume and high false-positive rate these devices are often deployed out of band (bypass) in real environments, which makes it hard to improve defensive capability. Faced with ever-larger network traffic, distributed content delivery networks and the widespread adoption of encrypted protocols, full-traffic network security detection methods have difficulty identifying network attack behavior effectively and also increase the risk that enterprise and user privacy data are stolen. Log-based attack detection methods usually use the logs of a single device or system; the data granularity is not fine enough, analysis lags, detection quality is hard to guarantee, and there is no feedback and linkage mechanism with existing network security defense devices. Moreover, as data accumulate, the volume of data requiring correlation analysis grows ever larger, greatly affecting analysis efficiency.

To address these problems, this dissertation proposes analyzing and mining the most fundamental log data on the Internet, domain name service logs, building a knowledge-graph-based network behavior fingerprint feature library model, studying detection algorithms for network attack behavior features through cluster analysis, and detecting network security risks and hidden attack hazards. Network billing logs are used as an auxiliary fine-grained analysis and verification means to further improve detection accuracy. It proposes using domain name servers to build an intelligent DNS architecture with active defense functions, establishing a pre-emptive protection system that actively blocks attack behavior harmful to network security without users or systems being aware of it, strengthening network security management and defense capability. The main contents of the dissertation are as follows:

1. An active defense architecture based on the domain name service is built. On the basis of analyzing network log collection methods, format types, data mapping and cleaning, the statistical classification of domain name data is studied, along with the resolution-process security, architectural security and network threats faced by the domain name service. Statistical clustering and mining are performed on the domain name set, and the security detection problems introduced by distributed CDN acceleration and dynamic addresses during domain name resolution are analyzed. On this basis, an active defense architecture based on an intelligent domain name service is proposed.

2. A method for constructing a domain name fingerprint graph is proposed. A knowledge-graph-based domain name fingerprint feature library model is established, and the feature values of the generated fingerprint model data are correlated and clustered. Various standard domain name fingerprint datasets used in security detection analysis are defined, including: a dynamic blacklist/whitelist set that the intelligent DNS system can use for security defense; a knowledge-graph-based user access behavior fingerprint set; and a domain name resolution fingerprint set generated with the directed and undirected graphs of a graph neural network. Methods for establishing, generating, storing, comparing and visually analyzing the fingerprint sets are given, and the fingerprint detection algorithm is experimentally verified and analyzed. To address the insufficient granularity of DNS log data, network billing logs are used as an auxiliary fine-grained analysis and verification means to improve detection accuracy.

3. A fingerprint detection and analysis method for the normal domain name access behavior of websites, users, operating systems and common application software is proposed. All active domain name links of a website are reconstructed from the union of user queries to form a website active-domain fingerprint graph, and a website domain name fingerprint feature detection and analysis method based on the C4.5 decision tree algorithm is proposed. A user access domain name feature fingerprint graph is formed from users' network access behavior; based on an analysis of three user behavior patterns (fixed, changing and abnormal), a user access behavior detection and analysis method based on the rough clustering algorithm FCM is proposed. Feature fingerprint graphs are formed from the domain name requests of operating systems and common application software, and a detection and analysis method for their behavior is proposed. Experiments verify the feasibility and effectiveness of the methods.

4. A detection and analysis method for network attack behavior fingerprint graphs is proposed. Building on an analysis of network attack behavior, and targeting the fingerprint features of typical attacks, the latent Dirichlet allocation (LDA) probabilistic graphical model is used for estimation, and an improved method based on the first-order homogeneous Markov chain (FHM) behavior transition probability algorithm is proposed to detect network attack behavior, improving the ability to predict and prevent attacks. The method is validated using mining-virus attacks and hidden web-page link attacks as examples.

5. A DNS-based active network security defense system is implemented. Active defense is achieved through linkage between the DNS log security analysis system and the intelligent DNS server, and a network proxy server steers traffic that may cause security problems to a honeypot system for analysis and blocking. Through joint analysis with DHCP server logs, a domain name analysis system that adapts to dynamic address changes is realized, meeting the needs of security analysis and defense in dynamic IP address environments such as the Internet of Things and IPv6. Mutual feedback mechanisms are established between the systems, and the detection and prevention effects are verified.

Through analysis of domain name service logs, this dissertation proposes a security detection and analysis method based on domain name access behavior fingerprint graphs, and designs and implements a network security detection and active defense system that can perform closed-loop control and unified threat management and that has been applied in a real network environment.
【Abstract】 With the rapid development of the Internet, the problem of network security is becoming more and more prominent, from identity theft and private information leaks to the endangerment of social and national security. Therefore, improving network security detection and defense has become a major technical problem in the academic community, and governments and enterprises have also invested huge human and financial resources. It has become a hot research issue to perceive the security risks in the network through an automated system, actively analyze and manage the network information system, accurately locate the security failure points, and accurately evaluate the security risk level of each system. Some progress has been made, but the key technology and accuracy can still be improved. At present, devices for intrusion prevention, vulnerability scanning, user behavior management and data security audit are installed in the intranet for security analysis and defense. However, due to the massive data volume and false positive rate, these defense devices are often installed out of band (bypass) as alarms rather than as a proactive defense mechanism in the actual environment. Increased network traffic makes commonly used full-flow network security detection methods difficult to apply. With the adoption of large-scale distributed Content Distribution Networks (CDN) and encryption protocols, it is difficult to effectively identify network security behavior, which increases the risk of data leaks and violation of enterprise and user privacy. Cyber-attack detection methods based on log data often use the logs of a single device or system, which lack granularity and have a high detection lag, and thus cannot comprehensively reflect the state of network management. There is usually no feedback mechanism between the detection results and the existing network security defense equipment. With the continuous accumulation of data, the amount of data that needs association analysis keeps increasing, which significantly impedes analysis efficiency.

To deal with these problems, this paper proposes a network behavior fingerprint database model and cluster analysis based on the Knowledge Graph, analyzing the big data of the Domain Name Service (DNS) log dataset. We present a method for active awareness of network security risks and hidden network attack dangers by studying detection algorithms for attack behavior in network security. The network billing log is used as an auxiliary accurate analysis and verification method to further improve detection accuracy. At the same time, we propose to use an intelligent DNS with a defense function to establish a security protection system with prior intervention, to prevent attacks against network security and enhance the management and defense ability of network security without users or the system being aware of it. The main contents of this paper are as follows:

1. Built an active security defense architecture based on DNS. This paper analyzes the collection methods and formats of network logs, covering log data analysis, dataset mapping, system architecture, category division, the resolution process and security of DNS, as well as the security extension function of the domain name server's own trust key. Statistical clustering analysis is carried out on the collected domain name set, and the security of CDN acceleration and dynamic IP addresses in the process of domain name resolution is analyzed on the basis of these problems. This paper proposes the architecture of an active defense system based on the functions of an intelligent DNS.

2. Built the DNS fingerprint based on the Knowledge Graph research method. This paper proposes definitions of the various domain name fingerprint data used in the research of active security detection and situation awareness. It also proposes a way to generate the dynamic blacklist and whitelist dataset that the intelligent DNS can use for security defense, and proposes analysis methods for the establishment, generation, storage, comparison and visualization of user query domain name behavior fingerprint datasets based on the Knowledge Graph. The DNS fingerprint and DNS resolution fingerprint databases are generated using the directed and undirected graph methods of a Graph Neural Network (GNN) in a Knowledge Graph. The fingerprint detection algorithm is verified through experiments. To solve the problem that the DNS log is not fine-grained enough, the network billing log is used as an auxiliary high-accuracy analysis and verification method to improve detection accuracy.

3. Proposed an analysis and detection method of fingerprint active detection perception for website, user behavior, and operating system and common application software behavior. The domain name fingerprint is formed by restoring all the active domain name links of a website through each user query. Firstly, this paper proposes a method based on the C4.5 decision tree algorithm to analyze and detect the fingerprint characteristics of website domain name behavior. Secondly, we propose a rough clustering algorithm, FCM, to detect users' behavior using the fingerprint of the user's domain name query network, analyzing three models of users' fixed, variable and abnormal behavior. Finally, we propose the fingerprint of domain name request behavior for all major operating systems and application software, and also present the detection method for this kind of fingerprint through experiment and analysis.

4. Proposed an analysis and detection method of fingerprints for cyber-attack behavior. This paper proposes an algorithm based on the behavior transition probability of the First-order Homogeneous Markov chain (FHM) to analyze cyber-attack behavior by analyzing the characteristics of typical attack behavior. We conduct experiments to test the detection of various common attack behaviors, using the Latent Dirichlet Allocation (LDA) probability graph model method to carry out the valuation calculation. Mining virus attacks and web page hidden hyperlink attacks are taken as examples for testing and verification.

5. Implemented a network security active defense system based on DNS. Using the coordination between the DNS log security analysis system and the intelligent DNS, this paper proposes a defense method in which the intelligent DNS uses the network proxy server to direct traffic that may cause security problems to the honeypot system for analysis and blocking. Through joint analysis with the Dynamic Host Configuration Protocol (DHCP) server log, the domain name analysis system is able to adapt to dynamic addresses, thus meeting the requirements of security analysis and defense in dynamic IP address network environments such as the Internet of Things and IPv6. The mutual feedback mechanism established among the systems can further improve the detection and prevention effect.

In a word, through the analysis of DNS logs, together with the research and detection method of domain name access behavior fingerprints, we build an information security detection and active defense system, which also has closed-loop and unified threat control. This system has been applied in real-world network environments.
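Both abstracts describe three building blocks without showing them: per-client domain access fingerprints mined from DNS query logs, a dynamic blacklist that the intelligent DNS consumes, and a first-order homogeneous Markov (FHM) transition-probability score over query behavior. The following is an added example written for this page; it is not code from the dissertation. It assumes a constructed BIND-style query-log line layout, constructed log lines and a constructed blacklist, and it estimates the FHM transition matrix with plain bigram counts and add-one smoothing, which is a simplification rather than the dissertation's improved algorithm.

```python
"""Added example (not from the dissertation): per-client DNS query
fingerprints, a dynamic blacklist check, and a first-order homogeneous
Markov (FHM) transition model used to score how unusual a query sequence is."""
from collections import Counter, defaultdict
import math
import re

# Constructed sample log lines in an assumed BIND-style query-log layout.
# Real resolver logs differ in field order and detail.
SAMPLE_LOG = """\
2021-03-01T08:00:01 client 10.0.0.5 query: www.example.edu IN A
2021-03-01T08:00:02 client 10.0.0.5 query: static.example.edu IN A
2021-03-01T08:00:03 client 10.0.0.5 query: cdn.example-static.net IN A
2021-03-01T08:05:00 client 10.0.0.5 query: www.example.edu IN A
2021-03-01T08:05:01 client 10.0.0.5 query: static.example.edu IN A
2021-03-01T08:05:02 client 10.0.0.5 query: cdn.example-static.net IN A
2021-03-01T08:10:00 client 10.0.0.7 query: mail.example.edu IN A
2021-03-01T08:10:01 client 10.0.0.7 query: www.example.edu IN A
2021-03-01T08:10:02 client 10.0.0.7 query: pool.mining-example.test IN A
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) client (?P<client>[\d.]+) query: (?P<qname>\S+) IN (?P<qtype>\w+)$"
)

# Constructed dynamic blacklist. In the architecture described above this set
# would be refreshed by the analysis system and pushed to the intelligent DNS.
BLACKLIST = {"pool.mining-example.test"}


def parse_log(text):
    """Return (timestamp, client, qname, qtype) tuples; lines that do not
    match the assumed layout are skipped rather than crashing the parser."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            records.append((m["ts"], m["client"], m["qname"].lower(), m["qtype"]))
    return records


def client_fingerprints(records):
    """Simplest user access fingerprint: per-client Counter of queried names."""
    fp = defaultdict(Counter)
    for _, client, qname, _ in records:
        fp[client][qname] += 1
    return fp


def client_sequence(records, client):
    """Ordered list of names a client queried (log order is time order here)."""
    return [qname for _, c, qname, _ in records if c == client]


def blacklist_hits(records, blacklist=BLACKLIST):
    """Clients that queried a blacklisted name, with the names they hit."""
    hits = defaultdict(set)
    for _, client, qname, _ in records:
        if qname in blacklist:
            hits[client].add(qname)
    return dict(hits)


def fhm_transitions(sequence, alpha=1.0):
    """First-order homogeneous Markov chain over a query-name sequence:
    P(next | current) from bigram counts with add-alpha smoothing, so a
    transition never seen in training still gets a small non-zero probability."""
    states = sorted(set(sequence))
    bigram = defaultdict(Counter)
    for a, b in zip(sequence, sequence[1:]):
        bigram[a][b] += 1
    probs = {}
    for a in states:
        total = sum(bigram[a].values()) + alpha * len(states)
        probs[a] = {b: (bigram[a][b] + alpha) / total for b in states}
    return probs


def sequence_log_likelihood(sequence, probs, floor=1e-6):
    """Sum of log P(next | current) along a sequence; a name that never
    appeared in training falls back to `floor`, which drags the score down."""
    ll = 0.0
    for a, b in zip(sequence, sequence[1:]):
        ll += math.log(probs.get(a, {}).get(b, floor))
    return ll


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("blacklist hits:", blacklist_hits(recs))
    model = fhm_transitions(client_sequence(recs, "10.0.0.5"))
    for seq in (["www.example.edu", "static.example.edu", "cdn.example-static.net"],
                ["www.example.edu", "pool.mining-example.test"]):
        print(seq, round(sequence_log_likelihood(seq, model), 3))
```

The log-likelihood is a relative score: a sequence that follows the client's learned transitions scores close to zero, one that reorders known names scores lower, and one that introduces a never-seen name scores lowest. A deployment would train the model on a baseline window per client and alert on scores below a threshold chosen from that baseline, feeding confirmed hits back into the blacklist set.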
【Key words】 DNS; Log Analysis; Big Data; Machine Learning; Knowledge Graph; User Behavior Fingerprint; Security Defense System;