
9response-p

Security Defense and Security Monitoring
• Information survivability techniques
• General concepts of security monitoring
• Intrusion detection techniques
• Response and defense techniques
• Computer forensics techniques
东南大学 1
The Six Phases of Response
• Preparation: security policy, incident handling plan, resources
• Detection: discovering an anomaly or receiving an alert
• Containment: stopping the attack from spreading and the damage from growing
• Eradication: identifying the root cause of the incident and eliminating it
• Recovery: restoring the system to its normal state
• Follow-up: adjusting the preparation-phase material where necessary
Types of Response
• Passive Response
  – No direct action is taken against the intruder
  – Shun or Ignore
  – Logging
  – Additional Logging
  – Notifications
• Active Response
  – Direct action is taken to protect the target of the intrusion
  – Termination
  – Network Reconfiguration
  – Return Fire
  – Deception
Pros of Different Responses
• Passive responses do not affect legitimate traffic
• Logging collects evidence of the illegitimate activity
• Active responses protect the target system promptly
• Active responses reduce the administrator's workload
Cons of Different Responses
• Passive responses may allow the intruder to gain further access to the system
• Notifications may overload the administrator
• Termination (cutting the connection) may affect legitimate users
• Returning fire may hit innocent systems and so cause side effects
• Deception is difficult
Computer Security Incident Response Organizations
• CERT was set up as a network security incident response organization because of the Internet worm incident.
• A CSIRT is the working (advisory) body responsible for implementing, coordinating and responding to security incidents at the network nodes within its jurisdiction.
• A CSIRT has no legal liability towards users; users cannot simply rely on the CSIRT to solve their own security problems.
• CNDSP provides network security monitoring and security incident handling services.

Security Traceback
• Locate the source of attack packets, infer the route the attack packets took through the network, and find the exact location of the attack source or intruder; this provides valuable information for the intrusion detection system's event handling and response decisions and helps find the attacker.
• Provide intelligence to network security administrators, directing their attention to the network segments where intrusions happen frequently, so that they take the necessary preventive measures and promptly discover the hosts or routers being used as "stepping stones" by intruders.
• For attackers, mature and effective traceback techniques also act as a deterrent: to avoid being traced they reduce or even stop their attacks, which strengthens network security.
General Requirement
• Compatibility with existing network protocols
• Insignificant network traffic overhead
• Support for easy and incremental implementation
• Compatibility with existing routers and network infrastructure
• Effectiveness against DDoS attacks
• Minimal overhead in terms of time and resources
Basic Strategies
• Reactive
  – Traceback is performed while the attack is in progress; no after-the-fact analysis is possible
  – Requires the cooperation of ISPs, so it suits single-domain environments
  – Link testing (hop-by-hop tracing): find the attack source by testing the links between routers backwards, hop by hop
• Proactive
  – Record packet path information in advance so that the attack path can be reconstructed
  – Logging, Messaging, Packet marking
What can we do
(diagram placeholder: attackers A1, A2 and A3 attached behind routers R5, R6 and R7; routers R6, R3, R2 and R1 lead to the victim V, with R4 as another neighbour of R1)
• Exact traceback: determine the attack path and the associated attack origin for each attacker (R6, R3, R2, R1)
• Approximate traceback: find a candidate attack path for each attacker that contains the true attack path as a suffix (R5, R3, R2, R1)
Link Testing—input debugging
(diagram placeholder: Victim, router and upstream router, with the network operator asked "Attacked?"; the attack signature is installed as an input debugging filter on the router, and the process is then repeated recursively on the upstream router)
• Allows an operator to filter on the attack traffic's specific characteristics (attack signature) to determine the incoming network link on the router.
• The most obvious problem with the input debugging approach, even with automated tools, is its considerable management overhead.
• Communicating and coordinating with network operators at multiple ISPs requires the time, attention, and commitment of both the victim and the remote personnel.

Link Testing—controlled flooding
(diagram placeholder: attacker, Router A, Router B, a flooding host and the victim; when the link through Router A is flooded the attack traffic is dropped, so the attack comes from Router A; when the link through Router B is flooded the attack traffic is not dropped)
• This technique tests links by flooding them with large bursts of traffic and observing how this perturbs traffic from the attackers
• It needs a pregenerated "map" of Internet topology
• Drawbacks and limitations
  – controlled flooding itself is a denial-of-service attack, so it is unsuitable for routine use
  – controlled flooding requires the victim to have a good topological map of large sections of the Internet in addition to an associated list of "willing" flooding hosts
  – poorly suited for tracing denial-of-service attacks
Logging
• This approach logs packets at key routers and then uses data mining techniques to determine the path that the packets traversed.
• This scheme has the useful property that it can trace an attack long after the attack has completed.
• Drawbacks: it requires enormous resources and large-scale inter-provider database integration.
SPIE: Source Path Isolation Engine
• A source-discovery technique, developed by BBN Technologies, that can trace an attack back to its specific AS entry point shortly after the attack is discovered
• Basic principle: routers record the packets they forward in digest form and cache the digests for a period of time, so that when an attack is discovered a fast reverse query is possible (cooperation with Avici began in 2001)
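Link testing by input debugging and the hash-based logging behind SPIE come down to the same reverse query: starting at the victim's router, ask each upstream neighbour whether it saw the attack packet and continue from the one that did. The Python below is an added illustration of that idea, not BBN's SPIE code and not any router's input-debugging feature; the topology, router names, Bloom filter size and digest fields are all constructed for the example.

```python
import hashlib
import struct
from typing import Dict, List

# Added example: toy hash-based packet logging with a per-router Bloom filter
# and a hop-by-hop reverse query from the victim's router.


class BloomFilter:
    """Fixed-size Bloom filter over byte strings (toy parameters, assumed)."""

    def __init__(self, bits: int = 4096, hashes: int = 3) -> None:
        self.bits = bits
        self.hashes = hashes
        self.table = bytearray(bits // 8)

    def _positions(self, item: bytes) -> List[int]:
        # derive k bit positions from one SHA-256 by slicing 4-byte chunks
        h = hashlib.sha256(item).digest()
        return [struct.unpack_from(">I", h, 4 * i)[0] % self.bits for i in range(self.hashes)]

    def add(self, item: bytes) -> None:
        for p in self._positions(item):
            self.table[p // 8] |= 1 << (p % 8)

    def __contains__(self, item: bytes) -> bool:
        return all(self.table[p // 8] & (1 << (p % 8)) for p in self._positions(item))


def packet_digest(src: str, dst: str, ident: int, payload: bytes) -> bytes:
    """Digest over fields that stay constant hop to hop. TTL and header checksum
    are left out because every router rewrites them; only a short payload prefix
    is hashed (constructed simplification of the digest-of-invariant-fields idea)."""
    return hashlib.sha256(f"{src}|{dst}|{ident}|".encode() + payload[:8]).digest()


class Router:
    def __init__(self, name: str) -> None:
        self.name = name
        self.seen = BloomFilter()            # digests of packets forwarded recently
        self.upstream: List["Router"] = []   # neighbours packets can arrive from

    def forward(self, digest: bytes) -> None:
        self.seen.add(digest)


def trace_back(victim_router: Router, digest: bytes) -> List[str]:
    """Walk upstream from the victim's router, following the single neighbour whose
    filter reports the digest. Stops when no neighbour, or more than one neighbour
    (Bloom false positives), claims to have seen the packet."""
    path = [victim_router.name]
    node = victim_router
    while True:
        hits = [r for r in node.upstream if digest in r.seen]
        if len(hits) != 1:
            return path
        node = hits[0]
        path.append(node.name)


def build_topology() -> Dict[str, Router]:
    # constructed topology modelled on the earlier diagram: R1 serves the victim
    rs = {n: Router(n) for n in ["R1", "R2", "R3", "R4", "R5", "R6", "R7"]}
    rs["R1"].upstream = [rs["R2"], rs["R4"]]
    rs["R2"].upstream = [rs["R3"]]
    rs["R3"].upstream = [rs["R5"], rs["R6"]]
    rs["R6"].upstream = [rs["R7"]]
    return rs


def demo() -> Dict[str, List[str]]:
    rs = build_topology()
    # constructed packets: the attacker sits behind R6, a benign client behind R4
    attack = packet_digest("198.51.100.7", "203.0.113.5", 4242, b"SYN flood sample")
    benign = packet_digest("192.0.2.9", "203.0.113.5", 1, b"GET / HTTP/1.1")
    for name in ["R6", "R3", "R2", "R1"]:
        rs[name].forward(attack)
    for name in ["R4", "R1"]:
        rs[name].forward(benign)
    return {"attack": trace_back(rs["R1"], attack), "benign": trace_back(rs["R1"], benign)}


if __name__ == "__main__":
    print(demo())   # {'attack': ['R1', 'R2', 'R3', 'R6'], 'benign': ['R1', 'R4']}
```

The walk deliberately stops on ambiguity rather than guessing: with real Bloom filters the false-positive rate, not storage, is what limits how far back a digest can be followed, which is why the slides list resource cost and inter-provider integration as the drawbacks of logging.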

ICMP Traceback
• IETF iTrace-WG (since July 2000)
• The principal idea in this scheme is for every router to sample, with low probability (e.g. 1/20000), one of the packets it is forwarding and copy the contents into a special ICMP Traceback message including information about the adjacent routers along the path to the destination.
• The victim host can then use these messages to reconstruct a path back to the attacker.
ICMP Traceback
• Disadvantages in the current design
  – ICMP traffic is increasingly differentiated and may itself be filtered in a network under attack
  – ICMP traceback messages rely on an input debugging capability that is not available in some router architectures
  – it requires a key distribution infrastructure to deal with the problem of attackers sending false ICMP traceback messages
Mark Packets
• This method raises the possibility of tracing flooding attacks by "marking" packets with the addresses of the routers they traverse, either probabilistically or deterministically. The victim uses the information in the marked packets to trace an attack back to its source.
  – E.g. using the source route option in the IP header
  – Probabilistic Packet Marking (PPM): e.g. marking with probability 1/25 from the edge router
• It does not require interactive cooperation with ISPs and therefore avoids the high management overhead of input debugging.
Mark Packets
• All marking algorithms have two components
  – a marking procedure executed by routers in the network
  – a path reconstruction procedure implemented by the victim.
• A router "marks" one or more packets by augmenting them with additional information about the path they are traveling.
• All the methods mentioned above need the support of routers. Some methods also need the help and cooperation of network operators. So, if the vendors refuse to implement the techniques, or implement different techniques that are not compatible, the traceback procedure cannot continue.
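To make the two components concrete, here is an added Python simulation of probabilistic packet marking using edge sampling (not code from the slides or from any published implementation): `mark` is the marking procedure each router runs and `reconstruct` is the victim's path reconstruction procedure. The marking probability `P_MARK`, the hop bound `MAX_HOPS` and the path R6, R3, R2, R1 are assumptions chosen to match the earlier diagram. ICMP Traceback samples packets in the same low-probability way but carries the information in a separate message instead of in the packet itself.

```python
import math
import random
from dataclasses import dataclass
from typing import List, Optional

# Added example: edge-sampling PPM. Each router marks a packet with probability
# P_MARK; the victim rebuilds the path from the (start, end, distance) marks.

P_MARK = 0.04     # marking probability (assumed; the slides cite 1/25 as one choice)
MAX_HOPS = 32     # longest path the victim will try to rebuild (assumed bound)


@dataclass
class Packet:
    start: Optional[str] = None   # router that began the edge
    end: Optional[str] = None     # next router, which completes the edge
    distance: int = 0             # hops travelled since the edge was started


def mark(router: str, pkt: Packet, rng: random.Random, p: float = P_MARK) -> None:
    """Marking procedure executed by each router (edge sampling)."""
    if rng.random() < p:
        pkt.start, pkt.end, pkt.distance = router, None, 0
    else:
        if pkt.distance == 0:
            pkt.end = router      # close the edge the previous hop opened
        pkt.distance += 1


def simulate(path: List[str], n_packets: int, seed: int = 7) -> List[Packet]:
    """Send n_packets along `path` (attacker side first, victim side last)
    and return them as the victim receives them."""
    rng = random.Random(seed)
    received = []
    for _ in range(n_packets):
        pkt = Packet()
        for router in path:
            mark(router, pkt, rng)
        received.append(pkt)
    return received


def reconstruct(received: List[Packet]) -> List[str]:
    """Path reconstruction procedure run by the victim. Returns routers from the
    victim outwards. Packets never marked (start is None) are ignored; the walk
    stops as soon as some distance has zero or several candidate routers."""
    edges = {(p.start, p.end, p.distance) for p in received if p.start is not None}
    path: List[str] = []
    previous: Optional[str] = None
    for d in range(MAX_HOPS):
        candidates = {s for (s, e, dist) in edges if dist == d and e == previous}
        if len(candidates) != 1:
            break
        previous = candidates.pop()
        path.append(previous)
    return path


def expected_packets(path_length: int, p: float = P_MARK) -> float:
    """Bound on the expected number of packets the victim needs before every edge
    of a path of the given length has been seen: ln(d) / (p * (1 - p) ** (d - 1))."""
    return math.log(path_length) / (p * (1 - p) ** (path_length - 1))


if __name__ == "__main__":
    print(reconstruct(simulate(["R6", "R3", "R2", "R1"], 3000)))   # ['R1', 'R2', 'R3', 'R6']
    print(round(expected_packets(4)))
```

The distance field is what lets the victim order the edges and ignore marks the attacker may have forged: a forged edge arrives with a distance at least as large as the true path length, so it can only appear beyond the real routers, never in place of them.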
Connection Traceback
• Traceback to find the real source of a detoured attack
  – Detoured attack: an attack that is carried out via several systems
  – The hacker's real location cannot be found with Host A's audit trail alone
  – More important than IP traceback
(diagram placeholder: the Hacker reaches the Victim across the Internet through Host B and then Host A; the attack path is drawn beside the real attack connection; from its own records the victim can only find the information of Host A, whereas connection traceback can find the information of the Hacker)
Classification of Connection Traceback
• Host-based traceback
  – A traceback module would have to be installed in every system on the Internet
  – Traceback with authentication of the connection-requesting system
  – Traceback by analyzing the logs in the system
  – Cannot be applied to the current Internet environment
• Network-based traceback
  – Traceback by extracting the information from packets on the network

CIS (Caller Identification System)
• The Caller Identification System is basically made up of
  – A network connection request filter (ETCPW) located between TCP/UDP and the servers in the application layer, and
  – An authentication server (CIS) whose function is to grant any connection request only after the authentication of the caller and his or her network trace have been verified
• Network load increases, there are integrity and privacy problems, and tracing is done after the fact
(diagram placeholder: UserID-1, UserID-2, ..., UserID-(n-1), UserID-n along the chain; each hop informs the CIS of the path, which the CIS verifies)
Connection Chain
• When a user on a computer H0 logs into another computer H1 via a network, a TCP connection C1 is established between them. When the user logs from H1 into another computer H2, and then H3, ..., Hn successively in the same way, TCP connections C2, C3, ..., Cn are established respectively on each link between the computers. We call this sequence of connections C = (C1, C2, ..., Cn) a connection chain.
• Algorithms to identify the relations between connections
  – Thumbprints: Holding Intruders Accountable on the Internet
  – Sequence Number Deviation: Finding a Connection Chain for Tracing Intruders
  – Timing-Based Algorithm: Detecting Stepping Stones
Thumbprints
• All the transmitted data in the connections would be the same if the connections are in the same connection chain
• Thumbprints: a small quantity of data which has been effectively summarized from a certain section of a connection's collected contents.
(diagram placeholder: Hacker, Compromised system, Compromised system and Victim linked by TCP connections across the Internet; the same data "ls" is carried on every connection of the chain)
Sequence Number
• Define the deviation of the packet stream on one connection from that on another, and implement a system to compute deviations.
• If the deviation is small, the two connections must be in the same connection chain.
• Cannot be applied to encrypted packets
• May produce false positive and false negative alarms
(diagram placeholder: the commands cd(128) and ls(142), with their sequence numbers, observed on each TCP connection of the chain from the Hacker through the compromised systems to the Victim)
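The thumbprint idea above, as an added Python example (not code from the slides or from the original thumbprint work): a connection's content over a time window is compressed into a normalized byte histogram, and two connections are compared by the similarity of their histograms. The session data, the relay delay and the `xor_stream` stand-in for per-hop encryption are all constructed here, and the last function shows the limitation the slides note for content-based matching, namely that per-hop encryption destroys the match.

```python
import hashlib
import math
from collections import Counter
from typing import Dict, List, Tuple

# Added example: toy content thumbprints for correlating connections of a chain.

Event = Tuple[float, bytes]   # (time in seconds, bytes carried) on one connection


def thumbprint(events: List[Event], t0: float, t1: float) -> Dict[int, float]:
    """Summarize the data a connection carried during [t0, t1) as a normalized
    byte-frequency histogram: at most 256 numbers, however much data passed."""
    counts: Counter = Counter()
    for ts, data in events:
        if t0 <= ts < t1:
            counts.update(data)
    total = sum(counts.values())
    return {b: c / total for b, c in counts.items()} if total else {}


def similarity(a: Dict[int, float], b: Dict[int, float]) -> float:
    """Cosine similarity of two thumbprints; 1.0 means an identical content mix."""
    dot = sum(v * b.get(k, 0.0) for k, v in a.items())
    na = math.sqrt(sum(v * v for v in a.values()))
    nb = math.sqrt(sum(v * v for v in b.values()))
    return dot / (na * nb) if na and nb else 0.0


def xor_stream(data: bytes, key: bytes) -> bytes:
    """Stand-in for per-hop encryption (constructed; not a real cipher)."""
    stream = hashlib.sha256(key).digest() * (len(data) // 32 + 1)
    return bytes(x ^ k for x, k in zip(data, stream))


# Constructed sample traffic: one interactive session relayed through a
# stepping stone 80 ms later, plus an unrelated binary transfer.
SESSION: List[Event] = [(0.0, b"cd /tmp\n"), (1.2, b"ls -la\n"), (2.9, b"cat notes.txt\n")]
UPSTREAM = SESSION
DOWNSTREAM = [(ts + 0.08, data) for ts, data in SESSION]
UNRELATED: List[Event] = [(0.5, bytes(range(0x80, 0xA0)) * 4)]
WINDOW = (0.0, 5.0)


def correlate(a: List[Event], b: List[Event]) -> float:
    return similarity(thumbprint(a, *WINDOW), thumbprint(b, *WINDOW))


def encrypted_hops() -> float:
    """Same session, but each hop encrypted under its own key: the thumbprints
    no longer match, which is why content matching fails on encrypted chains."""
    hop1 = [(ts, xor_stream(d, b"key-hop-1")) for ts, d in SESSION]
    hop2 = [(ts + 0.08, xor_stream(d, b"key-hop-2")) for ts, d in SESSION]
    return correlate(hop1, hop2)


if __name__ == "__main__":
    print(round(correlate(UPSTREAM, DOWNSTREAM), 3))   # 1.0
    print(round(correlate(UPSTREAM, UNRELATED), 3))    # 0.0
    print(round(encrypted_hops(), 3))                  # well below 1
```

Because only histograms are kept, a monitor can store thumbprints for many connections cheaply and compare them later, which is the "small quantity of data" property the slide emphasizes.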
Timing-based Algorithm
• The strikingly distinct distribution of the spacing between user keystrokes can be detected
• All the connections in a chain have the same intervals between ON and OFF periods
• All the connections change from an OFF period to an ON period at almost the same time
  – OFF period: there is no data traffic on a flow for more than Tidle seconds
  – ON period: an interval which is not an OFF period
(diagram placeholder: Hacker, Compromised system and Victim linked by TCP connections across the Internet; on each connection the "ls" and "cd" bursts are separated by idle gaps longer than Tidle)
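The OFF/ON rule above turns into a short correlation test, written here as an added Python example (not code from the slides or from the stepping-stone detection paper). A flow's OFF-to-ON transitions are the packets that follow a silence longer than `Tidle`; two flows are scored by how many of those transitions coincide within a tolerance `DELTA`. The idle threshold, the tolerance and the keystroke timestamps are constructed assumptions.

```python
from typing import List

# Added example: ON/OFF period correlation of packet timestamps on two flows.

T_IDLE = 0.5    # seconds of silence that ends an ON period (Tidle; assumed value)
DELTA = 0.2     # max offset between coincident OFF->ON transitions (assumed)


def on_period_starts(timestamps: List[float], t_idle: float = T_IDLE) -> List[float]:
    """Times at which a flow switches from OFF to ON: the first packet, then every
    packet that follows a gap longer than t_idle."""
    starts: List[float] = []
    last = None
    for t in sorted(timestamps):
        if last is None or t - last > t_idle:
            starts.append(t)
        last = t
    return starts


def coincidence_score(a: List[float], b: List[float], delta: float = DELTA) -> float:
    """Fraction of OFF->ON transitions (of the sparser flow) that coincide within
    delta with a transition on the other flow, each matched at most once."""
    sa, sb = on_period_starts(a), on_period_starts(b)
    if not sa or not sb:
        return 0.0
    matched = 0
    j = 0
    for t in sa:
        while j < len(sb) and sb[j] < t - delta:   # skip transitions too early to match
            j += 1
        if j < len(sb) and abs(sb[j] - t) <= delta:
            matched += 1
            j += 1
    return matched / min(len(sa), len(sb))


def same_chain(a: List[float], b: List[float], threshold: float = 0.8) -> bool:
    """Decision rule (threshold assumed): flows whose transitions mostly coincide
    are taken to be consecutive connections of one chain."""
    return coincidence_score(a, b) >= threshold


# Constructed keystroke timestamps: four typing bursts on the upstream connection,
# the same bursts 70 ms later on the downstream connection, and an unrelated flow.
UPSTREAM = [0.0, 0.1, 0.2, 0.35, 2.0, 2.15, 2.3, 5.0, 5.1, 8.0, 8.05, 8.2, 8.3]
DOWNSTREAM = [t + 0.07 for t in UPSTREAM]
UNRELATED = [1.0, 1.1, 3.4, 3.5, 3.6, 6.3, 9.5, 9.6]

if __name__ == "__main__":
    print(on_period_starts(UPSTREAM))                   # [0.0, 2.0, 5.0, 8.0]
    print(coincidence_score(UPSTREAM, DOWNSTREAM))      # 1.0
    print(coincidence_score(UPSTREAM, UNRELATED))       # 0.0
```

The method never looks at payload, so it works equally on encrypted connections; its cost is the false positives and negatives the slides mention, which is why `DELTA` and the decision threshold have to be tuned against real idle patterns.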
Cooperative Intrusion Traceback
• Cooperative Intrusion Traceback and Response Architecture (CITRA)
  – CITRA communities are administrative domains controlled by a management component called a Discovery Coordinator
  – CITRA communities consist of interconnected neighborhoods
  – A CITRA neighborhood is the collection of CITRA devices that are "adjacent" in the sense that no other CITRA nodes are positioned between them

Cooperative Intrusion Traceback
(diagram placeholder: one CITRA community made up of Neighborhood 1, Neighborhood 2 and Neighborhood 3 separated by Boundary Controllers, with a Discovery Coordinator, an Intrusion Detection System and a Network Audit trail; the traceback steps are numbered 1, 2 and 3)
Security Defense and Security Monitoring
• Information survivability techniques
• General concepts of security monitoring
• Intrusion detection techniques
• Response and defense techniques
• Computer forensics techniques
Forensics Defined
• Forensic Analysis
  – Gathering and analyzing data to reconstruct information or what has happened in the past on a system
• Computer Forensics
  – The process of identifying, preserving, analyzing and presenting digital evidence in a manner that is legally acceptable in any legal proceedings (i.e. a court of law).
• Amateur vs Professional
Goals of Computer Forensics
The goal of computer forensics is to restore and reconstruct the events that took place with the smallest possible loss. There are many forensic methods, but their purpose is the same: to find evidence that proves
• What happened?
• Where did it happen?
• When did it happen?
• Who did it?
• How was it done?
Categories of Computer Forensics
Computer forensics is divided mainly into real-time forensics and post-incident forensics.
• Real-time forensics: tightly integrated with IDS, honeypots and honeynets; data is acquired and analyzed in real time, the attacker's intent is analyzed intelligently, and the corresponding action is taken, whether cutting the connection or luring the attacker deeper, so that a large amount of evidence about the attacker is obtained while security is maintained. (dynamic forensics)
• Post-incident forensics: after an intrusion has already taken place, various technical means are used to carry out the analysis and evidence collection. (static forensics)

Computer Evidence
• ...is nothing more than information presented in court
• ...is like any other evidence, it must be:
  – admissible
    • Conform to legal requirements
  – accurate
    • reliability of the computer process, not the data content
    • can we explain how an exhibit came into being?
      – what does the computer system do?
      – what are its inputs?
      – what are the internal processes?
      – what are the controls?
  – authentic
    • Be relevant to the incident in dispute
    • can we explicitly link files and data to specific individuals and events?
      – access control, logging, audit logs, collateral evidence, crypto-based authentication
  – complete
    • tells within its own terms a complete story of particular circumstances
  – convincing to juries
    • have probative value
    • Believable and understandable
Computer Evidence
• ...is different from other evidence; computer data
  – can change from moment to moment within a computer and along a transmission line
  – can be easily altered without trace
  – can be changed during evidence collection
  – much immediate computer evidence cannot be read by humans
Principles of Computer Forensics
• Collect evidence as early as possible and ensure that it has not been damaged in any way;
• "Continuity of evidence" (chain of custody) must be guaranteed: when the evidence is formally submitted to the court, every change between the state in which it was originally obtained and the state in which it appears in court must be accounted for, and ideally there is no change at all.
• The whole examination and evidence-collection process must be supervised; for example, all investigation and collection work done by an expert appointed by the plaintiff should be supervised by an expert appointed by the other party.
Source of Evidence
• Users and Administrators (First Person)
  – First-hand observations
• Systems
  – Log files!
  – Intruder remnants (processes, files etc)
  – Backup media!!!
  – Tcpwrappers
• Networks/communications
  – Firewall logs
  – Modem banks/telephone logs
  – Network transaction auditing (Netflow logs)
The Four Steps
• From the definition of Computer Forensics, the four steps that need to be undertaken are:
  – Identify (证据获取, evidence acquisition)
  – Preserve (证据保全, evidence preservation)
  – Analyze (证据分析, evidence analysis)
  – Present (证据使用, evidence use)

The Four Steps
• Identify the evidence
  – Must identify the type of information that is available
  – What is the "Best Evidence"
  – Determine how to best retrieve it
• Preserve the evidence
  – With the least amount of change possible
  – You must be able to account for any changes
The Four Steps
• Analyze the evidence
  – Extract: may produce binary 'gunk' that isn't human readable
  – Process: make it humanly readable
  – Interpret: requires a deeper understanding of how things fit together
• Don't make ASSUMPTIONS!
The Four Steps
• Present the evidence
  – To management, attorneys, etc.
  – Acceptance will depend on
    • Manner of presentation (did you make it understandable, convincing?)
    • The qualifications of the presenter
    • The credibility of the processes used to preserve and analyze the evidence
    • Credibility enhanced if you can duplicate the process
• Focus on understandability
Continuity of Evidence
• Who has had access to the evidence?
• What procedures did they follow in working with the evidence?
• How can we show that our analysis is based on copies that are identical to the original evidence?
• Answer: documentation, checksums, timestamps
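Documentation, checksums and timestamps fit together in a small custody record, shown here as an added Python example (not code from the slides or from any forensic suite). The evidence identifier, custodian names, timestamps and the byte string standing in for a disk image are all constructed; the point is that every handling step records the hash at that moment and that analysis is allowed only on a copy whose hash equals the original's.

```python
import hashlib
import json
from datetime import datetime, timezone
from typing import Dict, List, Tuple

# Added example: a chain-of-custody log built from SHA-256 checksums and
# timestamps, plus the check that a working copy matches the original.


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class CustodyLog:
    """Append-only record of who handled the evidence, when, and what its hash
    was at that moment. The hash taken at acquisition is the reference."""

    def __init__(self, evidence_id: str, original: bytes, custodian: str, when: datetime) -> None:
        self.evidence_id = evidence_id
        self.reference_hash = sha256_hex(original)
        self.entries: List[Dict[str, str]] = []
        self.record(custodian, "acquired", original, when)

    def record(self, custodian: str, action: str, data: bytes, when: datetime) -> Dict[str, str]:
        digest = sha256_hex(data)
        entry = {
            "evidence_id": self.evidence_id,
            "custodian": custodian,
            "action": action,
            "timestamp": when.astimezone(timezone.utc).isoformat(),   # always UTC, unambiguous
            "sha256": digest,
            "matches_original": str(digest == self.reference_hash),
        }
        self.entries.append(entry)
        return entry

    def verify_copy(self, working_copy: bytes) -> bool:
        """Analysis must run on a copy whose hash equals the original's."""
        return sha256_hex(working_copy) == self.reference_hash

    def to_json(self) -> str:
        """Serialized form of the record, for the case file."""
        return json.dumps(self.entries, indent=2)


# Constructed stand-in for an acquired disk image (a boot-sector-like prefix plus zeros).
ORIGINAL_IMAGE = b"\xeb\x3c\x90MSDOS5.0" + bytes(4096)


def demo() -> Tuple[bool, bool, List[Dict[str, str]]]:
    acquired_at = datetime(2024, 1, 15, 9, 30, tzinfo=timezone.utc)        # constructed
    log = CustodyLog("EXHIBIT-001", ORIGINAL_IMAGE, "examiner A", acquired_at)
    working_copy = bytes(ORIGINAL_IMAGE)
    log.record("examiner B", "received working copy", working_copy,
               datetime(2024, 1, 15, 11, 0, tzinfo=timezone.utc))
    tampered = ORIGINAL_IMAGE[:-1] + b"\x01"   # one byte changed somewhere in the copy
    return log.verify_copy(working_copy), log.verify_copy(tampered), log.entries


if __name__ == "__main__":
    ok, bad, entries = demo()
    print(ok, bad)          # True False
    print(json.dumps(entries, indent=2))
```

A single changed byte anywhere in the copy changes the hash, which is exactly the property that lets the record answer the third question above without re-reading the original.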
The BIG Issues
• Systems are HUGE & complex, and change rapidly
• Things can hide anywhere
• No suitable software available
• Knowledge & experience are important
• Gathering data is easy, analysis harder (but mostly vastly time-consuming)
• Storage
Legal Procedural Requirements for Collecting Electronic Data Evidence
• These mainly cover requirements on the collecting party, requirements on the specific collection procedure, and the conflict and coordination between collection and the rights it touches.
• Because electronic evidence is unstable and easily modified, collectors have the opportunity to falsify or arbitrarily alter it, so the parties permitted to collect electronic evidence should be strictly limited.

Legal Procedural Requirements for Collecting Electronic Data Evidence
• Article 43 of China's Criminal Procedure Law explicitly stipulates the procedure to be followed when collecting evidence, and the Civil Procedure Law also stipulates the required procedure for collecting evidence. In computer forensics, note:
  – The principle of comprehensive collection: in criminal proceedings, evidence both unfavorable and favorable to the suspect or defendant must be collected, and the protection of their human rights must be emphasized during collection.
  – In civil proceedings, the procedural requirements for collecting electronic evidence are divided into collection under the direction of the court and collection by the parties. Collection under the court's direction must be presided over by judicial personnel and carried out jointly by two or more people, with a detailed record of the circumstances of the collection. When a party collects electronic evidence on its own, a designated state organ, mainly a notary office, should witness or notarize the collection process and the authenticity of the evidence collected.
  – Whichever collection method is used, relevant witnesses should be present during collection, especially the operator or administrator of the computer on which the data is recorded.
Legal Procedural Requirements for Collecting Electronic Data Evidence
• During the collection of electronic evidence, attention must be paid to resolving the conflict between evidence collection and the privacy rights of the people involved.
  – In dynamic forensics, evidence is often obtained by monitoring and inspecting communication content, which, if used improperly, infringes citizens' right to privacy. This problem has been debated for a long time, because the choice between the investigative power of state organs and the privacy of individuals concerns both the public's sense of security and the personal dignity of citizens. Many countries prohibit infringing citizens' personal freedom and the secrecy of their private lives when collecting evidence. However, with the increase in computer crime in recent years and the difficulty of collecting electronic evidence, countries' choices have shifted: privacy-infringing conduct during evidence collection is now explicitly regulated, rather than treating every touch on personal privacy during evidence collection as an infringement.
General Workflow of Computer Forensics
1. During the forensic examination, protect the target computer system from any alteration, damage, data destruction or virus infection;
2. Discover all files on the target system, including existing normal files, files that have been deleted but still exist on disk (i.e. not yet overwritten by new files), hidden files, password-protected files and encrypted files;
3. Recover all (or as many as possible) of the deleted files found;
4. Reveal, to the greatest extent possible, the contents of the hidden files, temporary files and swap files used by the operating system or applications;
5. If possible and if the law permits, access the contents of protected or encrypted files;
6. Analyze all relevant data found in special areas of the disk (usually inaccessible), including but not limited to:
  • Unallocated disk space, which although not currently in use may contain residual data from earlier files;
  • "Slack" space within files: disk storage for a file is allocated in clusters, so if the file length is not an integer multiple of the cluster size, the last cluster allocated to the file contains leftover space not used by the current file, which may hold information left behind by earlier files and may be useful evidence;
计算机取证的一般流程
7. Print the full analysis results for the target computer system, including a list of all relevant files and the file data found;
8. Give the analysis conclusions: the overall state of the system; the file structures, data and author information found; any attempts to hide, delete, protect or encrypt information; and any other relevant information discovered during the investigation;
9. Provide the necessary expert testimony.
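Step 6's slack space is easiest to understand on a toy disk. The following Python is an added example (not code from the slides or from any forensic tool): a disk image made of fixed-size clusters, a file that is overwritten in place by a shorter one, and the carving of the bytes between the new file's end and the end of its last cluster. The cluster size, file names and file contents are constructed.

```python
from typing import Dict, Tuple

# Added example: where file slack comes from on a cluster-allocated disk, and
# how to carve it from an image.

CLUSTER = 512   # bytes per cluster (assumed; real file systems commonly use 4096)


class ToyDisk:
    def __init__(self, clusters: int) -> None:
        self.image = bytearray(CLUSTER * clusters)
        self.files: Dict[str, Tuple[int, int]] = {}   # name -> (first cluster, length)

    def write_file(self, name: str, first_cluster: int, data: bytes) -> None:
        """Write contiguous data starting on a cluster boundary. Only len(data)
        bytes are written, so whatever the tail of the last cluster held before
        stays there: that tail is the file slack."""
        start = first_cluster * CLUSTER
        self.image[start:start + len(data)] = data
        self.files[name] = (first_cluster, len(data))

    def slack(self, name: str) -> bytes:
        """Bytes between the end of the file's data and the end of its last cluster."""
        first, length = self.files[name]
        used_clusters = -(-length // CLUSTER)          # ceiling division
        end_of_data = first * CLUSTER + length
        end_of_allocation = (first + used_clusters) * CLUSTER
        return bytes(self.image[end_of_data:end_of_allocation])


def slack_size(length: int, cluster: int = CLUSTER) -> int:
    """Bytes of the last cluster not used by a file of the given length."""
    return 0 if length % cluster == 0 else cluster - (length % cluster)


def demo() -> Tuple[int, bytes]:
    disk = ToyDisk(clusters=8)
    # constructed: an older file of 1050 bytes occupies clusters 2, 3 and 4
    old = b"SECRET: transfer 5000 to acct 9912\n" * 30
    disk.write_file("report_old.txt", 2, old)
    # later a shorter file (360 bytes) is written starting at the same cluster;
    # it needs one cluster, leaving 152 bytes of slack holding the old content
    new = b"quarterly summary\n" * 20
    disk.write_file("report.txt", 2, new)
    carved = disk.slack("report.txt")
    return len(carved), carved


if __name__ == "__main__":
    size, carved = demo()
    print(size)                       # 152
    print(b"SECRET" in carved)        # True
```

Clusters 3 and 4 of the toy disk still hold the rest of the old file as well, but they are now unallocated space rather than slack, which is the distinction the two bullets of step 6 draw.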
数据获取技术
The key to data acquisition is acquiring the data without damaging the original media; using the original media for forensic analysis is generally not recommended. Common data acquisition techniques include:
• Secure acquisition of computer systems and files;
• Secure collection of data and software;
• Secure, non-destructive backup of disks or other storage media;
• Recovery and reconstruction of deleted files;
• Mining of the information contained in slack space, unallocated space and free space;
• Restoration of the information contained in swap files, cache files and temporary files;
• Collection of the data in a computer's active memory at a particular moment;
• Acquisition of network flow data.
数据分析技术
Searching for and matching keywords or key phrases in the acquired data or information streams is currently the main data analysis technique. Common data analysis techniques include:
• File attribute analysis;
• File digital digest (hash) analysis;
• Analysis that infers the probable author of a file or data from its vocabulary, grammar and writing (programming) style;
• Log analysis;
• Analysis that discovers the links between different pieces of evidence of the same event;
• Data decryption;
• Password cracking;
• Forced access to protected information on electronic media.
计算机取证相关工具
• The Coroner's Toolkit, written by Dan Farmer and Wietse Venema of SATAN, is a collection of tools that help with the forensic examination of computers.
• The Coroner's Toolkit runs on UNIX systems, but it can also do limited data acquisition and analysis on non-UNIX disks and media.
Computer Forensics Tools
The Coroner's Toolkit mainly includes the following tools:
• Grave-robber: collects data in order of volatility; the data collected includes process and network information, disk file information, etc.
• Unrm: disk data recovery tool; copies all unallocated data blocks to a specified file.
• Lazarus: tool for recovering deleted files.
• Mactime: determines which files were accessed or modified within a particular time period.
