CN103092680B - Computer network defense scheme emulated execution system - Google Patents

Abstract

The computer network defense scheme simulation execution system includes: (1) Design and implement a formalized computer network defense scheme description language CNDSDL (Computer? NetworkDefense? Scheme? Description? Language) of context-free grammar. EBNF paradigm, and designed a language interpreter based on CNDSDL. (2) A scheme deployment method based on CNDSDL language is proposed. Including the deadlock detection and scheduling algorithm of tasks in the defense scheme, which ensures the correctness of the defense scheme. (3) On the GTNetS simulation platform, the simulation of the defense scheme is realized, including the simulation of IDS, firewall, backup, recovery, and linkage tasks between IDS, vulnerability database and firewall.

Description

Computer Network Defense Scheme Simulation Execution System

technical field

The invention designs and implements a computer network defense scheme simulation execution system, belongs to the technical field of computer network security, and relates to the description of the computer network defense scheme, the deployment of the scheme, and the simulation realization of the scheme.

Background technique

Due to the diversity and openness of the Internet itself, many software and hardware vulnerabilities in computer systems and network equipment, as well as the growth of the network scale and the increasingly complex structure, the relationship between various parts of the system is complex and diverse, and the means of network attacks are also complicated. With the development of diversity, people are faced with many risks brought by network security issues, which poses greater challenges to computer network defense. In order to meet the needs of ensuring the security of large-scale computer networks and application systems, it is necessary to study how to automatically implement the deployment of defense solutions on the network to deal with complex attacks.

Security is not an isolated issue. Relying on any single security product cannot guarantee the security of computer networks and information. The types of network security devices are ever-changing and the configuration methods are different. The traditional manual configuration of network security defense solutions is increasingly inadequate. In the network defense scheme, the joint defense of security devices has become a common method. Through the interconnection of various security devices, the intercommunication and integration of security information, each system uses its own advantages to make up for the shortcomings of other systems, and can more effectively implement network defense solutions.

Because building a physical network is easily limited by the size of the network, and there are reasons such as the inability to accurately reproduce data, easy data loss, and error handling, the modeling and simulation methods have been widely used in the study of network attack and defense. Modeling and simulation is an important way and means to study network security issues.

Through the analysis of the above research status, we can find the following problems.

(1) At present, the research on the formal description of the scheme is mostly concentrated in the military field, and there is a lack of research on the formal description method of the scheme for computer network defense. That is, there is a lack of a unified loosely coupled language-level interface description, so that the defense tasks of security devices and the linkage defense tasks between devices can be expressed;

(2) There is a lack of deployment methods for automatic execution of defense schemes. It can automatically verify the problems such as deadlock in the defense scheme, and can automatically deploy it to the simulation platform to realize the simulation of the scheme;

(3) The simulation research of network defense is mostly used for security assessment and training exercises. The simulation execution mechanism to realize the automatic deployment of defense schemes needs to be further studied, especially the simulation of linkage defense schemes that realize the linkage defense tasks of various defense equipment.

Contents of the invention

The technical problem of the present invention is to overcome the deficiencies of the prior art, and provide a computer network defense scheme simulation execution system, which can more effectively describe the defense scheme, and deploy the defense scheme on the simulation platform to realize the simulation of the scheme, thereby greatly improving increase the efficiency of computer network defense.

Technical solution of the present invention: computer network defense scheme simulation execution system, characterized in that it includes: scheme interpretation module, scheme deployment module, scheme simulation module and its execution result display module, wherein:

Scheme interpretation module: the defense scheme is composed of defense tasks and the temporal logical relationship between tasks. The defense task is composed of task subject, operation set, execution time and execution result. Including protection tasks, detection tasks, analysis tasks, response tasks and recovery tasks. An operation is composed of an action, an action object, and input parameters. Firstly, a computer network defense scheme description language CNDSDL with simple syntax, clear structure, easy operability and scalability is designed and implemented, and the EBNF paradigm of the language is given. Then, for the computer network defense scheme description language CNDSDL, a defense scheme interpreter based on Flex and Bison is designed and implemented, which parses and recognizes CNDSDL sentences, and passes the parameters of various sentences to the interface function. The interpreter performs lexical analysis, syntax analysis and semantic analysis respectively, and finally recognizes the global variable definition statement, task description statement, and task relationship description statement respectively. The specific process is to analyze the input computer network defense scheme description file, analyze the protection, detection, analysis, response and recovery defense tasks in the defense scheme, and the sequence and, sequence or, parallel and, parallel or and XOR relationship.

