Journal on Communications, 2017, Vol. 38, Issue 12: 128-143. doi: 10.11959/j.issn.1000-436x.2017281
Zhao-peng JIA (1,2), Bin-xing FANG (1,3,4), Chao-ge LIU (2,5), Qi-xu LIU (2,5), Jian-bao LIN (1,2)
Revised: 2017-08-16
Online: 2017-12-01
Published: 2018-01-19
About the authors:
JIA Zhao-peng (born 1988), male, from Xingtai, Hebei; Ph.D. candidate at Beijing University of Posts and Telecommunications; research interests: network security and cyber deception. | FANG Bin-xing (born 1960), male, from Wannian, Jiangxi; academician of the Chinese Academy of Engineering and professor at Guangzhou University; research interests: computer architecture, computer networks and information security. | LIU Chao-ge (born 1986), male, from Changchun, Jilin; assistant researcher and Ph.D. candidate at the Institute of Information Engineering, Chinese Academy of Sciences; research interests: Web security, cyber deception and attack traceback. | LIU Qi-xu (born 1984), male, from Xuzhou, Jiangsu; Ph.D., associate researcher at the Institute of Information Engineering, Chinese Academy of Sciences, and associate professor at the University of Chinese Academy of Sciences; research interests: network attack and defense techniques and network security evaluation. | LIN Jian-bao (born 1992), male, from Weihai, Shandong; master's student at Beijing University of Posts and Telecommunications; research interests: network security and cyber deception.
Abstract:
The asymmetry between cyber attack and defense is one of the core problems facing network security today. Deception-based defense is a new approach that defenders have introduced to change this asymmetric situation. Its core idea is to interfere with the attacker's perception so as to induce the attacker to take actions that favor the defender, thereby recording the attacker's activities and methods, raising the cost of carrying out an attack, and lowering the probability that an attack succeeds. First, cyber deception is formally defined and divided into four types according to how the deception environment is constructed. At the same time, the development of cyber deception is summarized in three stages and the characteristics of each stage are analyzed. Then, a hierarchical model of cyber deception is proposed and existing research results are reviewed. Finally, countermeasures against cyber deception are analyzed and summarized, and trends in the development of cyber deception technology are introduced.
Cite as: Zhao-peng JIA, Bin-xing FANG, Chao-ge LIU, Qi-xu LIU, Jian-bao LIN. Survey on cyber deception (网络欺骗技术综述)[J]. Journal on Communications, 2017, 38(12): 128-143.
Table 2 Products and financing of selected security companies

| Company | Country | Product/solution | Defensive function | Financing |
|---|---|---|---|---|
| Illusive Networks | Israel | Deceptions Everywhere | Camouflage deception | USD 5 million raised in June 2015; USD 22 million raised in October 2015 |
| Cymmetria | Israel | MazeRunner | Camouflage deception | USD 10.5 million raised in total as of 2015 |
| TrapX | USA | DeceptionGrid Platform | Camouflage deception | USD 5 million raised in January 2014; USD 9 million raised in July 2015 |
| Attivo | USA | ThreatMatrix Platform | Camouflage deception | USD 8 million raised in April 2015 |
| Allure | USA | Novo Platform | Camouflage deception | —— |
| 长亭科技 (Chaitin Tech) | China | 谛听 threat awareness system | Camouflage deception | CNY 6 million angel round in September 2015 |
| 默安科技 (Moresec) | China | 幻盾 | Camouflage deception | CNY 30 million raised in 2017 |
Table 4 Cyber deception techniques applicable at each stage of the intrusion kill chain

| Deception type | Reconnaissance and weaponization | Delivery | Exploitation and installation | Command and control and execution |
|---|---|---|---|---|
| Application deception | Glastopf, HIHAT, Kippo | HoneyMonkey, Capture-HPC, PhoneyC | uvauth, honey-patches | ── |
| Data deception | Honeywords, Detecting traffic snooping in Tor using decoys | ── | ── | PII, honeyfile, Siren |
| Network structure deception | Honeyd, honeynet, hybrid honeypot, OpenFire | Network Address Space Randomization, MUTE (mutable networks), CINDAM, RDAM | ── | ── |
| Device deception | DTK, HoneyBow, Argos, Operating System Obfuscation, FPH | ── | fake honeypot | ── |