Author: Hsi-yuan, 54th Research Institute, China Electronics Technology Group

Abstract: Attack and defense are the two basic aspects of confrontation. This paper first summarizes the confrontation mechanisms of information networks, then discusses the various information network defense mechanisms, focusing on the vulnerabilities of each defense mechanism and proposing the corresponding attack mechanisms. Finally, the attack-defense relationships among current information network confrontation mechanisms are summarized.

Keywords: information network; network confrontation; network attack; network defense

Introduction

Information network confrontation has been widely recognized as the main form of information warfare; some Western countries have even established network warfare forces and organize confrontation activities against information networks. Conceptually, "information network" is a broad term: any collection of hardware facilities capable of transferring and sharing information can be called an information network. The category of information network is therefore not entirely equivalent to that of the computer network; sensor networks, short-wave radio networks, telephone networks and so on are also information networks. The information network confrontation discussed here mainly concerns computer networks, but it also applies to a certain extent to other kinds of information networks. Information network (hereinafter "network") confrontation includes attack and defense. This paper first summarizes the network confrontation mechanisms, then discusses the various network defense mechanisms, focusing on the vulnerabilities of each defense mechanism and proposing the corresponding attack mechanisms. Finally, the attack-defense relationships among current network confrontation mechanisms are summarized.

1. Classification of network confrontation mechanisms
Network confrontation mechanisms generally refer to network attack and defense methods and their respective strategies or processes. The focus of network attack and defense is the availability, confidentiality and integrity of information resources. Network attack methods are emerging constantly and show a trend toward intelligence, systematization and integration. For different network levels and different application requirements there are also a variety of security defense measures; a comprehensive defense combining multiple defense technologies in both software and hardware is considered the best solution for network defense. Based on analysis and summary, this paper proposes a general classification system for network confrontation. We believe this classification basically covers the current types of network attack mechanisms and defense mechanisms.

2. Network defense against network attack

2.1 Access control

Access control mainly prevents unauthorized users from using network resources, so as to avoid network intrusions. The main measures are:
(1) Physical isolation: not connecting to public networks (such as the Internet), or adopting special, closed network systems, keeps external attackers off the network and greatly reduces the possibility of external attack. For some key departments or important applications (such as battlefield communication), physical isolation is an effective means of defense.
(2) Signal-controlled access: transmitting signals with direct-sequence spread spectrum, frequency hopping, or a combination of the two is a quite effective method of network access control.
(3) Firewall: a firewall is a security barrier between interconnected networks; it restricts mutual access between networks according to a security policy, so as to protect the network behind it.
At the same time, an application-gateway firewall based on proxy technology can also hide configuration information inside the network, suppressing some network scanning activity. A firewall acting as an intermediary for TCP connections also has a certain defensive effect against SYN flood attacks.
(4) Identity authentication: identity authentication identifies the authenticity of users, hosts, or certain materials (such as digital certificates); after identification, different users are granted different network access permissions. Identity authentication is an effective means of preventing spoofing attacks.

2.2 Encryption

Encryption is a transformation of information such that only users holding the decryption information can read the original. Encrypting information defends against network sniffing and protects the confidentiality of the information.
At the same time, high-strength encryption greatly suppresses cipher-breaking attacks; especially when non-technical measures such as keeping the algorithm confidential are also adopted, attempting to break the encryption system by technical means is extremely difficult. In addition, encryption can be used to implement identity authentication, providing a security guarantee for authentication, and can therefore also prevent spoofing attacks to a certain extent.

In network transmission, link-layer encryption and network-layer encryption are generally used. Link-layer encryption encrypts the point-to-point communication between adjacent link nodes to provide transmission security. The link frame to be transmitted is first encrypted; each intermediate node decrypts the received link frame and, if the frame needs to be forwarded, re-encrypts the message packet with the key of the next link. Link-layer encryption is divided into link encryption and node encryption. The difference between the two is that in link encryption all transmitted information, including the source/destination node address information, is encrypted, and an intermediate node must completely decrypt the link frame in order to process the user packet correctly, so the user message exists in cleartext inside the intermediate node. In node encryption, the source/destination node address information is transmitted in cleartext, and a security module (a protected peripheral device) attached to the node machine is responsible for decrypting and re-encrypting the ciphertext, so the user message is never allowed to appear in cleartext at the intermediate node.
Network-layer encryption is also called end-to-end encryption. It keeps user packets in ciphertext throughout transmission from source to destination; intermediate nodes are only responsible for forwarding and perform no decryption, so the content of user information is protected over the whole transmission path. At the same time, each message is encrypted independently, so a transmission error in a single packet does not affect subsequent packets. Therefore, with network-layer encryption, transmission is secure as long as the source and destination are secure.

2.3 Monitoring

Monitoring as a network defense can be divided into two parts: malicious code scanning and intrusion detection. Malicious code scanning mainly means virus scanning and Trojan program scanning. Existing virus scanning software has been publicly recognized for its ability to kill viruses and is a powerful weapon in defending against malicious code attacks. An intrusion detection system identifies anomalous events mainly by collecting and analyzing information about the network or host system, reports them in a timely manner, and stops intrusive activities that may harm the network or host system. Intrusion detection systems can discover network scanning activity and play an important role in defending against denial-of-service attacks.

2.4 Audit

Audit is an after-the-fact measure: it allows early discovery of attack activity and obtains evidence and characteristics of intrusions, thereby enabling analysis and tracing of attacks. Building a system log is an important means of implementing the audit function; it can record all activities that occur in the system, which helps to discover illegal scanning, denial-of-service attacks and other suspicious intrusions.

3. Network attack against network defense

3.1 Attacking access control

First, a target network that adopts physical isolation measures forms an information "island", which the outside world finds difficult to penetrate over the network.
It can only be physically destroyed, or virus code, logic bombs and the like can be implanted into the target network by means of espionage. Second, with respect to signal-controlled access, signal interception, signal spoofing and signal jamming are all feasible attacks. At present, interception of slow short-wave frequency-hopping signals, direct-sequence spread-spectrum signals and fixed-frequency signals is possible. Spoofing attacks can be implemented against fixed-frequency signals; if the target network's signal transmission equipment is obtained, spoofing of spread-spectrum signals is also possible, and in WLANs this is often used to perform network sniffing. Of course, effective signal interception and signal spoofing require an understanding of the signal format, and this condition is relatively easy to satisfy. In addition, electromagnetic jamming is a general means of dealing with all kinds of electronic signals. Third, with respect to firewall control technology, since a firewall cannot analyze encrypted packets transmitted in tunnel mode, it can be bypassed by disguising data as encrypted tunnel traffic. In addition, network scanning technology can find network ports left open through user negligence or other reasons, which then serve as a breakthrough point for intruding into the system.
Fourth, with respect to authentication technology, most systems use the host IP address as the authentication object, so they can be attacked by IP address spoofing. User-based authentication is of a higher order, and attacks on it are mainly based on buffer overflows and packet capture analysis. Password cracking is also a possible attack method.

3.2 Vulnerabilities of encryption and attacks on them

3.2.1 Vulnerabilities of link-layer encryption and attacks on them

(1) Synchronization: link-layer encryption is usually used on synchronous or asynchronous point-to-point links, so the encryption devices at both ends of the link must be synchronized before encryption. If link quality is poor, the encryption devices need to be resynchronized frequently, resulting in data loss or frequent retransmission.
(2) Traffic analysis: node encryption requires the address information of link frames to be transmitted in cleartext so that intermediate nodes can forward them correctly. Clearly this method is fragile against traffic analysis attacks.
(3) Dependence on the physical security of nodes: link encryption requires message packets to exist in cleartext at intermediate nodes, which increases the dependence on the physical security of the nodes.
(4) Key distribution and management: link-layer encryption uses symmetric encryption, so all keys must be stored securely and updated according to certain rules. Since each node must store the encryption keys of all its links, key distribution and update must be carried out by physical delivery or by establishing a dedicated network facility. For networks whose nodes are widely distributed, this key distribution and update process is very complicated, and the cost of continually distributing keys is also very high.
(5) The cipher machine is the common device for implementing point-to-point link encryption.
It is very costly for point-to-multipoint transmission, and its encryption strength either limits the usable channel transmission rate or causes a higher transmission error rate.

3.2.2 Vulnerabilities of network-layer encryption and user message encryption

Network-layer encryption and user message encryption suffer from the contradiction between encryption strength on the one hand and processing speed and complexity on the other, so that in practical applications encryption technology does not truly achieve the security it claims.
(1) In general, the longer the key, the higher the encryption strength, but a long key slows encryption/decryption and increases system complexity; this is particularly true of public-key encryption. Therefore, in some applications with real-time requirements the key length is often limited, which makes cracking the cipher possible.
(2) Symmetric encryption is secure and fast to execute, but for large networks the key management problem it brings constrains its use. In fact, public-key encryption also has key management problems; without a sound key management system, the encryption system is exposed to great security hazards. At present, the public key infrastructure for key management, digital certificates and so on is not perfect, so identity spoofing is a feasible approach.
(3) Increases in equipment processing capacity not only benefit encryption but also increase the speed at which keys can be cracked.
(4) In some cases, the strong encryption measures provided in communication processes or communication devices are not used, or are not used strictly in the specified manner; this is especially prominent in the Internet and WLANs.
(5) When the encryption methods of two networks are incompatible, protection may lapse at the junction between them, as with WEP encryption when the Internet is accessed through a WLAN.
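The three schemes contrasted in 2.2 and 3.2.1, with what each exposes to an eavesdropper on the wire and to the main processor of an intermediate node, as an added example not taken from the paper. The topology (A to B to C), the keys and the stream cipher built from SHA-256 are all constructed for illustration; the cipher is a toy with no authentication, standing in for whatever cipher the link devices actually use.

```python
import hashlib
from typing import Dict, List, Tuple

# Constructed sample topology: packets travel A -> B -> C. B is the only
# intermediate node and is where we record what a node could read if compromised.
PATH: List[str] = ["A", "B", "C"]
# Constructed keys (hypothetical values; a real system provisions them through
# the key-distribution process discussed in 3.2.1 (4)).
LINK_KEYS: Dict[Tuple[str, str], bytes] = {
    ("A", "B"): b"link-key-AB-constructed",
    ("B", "C"): b"link-key-BC-constructed",
}
END_TO_END_KEY: bytes = b"end-to-end-key-AC-constructed"


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy keystream: SHA-256(key || nonce || counter) blocks. Illustration only:
    it has no authentication and a (key, nonce) pair must never be reused."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def toy_crypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR with the keystream; the same call encrypts and decrypts."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, nonce, len(data))))


def encode_header(src: str, dst: str) -> bytes:
    return f"{src}>{dst}|".encode()


def simulate(mode: str, payload: bytes, nonce: bytes = b"pkt-0001") -> Dict[str, bool]:
    """Carry one packet A -> B -> C under `mode` ("link", "node" or "end_to_end")
    and report where the header and payload are visible in cleartext."""
    header = encode_header(PATH[0], PATH[-1])
    payload_seen_at_b = False

    # --- sender A builds the first frame ---
    if mode == "link":
        # Link encryption: header and payload are encrypted together per link.
        frame = toy_crypt(LINK_KEYS[("A", "B")], nonce, header + payload)
    elif mode == "node":
        # Node encryption: header in clear, payload encrypted per link.
        frame = header + toy_crypt(LINK_KEYS[("A", "B")], nonce, payload)
    elif mode == "end_to_end":
        # Network-layer encryption: header in clear, payload under the A-C key.
        frame = header + toy_crypt(END_TO_END_KEY, nonce, payload)
    else:
        raise ValueError(mode)
    # What a sniffer on the A-B wire sees: addresses are exposed unless link-encrypted.
    header_on_wire = frame[: len(header)] == header

    # --- intermediate node B processes the frame ---
    if mode == "link":
        clear = toy_crypt(LINK_KEYS[("A", "B")], nonce, frame)  # host decrypts everything
        payload_seen_at_b = True                                 # 3.2.1 (3): cleartext on the host
        frame = toy_crypt(LINK_KEYS[("B", "C")], nonce, clear)
    elif mode == "node":
        hdr, enc_body = frame[: len(header)], frame[len(header):]
        # The security module re-keys the payload; the host only ever handles ciphertext.
        body_in_module = toy_crypt(LINK_KEYS[("A", "B")], nonce, enc_body)
        frame = hdr + toy_crypt(LINK_KEYS[("B", "C")], nonce, body_in_module)
    # end_to_end: B forwards the frame unchanged; it holds no key for the payload.

    # --- receiver C recovers the payload ---
    if mode == "link":
        recovered = toy_crypt(LINK_KEYS[("B", "C")], nonce, frame)[len(header):]
    elif mode == "node":
        recovered = toy_crypt(LINK_KEYS[("B", "C")], nonce, frame[len(header):])
    else:
        recovered = toy_crypt(END_TO_END_KEY, nonce, frame[len(header):])

    return {
        "header_visible_on_wire": header_on_wire,
        "payload_visible_at_B": payload_seen_at_b,
        "delivered_intact": recovered == payload,
    }


def compare_schemes(payload: bytes = b"constructed user message") -> Dict[str, Dict[str, bool]]:
    return {m: simulate(m, payload) for m in ("link", "node", "end_to_end")}


if __name__ == "__main__":
    for mode, result in compare_schemes().items():
        print(f"{mode:11s} {result}")
```

The output makes the trade-off of 3.2.1 concrete: link encryption hides the addresses from a wire sniffer but leaves the user message in cleartext on every intermediate host, while node encryption and end-to-end encryption keep the payload out of the host's reach at the price of exposing addresses to traffic analysis.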
3.2.3 Attacks on encryption

From the above discussion, the following attacks on encryption can be implemented:
(1) Cipher breaking: it can be used against encryption at every level, but at present, attempting to break the core encryption of the various countries is very difficult.
For some common applications on the Internet, cipher breaking is quite useful.
(2) Traffic analysis: used mainly for attacks on the link layer; it is also very effective against network-layer encryption that does not use tunnel mode.
(3) Electronic jamming: aimed mainly at link-layer encryption. By degrading the transmission quality of the communication link, it forces the encryption devices into repeated synchronization processing, causing data loss or frequent retransmission.
(4) Spoofing attack: identity spoofing that exploits the imperfection of key management mechanisms and deficiencies in the authentication process; used mostly for Internet attacks.
(5) Replay attack: if received packets cannot be decrypted, they can be copied and resent. Such an attack may cause processing errors at the recipient, and since decryption is computationally expensive, particularly in public-key systems, it may also cause denial of service at the target system.

3.3 Vulnerabilities of monitoring and attacks on them

Virus scanning and intrusion detection cannot identify new viruses or intrusion operations, nor even recognize variants of known viruses or intrusion operations. Other vulnerabilities of intrusion detection systems are:
(1) Processing speed is limited when recognizing and processing traffic; in cases such as a sharp rise in traffic, the detection function is liable to crash.
(2) When subjected to a denial-of-service attack, the fail-open mechanism of some intrusion detection systems masks the attacker's other attacks.
(3) Management and maintenance are difficult, and configuration errors easily create security hazards.
(4) The miss rate and false-positive rate are high, which easily leads users to ignore real attacks.
Attacks can therefore be implemented in the following ways:
(1) Spoofing attack: mainly based on code camouflage, including code replacement, splitting, encoding transformation, etc.
(2) DoS and DDoS attacks.
(3) New virus code or new intrusion methods.

3.4 Attacks on audit

The focus of attacks on audit is the processing of the target system's log files, which can be done in two ways:
(1) Directly delete the log, or selectively modify it; this can be carried out by the attacker by hand or with some rootkit programs.
(2) Use a DDoS attack with address spoofing to rapidly inflate the size of the system log file, affecting the normal operation of the system itself and of the audit function.

4. Summary

Combining the above, the interrelationships among the network confrontation mechanisms given in Table 1 are obtained.

Table 1 Confrontation relationships between network attacks and defenses
Defense (rows) versus attack (columns): network sniffing, cipher breaking, spoofing, malicious code, denial of service
Access control: physical isolation × × × × ★ × × ★
Access control: firewall ★ × ★ ★ ★ ×
Access control: identity authentication ★ ★ × ★ ★ ★
Encryption: link-layer encryption ★ × ★ × ★ × ★
Encryption: network-layer encryption ★ × ★ × ★ × ★
Encryption: application-layer encryption × ★ × ★ × ★
Monitoring × ★ ★ × ★ ×
Audit × ★ ★ ★ ×
The following conclusions can be drawn:
(1) Spoofing and network sniffing have received attention from both sides of the confrontation; around these two kinds of attack the confrontation is most concentrated, and attack and defense are relatively balanced.
(2) Malicious code attacks and denial-of-service attacks are two effective attack methods. In practice, the defense is always in a passive position when confronting malicious code attacks and denial-of-service attacks.
(3) Obviously, cipher breaking mainly attacks link-layer, network-layer and application-layer encryption. For simple application-level encryption the corresponding breaking techniques already exist; otherwise current cipher-breaking technology is very weak, especially in applications with tight time limits.
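Returning to the audit attacks of 3.4 (1), a tamper-evident log is one defense against deletion and selective modification of log records. This is an added example, not from the paper: each record carries the hash of its predecessor, and the head hash is committed out of band to a location the attacker does not control (for instance a remote log host), so that a record that is rewritten, removed, or cut from the tail breaks the chain on verification. The events and the JSON list layout of the chain are constructed for illustration.

```python
import hashlib
import json
from typing import List, Optional, Tuple

GENESIS = "0" * 64  # value that anchors the chain before the first record

# Constructed sample audit events (not taken from any real system).
SAMPLE_EVENTS = [
    {"ts": "2024-01-01T10:00:01Z", "src": "10.0.0.5", "event": "login_ok", "user": "alice"},
    {"ts": "2024-01-01T10:00:07Z", "src": "10.0.0.9", "event": "portscan", "ports": 120},
    {"ts": "2024-01-01T10:00:09Z", "src": "10.0.0.9", "event": "login_fail", "user": "root"},
    {"ts": "2024-01-01T10:00:15Z", "src": "10.0.0.9", "event": "login_ok", "user": "root"},
]


def record_hash(prev_hash: str, event: dict) -> str:
    """Hash of the previous record's hash plus a canonical encoding of this event."""
    canonical = json.dumps(event, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + canonical).encode()).hexdigest()


def append_record(chain: List[dict], event: dict) -> str:
    """Append an event linked to the current last record; returns the new head hash."""
    prev = chain[-1]["hash"] if chain else GENESIS
    h = record_hash(prev, event)
    chain.append({"prev": prev, "event": event, "hash": h})
    return h


def build_chain(events) -> List[dict]:
    chain: List[dict] = []
    for e in events:
        append_record(chain, e)
    return chain


def verify_chain(chain: List[dict], expected_head: Optional[str] = None) -> Tuple[bool, int]:
    """Return (ok, index). ok is False at the first record whose back-link or hash
    does not match. If expected_head (the head hash committed out of band) is given,
    a chain that is internally consistent but ends on a different hash fails with
    index len(chain): that is how a truncated tail is caught."""
    prev = GENESIS
    for i, rec in enumerate(chain):
        if rec["prev"] != prev or record_hash(prev, rec["event"]) != rec["hash"]:
            return False, i
        prev = rec["hash"]
    if expected_head is not None and prev != expected_head:
        return False, len(chain)
    return True, len(chain)


def tamper_scenarios() -> dict:
    """Build the sample chain, then check it against three of the manipulations
    described in 3.4 (1): selective modification, deletion, and truncation."""
    chain = build_chain(SAMPLE_EVENTS)
    head = chain[-1]["hash"]  # committed to the remote log host at write time

    modified = json.loads(json.dumps(chain))      # deep copy via JSON round-trip
    modified[1]["event"]["event"] = "login_ok"    # attacker rewrites the portscan record

    deleted = chain[:1] + chain[2:]               # attacker removes the portscan record
    truncated = chain[:-1]                        # attacker drops the most recent record

    return {
        "intact": verify_chain(chain, head),
        "modified": verify_chain(modified, head),
        "deleted": verify_chain(deleted, head),
        "truncated": verify_chain(truncated, head),
    }


if __name__ == "__main__":
    for name, (ok, idx) in tamper_scenarios().items():
        print(f"{name:9s} ok={ok} first_bad_index={idx}")
```

Without the out-of-band head hash, truncation is invisible: the shortened chain is still self-consistent, which is why the committed head (or forwarding every record to a host the attacker cannot reach) is part of the defense rather than an optional extra. Log flooding, the second attack in 3.4, is not addressed by hashing and needs rate limiting or remote collection instead.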