Scheme deployment module: perform deadlock detection and task scheduling for various defense tasks in the explained defense scheme. The task graph is constructed according to the relationship between tasks, and a graph-based task deadlock detection algorithm is used. By performing a closure operation on the graph, if any directed edge is found to have a reverse edge, then the two tasks have a temporal dependency on each other, indicating that If the scheme will cause deadlock, the execution of the scheme is rejected; otherwise, it is deployed to the corresponding simulation node for execution.

Scheme simulation module: deploy the defense tasks in the defense scheme on the simulation platform to realize the simulation, and display the information of the nodes in the topology. Using GTNetS, a distributed simulator based on discrete events, for IDS detection tasks, firewall access control tasks, vulnerability scanning tasks, backup tasks, recovery tasks, system patching and restart tasks, linkage between IDS, missed scans and firewalls The task is simulated.

Execution result display module: the firewall task simulation will display the access control list deployed on the firewall, and the IDS simulation task will display the deployed detection rules; these simulation tasks will finally display the information of each simulation node in the form of a command console.

The specific implementation process of the program interpretation module: (1) Design and implement a computer network defense program description language, give the EBNF paradigm of the language, and use this language to express the protection, detection, analysis, response and recovery in the defense program Tasks, and sequential and, sequential or, parallel and, parallel or, and exclusive or relationships between tasks. (2) The CNDSDL interpreter is designed. Analyze the description file of the input computer network defense scheme, and analyze the defense tasks in the defense scheme and the relationship between tasks, as well as the subject in each task, operation set, execution time, execution result, and task constraints, and the operation includes Action, action object, action input parameter triplet. Firstly, analyze and identify the CNDSDL statement, including lexical analysis and syntax analysis, which are completed by Flex and Bison tools respectively, so that the parameters of various statements are passed to the interface function. Then carry out semantic analysis, according to the EBNF paradigm description in CNDSDL, respectively identify the global variable definition statement, task description statement, and task relationship description statement. And call the corresponding API interface for different statements, pass the parameters to the relevant modules in the simulation system, and the final program execution is completed by the simulation system. The interpreter implements the parsing of the CNDSDL source file through the above process;

The specific implementation process of the solution deployment module: perform task deadlock detection on various types of defense tasks obtained after explanation, and use a graph-based task deadlock detection algorithm. (1) First construct a task graph according to the sequence or relationship between tasks and the sequence and relationship. (2) Through the closure operation on the graph, if any directed edge has a reverse edge, then the two tasks have a timing dependency relationship with each other, indicating that the scheme will cause deadlock (3) Otherwise, schedule the in-degree from the task graph For a node with a value of 0, if the logic execution results of all forward tasks with sequence or relationship of the node fail, the task must be executed; if the logic execution results of all forward tasks with sequence and relationship of the node are successfully executed, the task will able to execute;

