Title: DEFIC: Defensive Packet Deception on Reconnaissance Attack
Chinese title: 網路偵查攻擊之封包式欺騙防禦 (Packet-Based Deception Defense Against Network Reconnaissance Attacks)

Author: 林子翔 (Lin, Zih-Siang)
Advisor: 郁方 (Yu, Fang)

Keywords: Cyber kill chain; Network reconnaissance; Defensive deception; OS fingerprint; Port scanning
Chinese keywords: 網路殺攻擊鍊; 網路偵查; 欺騙式防禦; 作業系統指紋; 連接埠掃描

Date: 2022
Upload time: 1-Aug-2022 17:25:09 (UTC+8)

Abstract:
Network reconnaissance is the first stage of a cyber kill chain, in which adversaries conduct host discovery, port scanning, and operating system detection in order to obtain critical information about remote hosts. Misleading an adversary during the network reconnaissance phase provides orthogonal, proactive protection rather than a response after an attack has already taken place, and can prevent the subsequent weaponization and exploitation phases. In this thesis, we propose a novel packet-level defensive deception framework against the common reconnaissance attacks carried out with third-party reconnaissance tools such as Nmap. Specifically, we propose DEFIC, a deceptive firewall that forges fake responses to probes of port and system status in order to confuse attackers during network reconnaissance, giving the target host the ability to pretend to be running a designated operating system. We build several templates of response packets that can be used to reconstruct packets with the desired information and to synthesize a sequence of fake packets according to different OS strategies, generated dynamically from the live system state, the subtle differences between scan packets, and the chosen OS deception strategy. Our preliminary results show that Nmap has a high chance of misidentifying remote hosts that are covered by our invisibility cloak.

Table of contents:
1 Introduction
2 Related Work
  2.1 Active deception
    2.1.1 Deception-based cyber defense
    2.1.2 Moving target defense
3 Network Reconnaissance
  3.1 Port scanning
    3.1.1 TCP connect scan
    3.1.2 TCP SYN port scan
  3.2 OS detection
  3.3 Reconnaissance attack process
4 Defensive packet deception
  4.1 Objective
  4.2 Implementation
  4.3 Deceptive packet synthesis
    4.3.1 Reconnaissance simulation
    4.3.2 Packet sniffer
    4.3.3 Extract packet diff
    4.3.4 Template synthesis
  4.4 Deceiver
    4.4.1 Port deceiver
    4.4.2 OS deceiver
5 Experiments
  5.1 Environment setting
  5.2 OS template synthesis experiment
  5.3 OS deceiver experiment
    5.3.1 Experiment on Windows 7
    5.3.2 Experiment on Windows 10
    5.3.3 Experiment on CentOS 8
    5.3.4 Experiment on an idle IP
    5.3.5 Result summary
6 Traffic Maintenance
  6.1 Public service traffic
    6.1.1 The impact on public service traffic
    6.1.2 Turning off the deception on public service ports
  6.2 Legitimate user traffic
7 Discussion and Future Work
  7.1 Facing diverse attacks
  7.2 Deception tactic reinforcement
    7.2.1 Research on reconnaissance tools
    7.2.2 Automation
  7.3 Practical implementation
8 Conclusions
References

Description: Master's thesis, National Chengchi University, Department of Management Information Systems, student ID 109356036
Type: thesis
Identifier: G0109356036
Source: http://thesis.lib.nccu.edu.tw/record/#G0109356036
URI: http://nccur.lib.nccu.edu.tw/handle/140.119/141044
DOI: 10.6814/NCCU202200748
Format: application/pdf, 1382794 bytes
