A DNS Traffic Restoration System for Security Analysis in Large-scale Networks
  • English title: DNS Protocol Restore System for Security Analysis Based on Large-scale Network
  • Authors: 文奕; 陈兴蜀; 曾雪梅; 罗永刚
  • English authors: WEN Yi; CHEN Xingshu; ZENG Xuemei; LUO Yonggang; College of Cyber Security, Sichuan University; Cyber Security Research Institute, Sichuan University
  • Keywords: DNS; protocol restoration; Storm; big data; stream processing
  • English keywords: DNS; protocol restore; storm; big data; streaming processing
  • Chinese journal code: XXAQ
  • English journal title: Netinfo Security
  • Affiliations: College of Cyber Security, Sichuan University; Cyber Security Research Institute, Sichuan University
  • Publication date: 2019-05-10
  • Publisher: 信息网络安全 (Netinfo Security)
  • Year: 2019
  • Issue: No.221
  • Funding: National Natural Science Foundation of China [61272447]; National "Mass Entrepreneurship and Innovation" Demonstration Base Project [C700011]; Sichuan Science and Technology Support Program [2016GZ0038]; Sichuan Key R&D Project [2018G20100]; Fundamental Research Funds for the Central Universities [SCU2016D009, 2017SCU11065]
  • Language: Chinese
  • Page: XXAQ201905011
  • Page count: 7
  • CN: 05
  • ISSN: 31-1859/TN
  • Classification number: 83-89
Abstract
Network traffic restoration is the foundation of network security analysis. To meet the need for real-time response to massive data in a big-data network environment, this paper proposes a DNS protocol restoration system for security analysis built on the Storm stream-processing framework. The system obtains raw packets from the message system, parses each packet layer by layer, serializes the restored DNS data and publishes it back to the message system for subsequent security analysis. On top of this restoration, the paper studies DNS data that abuses protocol features or has a malformed format, and extends the restoration system to identify three classes of abnormal DNS packets: packets with a malformed DNS format, packets that inject extra information into UDP slack space, and packets that use NULL characters to spoof the parser and hide malicious domain names. Experiments show that the system processes traffic efficiently and in real time in a real 10 Gbps big-data network environment, with an average processing delay within 5 ms, and that it can recognize and handle abnormal DNS packets.