The specific implementation process of the simulation module of the scheme: transfer the tasks through the deadlock detection into the simulation platform to realize the simulation, and adopt the distributed simulator (discrete event-drivensimulator) GTNetS based on discrete events to facilitate large and medium-sized networks. Simulation; vulnerability information, IDS detection rules and firewall access control rules generated during the simulation process will be stored in the database. Its specific task simulation includes the following three parts: (1) Using GTNetS to implement a network-based intrusion detection (NIDS) simulation, and focusing on the feature detection. NIDS is placed in a relatively important network segment, constantly monitors various data packets in the network segment, and analyzes the characteristics of each data packet or suspicious data. If the data packet conforms to the rules, the intrusion detection system will send an alarm or respond, such as sending a vulnerability confirmation message to the vulnerability, or sending the task of blocking the data packet to the firewall; (2) using GTNetS to realize the access control simulation of the firewall . The firewall in security simulation is mainly used for data packet filtering, and data packet filtering is divided into static packet filtering and filtering of data packets according to state. Static packet filtering firewalls, when an interface receives a data packet, first determine whether the ACL is applied to the interface. If not, the packet is routed normally. Process ACLs, if any. For outgoing ACLs, the process is similar. Stateful firewalls mainly filter by recording connection status information. For IP, TCP, UDP, and ICMP protocols, a feasible solution is to obtain connection-related information for Hash when connecting, and the firewall judges whether the traffic is return traffic based on Hash matching. So as to achieve the filtering effect. (3) Using GTNetS to realize the simulation of other defense tasks. The simulation of the backup task in the protection task and the vulnerability confirmation task in the detection task is realized. The backup is the mapping from the target to its copy. By backing up the data and files in the system, it can be used in time when facing attacks and threats. Restoration tasks restore data, thereby ensuring network security. The vulnerability confirmation task is mainly to lower the false detection rate of IDS. For the attack characteristics detected by the IDS, perform vulnerability scanning and search in the vulnerability knowledge base to confirm whether there is such a vulnerability attack in the network. Through the description of the scheme description language, a linkage simulation considering IDS, firewall and vulnerability scanning system is finally realized.

The specific implementation process of the execution result display module: the simulation execution result of the defense simulation task is displayed in the form of a command console, and according to the simulation phenomenon obtained by the simulation module of the scheme, click on the topology node in the simulation, and the node's The simulation execution results are displayed. For example, click Firewall to display the access control list after deploying the firewall access control task, and click IDS to display the detection rules after deploying the IDS detection task.

The beneficial effect of the present invention compared with prior art method is:

(1) The present invention proposes a computer network defense scheme description language. For computer network defense tasks, a computer network defense solution description language CNDSL is adopted, which can uniformly describe the protection, detection, analysis, response and recovery tasks in computer network defense, and the sequence and, sequence or, Parallel AND, parallel OR and XOR 5 sequential logic relationships. In this way, the defense tasks of various security devices and the coordinated defense tasks of the mutual linkage of various security devices can be described. This greatly improves the efficiency of computer network defense.

(2) The present invention provides the explanation and deployment method of the defense scheme. A CNDSDL language interpreter is designed and implemented, combined with its EBNF paradigm, to analyze computer network defense schemes. And a deadlock detection algorithm and task scheduling algorithm of the defense scheme are designed, which can verify the defense scheme and prevent conflicting tasks in the described defense scheme. The correctness of the defense scheme is ensured. Finally, the correct solution is deployed on the simulation platform.

(3) The present invention provides the simulation of the defense scheme. Realize the simulation of IDS tasks based on the distributed GTNetS simulation platform, the simulation of firewall access control tasks, the simulation of backup recovery tasks, the simulation of vulnerability scanning, and the linkage simulation of various defense tasks of IDS, vulnerability database and firewall.

Description of drawings

Fig. 1 is the functional structural diagram of the simulation execution system of the CND defense scheme of the present invention;

Fig. 2 is the syntax tree diagram of the CND scheme of the present invention;

Fig. 3 is a CND task deadlock detection and scheduling algorithm flow chart of the present invention;

Fig. 4 is that Snort intrusion detection system of the present invention processes flow chart to packet;

Fig. 5 is the logical flowchart of input access control list (ACL) of the present invention;

FIG. 6 is a logical flow chart of the output access control list (ACL) of the present invention.

detailed description

As shown in Figure 1, the computer network defense scheme simulation execution system of the present invention, the input is a defense scheme, and the output is a defense scheme execution report, including a scheme interpretation module, a scheme deployment module, a scheme simulation module and an execution result display module.

The whole implementation process is as follows:

(1) Program explanation module

Design the computer network defense scheme description language CNDSDL and its interpreter, conduct lexical analysis, syntax analysis and semantic analysis on the defense scheme described by CDNSDL, explain and generate various defense tasks that conform to the grammatical format of the defense scheme.

