Chapter 15: Principles and Applications of Network Security Active Defense Technology
Intrusion blocking technology and application
- Principles of intrusion prevention technology
  - Realize a multi-functional security system combining firewall, intrusion detection and attack mitigation, namely an intrusion prevention system (IPS)
  - Control packet forwarding by judging attack behavior from the characteristics and context of network packets
- Intrusion blocking technology application
  - To avoid network communication bottlenecks, implement IPS based on bypass blocking (SPS)
  - The main function of IPS/SPS is to filter harmful network information flows:
    - Block specified IP addresses
    - Block designated network ports
    - Block specified domain names
    - Block specific URLs; block specific types of attacks
    - Provide hot fixes for zero-day vulnerabilities
Software whitelist technology and application
- Technical principles of software whitelisting
  - Set up a list of trusted software so that software not on the list, including malicious software, is prevented from running in the related network information systems
- Software whitelist technology application
  - Build a safe and trustworthy mobile Internet security ecosystem
  - Malicious code protection
  - "White environment" protection
Network traffic cleaning technology and application
- Principles of network traffic cleaning technology
  - Through abnormal traffic detection, traffic originally destined for the target system is diverted to a traffic cleaning center; after cleaning, the retained normal traffic is forwarded to the target system
  - Main technical methods:
    - Traffic monitoring: DPI
    - Traffic diversion and cleaning: BGP, DNS
    - Traffic re-injection
- Network traffic cleaning technology application
  - Malformed packet filtering
  - Resistance to denial-of-service attacks
  - Web application protection
  - DDoS high-defense IP service: protects the origin server through a proxy forwarding mode
Trusted Computing Technology and Application
- Principles of trusted computing technology
  - At present, trusted verification has become a new requirement of Classified Protection 2.0 (MLPS 2.0)
  - Principle: Root of Trust -> Trusted Hardware Platform -> Trusted Operating System -> Trusted Application System; each level authenticates the next, and trust is extended one level at a time (a chain of trust)
  - Trusted platform root of trust: TPM
  - TCG defines three roots of trust for a trusted computing platform: Root of Trust for Measurement (RTM), Root of Trust for Storage (RTS) and Root of Trust for Reporting (RTR)
  - Trusted cryptographic platform composition: Trusted Cryptographic Module (TCM) and TCM Service Module (TSM)
  - TCM composition:
    - I/O
    - SMS4 engine
    - SM2 engine
    - SM3 engine
    - Random number generator
    - HMAC engine: calculates message authentication codes based on the SM3 engine
    - Execution engine: the computation execution unit of the TCM
    - Non-volatile memory: stores permanent data
    - Volatile memory: stores temporary data while the TCM is running
- Trusted computing technology application
  - Computing platform security protection
  - Trusted network connection
  - Trusted verification
  - Textbook reference: P305-P308
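An added example, not from the textbook, of the chain-of-trust and three-roots model: the RTM measures each boot stage into a register kept by the RTS, and the RTR reports it for a verifier to check. SHA-256 and HMAC stand in for the TCM's SM3 and SM2 engines (an assumption for portability); the stage images, key and nonce are constructed.

```python
import hashlib
import hmac

# SHA-256 and HMAC stand in for the TCM's SM3 and SM2 engines (assumption: only the primitives differ).
HASH = hashlib.sha256
ZERO_PCR = bytes(32)   # register value after platform reset

def extend(pcr, image):
    """RTS-style extend: new = H(old || H(image)); order and content of every stage are bound into one value."""
    return HASH(pcr + HASH(image).digest()).digest()

def measure_boot_chain(stages):
    """RTM: each stage is measured before control passes to it, level by level (the chain of trust)."""
    pcr, log = ZERO_PCR, []
    for name, image in stages:
        pcr = extend(pcr, image)
        log.append((name, HASH(image).hexdigest()))
    return pcr, log

def replay(log):
    """Verifier side: recompute the final register from the event log alone."""
    pcr = ZERO_PCR
    for _, digest_hex in log:
        pcr = HASH(pcr + bytes.fromhex(digest_hex)).digest()
    return pcr

def quote(pcr, nonce, key):
    """RTR: report the register under a platform key, bound to the verifier's nonce against replay."""
    return hmac.new(key, nonce + pcr, HASH).digest()

def verify_quote(q, expected_pcr, nonce, key):
    return hmac.compare_digest(q, quote(expected_pcr, nonce, key))

# Constructed stage images: a known-good boot and one whose kernel was altered.
GOOD_CHAIN = [("bootloader", b"bootloader v1"), ("kernel", b"kernel v1"), ("app", b"app v1")]
TAMPERED_CHAIN = [("bootloader", b"bootloader v1"), ("kernel", b"kernel v1 + implant"), ("app", b"app v1")]
KEY, NONCE = b"constructed-platform-key", b"verifier-nonce-1"

def attestation_passes(chain, expected_pcr):
    """End-to-end trusted verification: the reported register must equal the golden value."""
    pcr, _ = measure_boot_chain(chain)
    return verify_quote(quote(pcr, NONCE, KEY), expected_pcr, NONCE, KEY)
```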
Digital Watermarking Technology and Application
- Principles of digital watermarking technology
  - Principle: using digital signal processing methods to embed specific marks in digital media files
  - Composition: watermark embedding and watermark extraction
  - Embedding methods are divided into:
    - Spatial domain method: the watermark is superimposed directly in the spatial domain of the digital carrier
      - Typical algorithms: the Schyndel algorithm and the Patchwork algorithm
    - Transform domain method: using spread spectrum communication techniques, the discrete cosine transform (DCT) of the image is computed first, and the watermark is then superimposed on the L largest coefficients in the DCT domain (excluding the DC component), which are usually the low-frequency components of the image
      - Typical algorithm: the NEC algorithm
- Digital watermarking technology application
  - Copyright protection
  - Information hiding
  - Information traceability
  - Access control
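An added example, not from the textbook, of the spatial-domain method: LSB replacement in the manner of the Schyndel algorithm, with a length prefix so extraction knows where the mark ends. The carrier image and the mark are constructed.

```python
def bits_of(data):
    """Yield the bits of a byte string, most significant bit first."""
    for byte in data:
        for i in range(7, -1, -1):
            yield (byte >> i) & 1

def embed_lsb(pixels, mark):
    """Spatial-domain embedding: a 2-byte length prefix plus the mark replace the LSB of successive pixels."""
    payload = len(mark).to_bytes(2, "big") + mark
    bits = list(bits_of(payload))
    if len(bits) > len(pixels):
        raise ValueError("carrier too small for mark")
    out = list(pixels)
    for i, b in enumerate(bits):
        out[i] = (out[i] & 0xFE) | b     # each pixel changes by at most 1
    return out

def extract_lsb(pixels):
    """Watermark extraction: read the length prefix from the LSBs, then that many mark bytes."""
    def read_bytes(start_bit, count):
        result = bytearray()
        for j in range(count):
            byte = 0
            for k in range(8):
                byte = (byte << 1) | (pixels[start_bit + j * 8 + k] & 1)
            result.append(byte)
        return bytes(result)
    length = int.from_bytes(read_bytes(0, 2), "big")
    return read_bytes(16, length)

def max_pixel_change(a, b):
    """Imperceptibility check: largest per-pixel difference between carrier and marked image."""
    return max(abs(x - y) for x, y in zip(a, b))

# Constructed 16x16 8-bit grayscale carrier (deterministic pattern, no image library needed).
CARRIER = [((x * 37) ^ (x >> 3)) & 0xFF for x in range(256)]
```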
Network attack trap technology and application
- Network attack trap technology principle
  - Network attack deception techniques include:
    - Honeypot host technology, including: empty systems, mirror systems, virtual systems
    - Trap network (honeynet) technology
      - Composed of multiple honeypot hosts, routers, firewalls, IDS and audit systems
      - Functions realized: honeypot system, data control, data capture, data recording, data analysis, data management, etc.
      - Open source network attack trap systems include Honeyd, the industrial control system honeypot Conpot, the password honeypot Honeywords, etc.
- Network attack trap technology application
  - Malicious code monitoring
  - Enhanced resistance to attack
  - Network situation awareness
Intrusion tolerance and system survival technology and application
- Principles of intrusion tolerance and system survival technology
  - Principle: it is assumed that even when an intrusion has occurred, the network information system can still complete its tasks according to user requirements
  - Main techniques:
    - Distributed consensus: avoids single points of failure
    - Active recovery: through self-cleaning techniques, the system is periodically migrated back to a trusted state, breaking the attack chain
    - Threshold cryptography: used to protect secrets
    - Diversified design: avoids common-mode failures
- Intrusion tolerance and system survival technology application
  - Resilient CA systems, blockchain
Privacy protection technology and application
- Principles of privacy protection technology
  - Types of privacy: identity privacy, attribute privacy, social relationship privacy, location and trajectory privacy
  - Techniques to protect privacy:
    - k-anonymity method: generalize all tuples in the data so that they no longer correspond one-to-one to any individual
    - Differential privacy method: add random noise to the protected data set to form a new data set
  - Common technical measures for privacy protection: suppression, generalization, replacement, perturbation, trimming, etc.
- Privacy protection technology application
  - Anonymization of personal information
  - De-identification of personal information
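An added example, not from the textbook, of reaching k-anonymity with two of the measures listed above, generalization and suppression: ages are coarsened to decades and postal codes truncated, then any group of quasi-identifier values still smaller than k is suppressed. The records and the generalization rules are constructed.

```python
from collections import Counter

# Constructed records: (age, zip) are quasi-identifiers, "disease" is the sensitive attribute.
RECORDS = [
    {"age": 23, "zip": "100081", "disease": "flu"},
    {"age": 27, "zip": "100083", "disease": "cold"},
    {"age": 25, "zip": "100085", "disease": "flu"},
    {"age": 34, "zip": "100091", "disease": "asthma"},
    {"age": 38, "zip": "100095", "disease": "flu"},
    {"age": 31, "zip": "100097", "disease": "cold"},
    {"age": 52, "zip": "200011", "disease": "asthma"},
]
QUASI_IDENTIFIERS = ("age", "zip")

def qi_key(record):
    """The combination of quasi-identifier values that defines a record's equivalence class."""
    return tuple(record[q] for q in QUASI_IDENTIFIERS)

def generalize(record):
    """Generalization: age to a decade range, zip to its 4-digit prefix (constructed hierarchy)."""
    decade = record["age"] // 10 * 10
    return {
        "age": f"{decade}-{decade + 9}",
        "zip": record["zip"][:4] + "**",
        "disease": record["disease"],
    }

def k_of(records):
    """The k actually achieved: size of the smallest equivalence class (0 for an empty table)."""
    if not records:
        return 0
    return min(Counter(qi_key(r) for r in records).values())

def k_anonymize(records, k):
    """Generalize every tuple, then suppress classes that are still smaller than k."""
    generalized = [generalize(r) for r in records]
    sizes = Counter(qi_key(r) for r in generalized)
    return [r for r in generalized if sizes[qi_key(r)] >= k]
```

On the raw table every record is unique (k = 1); after generalization two classes of three remain and the lone 50-59 record is suppressed, giving k = 3.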
Development Trends of Frontier Network Security Technology
- Cyber threat intelligence service
  - Mainly includes: security vulnerabilities, attack source IP addresses, malicious mailboxes, malicious domain names, attack tools
  - The China Anti-Network Virus Alliance (ANVA) hosted the establishment of a cyber security threat information sharing platform
- Domain name service security
  - Common security risks of domain name services:
    - Domain name information tampering
    - Domain name resolution configuration errors
    - Domain name hijacking
    - Domain name software security vulnerabilities
- Homomorphic encryption
  - An encryption scheme in which the operations of addition and multiplication can be performed on the ciphertexts, and the decrypted result is equivalent to performing the same operations on the plaintexts