Please use this identifier to cite or link to this item:
https://nccur.lib.nccu.edu.tw/handle/140.119/141044
Title: | Packet-Level Deceptive Defense against Network Reconnaissance Attacks (DEFIC: Defensive Packet Deception on Reconnaissance Attack) |
Authors: | Lin, Zih-Siang (林子翔) |
Contributors: | Yu, Fang (郁方); Lin, Zih-Siang (林子翔) |
Keywords: | Cyber kill chain; Network reconnaissance; Defensive deception; OS fingerprint; Port scanning |
Date: | 2022 |
Issue Date: | 2022-08-01 17:25:09 (UTC+8) |
Abstract (translated from the Chinese): | Network reconnaissance is the first stage of the cyber kill chain: the attacker performs host discovery, port scanning and operating system detection in an attempt to obtain critical resources from the remote host. Misleading the adversary during the reconnaissance stage provides a proactive protection mechanism, rather than responding only after an attack has actually occurred, and can prevent the subsequent weaponization and exploitation stages. In this thesis we propose DEFIC, a new packet-level defensive deception framework that can counter the common reconnaissance attacks carried out with third-party reconnaissance tools such as Nmap. The proposed framework forges deceptive responses to scan packets that probe ports and system configuration, confusing the attacker during reconnaissance so that the target host can masquerade as running an operating system designated by the defender. In addition, we build several operating system templates that dynamically generate a sequence of forged responses according to the real-time state of the system, subtle differences among scan packets, and the chosen OS deception strategy. Preliminary results show that Nmap is very likely to misidentify a remote host covered by DEFIC, which acts like an invisibility cloak. |
Abstract (English): | Network reconnaissance is the first stage of a cyber kill chain, where adversaries conduct host discovery, port scanning, and operating system detection in order to obtain critical information from remote hosts. Misleading an adversary in the network reconnaissance phase can provide orthogonal protection in the first place, preventing the subsequent phases of weaponization and exploitation by attackers. In this paper, we propose a novel packet-level defensive deception framework against the common reconnaissance attacks that can be carried out with third-party reconnaissance tools such as Nmap. Specifically, we propose DEFIC, a deceptive firewall that can forge fake responses to unknown requests about port and system status in order to confuse attackers during network reconnaissance, and hence gives the target host the ability to pretend to be running a designated operating system. We build several templates of response packets that can be used to reconstruct packets with the desired information and synthesize a sequence of fake packets according to different OS strategies. Our preliminary results show that the Nmap tool has a high chance of misidentifying remote hosts that are covered with our invisibility cloak. |
Description: | Master's thesis, National Chengchi University, Department of Management Information Systems, student ID 109356036 |
Source URI: | http://thesis.lib.nccu.edu.tw/record/#G0109356036 |
Data Type: | thesis |
DOI: | 10.6814/NCCU202200748 |
Appears in Collections: | [Department of Management Information Systems] Theses and Dissertations |
Files in This Item: | 603601.pdf | 1350Kb | Adobe PDF |
All items in 政大典藏 are protected by copyright, with all rights reserved.