Definition 1 Scheme: A scheme is a binary group composed of a set of tasks and a set of relationships between tasks. Recorded as:

$\left\{\begin{array}{c}\mathrm{<span\; class="notranslate">\; Scheme</span>}<span\; class="notranslate">\; :</span><span\; class="notranslate">\; :</span><span\; class="notranslate">\; =</span><span\; class="notranslate">\; (</span>\mathrm{<span\; class="notranslate">\; \&zeta;</span>}<span\; class="notranslate">\; ,</span>\mathrm{<span\; class="notranslate">\; R</span>}<span\; class="notranslate">\; )</span><span\; class="notranslate">\; ;</span>\\ \mathrm{<span\; class="notranslate">\; \&zeta;</span>}<span\; class="notranslate">\; :</span><span\; class="notranslate">\; :</span><span\; class="notranslate">\; \{</span>{\mathrm{<span\; class="notranslate">\; task</span>}}_{\mathrm{<span\; class="notranslate">\; i</span>}}<span\; class="notranslate">\; |</span>\mathrm{<span\; class="notranslate">\; 1</span>}<span\; class="notranslate">\; \&le;</span>\mathrm{<span\; class="notranslate">\; i</span>}<span\; class="notranslate">\; \&le;</span>\mathrm{<span\; class="notranslate">\; no</span>}<span\; class="notranslate">\; \}</span><span\; class="notranslate">\; ;</span>\\ \mathrm{<span\; class="notranslate">\; R</span>}<span\; class="notranslate">\; \&SubsetEqual;</span>\mathrm{<span\; class="notranslate">\; \&zeta;</span>}<span\; class="notranslate">\; \&times;</span>\mathrm{<span\; class="notranslate">\; \&zeta;</span>}<span\; class="notranslate">\; .</span>\end{array}\right.$

Among them, ζ refers to the set of tasks, and R refers to the set of relations between tasks.

Definition 2 Task: A task is a five-tuple consisting of subject, operation set, execution time, execution result, and task constraints, formalized as:

$\left\{\begin{array}{c}\mathrm{<span\; class="notranslate">\; task</span>}<span\; class="notranslate">\; :</span><span\; class="notranslate">\; :</span><span\; class="notranslate">\; =</span><span\; class="notranslate">\; (</span>\mathrm{<span\; class="notranslate">\; sub</span>}<span\; class="notranslate">\; ,</span>\mathrm{<span\; class="notranslate">\; Operation</span>}<span\; class="notranslate">\; ,</span>\mathrm{<span\; class="notranslate">\; time</span>}<span\; class="notranslate">\; ,</span>\mathrm{<span\; class="notranslate">\; effect</span>}<span\; class="notranslate">\; ,</span>\mathrm{<span\; class="notranslate">\; Constrain</span>}<span\; class="notranslate">\; )</span><span\; class="notranslate">\; ;</span>\\ \mathrm{<span\; class="notranslate">\; sub</span>}<span\; class="notranslate">\; \&Element;</span>\mathrm{<span\; class="notranslate">\; subject</span>}<span\; class="notranslate">\; ;</span>\\ \mathrm{<span\; class="notranslate">\; Operation</span>}<span\; class="notranslate">\; :</span><span\; class="notranslate">\; :</span><span\; class="notranslate">\; =</span><span\; class="notranslate">\; \{</span>{\mathrm{<span\; class="notranslate">\; ope</span>}}_{\mathrm{<span\; class="notranslate">\; i</span>}}\mathrm{<span\; class="notranslate">\; 1</span>}<span\; class="notranslate">\; \&le;</span>\mathrm{<span\; class="notranslate">\; i</span>}<span\; class="notranslate">\; \&le;</span>\mathrm{<span\; class="notranslate">\; no</span>}<span\; class="notranslate">\; \}</span><span\; class="notranslate">\; ;</span>\\ \mathrm{<span\; class="notranslate">\; time</span>}<span\; class="notranslate">\; \&Element;</span>\mathrm{<span\; class="notranslate">\; time</span>}<span\; class="notranslate">\; ;</span>\\ \mathrm{<span\; class="notranslate">\; effect</span>}<span\; class="notranslate">\; \&Element;</span>\mathrm{<span\; class="notranslate">\; Effect</span>}<span\; class="notranslate">\; ;</span>\\ \mathrm{<span\; class="notranslate">\; Contrain</span>}<span\; class="notranslate">\; \&SubsetEqual;</span>\mathrm{<span\; class="notranslate">\; condition</span>}<span\; class="notranslate">\; ;</span>\end{array}\right.$

Among them, Subject refers to all subjects in the network that can execute the task; Operation refers to the operation contained in the task; TIME refers to the execution time of the task; Effect refers to the result of task execution, including success and failure; Constraints that the subject itself needs to satisfy.

