Information Security Vulnerability Analysis Technology

Source: Internet
Author: User
Tags: mitre

The scope of information security keeps widening. It began with confidentiality alone and now also covers integrity, availability, controllability and non-repudiation, and the technology that supports these goals is gradually maturing.

According to the vulnerability statistics published by SecurityFocus, most operating systems have security vulnerabilities, and many applications face the same problem. Combined with management problems and growing software complexity, the vulnerabilities of information products are far from being resolved. Vulnerability analysis is therefore critical, yet the technical details of how vulnerabilities are discovered are generally not disclosed. For example, RPC vulnerabilities on the Windows platform were recently reported by security organizations outside China, but neither the analysis process nor the way the vulnerabilities are exploited was disclosed.

Information System Security Vulnerability Analysis Technology

Security vulnerabilities constantly threaten networked information systems. One of the key issues in securing such systems is dealing with vulnerabilities: scanning for them, repairing them, and preventing them.

The reliability, robustness and attack resistance of a network system also depend on whether the information products it uses carry security risks. Research on security vulnerability analysis falls into the following categories.

The first category: detection of known vulnerabilities and local analysis methods.

SATAN is the earliest network vulnerability analysis tool and the representative of this category. It was developed by the network security experts Dan Farmer and Wietse Venema. Its basic design concept is to simulate an attacker trying to break into one's own system. SATAN has a good extension framework: once the extension rules are understood, one can add one's own detection programs and rules to the framework, and they become an organic part of SATAN.

Because of this, when SATAN's authors stopped developing new versions, the tool could be taken over by other programmers, and SATAN evolved into SAINT. Compared with SATAN, SAINT added many new detection methods but did not change SATAN's architecture at all. SATAN only runs on Unix systems and cannot be used by remote users; SAINT solved the remote-user problem, but neither SATAN nor SAINT can collect local vulnerabilities of remote hosts, and both analyse vulnerability information at a low level, processing only raw vulnerability data.

Nessus is a free, open-source and more recent network vulnerability analysis tool. It runs on Linux, BSD, Solaris and other platforms, implements multithreading and a plug-in architecture, provides a GTK interface, and can check a wide range of remote vulnerabilities. However, Nessus can only find vulnerabilities through remote scanning. Many vulnerabilities are local and cannot be detected or exploited over the network, for example those that require collecting host configuration information, and it is difficult to obtain trust relationships and group information remotely.

The second category: vulnerability detection based on formally specified security properties.

Automatic and systematic vulnerability analysis is the current focus of research. R. Ramakrishnan and R. Sekar proposed a model-based vulnerability analysis method. Its basic principle is, first, to specify the target's security properties formally, for example "an ordinary user cannot overwrite the system log file"; second, to build an abstract model of the system that describes its security-relevant behaviour, composed of component models such as the file system and privileged processes; and finally, to check whether the abstract model satisfies the security properties. If it does not, the analysis generates the sequence of operations that violates them, which describes how the vulnerability can be exploited.

This method has the advantage of detecting both known and new vulnerabilities, whereas COPS and SATAN mainly address known ones. However, it requires a large amount of computing resources and is not yet practical. Its scalability also remains a challenge: real systems are much larger than the experimental models, the model must be built by hand, and automatic model generation is still an open problem.

The third category: correlated vulnerability analysis and detection.

This type of research builds on the results of the first two categories and focuses on correlation analysis of vulnerabilities, that is, describing the vulnerability discovery process from the attacker's perspective. Topological Vulnerability Analysis (TVA), a network-topology-based vulnerability analysis tool, can simulate the in-depth analysis that a penetration-testing expert would perform automatically, show the process by which vulnerabilities are found, and generate attack graphs. TVA models attack steps and their preconditions as a state-transition graph, which makes the analysis scalable and allows, for a given budget of computing resources, the computation of secure network configurations.

However, TVA requires manual input to model the vulnerability discovery process; to address this, a machine-readable standard language is needed so that domain knowledge can be acquired automatically. In addition, if a large network has many vulnerabilities, TVA generates a huge graph that is difficult to manage. Finally, the information TVA uses to decide whether a vulnerability is exploitable must be accurate and reliable, yet TVA's vulnerability information depends only on Nessus.

Laura P. Swiler and others also developed an attack graph generation tool: the network configuration, attacker capabilities, attack templates and attacker profile are fed to an attack graph builder, which outputs an attack graph in which the shortest path indicates where the system is most vulnerable to attack. Oleg Sheyner and Joshua Haines used model checking to study the automatic generation and analysis of attack graphs. The basic idea is to abstract the network as a finite state machine in which state transitions represent atomic attacks, to specify the required security property, and then to use the model checker NuSMV to generate the attack graph automatically; network attack domain knowledge is then used to interpret the meaning of the state variables and of the transitions in the graph. The problems still to be solved with this method are the scalability of the model, the large computing overhead, and the reliance on manual work to produce the modelling data.
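The analysis that the model-based method and the attack-graph tools above perform reduces to a search over a finite state space. The following Python program is an added example, not code from TVA, NuSMV or any of the papers cited here: it models a small hypothetical network as a set of facts, atomic attacks as precondition/postcondition rules, and a security property ("the attacker never obtains root on the database server"). A breadth-first search produces the attack graph (every transition reached) and the shortest operation sequence that violates the property, which is what a model checker reports as its counterexample. The host names, vulnerability labels and attacks are placeholders and correspond to no real advisory. It also shows the "secure configuration" use of such a tool: removing one vulnerability and re-running the search to confirm that the property then holds.

```python
"""Attack-graph generation by state-space search (added example).

A state is a frozenset of facts such as ("priv", host, level),
("reach", src, dst) or ("vuln", host, label).  An atomic attack fires when
all of its preconditions hold and adds its postconditions.  The search
returns every transition it explores (the attack graph) and the shortest
attack sequence that reaches a state violating the security property,
i.e. the counterexample a model checker such as NuSMV would report.
Hosts, vulnerability labels and attacks are hypothetical placeholders.
"""
from collections import deque
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List, Optional, Tuple

Fact = Tuple[str, ...]
State = FrozenSet[Fact]


@dataclass(frozen=True)
class AtomicAttack:
    name: str
    pre: FrozenSet[Fact]   # every fact must hold in the current state
    post: FrozenSet[Fact]  # facts gained when the attack succeeds


def trace_back(parent: Dict[State, Optional[Tuple[State, str]]], state: State) -> List[str]:
    """Walk parent links from `state` to the initial state; return attack names in order."""
    path = []
    while parent[state] is not None:
        prev, name = parent[state]
        path.append(name)
        state = prev
    return path[::-1]


def build_attack_graph(initial: State, attacks: List[AtomicAttack],
                       violated: Callable[[State], bool], max_states: int = 10_000):
    """Breadth-first search over attacker states.

    Returns (edges, counterexample): edges is a list of (state, attack name,
    next state); counterexample is the shortest attack sequence reaching a
    state where violated(state) is True, or None if the property holds on
    every reachable state.  BFS guarantees the first violating state popped
    is at minimum depth, i.e. it is the shortest attack path.
    """
    parent: Dict[State, Optional[Tuple[State, str]]] = {initial: None}
    queue = deque([initial])
    edges = []
    counterexample = None
    while queue:
        state = queue.popleft()
        if counterexample is None and violated(state):
            counterexample = trace_back(parent, state)
        for atk in attacks:
            if not atk.pre <= state:
                continue
            nxt = state | atk.post
            if nxt == state:
                continue          # attack yields nothing new: skip self-loop
            edges.append((state, atk.name, nxt))
            if nxt not in parent:
                parent[nxt] = (state, atk.name)
                queue.append(nxt)
                if len(parent) > max_states:
                    raise RuntimeError("state space too large; coarsen the model")
    return edges, counterexample


def example_network(patched: bool = False):
    """Hypothetical three-host network: attacker on the Internet, a web server
    in the DMZ, a database server reachable only from the web server.
    With patched=True the local privilege escalation on the web server is removed."""
    facts = {
        ("priv", "internet", "root"),
        ("reach", "internet", "web"),
        ("reach", "web", "db"),
        ("vuln", "web", "WEB-RCE-1"),        # placeholder: remote code execution as service user
        ("vuln", "web", "LOCAL-PRIVESC-1"),  # placeholder: local root escalation
        ("vuln", "db", "DB-TRUST-1"),        # placeholder: trust relationship abusable from web root
    }
    if patched:
        facts.discard(("vuln", "web", "LOCAL-PRIVESC-1"))
    attacks = [
        AtomicAttack("exploit WEB-RCE-1 from internet",
                     frozenset({("priv", "internet", "root"), ("reach", "internet", "web"),
                                ("vuln", "web", "WEB-RCE-1")}),
                     frozenset({("priv", "web", "user")})),
        AtomicAttack("local privesc on web",
                     frozenset({("priv", "web", "user"), ("vuln", "web", "LOCAL-PRIVESC-1")}),
                     frozenset({("priv", "web", "root")})),
        AtomicAttack("abuse trust relationship web->db",
                     frozenset({("priv", "web", "root"), ("reach", "web", "db"),
                                ("vuln", "db", "DB-TRUST-1")}),
                     frozenset({("priv", "db", "root")})),
    ]
    return frozenset(facts), attacks


def db_root_reached(state: State) -> bool:
    """Negation of the security property: the attacker must never hold root on db."""
    return ("priv", "db", "root") in state


def analyse(patched: bool = False):
    initial, attacks = example_network(patched)
    return build_attack_graph(initial, attacks, db_root_reached)


if __name__ == "__main__":
    for patched in (False, True):
        edges, trace = analyse(patched)
        print(f"patched={patched}: {len(edges)} transitions, counterexample={trace}")
```

The state-explosion problem the text raises is visible in the `max_states` guard: every new fact doubles the potential state space, which is why the real tools depend on aggregation and on accurate vulnerability input to keep the graph small.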


The fourth category: the foundational work of vulnerability detection, which mainly involves the discovery, collection, classification and standardization of vulnerability information.

Vulnerability detection relies on vulnerability discovery, so original vulnerability discovery is the most challenging research problem. The organizations engaged in vulnerability discovery are mainly universities, security companies and hacker groups. In the area of vulnerability information publication, CERT is the most representative and the earliest research institute to publish vulnerability information on the Internet. In the area of standardization, MITRE developed the Common Vulnerabilities and Exposures (CVE) list to standardize vulnerability naming, and also developed the Open Vulnerability and Assessment Language (OVAL), which is used for benchmark testing of vulnerability detection; this language is still being improved.

Compared with other countries, China's vulnerability information still lacks timeliness and completeness, mainly because the discovery of new vulnerabilities lags behind. Vulnerability detection, elimination and prevention all depend on vulnerability discovery, so vulnerability analysis has become the most challenging research hotspot.

Intrusion detection and warning technology

Protecting a networked information system involves several kinds of security systems: protection, detection, response and recovery. The intrusion detection system is an important component and plays the early-warning role in the digital space. Intrusion detection technology has developed through five stages: the first, detection by matching simple attack signatures; the second, detection based on models of abnormal behaviour; the third, detection based on correlation analysis of intrusion alerts; the fourth, detection of attack intent; and the fifth, detection of the overall security situation. The development trends of intrusion detection and early warning can be summarized as follows.

Intrusion Security Technology Integration

Because of the development of network technology and changes in attack techniques, intrusion detection systems alone cannot solve every problem of detection, prevention, response and evaluation. They are therefore evolving: intrusion detection systems, vulnerability detection systems, firewalls and emergency response systems will gradually be integrated into a unified information security assurance system. For example, SecureDecisions has developed a security decision-making product that integrates IDS, firewall and other functions and visualizes the alert data. The intrusion prevention system (IPS) is becoming the future direction of IDS.

High-Performance Network Intrusion Detection

The new problem brought by modern high-speed networks is that an IDS must perform massive amounts of computation. High-performance detection algorithms and new IDS architectures have therefore become a research hotspot. High-performance parallel computing will be applied to intrusion detection, and both high-speed pattern matching algorithms and hardware-only NIDS are currently being studied abroad.
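The cost that drives this research is the naive way of signature matching: testing each packet against every rule's byte pattern one at a time. The Python program below is an added example, not code from Snort or any product named on this page. It builds an Aho-Corasick automaton over a set of constructed signatures so that all of them are matched in a single pass over a payload, with every byte examined a bounded number of times however many signatures are loaded; the signatures, packet payloads and their names are constructed for the example and taken from no real ruleset or capture.

```python
"""One-pass multi-signature matching with an Aho-Corasick automaton (added example).

A signature NIDS must test every payload against thousands of byte patterns.
Running one string search per pattern costs O(patterns * payload); the
automaton below examines each payload byte a bounded number of times no
matter how many signatures are loaded.  Signatures and packets are constructed
for this example and are not taken from any real ruleset or capture.
"""
from collections import deque
from typing import Dict, List, Optional, Tuple


class SignatureMatcher:
    def __init__(self, signatures: Dict[str, bytes]):
        self.goto: List[Dict[int, int]] = [{}]   # trie edges: node -> {byte: child}
        self.out: List[List[str]] = [[]]         # signatures ending at node
        self.fail: List[int] = [0]               # failure links (longest proper suffix in trie)
        for name, pattern in signatures.items():
            self._insert(name, pattern)
        self._build_failure_links()

    def _insert(self, name: str, pattern: bytes) -> None:
        node = 0
        for b in pattern:
            if b not in self.goto[node]:
                self.goto[node][b] = len(self.goto)
                self.goto.append({})
                self.out.append([])
                self.fail.append(0)
            node = self.goto[node][b]
        self.out[node].append(name)

    def _build_failure_links(self) -> None:
        # BFS so that a node's failure target (always shallower) is finished first;
        # the root's children keep failure link 0.
        queue = deque(self.goto[0].values())
        while queue:
            node = queue.popleft()
            for b, child in self.goto[node].items():
                f = self.fail[node]
                while f and b not in self.goto[f]:
                    f = self.fail[f]
                self.fail[child] = self.goto[f].get(b, 0)
                # a match for a longer pattern also matches the patterns that are its suffixes
                self.out[child] = self.out[child] + self.out[self.fail[child]]
                queue.append(child)

    def scan(self, payload: bytes) -> List[Tuple[int, str]]:
        """Return (offset of the last matched byte, signature name) for every hit."""
        node, hits = 0, []
        for i, b in enumerate(payload):
            while node and b not in self.goto[node]:
                node = self.fail[node]
            node = self.goto[node].get(b, 0)
            for name in self.out[node]:
                hits.append((i, name))
        return hits


# Constructed signatures, in the style of byte patterns a rule writer might use
SIGNATURES: Dict[str, bytes] = {
    "shellcode-nop-sled": b"\x90" * 8,
    "bin-sh-string": b"/bin/sh",
    "cmd-exe-string": b"cmd.exe",
    "dir-traversal": b"../../",
}

# Constructed payloads: a benign request, a traversal attempt, an overflow attempt
SAMPLE_PACKETS: Dict[str, bytes] = {
    "p1": b"GET /index.html HTTP/1.0\r\n\r\n",
    "p2": b"GET /cgi-bin/../../etc/passwd HTTP/1.0\r\n\r\n",
    "p3": b"A" * 20 + b"\x90" * 16 + b"\xeb\x1f/bin/sh",
}


def classify(packets: Dict[str, bytes],
             matcher: Optional[SignatureMatcher] = None) -> Dict[str, List[str]]:
    """Map packet id -> sorted list of the distinct signatures that fired on it."""
    matcher = matcher or SignatureMatcher(SIGNATURES)
    return {pid: sorted({name for _, name in matcher.scan(payload)})
            for pid, payload in packets.items()}


if __name__ == "__main__":
    for pid, names in classify(SAMPLE_PACKETS).items():
        print(pid, names or "clean")
```

The same automaton is what hardware NIDS designs implement as a table-driven state machine: the per-byte work is one transition lookup, which is what makes line-rate matching feasible.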

Standardization of Intrusion Detection Systems

Standardization facilitates data fusion between different kinds of IDS and interaction between IDS and other security products. The Intrusion Detection Working Group (IDWG) of the Internet Engineering Task Force (IETF) has developed the Intrusion Detection Message Exchange Format (IDMEF), the Intrusion Detection Exchange Protocol (IDXP), the Intrusion Alert Protocol (IAP) and other standards to meet the need to exchange security data between intrusion detection systems. These standard protocols are supported and implemented by organizations such as Silicon Defense, Defcom and UCSB. The open-source network intrusion detection system Snort supports an IDMEF output plug-in. Standardized interfaces will therefore be a development direction of the next generation of IDS.
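What a standardized alert format buys in practice is shown by the following added example, which is not Snort's IDMEF plug-in nor any code from the IDWG: it converts a Snort "fast"-format alert line into an IDMEF-Message using the element names and ordering of RFC 4765 (Analyzer, CreateTime, Source, Target, Classification, Assessment), and then reads the fields back the way an IDMEF-aware management console would, without knowing Snort's text format. The alert lines are constructed; the assumed layout of Snort's fast output is `timestamp [**] [gid:sid:rev] msg [**] [Classification: ...] [Priority: n] {proto} src[:port] -> dst[:port]`, the year (absent from that format) is supplied by the caller, and the reference URL is a placeholder.

```python
"""Snort fast-format alert -> IDMEF (RFC 4765) XML and back (added example).

The alert lines are constructed for this example.  The field layout assumed
for Snort's "fast" output is:
  timestamp [**] [gid:sid:rev] msg [**] [Classification: ...] [Priority: n]
  {proto} src[:port] -> dst[:port]
Snort's own IDMEF plug-in is not used here.
"""
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from typing import Dict, Optional

IDMEF_NS = "http://iana.org/idmef"
ET.register_namespace("idmef", IDMEF_NS)

FAST_ALERT = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?\[Priority:\s*(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$"
)


def _el(parent: ET.Element, tag: str, content: Optional[str] = None, **attrs: str) -> ET.Element:
    """Create a namespaced IDMEF child element with optional text and attributes."""
    e = ET.SubElement(parent, f"{{{IDMEF_NS}}}{tag}", attrs)
    if content is not None:
        e.text = content
    return e


def snort_fast_to_idmef(line: str, analyzer_id: str = "snort-sensor-01", year: int = 2004) -> bytes:
    """Build an IDMEF-Message from one fast-format line.  Snort's fast output
    carries no year, so `year` is an assumption supplied by the caller; times
    are treated as UTC."""
    m = FAST_ALERT.match(line.strip())
    if not m:
        raise ValueError(f"not a Snort fast alert: {line!r}")
    ts = datetime.strptime(f"{year}/{m['ts']}", "%Y/%m/%d-%H:%M:%S.%f").replace(tzinfo=timezone.utc)
    ntp_sec = int(ts.timestamp()) + 2208988800          # NTP epoch (1900) offset
    ntp_frac = int(ts.microsecond / 1_000_000 * (1 << 32))
    root = ET.Element(f"{{{IDMEF_NS}}}IDMEF-Message", {"version": "1.0"})
    alert = _el(root, "Alert", messageid=f"{analyzer_id}-{m['gid']}-{m['sid']}-{int(ts.timestamp())}")
    _el(alert, "Analyzer", analyzerid=analyzer_id, name="snort")
    _el(alert, "CreateTime", ts.isoformat(), ntpstamp=f"0x{ntp_sec:08x}.0x{ntp_frac:08x}")
    for tag, host, port in (("Source", m["src"], m["sport"]), ("Target", m["dst"], m["dport"])):
        side = _el(alert, tag)
        _el(_el(_el(side, "Node"), "Address", category="ipv4-addr"), "address", host)
        svc = _el(side, "Service")
        if port:                                          # ICMP alerts carry no port
            _el(svc, "port", port)
        _el(svc, "protocol", m["proto"])
    cls = _el(alert, "Classification", text=m["msg"])
    ref = _el(cls, "Reference", origin="vendor-specific")
    _el(ref, "name", f"{m['gid']}:{m['sid']}:{m['rev']}")
    _el(ref, "url", f"urn:example:snort-rule:{m['gid']}:{m['sid']}")   # placeholder, not a real URL
    severity = {"1": "high", "2": "medium", "3": "low"}.get(m["prio"], "info")
    _el(_el(alert, "Assessment"), "Impact", severity=severity)
    return ET.tostring(root, encoding="utf-8", xml_declaration=True)


def summarize_idmef(doc: bytes) -> Dict[str, Optional[str]]:
    """Manager side: pull the fields an operator needs from any IDMEF alert."""
    ns = {"idmef": IDMEF_NS}
    alert = ET.fromstring(doc).find("idmef:Alert", ns)
    if alert is None:
        raise ValueError("no Alert element")

    def address(side: str) -> Optional[str]:
        return alert.findtext(f"idmef:{side}/idmef:Node/idmef:Address/idmef:address", namespaces=ns)

    impact = alert.find("idmef:Assessment/idmef:Impact", ns)
    return {
        "created": alert.findtext("idmef:CreateTime", namespaces=ns),
        "source": address("Source"),
        "target": address("Target"),
        "target_port": alert.findtext("idmef:Target/idmef:Service/idmef:port", namespaces=ns),
        "classification": alert.find("idmef:Classification", ns).get("text"),
        "severity": impact.get("severity") if impact is not None else None,
    }


# Constructed sample alerts (not from a real sensor); sids are in the local-rule range
SAMPLE_ALERTS = [
    "03/09-10:01:25.934640  [**] [1:1000001:1] EXAMPLE-RULE suspicious response [**] "
    "[Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.0.0.7:80 -> 192.0.2.50:3456",
    "03/09-10:02:00.000000  [**] [1:1000002:1] EXAMPLE-RULE icmp probe [**] "
    "[Priority: 3] {ICMP} 192.0.2.50 -> 10.0.0.7",
]

if __name__ == "__main__":
    for line in SAMPLE_ALERTS:
        print(summarize_idmef(snort_fast_to_idmef(line)))
```

The consumer never touches the regular expression: a second sensor that emits IDMEF natively plugs into `summarize_idmef` unchanged, which is the data-fusion point the standard is meant to serve.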

Embedded Intrusion Detection

The spread of the Internet has brought computing into a new mode after host computing and desktop computing: pervasive computing, which embeds computers into people's daily lives and work environments so that users can conveniently access information and obtain computing services. With the wide use of mobile computing devices, embedded intrusion detection technology has attracted attention.

Systematic intrusion detection and early warning

Intrusion detection systems have evolved from centralized to distributed systems. Distributed deployment of sensors enables hierarchical monitoring of intrusion behaviour: alert events are aggregated at an intrusion management platform, where they are correlated and analysed centrally, to give a global view of the security situation and support emergency response. The technology is currently moving from "detection and response" to "warning and preparation".

Network Worm Prevention Technology

Compared with traditional host viruses, network worms propagate faster and do more damage. Traditional standalone anti-virus technology, LAN anti-virus technology and virus-firewall technology cannot meet the worm-warning requirements of open networks. For example, traditional standalone virus detection relies on fixed detection rules and is not suited to detecting network worms, because malicious code on the network is extremely varied, constantly changes form, and differs widely in its intrusion, infection and attack mechanisms. In recent years the main research hotspots have been: classification of computer worms, simulation of worm traffic, design and testing of worm warning systems, worm propagation simulation experiments, worm analysis models, and isolation technology. On the product side, Silicon Defense released CounterMalice, and Lancope's StealthWatch is a behaviour-based intrusion detection system with threat management functions.

In short, worm attack and defence techniques are developing along with the worms themselves. The main technical trends are: the fast propagation and concealment mechanisms of network worms; worm early-warning technology and simulation testing; worm emergency response technology, mainly blocking; theoretical models of network worms, such as application-level worms, database worms and worms in mobile environments; and worm protection mechanisms such as code randomization and software diversity.
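The propagation simulation, analysis model and blocking response named above can all be shown on one small model. The Python program below is an added example, not code from any worm-warning product or paper: it simulates a random-scanning worm in a constructed address space (stochastic, host by host), places the classical simple-epidemic (logistic) model beside it as the deterministic mean-field approximation, and adds a containment variant in which a host that has sent more than a threshold of probes is cut off from the network, which is the blocking technique the text refers to. The address-space size, number of vulnerable hosts, scan rate and threshold are assumptions chosen for the example and describe no specific real worm.

```python
"""Worm propagation simulation with optional containment (added example).

Two views of the same epidemic: a stochastic host-level simulation of a
random-scanning worm and the deterministic logistic ("simple epidemic") model
it approximates.  The containment variant models blocking: a host that has
sent more than a threshold of probes is disconnected and stops scanning.
All parameters are constructed for this example; no real worm is described.
"""
import random
from typing import List, Optional


def simulate_worm(address_space: int = 1 << 16, vulnerable: int = 2000,
                  scans_per_tick: int = 8, ticks: int = 300,
                  contain_after_scans: Optional[int] = None, seed: int = 1) -> List[int]:
    """Each infected, unblocked host sends scans_per_tick probes to uniformly
    random addresses per tick; a probe that lands on an uninfected vulnerable
    host infects it.  Returns the infected count after every tick."""
    rng = random.Random(seed)
    vulnerable_hosts = rng.sample(range(address_space), vulnerable)
    is_vulnerable = set(vulnerable_hosts)
    patient_zero = vulnerable_hosts[0]
    infected = {patient_zero}
    scanning = {patient_zero}            # infected and not yet blocked
    probes_sent = {patient_zero: 0}
    history = []
    for _ in range(ticks):
        newly_infected = set()
        for host in list(scanning):
            for _ in range(scans_per_tick):
                target = rng.randrange(address_space)
                if target in is_vulnerable and target not in infected:
                    newly_infected.add(target)
            probes_sent[host] += scans_per_tick
            if contain_after_scans is not None and probes_sent[host] >= contain_after_scans:
                scanning.discard(host)   # containment blocks the noisy host; it stays infected
        for host in newly_infected:
            infected.add(host)
            scanning.add(host)
            probes_sent[host] = 0
        history.append(len(infected))
    return history


def logistic_model(address_space: int = 1 << 16, vulnerable: int = 2000,
                   scans_per_tick: int = 8, ticks: int = 300) -> List[float]:
    """Deterministic mean-field model: a(t+1) = a(t) + K a(t) (1 - a(t)), where
    a is the infected fraction of vulnerable hosts and K = scans_per_tick *
    vulnerable / address_space is the expected number of new infections per
    infected host per tick at the start.  Returns expected infected counts."""
    k = scans_per_tick * vulnerable / address_space
    a = 1.0 / vulnerable
    out = []
    for _ in range(ticks):
        a = a + k * a * (1.0 - a)
        out.append(a * vulnerable)
    return out


def time_to_fraction(history: List[float], fraction: float, total: int) -> Optional[int]:
    """First tick at which the infected count reaches fraction * total, or None."""
    for t, n in enumerate(history):
        if n >= fraction * total:
            return t
    return None


if __name__ == "__main__":
    free = simulate_worm()
    contained = simulate_worm(contain_after_scans=8)
    model = logistic_model()
    print("uncontained: 50% at tick", time_to_fraction(free, 0.5, 2000), "final", free[-1])
    print("logistic   : 50% at tick", time_to_fraction(model, 0.5, 2000), "final", round(model[-1]))
    print("contained  : final", contained[-1])
```

With the containment threshold set to one tick's worth of probes each infected host gets a single scanning round, its expected number of offspring falls below one, and the outbreak dies out after a handful of hosts; raising the threshold shows how much detection delay the blocking response can tolerate before the curve returns to the uncontained sigmoid.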
