Information Security Soft Exam, Chapter 15: Network Security Active Defense Technology and Application

1. Intrusion blocking technology and application

Intrusion blocking is a technical method of network security active defense. Its basic principle is to block the network attack behavior of the target object, so as to achieve the purpose of protecting the target object.

1.1 Principle of intrusion blocking technology

  Although firewalls and IDS are indispensable basic technologies for ensuring network security, both have technical defects:

Firewalls are based on static, coarse-grained access control rules, and their rule updates are not automatic.

IDS systems can identify and log attacks, but cannot prevent them.

  At the same time, because the system must run without interruption, system security is fragile and the risk of applying a security patch is uncertain, system administrators are reluctant to install security patches; vulnerabilities therefore remain, and the security of network systems is generally limited to the protection that peripheral devices can provide. A system that can both detect attacks and block them is therefore needed; such a system is called an intrusion prevention system, or IPS (Intrusion Prevention System) for short. IPS judges attack behavior from the characteristics and context of network packets in order to control packet forwarding. Its working mechanism is similar to that of a router or firewall, but an IPS can both detect attack behavior and block intrusion behavior. The deployment of IPS is shown in the figure.

[Figure: IPS deployment]

  Because an IPS combines the functions of a firewall and intrusion detection, and because of its in-line position in the network, IPS needs to solve the problems of network communication bottlenecks and high availability. At present, commercial IPS is implemented in hardware, for example based on an ASIC, or as a Side Prevent System (SPS). An SPS monitors network traffic in bypass mode and then injects packets through the bypass to block attack traffic. In terms of technical principle, an SPS generally has little effect on network delay.

1.2 Application of intrusion blocking technology

  The main job of IPS/SPS is to filter out harmful network information flows and block the intruder's attacks on the target. The main security functions of IPS are as follows:

  • Block specified IP addresses
  • Block specified network ports
  • Block specified domain names
  • Block specified URLs
  • Block specific attack types
  • Provide hotfixes for 0-day vulnerabilities

2. Software whitelist technology and application

2.1 Technical principle of software whitelist

  A software whitelist is a list of trusted software, set up so that malicious software cannot run in the related network information system. When the whitelist is built, each trusted program is identified by its process name, software file name, software publisher name, or a cryptographic identifier of the software binary (a software digital signature or a software hash value); together these identities form the whitelist.

  The process of controlling software operation according to the white list is as follows.

[Figure: software whitelist control process]
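The following is an added example of the control process described above; it is not code from the original notes. It identifies trusted software by the SHA-256 hash of the binary (one of the identities the text lists), keeps the file name and publisher only for the audit record, and denies by default. The sample "binaries" and publisher name are constructed placeholders.

```python
import hashlib
from typing import List, NamedTuple

class WhitelistEntry(NamedTuple):
    file_name: str
    publisher: str   # kept for the audit record; the decision is made on the hash
    sha256: str

class Decision(NamedTuple):
    allowed: bool
    reason: str

def sha256_hex(data: bytes) -> str:
    """Hash value that identifies one exact build of a binary."""
    return hashlib.sha256(data).hexdigest()

# Constructed stand-ins for real executables (assumption: in practice the bytes
# come from the file on disk at the moment the process is about to start).
SAMPLE_EDITOR = b"constructed editor v1.0 binary"
SAMPLE_AGENT = b"constructed backup-agent v2.3 binary"

WHITELIST: List[WhitelistEntry] = [
    WhitelistEntry("editor.exe", "Example Corp (constructed)", sha256_hex(SAMPLE_EDITOR)),
    WhitelistEntry("backup-agent.exe", "Example Corp (constructed)", sha256_hex(SAMPLE_AGENT)),
]

def check_execution(file_name: str, binary: bytes,
                    whitelist: List[WhitelistEntry] = WHITELIST) -> Decision:
    """Default-deny: a program may run only if its hash is on the list."""
    digest = sha256_hex(binary)
    for entry in whitelist:
        if entry.sha256 == digest:
            return Decision(True, f"hash matches whitelisted {entry.file_name} ({entry.publisher})")
    if any(entry.file_name == file_name for entry in whitelist):
        # Same name, different bytes: a modified, trojanised or simply unapproved build.
        return Decision(False, "file name is whitelisted but hash differs")
    return Decision(False, "not on whitelist")

if __name__ == "__main__":
    for name, data in [("editor.exe", SAMPLE_EDITOR),
                       ("editor.exe", b"constructed modified editor"),
                       ("unknown.exe", b"constructed unknown program")]:
        print(name, check_execution(name, data))
```

The name-only match is deliberately refused: a whitelist keyed on file or process names alone is defeated by renaming, which is why the hash or signature identity is the one that decides.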

2.2 Application of software whitelist technology

  • Build a safe and credible mobile Internet security ecological environment
  • Malicious Code Protection
  • "White Environment" Protection

3. Network traffic cleaning technology and application

3.1 Principles of Network Traffic Cleaning Technology

  The process of traffic cleaning is to pull the traffic originally sent to the target device system to the traffic cleaning center when abnormal network traffic is detected. After the abnormal traffic is cleaned, the normal traffic retained after cleaning is sent on to the target device system.

  The steps of network traffic cleaning are as follows:

  • Flow detection. Utilize distributed multi-core hardware technology, detect and analyze network traffic data based on Deep Packet Inspection (DPI), and quickly identify attack packets hidden in background traffic, so as to achieve accurate traffic identification and cleaning.
  • Flow traction and cleaning. Traffic traction technology dynamically forwards the traffic of the target system to the traffic cleaning center for cleaning; the main traction methods are BGP-based and DNS-based. Traffic cleaning means refusing to route and forward malicious traffic directed to the target system, so that malicious traffic cannot affect the target system.
  • Traffic reinjection. The cleaned traffic is sent on to the target system, so the user's normal network traffic is not affected by the cleaning.

3.2 Application of Network Traffic Cleaning Technology

  • Malformed data packet filtering. Attacks that can be prevented include Teardrop, Fraggle, LAND, WinNuke, Smurf, Ping of Death, TCP Error Flag, etc.
  • Resisting server attacks and protecting web applications. Attacks that can be prevented include UDP Flood, ICMP Flood, SYN Flood, DNS Query Flood, HTTP Get Flood, CC, etc.
  • Web application protection. Attacks that can be prevented include HTTP Get Flood, HTTP Post Flood, HTTP Slow Header/Post, HTTPS Flood attacks, etc.
  • DDoS high-protection IP service. The source server is protected through a proxy forwarding mode: the business traffic of the source server is diverted to the high-protection IP, and after the denial-of-service attack traffic is filtered and cleaned, the normal business traffic is injected back to the source server.
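As an added example (not code from the original notes or from any cleaning product), the following simulates the detection and cleaning stage for two of the categories above: stateless filtering of malformed packets (LAND, bad TCP flag combinations, Ping of Death) and rate-based SYN Flood cleaning that keeps at most a threshold of SYN-only packets per destination per second and drops the rest before reinjection. The packet records, addresses and the threshold value are constructed for the example.

```python
from collections import Counter
from typing import Dict, FrozenSet, List, NamedTuple, Optional, Tuple

class Packet(NamedTuple):
    ts: float              # arrival time in seconds
    src: str
    dst: str
    proto: str             # "tcp", "udp" or "icmp"
    flags: FrozenSet[str]  # TCP flag names, empty for non-TCP
    length: int            # reassembled datagram length in bytes

IP_MAX_LENGTH = 65535
SYN_THRESHOLD = 100        # SYN-only packets per destination per second (assumed policy value)

def malformed_reason(p: Packet) -> Optional[str]:
    """Malformed packet filtering: stateless checks for attacks named in the text."""
    if p.src == p.dst:
        return "LAND: source address equals destination address"
    if p.proto == "tcp" and {"SYN", "FIN"} <= p.flags:
        return "TCP error flags: SYN and FIN set together"
    if p.proto == "tcp" and not p.flags:
        return "TCP error flags: no flags set"
    if p.proto == "icmp" and p.length > IP_MAX_LENGTH:
        return "Ping of Death: reassembled datagram exceeds 65535 bytes"
    return None

def syn_only(p: Packet) -> bool:
    return p.proto == "tcp" and p.flags == frozenset({"SYN"})

def clean(packets: List[Packet], threshold: int = SYN_THRESHOLD) -> Tuple[List[Packet], Counter]:
    """Return (traffic to reinject, counts of dropped packets by reason)."""
    forwarded: List[Packet] = []
    dropped: Counter = Counter()
    seen_syn: Dict[Tuple[str, int], int] = {}   # (dst, 1-second window) -> SYNs forwarded so far
    for p in sorted(packets, key=lambda x: x.ts):
        reason = malformed_reason(p)
        if reason:
            dropped[reason] += 1
            continue
        if syn_only(p):
            key = (p.dst, int(p.ts))
            seen_syn[key] = seen_syn.get(key, 0) + 1
            if seen_syn[key] > threshold:
                dropped["SYN Flood: per-second SYN rate exceeded"] += 1
                continue
        forwarded.append(p)
    return forwarded, dropped

def constructed_traffic() -> List[Packet]:
    """Sample traffic constructed for this example (documentation address ranges)."""
    target = "10.0.0.5"
    pkts = [Packet(i / 150, f"192.0.2.{i % 250 + 1}", target, "tcp", frozenset({"SYN"}), 60)
            for i in range(150)]                        # 150 spoofed SYNs within one second
    pkts += [Packet(0.2 + i * 0.1, "198.51.100.7", target, "tcp", frozenset({"ACK", "PSH"}), 500)
             for i in range(3)]                          # an established legitimate session
    pkts.append(Packet(0.4, target, target, "tcp", frozenset({"SYN"}), 60))                  # LAND
    pkts.append(Packet(0.5, "203.0.113.8", target, "tcp", frozenset({"SYN", "FIN"}), 60))    # bad flags
    pkts.append(Packet(0.6, "203.0.113.9", target, "icmp", frozenset(), 70000))              # Ping of Death
    return pkts

if __name__ == "__main__":
    fwd, drop = clean(constructed_traffic())
    print(len(fwd), "packets reinjected; dropped:", dict(drop))
```

The legitimate ACK/PSH session passes untouched, which is the property the reinjection step promises: cleaning removes the flood and the malformed packets without disturbing normal traffic to the same target.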

4. Trusted Computing Technology and Application

  • Trusted Computing (TC) is a platform and technology designed to improve system security. The idea is to build a trusted platform to ensure network and system security. Trusted computing is a core key technology of network information security.
  • At present, trusted verification is a new requirement of level protection 2.0.
  • The principle of trusted computing is to first build a root of trust, and then build a complete chain of trust from the root of trust to trusted hardware, to trusted operating systems, and to trusted applications.
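The chain of trust in the last point, as an added example that is not part of the original notes: each stage measures (hashes) the next stage before handing over control, and the measurement is folded into an extend-only register in the way a TPM PCR works (PCR_new = H(PCR_old || measurement)). A verifier then accepts the platform only if the final register value equals a golden value recorded from a known-good boot. The stage images, the golden value and the register size are constructed assumptions for the example.

```python
import hashlib
import hmac
from typing import List, Tuple

PCR_SIZE = 32  # SHA-256 register, as in a TPM PCR

def measure(image: bytes) -> bytes:
    """Each stage measures (hashes) the next stage before handing control to it."""
    return hashlib.sha256(image).digest()

def extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM-style extend: PCR_new = H(PCR_old || measurement). The register can only be
    extended, never set, so a later stage cannot erase the record of what measured it."""
    return hashlib.sha256(pcr + measurement).digest()

# Constructed boot chain: the root of trust measures the firmware, the firmware measures
# the loader, and so on up to the application. The images are placeholders, not real code.
STAGES: List[Tuple[str, bytes]] = [
    ("firmware", b"constructed firmware image v1"),
    ("bootloader", b"constructed bootloader image v1"),
    ("os_kernel", b"constructed kernel image v1"),
    ("application", b"constructed application image v1"),
]

def boot(stages: List[Tuple[str, bytes]]) -> Tuple[bytes, List[Tuple[str, str]]]:
    """Walk the chain, extending the register and keeping an event log of measurements."""
    pcr = bytes(PCR_SIZE)  # register starts at all zeros at power-on
    log: List[Tuple[str, str]] = []
    for name, image in stages:
        m = measure(image)
        pcr = extend(pcr, m)
        log.append((name, m.hex()))
    return pcr, log

def replay(log: List[Tuple[str, str]]) -> bytes:
    """A verifier recomputes the register from the event log alone."""
    pcr = bytes(PCR_SIZE)
    for _, measurement_hex in log:
        pcr = extend(pcr, bytes.fromhex(measurement_hex))
    return pcr

# Golden value recorded from a known-good boot (assumption: provisioned to the verifier).
GOLDEN_PCR = boot(STAGES)[0]

def attest(pcr: bytes, golden: bytes = GOLDEN_PCR) -> bool:
    """Trusted verification: the platform is trusted only if the whole chain matches."""
    return hmac.compare_digest(pcr, golden)

def tampered_stages(stage: str, new_image: bytes) -> List[Tuple[str, bytes]]:
    """Return the constructed chain with one stage's image replaced."""
    return [(n, new_image if n == stage else img) for n, img in STAGES]

if __name__ == "__main__":
    pcr, log = boot(STAGES)
    print("good boot attested:", attest(pcr), "| log replay matches:", replay(log) == pcr)
    bad_pcr, _ = boot(tampered_stages("bootloader", b"constructed modified bootloader"))
    print("tampered bootloader attested:", attest(bad_pcr))
```

Because the extend operation is order-dependent and one-way, changing any single stage, or the order of stages, changes the final value; that is what makes a chain, rather than a set of independent checks, the basis of trusted verification.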

5. Digital Watermarking Technology and Application

5.1 Principle of digital watermarking technology

  Digital watermarking (Digital Watermark) uses the characteristics of the human auditory and visual organs to add special information to images, audio and video in a way that is hard for people to notice; afterwards, the added information can be extracted again through specific methods and steps. Digital watermarking technology usually consists of two parts: watermark embedding and watermark extraction.

[Figure: watermark embedding and extraction]

  Digital watermark embedding methods are mainly divided into spatial domain and transform domain methods, and their working principles are as follows

[Figure: spatial domain watermarking]

[Figure: transform domain watermarking]

5.2 Application of digital watermarking technology

  Common application scenarios for digital watermarking are:

(1) Copyright protection: Embedding copyright information or copyright electronic evidence in digital works

(2) Information hiding: Embedding sensitive information that cannot be discovered by attackers in digital media such as images and sounds

(3) Information traceability: Embed the user's identity information in the protected data, and prevent file diffusion through traceability methods

(4) Access control: Add access control information to the protected data, and determine whether the user has authorization before using the protected data

The characteristics required of a watermark embedded in a digital image are:

(1) Transparency

(2) Robustness

(3) Security
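The following added example (not from the original notes) implements the simplest spatial-domain method from section 5.1, least-significant-bit (LSB) embedding and extraction, and uses it to illustrate the first two characteristics listed here: each pixel changes by at most one grey level (transparency), while a mild brightness edit already destroys the mark (poor robustness), which is the usual reason production watermarks work in a transform domain instead. The 8x8 grey-scale image and the identifier string are constructed.

```python
from typing import List

def _bits(message: bytes) -> List[int]:
    """Most-significant bit first, one list entry per bit."""
    return [(byte >> i) & 1 for byte in message for i in range(7, -1, -1)]

def embed_lsb(pixels: List[int], message: bytes) -> List[int]:
    """Spatial-domain embedding: write each watermark bit into the least significant bit
    of one 8-bit grey-level pixel, so no pixel changes by more than 1 (transparency)."""
    bits = _bits(message)
    if len(bits) > len(pixels):
        raise ValueError("image too small for this watermark")
    out = list(pixels)
    for i, b in enumerate(bits):
        out[i] = (out[i] & 0xFE) | b
    return out

def extract_lsb(pixels: List[int], n_bytes: int) -> bytes:
    """Extraction: read the LSBs back in the same order and repack them into bytes."""
    bits = [p & 1 for p in pixels[: n_bytes * 8]]
    return bytes(int("".join(map(str, bits[i:i + 8])), 2) for i in range(0, len(bits), 8))

def max_pixel_change(a: List[int], b: List[int]) -> int:
    """Largest per-pixel difference between the cover image and the marked image."""
    return max(abs(x - y) for x, y in zip(a, b))

def brighten(pixels: List[int], delta: int) -> List[int]:
    """An ordinary edit that a normal workflow (or a remover) might apply."""
    return [min(255, max(0, p + delta)) for p in pixels]

# Constructed 8x8 grey-scale "image" (64 pixel values in 20..219), not a real picture.
IMAGE = [(i * 7) % 200 + 20 for i in range(64)]
WATERMARK = b"ID42"   # 32 bits: a constructed user/copy identifier (traceability use case)

if __name__ == "__main__":
    marked = embed_lsb(IMAGE, WATERMARK)
    print("max change per pixel:", max_pixel_change(IMAGE, marked))              # transparency
    print("extracted:", extract_lsb(marked, len(WATERMARK)))
    print("after +3 brightness:", extract_lsb(brighten(marked, 3), len(WATERMARK)))  # robustness
```

Adding an odd constant flips every least-significant bit, so the extracted bytes come back inverted; a robust scheme spreads each bit over many coefficients so that such edits average out.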

6. Network attack trap technology and application

  The network attack trap technology changes the information of the protected target object to deceive the attacker, thereby changing the passivity of the network security defender and improving the network security protection capability.

6.1 Honeypot Host

A honeypot is a security resource whose value lies in being probed, attacked and compromised. A honeypot is a "black box" set up by a network administrator after careful arrangement: it appears to be full of vulnerabilities but is under control, and the intrusion data it collects is very valuable. Network honeypot technology is a kind of active defense technology.

According to the technical type of the honeypot host, honeypots can be divided into three basic types: sacrificial honeypots, appearance honeypots and measurement honeypots.

  Honeypots can be configured in four different ways:

(1) Decoy service: Listen to the port and make a corresponding response when a request occurs.

(2) Weaken the system: Configure an operating system with known weaknesses to allow attackers to attack, so that attack data can be easily collected.

(3) Strengthen the system: improve the weakened system so that it can not only collect attack data but also collect evidence.

(4) User mode service: Simulate the user operating system that runs the application program, thereby confusing the attacker and recording the attack behavior.
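As an added example of configuration (1), a decoy service, the following minimal decoy (not code from the original notes) listens on a port, greets probes with a constructed FTP-style banner, answers each command with a plausible refusal, and writes a JSON log line per request; it never grants access. The banner host name, the port and the log path are assumptions, and the decision logic is kept in a pure function so it can be exercised without opening a socket.

```python
import json
import socketserver
import time
from typing import Dict, Tuple

# Constructed banner: the decoy pretends to be an FTP server on a host that does not exist.
FAKE_BANNER = b"220 ftp.example.invalid FTP server ready\r\n"

def handle_command(peer: str, data: bytes, now: float) -> Tuple[bytes, Dict[str, object]]:
    """Return a plausible response and a log record. The decoy never grants access;
    its only purpose is to respond enough to keep the probe talking and record it."""
    text = data.decode("latin-1", "replace").strip()[:256]
    record: Dict[str, object] = {"time": now, "peer": peer, "request": text}
    cmd = text.split(" ", 1)[0].upper()
    if cmd == "USER":
        response = b"331 Password required\r\n"
    elif cmd == "PASS":
        response = b"530 Login incorrect\r\n"      # always refuse
        record["alert"] = "credential attempt"
    elif cmd == "QUIT":
        response = b"221 Goodbye\r\n"
    else:
        response = b"500 Unknown command\r\n"
    return response, record

class DecoyHandler(socketserver.StreamRequestHandler):
    """One connection: send the banner, answer line by line, append JSON log lines."""
    def handle(self) -> None:
        peer = self.client_address[0]
        self.wfile.write(FAKE_BANNER)
        while True:
            line = self.rfile.readline()
            if not line:
                break
            response, record = handle_command(peer, line, time.time())
            self.server.log.write(json.dumps(record) + "\n")
            self.server.log.flush()
            self.wfile.write(response)
            if response.startswith(b"221"):
                break

class DecoyServer(socketserver.ThreadingTCPServer):
    allow_reuse_address = True

def serve(host: str = "127.0.0.1", port: int = 2121, log_path: str = "decoy.log") -> None:
    """Listen on a port (assumption: 2121 is used so the example runs without root)."""
    with DecoyServer((host, port), DecoyHandler) as srv, open(log_path, "a") as log:
        srv.log = log
        srv.serve_forever()

if __name__ == "__main__":
    serve()
```

Every request is logged before the refusal is sent, so the record survives even if the client disconnects immediately; the "alert" field marks credential attempts for the monitoring pipeline described in section 6.3.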

6.2 Trap network technology

  Network traps, also known as honeynets, are constructed from multiple honeypot hosts, firewalls, routers, IDS, etc., which are more deceptive and can better study attacker behavior.

6.3 Application of network attack trap technology

  Network attack trap technology is a proactive network security technology that has been gradually recognized by users. Its main application scenarios are malicious code monitoring, enhanced anti-attack capabilities and network situational awareness.

  • Malicious code monitoring: Perform malicious code analysis on the network traffic and system data of honeypot nodes, monitor abnormal and hidden network communications, and discover advanced malicious codes.
  • Enhance anti-attack capabilities: use network attack traps to change the asymmetry between network attack and defense, interfere with attack activities using false targets and information, delay network attacks, and give defenders time to carry out network security emergency response.
  • Network situational awareness: use network attack traps and big data analysis technology to obtain network threat intelligence, master its attack methods, attack behavior characteristics and attack sources, so as to effectively carry out network situational awareness.

7. Intrusion tolerance and system survival technology and application

7.1 Principles of Intrusion Tolerance Technology and System Survival Technology

  • Intrusion tolerance technology and system survival technology aim to ensure that the system can still complete its tasks as required when it is under attack or a failure occurs suddenly.
  • Survival 3R method: This method first divides the system into an unbreakable security core and a recoverable part. Then, for a given attack mode, a 3R strategy is given, where 3R stands for Resistance, Recognition and Recovery; the system mode is divided into the normal mode and the intrusion mode used by hackers, the basic functional services and key information that the system must protect are specified, the system's 3R strategy is analyzed for the two modes, and its weaknesses are found and improved. Finally, the above process is repeated as usage patterns and intrusion patterns change.

7.2 Application of Intrusion Tolerance and System Survival Technology

  • Elastic CA system. The CA private key is the security basis of a PKI system: once the CA private key is leaked, its digital certificates can no longer be trusted. To protect the security of the CA private key, researchers proposed the elastic CA system, which allows the PKI system to keep operating normally even when one server or several devices are compromised.
  • Blockchain (a decentralized distributed database whose data security gives it strong intrusion tolerance).

8. Privacy protection technology and application

Privacy protection technology is an important measure for personal information security protection.

8.1 Types and technical principles of privacy protection

  Privacy can be divided into several categories such as identity-based privacy, attribute privacy, social relationship privacy, and location track privacy.

  The goal of privacy protection technology is to safely modify private data so that the modified data can be released publicly without privacy attacks. At the same time, the modified data should retain the use value of the original data to the greatest extent under the premise of protecting privacy. At present, the main methods of privacy protection are K-anonymity method and differential privacy method.

[Figure: K-anonymity and differential privacy]

8.2 Application of Privacy Protection Technology

  Common application scenarios for personal information protection are as follows:

(1) Anonymize personal information. Personal information is anonymized so that the subject of the personal information cannot be identified, and the processed information cannot be recovered.

(2) De-identify personal information. The identifier of the personal information subject is replaced by a pseudonym, encryption, a hash function, etc., so that the subject cannot be identified without additional information.

  In addition to personal information protection, privacy protection technology can also be used to protect important sensitive data of network information systems, such as router configuration files and system password files. Passwords of users of operating systems, databases and similar systems are usually processed by a hash function before being saved, to prevent leakage.
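The following added example (not from the original notes) shows the two application scenarios above on a constructed table of six records, together with the K-anonymity measure from section 8.1: de-identification replaces the name with a keyed-hash pseudonym (HMAC, so the pseudonym cannot be reversed by hashing all candidate names without the key), and anonymization generalizes the quasi-identifiers age and postal code until every combination is shared by at least k records. The records, key and generalization rules are constructed assumptions.

```python
import hashlib
import hmac
from collections import Counter
from typing import Dict, List, Sequence

Record = Dict[str, str]

def pseudonymize(identifier: str, key: bytes) -> str:
    """De-identification by keyed hash. A plain hash of a name or ID number can be
    reversed by hashing every candidate value; with HMAC that needs the key too."""
    return hmac.new(key, identifier.encode("utf-8"), hashlib.sha256).hexdigest()[:16]

def generalize(record: Record) -> Record:
    """Anonymization by generalizing quasi-identifiers: age to a 10-year band, postal
    code to its first three digits. The sensitive attribute is kept for analysis value."""
    age = int(record["age"])
    low = age - age % 10
    return {"age": f"{low}-{low + 9}", "zip": record["zip"][:3] + "**",
            "diagnosis": record["diagnosis"]}

def k_anonymity(records: Sequence[Record], quasi_ids: Sequence[str]) -> int:
    """Smallest group size over all quasi-identifier combinations. k = 1 means some
    individual is unique and may be re-identified by linking to another dataset."""
    groups = Counter(tuple(r[q] for q in quasi_ids) for r in records)
    return min(groups.values())

# Constructed sample table (no real people, documentation-style values).
RAW: List[Record] = [
    {"name": "A", "age": "23", "zip": "100011", "diagnosis": "flu"},
    {"name": "B", "age": "27", "zip": "100017", "diagnosis": "asthma"},
    {"name": "C", "age": "25", "zip": "100019", "diagnosis": "flu"},
    {"name": "D", "age": "34", "zip": "200021", "diagnosis": "diabetes"},
    {"name": "E", "age": "38", "zip": "200025", "diagnosis": "flu"},
    {"name": "F", "age": "31", "zip": "200029", "diagnosis": "asthma"},
]
QUASI_IDS = ("age", "zip")

def release(records: Sequence[Record], key: bytes) -> List[Record]:
    """Published view: direct identifier pseudonymized, quasi-identifiers generalized."""
    return [dict(generalize(r), subject=pseudonymize(r["name"], key)) for r in records]

if __name__ == "__main__":
    key = b"constructed-secret-key"   # assumption: held by the data owner, never published
    print("k before release:", k_anonymity(RAW, QUASI_IDS))
    published = release(RAW, key)
    print("k after release:", k_anonymity(published, QUASI_IDS))
    print(published[0])
```

Before release every (age, zip) pair is unique (k = 1); after generalization each pair is shared by three records (k = 3), while the diagnosis column still supports the analysis the data was released for.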

9. Frontier development trend of the Internet

  • Network threat intelligence services refer to information about security threats to network information systems, mainly including security vulnerabilities, attack source IP addresses, malicious email addresses, malicious domain names, attack tools, etc. At present, domestic and foreign manufacturers and security agencies provide network threat intelligence services in different ways.
  • Domain name service security.
  • Homomorphic encryption refers to an encryption function for which performing addition or multiplication on plaintexts and then encrypting gives the same result as encrypting first and then performing the corresponding operation on the ciphertexts. An encryption function with the homomorphic property is one in which two plaintexts a and b satisfy the following equality conditions:

[Figure: homomorphic encryption equality conditions]


Origin blog.csdn.net/qq_43632414/article/details/127312077