Definition 3 subject: subject refers to all software and hardware resources participating in computer network security defense, and is a collection of subjects for protection, detection, response and recovery.

Subject::=Subject _protect ∪Subject _detect ∪Subject _respond ∪Subject _recover

Definition 4 Operation: It is a triplet consisting of action, action object, and action input parameters. Recorded as:

$\left\{\begin{array}{c}\mathrm{<span\; class="notranslate">\; ope</span>}<span\; class="notranslate">\; :</span><span\; class="notranslate">\; :</span><span\; class="notranslate">\; =</span><span\; class="notranslate">\; (</span>\mathrm{<span\; class="notranslate">\; action</span>}<span\; class="notranslate">\; ,</span>\mathrm{<span\; class="notranslate">\; object</span>}<span\; class="notranslate">\; ,</span>\mathrm{<span\; class="notranslate">\; inPara</span>}<span\; class="notranslate">\; )</span><span\; class="notranslate">\; ;</span>\\ \mathrm{<span\; class="notranslate">\; action</span>}<span\; class="notranslate">\; \&Element;</span>\mathrm{<span\; class="notranslate">\; action</span>}<span\; class="notranslate">\; ;</span>\\ \mathrm{<span\; class="notranslate">\; object</span>}<span\; class="notranslate">\; \&Element;</span>\mathrm{<span\; class="notranslate">\; object</span>}<span\; class="notranslate">\; ;</span>\\ \mathrm{<span\; class="notranslate">\; inPara</span>}<span\; class="notranslate">\; \&SubsetEqual;</span>\mathrm{<span\; class="notranslate">\; InPara</span>}<span\; class="notranslate">\; ;</span>\end{array}\right.$

Among them, Action is a collection of actions, Object is a collection of action objects, InPara is a collection of input parameters, and the input parameters are key-value pairs, InPara::={(key,value)|key∈strig, value∈strig}

Definition 5 Inter-task relationship: The inter-task relationship refers to the timing and logical relationship between tasks, including sequence and relationship, sequence or relationship, parallel and relationship, parallel or relationship, and XOR relationship. Recorded as:

R _task ::={r _{seq_and} ,r _{seq_or} ,r _{concu_and} ,r _{concu_or} ,r _xor }

Each relationship is described below:

r _{seq_and} : If seq_and(task ₁ , task ₂ ), it means that task ₁ is executed first, and if task ₁ is executed successfully, then task ₂ is executed next, and both task ₁ and task ₂ are executed successfully, indicating that the plan is executed successfully.

r _{seq_or} : If the result is seq_or(task ₁ , task ₂ ), it means that task ₁ is executed first. If task ₁ is successfully executed, task ₂ does not need to be executed. If task ₁ fails, task ₂ must be executed, and the plan is successful. Whether or not depends on whether task ₂ can be successfully executed.

r _{concu_and} : If concu_and(task ₁ , task ₂ ), it means that task ₁ and task ₂ must be executed at the same time, and task ₁ and task ₂ are both executed successfully, so that the scheme can succeed.

r _{concu_or} : If concu_or(task ₁ , task ₂ ), it means that task ₁ and task ₂ must be executed at the same time, and as long as one task is executed successfully, the plan is executed successfully.

r _xor : If xor(task ₁ , task ₂ ), it means that only one of task ₁ and task ₂ will be executed, and the success of this task directly determines the success or failure of the plan.

The EBNF definition of the defense scheme is as follows:

The defense task is composed of the task execution subject, the operations contained in the task, the task execution time, and the constraints of task execution.

