Chapter 15: Principles and Applications of Network Security Active Defense Technology

Intrusion blocking technology and application

Principles of Intrusion Prevention Technology
- Realize a multi-functional security system with firewall, intrusion detection, and attack migration, namely intrusion prevention system (IPS)
  - Control packet forwarding by judging attack behavior according to the characteristics and context of network packets
Intrusion blocking technology application
- To avoid network communication bottlenecks, implement IPS based on bypass blocking (SPS)
- The main function of IPS/SPS is to filter harmful network information flow
  - Block specified IP address
  - Block designated network ports
  - Block specified domain name
  - Block specific URLs, block specific types of attacks
  - Provide hot fixes for zero-day vulnerabilities

Technical Principles of Software Whitelisting
- Set up a list of trusted software to prevent malicious software from running in related network information systems
Software whitelist technology application
- Build a safe and credible mobile Internet security ecological environment
- Malicious code protection
- "White Environment" Protection

Principles of network traffic cleaning technology
- Through abnormal network traffic detection, the traffic originally sent to the target equipment system is dragged to the flow cleaning center . After the cleaning is completed, the retained normal traffic is forwarded to the target equipment system
- Main technical methods
  - Flow monitoring: DPI
  - Traffic pulling and cleaning: BGP, DNS
  - Flow back injection
Network traffic cleaning technology application
- Malformed data packet filtering
- Resistance to denial of service attacks
- Web application protection
- DDos high defense IP service: protect origin server through proxy forwarding mode

Principles of Trusted Computing Technology
- At present, trusted verification has become a new requirement of Equal Guarantee 2.0
- principle:
  - Root of Trust -> Trusted Hardware Platform -> Trusted Operating System -> Trusted Application System, first level certification, first level trust
- Viable platform root of trust: TPM
- TCG defines three roots of trust for trusted computing platforms: Root of Trust Measurement RTM, Root of Trusted Storage RTS and Root of Trusted Report RTR
- Trusted cryptographic platform composition: Trusted Cryptographic Module (TCM) and TCM Service Module (TSM)
- TCM composition:
  - I / O
  - SMS4 engine
  - SM2 engine
  - SM3 engine
  - Random number generator
  - HMAC engine: based on SM3 engine to calculate message authentication code
  - Execution engine: the calculation execution unit of TCM
  - Non-volatile memory: store permanent data
  - Volatile memory: store temporary data when TCM is running
Trusted Computing Technology Application
- Computing platform security protection
- Trusted network connection
- Trusted verification
- P305-P308

Principles of Digital Watermarking Technology
- Principle: Using digital signal processing methods to embed specific marks in digital media files
- Composition: watermark embedding and watermark extraction
- The embedding methods are divided into:
  1. Spatial domain method: directly superimposed on the digital carrier spatial domain
    - Typical algorithms are Schyndel algorithm and Patchwork algorithm
  2. Transform domain method: Using spread spectrum communication technology, the discrete cosine transform (DCT) of the image is calculated first, and then superimposed on the largest L coefficients in the DCT domain (excluding the DC component), usually the low-frequency component of the image.
    - Algorithm is NEC algorithm
Digital watermarking technology application
- Copyright Protection
- Information hiding
- Information traceability
- Access control

Network attack trap technology principle
- Network attack deception techniques include:
  1. Honeypot host technology
    
    Including: empty system, mirror system, virtual system
  2. Trap network technology
    - It is composed of multiple honeypot hosts, routers, firewalls, IDS, and audit systems.
    - Function realization: honeypot system, data control system, data capture system, data recording, data analysis, data management and other functions
    - Open source network attack trap systems include Honeyd, industrial control system honeypot Conpot, password honeypot Honeywords, etc.
Network attack trap technology application
- Malicious code monitoring
- Enhance resistance to attack
- Network situation awareness

Principles of Intrusion Tolerance and System Survival Technology
- Principle: It is assumed that in the case of intrusion, the network information system can still complete tasks according to user requirements
- Main technique:
  - Distributed consensus: avoiding single defects
  - Active recovery: Through self-cleaning technology, the system can be migrated to a credible state periodically and the attack chain is destroyed
  - Threshold password: used to protect secrets
  - Diversified design: avoid common mode to failure
Intrusion tolerance and system survival technology application
- Flexible CA system, blockchain

Principles of Privacy Protection Technology
- Identity privacy, attribute privacy, social relationship privacy, location trajectory
- Technology to protect privacy:
  - k-anonymous method: generalize all tuples in the data so that they no longer correspond to anyone one-to-one
  - Differential privacy method: add random noise to the protected data set to form a new data set
- Common technical measures for privacy protection: suppression, generalization, replacement, disturbance, tailoring, etc.
Privacy protection technology application
- Anonymize personal information
- De-identification of personal information

Cyber Threat Intelligence Service
- Mainly include: security vulnerabilities, attack source IP addresses, malicious mailboxes, malicious domain names, attack tools
- China Anti-Internet Virus Alliance (ANVA) hosted the establishment of a cyber security threat information sharing platform
Domain name service security
- Common security risks of domain name services:
  1. Domain name information tampering
  2. Domain name resolution configuration error
  3. Domain hijacking
  4. Domain name software security vulnerabilities
Homomorphic encryption
- An encryption function that re-encrypts the addition and multiplication operations of the plaintext, and performs the corresponding operations on the ciphertext after encryption, and the result is equivalent