Client Honeypot Research and Application Extension
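【Author】 Fan Xun (樊迅);
【Advisor】 He Dequan (何德全);
【Author Information】 Shanghai Jiao Tong University, Communication and Information Systems, 2008, Master's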
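【Summary】 With the rapid development of computer networks, attacks such as network penetration and theft of sensitive information happen around us every day. Hackers exploit software and hardware vulnerabilities in servers to gain control of them, then penetrate further to obtain the information they want. Having recognized these common intrusion methods, security researchers have continually studied and developed methods and products to counter them. The widespread use of firewalls and intrusion detection systems has steadily lowered the success rate of intrusions that rely mainly on server-side software and hardware vulnerabilities, so attackers have turned to a new and simpler kind of attack: the client-side attack. Client-side attacks target vulnerabilities in client software and, now that client software of all kinds is in wide use, have gradually become a common attack method. In countering traditional attacks, security researchers proposed the highly creative honeypot concept and developed many different honeypot systems, which have contributed greatly to the study and detection of traditional attacks. The emergence of client-side attacks, however, rendered honeypot systems aimed at traditional attacks ineffective, so security researchers proposed client honeypot systems aimed at client-side attacks. Client honeypot systems are used to detect client-side attacks; at present they mainly detect malicious web pages and malicious servers. A client honeypot actively interacts with web servers and checks whether the data the server returns contains behaviour that attacks the user's browser and its plug-ins. Client honeypot techniques for detecting malicious web pages and servers are now fairly mature. However, the browser is not the only kind of client software: many other client programs, such as office document software, media players and P2P resource-sharing software, have their own software vulnerabilities, and client honeypot systems still fall somewhat short in detecting attacks against them. This thesis first reviews the principles, attack vectors and impact of client-side attacks. It then studies the techniques used by client honeypot systems, including URL acquisition, automated control of client software, and client-side attack determination. Next, it analyzes several existing client honeypot systems in depth, from system architecture to implementation techniques. Because existing client honeypot systems are designed and implemented mainly to detect malicious web pages and offer little support for other client software, in this research the author, building on the open-source Capture-HPC system, developed a WinWord plug-in for Capture-HPC so that the Capture system can detect attacks against the Word client.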
【Abstract】 With the rapid development of the Internet, network attacks and theft of sensitive information happen every day. Hackers exploit various software and hardware vulnerabilities to gain control of servers and to penetrate further. Knowing these attack techniques, security researchers continuously work on developing countermeasures against such intrusions. With the wide use of firewalls and intrusion detection systems, the traditional path of server-side attack has a lower success rate. As a result, attackers have turned to an easier and more convenient route: the client-side attack. Traditional honeypot systems focus on detecting server-side attacks, so they are less useful for detecting client-side attacks. To research and detect client-side attacks, security researchers proposed the client honeypot. Client honeypots crawl the network, interact with servers, and classify servers according to whether they are malicious. A client honeypot simulates or drives client-side software and does not expose server-based services to be attacked. It cannot lure attacks to itself; rather, it must actively interact with remote servers in order to be attacked. Whereas all accesses to a traditional honeypot are malicious, the client-side honeypot must discern which servers are malicious and which are benign. This thesis studies client honeypots, introduces their principles, and extends the application of the client honeypot so that it can detect a wider range of client-side attacks.