<tasks>::=<task>|<tasks>;<task>

<task>::=task<num>'{'subject:<subject>actions:'('<actions>')'

[time:<time>][constrains:'{'<constrains>'}']

There are four types of subjects, namely protection subjects, detection subjects, response subjects, and recovery subjects.

<subjcet>::=<protection_subject>|<detection_subject>|<response_subject>|<recovery_subject>

Commonly used protection subjects are backup servers, firewalls and gateways, gateways, encryption machines, hosts and servers, etc.

<protection_subject>=back_up_server<num>|firewall<num>|gateway<num>|cryptor<num>|host<num>|server<num>

Detection subjects include intrusion detection systems, antivirus systems, vulnerability databases, and audit systems.

<detection_subject>::=IDS<num>|anti_virus_system<num>|vul_base<num>|audit_system<num>

The response body includes host and server.

<response_subject>::=server<num>|host<num>

Recovery subjects include backup servers, hosts, servers, etc.

<recovery_subject>::=back_up_server<num>|host<num>|server<num>

Each type of subject can be extended by adding keywords.

The operations correspond to the main body, which are protection operations, detection operations, response operations, and recovery operations.

<actions>::=<action>|<actions>,<action>

<action>::=<protect_action>|<detect_action>|<respond_action>|<recover_action>

Operations consist of actions, action objects, and input parameters.

<protect_action>::=<protect_act><protect_obj>[inPara:’{‘<protection_inParas>’}’]

Protection actions include backup, permission, denial, encryption, authentication, etc., which can be extended by adding keywords.

<protect_act>::=back_up|permit|deny|crypt|authenticate

Protected objects include files, data packets, ip addresses, etc.

<protect_obj>::=<file>|<packet>|ip

Data packets include ip packets, TCP packets, UDP packets, and ICMP packets.

<packet>::=<ip_packet>|<tcp_packet>|<udp_packet>|<icmp_packet>

The ip packet includes the original IP address and the destination IP address.

<ip_packet>::=IP<src_ip><dst_ip>

TCP packets, UDP packets, and ICMP packets include IP addresses and port numbers.

<tcp_packet>::=TCP<src_ip><ports><dst_ip><ports>

<udp_packet>::=UDP<src_ip><ports><dst_ip><ports>

<icmp_packet>::=ICMP<src_ip><ports><dst_ip><ports>

IP address includes ip and mask.

<src_ip>::=(ip/mask)|any

<dst_ip>::=(ip/mask)|any

A port can be a specific port, a range of ports, or a port with a comparator, etc.

<ports>=<port>|<port>:<port>|<port_operator><port>|any

The parameters of the protection action mainly include backup priority, backup type, encryption or not, secure transmission, interface number, etc.

<protection_inPara>::=priority:<num>|type:(full|addition|offset)|crypt:(Y|N)|secure_trans:(Y|N)|interface:<num>

Detection operations include detecting data packets, checking viruses, scanning vulnerabilities, auditing logs and other operations.

<detection_action>::=<detect_act><detect_obj>[in_Para:’{‘<detection_inParas>’}’

<detect_act>::=detect|check_virus|scan|audit

<detect_obj>::=<IDS_rule>|<virus>|<vul>|<log>

<virus>::=<string>

<vul>::=cve-<cve_year>-<cve_number>

<log>::=<file>

<detection_inPara>::=(host:<num>)|(ip:<ip>)|(service:<service_name>)

<service_name>::=Web|Telnet|Rlogin|Ftp|SMTP

The ids rule includes two parts: the rule header and the rule body.

<ids_rule>::=<idsRule_head><idsRule_body>

<idsRule_head>::=<idsRule_action><packet>

<idsRule_action>::=alert|pass|log

The rule body includes detection options.

<idsRule_body>::=’(‘<options>’)’

<options>::=<option>|<options>;<option>

content is generally a binary bit string or character string, used for feature pattern matching, refenrence is the vulnerability information exploited by the attack, the fw parameter is the firewall number or IP address that needs to be linked when the rule is triggered, and vbase indicates that when the rule is triggered, it needs to Linked vulnerability database number or IP address.

