Use vulnerability mining technology to establish a new Information Security Protection Model

Source: Internet
Author: User

This article analyzes the information security situation and its current state, and describes the impact on existing security technologies and concepts of the virus industry chain formed by vulnerability mining and vulnerability exploitation. Based on the characteristics of each link in that chain, a new security protection model built on the "cloud security" concept is proposed, one that quickly perceives and captures new threats and monitors them from the source.

1. Introduction

The concepts of information security and network security have kept pace with the times. They have evolved from an early focus on communication confidentiality, to the confidentiality, integrity, availability, controllability and non-repudiation of information, and now to information assurance and information assurance systems. Neither simple confidentiality nor a static protection model can meet today's needs. Information security protection relies on people, operations and technology to support the organization's business operations. A sound information assurance model means that assurance policies, procedures, technologies and mechanisms are implemented at every level of the organization's information infrastructure.

In recent years, the information security situation in China has changed profoundly. Some rules and trends can be identified in these changes, and they point to changes in the information security protection model that are close at hand.

2. Information security situation and analysis

According to the British "Jane's Strategy Report" and evaluations of national information protection capabilities by other network organizations, China is listed among the countries with the lowest protection capability; it ranks far below information security powers such as the United States, Russia and Israel, and behind India and South Korea. China has become the hardest-hit area for information security incidents. Illegal activities of all kinds related to the Internet in China are growing at more than 30% per year. According to monitoring results from the national Internet emergency response center, 95% of China's network management centers connected to the Internet have suffered attacks or intrusions from domestic and foreign hackers; banks, financial institutions and securities institutions are the main focus of these attacks.

Catalyzed by the Internet, the computer virus field is undergoing profound changes, and the trend toward virus industrialization is increasingly apparent. A dangerous virus industry chain is quietly taking shape.

A traditional hacker had to do everything alone: manually search for security vulnerabilities, write exploitation tools, spread viruses and manipulate the infected hosts. Now that the entire chain operates over the Internet, the steps from mining vulnerabilities, exploiting vulnerabilities and spreading viruses to manipulating infected hosts have formed an efficient pipeline in which different hackers choose the links they are good at and profit from them, making the whole virus industry more efficient. This industrialization has serious negative consequences:

First, the formation of the virus industry chain means higher production efficiency. Some experienced hackers can even write automated programs that mutate existing viruses to produce large numbers of new variants. In the face of this explosive growth, current virus prevention technology has three limitations: ① new samples increase dramatically and the lifetime of a single sample shrinks, so existing technology cannot intercept new samples in time; ② even when samples can be intercepted, up to 100,000 new samples per day severely test the capacity to analyze and process them; ③ even when samples can be analyzed and processed, delivering the latest virus sample database to users in the shortest possible time remains a problem.

Second, the formation of the virus industry chain means that more unknown vulnerabilities are discovered. In the Internet collaboration model, hackers greatly improve their vulnerability mining capability by sharing techniques and results, far outpacing the patch release speed of operating system and software vendors.

Third, hackers lease better servers and higher bandwidth to facilitate vulnerability exploitation and virus propagation. Through Internet forums and blogs, senior hackers also hire "software migrant workers" to write stronger drivers and add them to viruses to strengthen their self-protection. The influx of these software migrant workers makes the virus industry chain more "formal and professional", and its efficiency improves further.

Finally, hackers use automated "zombie" management tools to control large numbers of infected hosts and keep profiting from them. The entire hacker industry has thus formed a closed loop, a "virtuous circle" for hackers.

3. Vulnerability mining and exploitation

The current state of the virus industry is closely tied to the breakthrough in vulnerability mining. Vulnerability mining is also a powerful tool for defenders to find and remedy vulnerabilities. It is a double-edged sword.

3.1 Inevitability of vulnerabilities

First, the Internet contains a large number of early systems, including low-end devices and old systems, and the organizations that run them lack the resources to maintain and upgrade them, so a large number of known but unpatched vulnerabilities remain. Second, because systems and application software must be pushed to market as quickly as possible, there is often not enough time for rigorous testing, and a large number of security risks inevitably remain. Third, in software development, bugs are left in place because of development cost, development schedule and excessively large system scale, and these bugs are often the source of security risks. In addition, an excessively large network involves many factors of connectivity, organization and management: different hardware platforms, system platforms and application services are intertwined, and a network that is secure under one set of conditions may become exposed when those conditions change.

3.2 Vulnerability mining technology

Vulnerability mining does not rely on a single method. It selectively applies bottom-up or top-down techniques according to the application, drawing on the strengths of each to achieve better results. The following are common vulnerability mining methods:

(1) Security scanning. Security scanning is also called vulnerability assessment. Its basic principle is to use simulated attacks to probe the target system for known security vulnerabilities one by one. With security scanning, one can discover open ports, services, some system information and misconfigurations of hosts and network systems, and thereby detect known vulnerabilities and the intrusion points of hosts and network systems.

(2) Manual analysis. For open-source software, manual analysis is generally based on a source code reading tool such as Source Insight, which speeds up source retrieval and querying. A simple analysis usually starts by reviewing calls to insecure library functions such as strcpy() in the system, then goes on to review the use of security-sensitive library functions and loops. Non-open-source software differs in that it can only be analyzed from the compiled code obtained by disassembly. In vulnerability analysis of non-open-source software, the disassembly engine and debugger play the most important roles; IDA Pro, for example, is currently a good disassembly tool.

(3) Static check. Static checks are divided into two types by software type: static checks for open-source software and for non-open-source software. The former mainly uses compiler technology to derive the relevant information during code scanning or compilation, and then checks for specific vulnerability patterns based on that information. The latter is mainly based on the IDA Pro disassembly platform and uses a bottom-up analysis method to check library function calls and loop operations in binary files; it focuses on static data-flow backtracking and reverse engineering of the software.

(4) Dynamic check. A dynamic check is also called a runtime check. Its basic principle is to obtain the running state and data of the target program at runtime through the resource monitoring and debugging interfaces provided by the operating system. Common dynamic check methods currently include environment error injection and data-flow analysis.

The vulnerability mining techniques described above are not completely independent. They often compensate for one another, and integrating them produces powerful vulnerability mining tools.
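The "simple analysis" step of method (2) and the open-source variant of method (3), reviewing source code for calls to insecure library functions, can be mechanized. The following Python checker is an added example written for this page; it is not from the original article or any tool the article names. It scans C source text for calls to a small table of unbounded functions, skips occurrences inside comments and string literals so they are not reported, and returns the line number of each hit with a review hint. The function table and the sample C input are constructed for the example.

```python
import re

# Insecure C library functions and what to review them against.
# This table is an illustration constructed for the example, not a project's policy.
UNSAFE_CALLS = {
    "strcpy": "bounded copy (strncpy/strlcpy) with an explicit destination size",
    "strcat": "bounded concatenation (strncat/strlcat)",
    "sprintf": "snprintf with the destination size",
    "gets": "fgets with a buffer size",
    "scanf": "width-limited conversions, or fgets followed by parsing",
}

# Comments and string literals, matched left to right so that a quote inside a
# comment or a "//" inside a string is handled in the order it appears.
_SKIP_RE = re.compile(r'//[^\n]*|/\*.*?\*/|"(?:\\.|[^"\\\n])*"', re.S)
# A call site: the bare function name (word boundary keeps strncpy/sscanf out)
# followed by an opening parenthesis.
_CALL_RE = re.compile(r"\b(" + "|".join(map(re.escape, UNSAFE_CALLS)) + r")\s*\(")


def strip_comments_and_strings(src: str) -> str:
    """Blank out comments and string literals, keeping every newline so that
    line numbers in the result still match the original source."""
    return _SKIP_RE.sub(lambda m: re.sub(r"[^\n]", " ", m.group(0)), src)


def find_unsafe_calls(src: str):
    """Return (line_number, function_name, review_hint) for every call to a
    function listed in UNSAFE_CALLS, ignoring comments and string literals."""
    cleaned = strip_comments_and_strings(src)
    findings = []
    for m in _CALL_RE.finditer(cleaned):
        line = cleaned.count("\n", 0, m.start()) + 1
        name = m.group(1)
        findings.append((line, name, UNSAFE_CALLS[name]))
    return findings


# Constructed sample input: a small C function with two unbounded calls, plus a
# comment and a string literal that mention strcpy and must not be reported.
SAMPLE_C = r'''#include <string.h>
#include <stdio.h>

/* A comment that mentions strcpy() must not be reported. */
int copy_name(char *dst, const char *src) {
    char buf[16];
    strcpy(dst, src);                   /* unbounded copy */
    printf("called strcpy(%s)\n", src); /* name inside a string: ignored */
    sprintf(buf, "%s", src);            /* unbounded format into buf */
    return 0;
}
'''

if __name__ == "__main__":
    for line, name, hint in find_unsafe_calls(SAMPLE_C):
        print(f"line {line}: {name}() -> review against {hint}")
```

Running it on the sample reports lines 7 and 9 only. A checker like this is the first pass the article describes; the reported call sites still need the manual review of buffer sizes and loop bounds that follows it, since a bounded function used with the wrong size is just as unsafe.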

3.3 Vulnerability exploitation

The value of a vulnerability is realized in its exploitation; a vulnerability that is not widely exploited is of little consequence. Technically, hackers generally exploit vulnerabilities to penetrate the target host through remote or local overflows, script injection and other means, with the aim of obtaining host information and sensitive files, gaining control of the host, monitoring host activity, damaging the system and hiding backdoors. The main trend in current vulnerability exploitation is toward more Web attacks, whose ultimate goal is to implant on the target host (mainly servers) a composite virus that makes comprehensive use of the mining techniques described above in order to achieve its various purposes.

4. Analysis of new information security models

In the past two or three years, the information security assurance system has developed in a race against the rise of the virus industry, and there have been profound and significant changes in related technologies, architectures and forms, roughly summarized in the following three aspects:

First, segmentation and expansion. The functions and applications of information security are expanding from the simple attack prevention and virus prevention of the past to a variety of new online application businesses, and outward to the network perimeter. Common examples such as account security protection, password security protection, game security protection and e-commerce payment process protection are subdivisions and extensions of information security functions and applications.

Second, the trend toward integration of information security assurance. End users hope that information security protection will not only solve the specific problems of their particular application processes, but also that an overall, integrated information security solution will run through the entire business process and the entire IT enterprise architecture. As a result, many security vendors are integrating their own security products and architectures and applying them in a targeted way to every aspect of individual customers, demonstrating the trend toward integrated information security assurance.

Third, changes in the security distribution structure. On the server side, investment in the relevant market, the needs of enterprises, and even the importance that enterprises attach to the server market are undergoing major changes, and these changes significantly affect the security distribution structure. In response, security vendors have added many new features in both server security and client security, and some new architectural models have even been proposed.

Through these new developments in technology, architecture and form, we can see some rules and trends, and some clues to future changes in the information security protection model. If hackers have achieved industrialization under the catalysis of the Internet, what about information security protection? By mobilizing the power of every end user on the Internet, the entire Internet itself becomes a tool of security assurance. This is the future model of information security assurance, which some organizations and security vendors have named "cloud security".

In the "cloud security" model, security organizations and security product manufacturers are not the only participants in protection; end users, the clients, are involved too. "Cloud security" is not a security technology but a concept that integrates security with the Internet.

The "cloud security" client is not an ordinary standalone client; it is the traditional client transformed for the Internet. It is a front end for perceiving, capturing and resisting Internet threats. In addition to the traditional single-host detection function, it provides Internet-based collaborative behavior-feature detection and Internet-based collaborative resource protection. It can therefore detect threats and, at the same time, quickly pass them on to the "cloud security" threat information data center.

The threat information data center is an organization that collects threat information and provides it to clients. It has two functions: collecting threat information, and answering client queries and feeding back collaborative information. First, the malicious threat information collected and intercepted by "cloud security" clients is transmitted to the data center in a timely manner and then to the source-tracing and mining service cluster, which mines the sources of malicious threats from the data, locates the source through collaborative analysis, and then controls it; if the source cannot be controlled, it can at least be detected. Next, all of the collected information is fed into an automated analysis and processing system that forms a solution. That solution is passed to the server and sent back to the clients, or is formed into a basic Internet service and passed to all security partners as an Internet technical service, so that the entire network can benefit from it.
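The client/data-center exchange described above, modelled as an added Python simulation that is not part of the original article and does not represent any vendor's implementation. Clients report suspicious sample hashes together with the host they fetched the sample from; the data center aggregates the reports, and once a configurable number of distinct clients (here 3) have reported the same hash it runs a minimal "source mining" step (the most frequently reported download host) and pushes a block verdict back to every registered client, so that clients which never saw the sample as suspicious still block it. All class names, the threshold, the hash and the hostnames are constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class ThreatReport:
    """One client's observation of a suspicious sample (all fields constructed)."""
    client_id: str
    sample_hash: str    # e.g. a SHA-256 of the suspicious file
    source_host: str    # host the client fetched the sample from


class ThreatDataCenter:
    """Collects reports, analyzes once enough independent clients agree,
    and feeds the resulting verdict back to every registered client."""

    def __init__(self, min_clients: int = 3):
        self.min_clients = min_clients
        self.reports: Dict[str, List[ThreatReport]] = defaultdict(list)
        self.verdicts: Dict[str, str] = {}      # sample_hash -> "block"
        self.sources: Dict[str, str] = {}       # sample_hash -> suspected origin host
        self.clients: List["CloudClient"] = []

    def register(self, client: "CloudClient") -> None:
        self.clients.append(client)

    def query(self, sample_hash: str) -> Optional[str]:
        """Client lookup: what does the cloud already know about this hash?"""
        return self.verdicts.get(sample_hash)

    def submit(self, report: ThreatReport) -> Optional[str]:
        """Collect a report; analyze when min_clients distinct clients agree."""
        self.reports[report.sample_hash].append(report)
        distinct = {r.client_id for r in self.reports[report.sample_hash]}
        if report.sample_hash not in self.verdicts and len(distinct) >= self.min_clients:
            self._analyze(report.sample_hash)
        return self.verdicts.get(report.sample_hash)

    def _analyze(self, sample_hash: str) -> None:
        # Source mining: the host reported most often for this sample is the
        # suspected origin to be controlled, or at least detected.
        counts: Dict[str, int] = defaultdict(int)
        for r in self.reports[sample_hash]:
            counts[r.source_host] += 1
        self.sources[sample_hash] = max(counts, key=counts.get)
        self.verdicts[sample_hash] = "block"
        for client in self.clients:         # feedback to every client
            client.receive_verdict(sample_hash, "block")


class CloudClient:
    """Endpoint agent: local detection plus cloud lookup and reporting."""

    def __init__(self, client_id: str, center: ThreatDataCenter):
        self.client_id = client_id
        self.center = center
        self.local_blocklist: set = set()
        center.register(self)

    def receive_verdict(self, sample_hash: str, verdict: str) -> None:
        if verdict == "block":
            self.local_blocklist.add(sample_hash)

    def inspect(self, sample_hash: str, source_host: str, locally_suspicious: bool) -> str:
        """Decide on a sample: local list first, then cloud lookup, then report."""
        if sample_hash in self.local_blocklist:
            return "blocked-local"
        if self.center.query(sample_hash) == "block":
            self.local_blocklist.add(sample_hash)
            return "blocked-cloud"
        if locally_suspicious:
            verdict = self.center.submit(ThreatReport(self.client_id, sample_hash, source_host))
            return "blocked-cloud" if verdict == "block" else "reported"
        return "allowed"


def run_scenario():
    """Five constructed clients meet the same constructed sample hash in turn."""
    center = ThreatDataCenter(min_clients=3)
    clients = [CloudClient(f"client-{i}", center) for i in range(5)]
    sample = "sha256:0000-constructed-sample-hash"
    outcomes = [
        clients[0].inspect(sample, "dl.example.net", True),      # first report
        clients[1].inspect(sample, "dl.example.net", True),      # second report
        clients[2].inspect(sample, "mirror.example.org", True),  # third: verdict formed
        clients[3].inspect(sample, "dl.example.net", False),     # pushed verdict already local
        clients[4].inspect(sample, "dl.example.net", True),      # same
    ]
    return outcomes, center.sources[sample]


if __name__ == "__main__":
    outcomes, origin = run_scenario()
    print(outcomes)
    print("suspected origin:", origin)
```

The fourth client never judged the sample suspicious itself and would have allowed it in a standalone model; it is protected only because the verdict was pushed to it. The threshold on distinct client identities is the one design decision worth keeping in a real system: a single client (or a single attacker-controlled client) reporting many times must not be able to force a block verdict onto everyone else.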