<option>::=(message:<string>)|(content:<bin-str>|<string

>)|(refenrence:<vul>)|(fw:<num>|<ip>)|(vbase:<num>|<ip>)|resp:(rst_all|rst_rcv|rst_send|icmp_all|icmp_host|icmp_net| icmp_port)

Based on the above EBNF, a CNDSDL interpreter is designed. Analyze and identify the CNDSDL statement, so that the parameters of various statements are passed to the interface function. The lexical analysis and syntax analysis module codes in the CNDSDL interpreter are respectively generated by Flex and Bison tools. In the semantic analysis, according to the EBNF paradigm description in CNDSDL, respectively identify the global variable definition statement, task description statement, task relationship description statement, and Generate a defense scheme syntax tree, as shown in Figure 2.

(2) Solution deployment module

When a plan can be executed, if and only if the tasks of the plan do not constitute a deadlock, that is, there is no mutual timing dependency between the two tasks, so judging the task deadlock and selecting the correct task to run are the keys to the execution of the plan. According to the above task-related concepts and the relationship between tasks, the task deadlock detection and scheduling algorithm can be analyzed.

In this algorithm, the task graph is first constructed according to the seq_or relationship seq_and relationship between tasks. By performing a closure operation on the graph, if any directed edge is found to have a reverse edge, then the two tasks have a temporal dependency on each other, indicating that the scheme will generate Deadlock; otherwise, schedule a node with an in-degree of 0 from the task graph. If the logic execution result of all forward tasks with seq_or relationship of this node fails, the task must be executed. If the node has all forward tasks with seq_and relationship The task can only be executed if the logic execution result is executed successfully. The flow chart of this algorithm is shown in Fig.3.

(3) Scheme simulation module

The simulator GTNetS, which is based on discrete event-driven and supports distributed simulation, is used to simulate IDS detection tasks, firewall access control tasks, backup and recovery tasks, and linkage tasks of IDS, missed scans and firewalls.

IDS detection task

Simulation of Network Intrusion Detection (NIDS) based on signature detection. A typical representative of NIDS is Snort. Snort is a lightweight intrusion detection system, capable of intercepting network data packets, performing real-time analysis of network data, alarming and recording logs. Snort's packet interception is based on the libpcap library. Snort is composed of basic modules such as packet sniffer, preprocessor, detection engine, and alarm output. The processing flow of Snort on data packets is shown in Figure 4 below.

Rule parsing first reads the rule file, then reads each rule in turn, then parses it, and expresses it with the corresponding rule syntax, organizes the rules in memory, and builds a rule syntax tree.

All the rules in Snort are arranged into the main chain according to the rule header, and then the rules are inserted into this chain according to the rule options to form a rule tree. RTN (RuleTreeNode) nodes form the first layer of the rule tree, so that each option node OTN (OptTreeNode node) corresponds to a rule.

The detection engine uses the pattern matching method to detect network data packets, mainly to match the information of the data packets according to the rule tree to determine whether there is any intrusion.

Use GTNetS to simulate the detection process and detection results. The simulation of IDS includes sniffing and decoding of data packets, setting of intrusion detection rules and detection engine.

Use the PeekPDU function in GTNetS to get the decoded data packets in the simulation platform.

Drawing reference from the implementation of Snort, the detection rules are divided into two logical parts: rule header and rule options. The rule header includes rule action, protocol, source and destination IP address and network source code, and source and destination port information; the rule option part includes the alarm information content and the specific part of the packet to be checked.

For the setting of the detection engine part, the rule tree implemented by Snort is modified as follows. The first layer is ListHead, which contains the detection rule set corresponding to one type of attack. The different linked lists are further organized by protocol. The second layer is RTN; the third layer is the flag option node; the fourth layer is OTNIdx (OTNIndex) and OTN, and there is a one-to-one correspondence between them. The purpose of setting OTNIdx is to dynamically adjust the OTN according to the retrieval results. order. When a rule is matched, recursive traversal is performed according to the rule tree.

Access Control Tasks for Firewalls

Use GTNetS to simulate the packet filtering process of a firewall. Including static packet filtering and state-based packet filtering.

For static packet filtering. The firewall has a logic flow as shown in Figure 5 for the input data packets:

When an interface receives a packet, it first determines whether the ACL is applied to the interface. If not, route the packet normally. Process ACLs, if any. Starting with the first statement, the condition is compared to the contents of the packet. If there is no match, the next statement in the list will be processed. Action if there is a match: allow or deny. If the default action is Deny, then if the entire ACL is searched and there is no match, the packet will be discarded; if the default action is Allow, if the entire ACL is searched and there is no match, then the packet will be forwarded.

For outgoing ACLs, the process is similar, as shown in Figure 6. When a data packet is received, it first routes the data packet to the output interface, and then checks whether there is an ACL output on the interface, if not, queues the data packet and sends it out the interface. Otherwise, the packet is processed by comparison with the ACL entries, as described previously.

Because the access control list cannot track the connection state; therefore, if you want to send traffic from the internal network to the external network, and then allow the traffic to return safely, it is difficult for a static firewall to do so, unless you set static rules, and such static rules will also allow non- Packets of return traffic are passed through, so it would cause a security hole. That is, a standard or extended ACL always uses static entries to filter the configured information, and a stateful firewall is required to implement it. Stateful firewalls mainly filter by recording connection status information. For IP, TCP, UDP, and ICMP protocols, a feasible solution is to obtain connection-related information for Hash when connecting, and the firewall judges whether the traffic is return traffic based on Hash matching. So as to achieve the filtering effect.

other defense tasks

The simulation of the backup task in the protection task and the vulnerability confirmation task in the detection task is realized. The backup is the mapping from the target to its copy. By backing up the data and files in the system, it can be used in time when facing attacks and threats. Restoration tasks restore data, thereby ensuring network security. The vulnerability confirmation task is mainly to lower the false detection rate of IDS. For the attack characteristics detected by the IDS, perform vulnerability scanning and search in the vulnerability knowledge base to confirm whether there is such a vulnerability attack in the network. Through the description of the scheme description language, a linkage simulation considering IDS, firewall and vulnerability scanning system is finally realized.

(4) Execution result display module

The defense information of the defense node obtained in step (3), including the detection rule information of the IDS, the access control list information of the firewall, the backup recovery node information, etc., is displayed to the network security management personnel in the form of a report.

Claims (4)

1. a computer network defense scheme emulated execution system, is characterized in that comprising: scheme explanation module, plan implementation module, scheme emulation module and execution result display module, wherein:

Scheme explanation module: design and Implement a kind of computer network defense scheme descriptive language CNDSDL (ComputerNetworkDefenseSchemeDescriptionLanguage), provide EBNF (ExtendedBackus-NaurForm) normal form of this language, utilize lexical analyzer Flex and syntax analyzer Bison automatically to resolve described defense schemes file, parse the sequential-logical relation between various defensive missions and task;

Plan implementation module: the various types of defensive missions explained according to scheme explanation module, and the sequential-logical relation between task, thus judge whether there is mutual Temporal dependency relation between arbitrary two tasks, if exist, then deadlock will be caused, if do not exist, then scheduling arranges various defensive missions to realize emulation;

Scheme emulation module: the defensive missions that plan implementation module exports are input in emulation platform, realize the emulation of defensive missions, thus obtaining the emulated execution result of defending artificial tasks, the emulation of described defensive missions comprises: intruding detection system IDS artificial tasks, fire wall artificial tasks, vulnerability database artificial tasks and backup artificial tasks; The emulation of various defensive missions, by the knowledge in calling data storehouse, comprises vulnerability information, IDS (IntrusionDetectionSystems) rule and firewall rule;

Execution result display module: the emulated execution result of defence artificial tasks is shown with the form of command console, comprise the Access Control List (ACL) that fire wall task simulation will be presented at fire wall deploy, the detected rule that display is disposed by IDS artificial tasks;

The specific implementation process of described scheme explanation module:

(1) a kind of computer network defense scheme descriptive language is designed and Implemented, provide the EBNF normal form of this language, by the protection in this language performance defense schemes, detection, analysis, response and recovery tasks, and order between task and, order or, parallel with, walk abreast or and XOR relation; (2) CNDSDL interpreter is devised, input computer network defense scheme description document is resolved, parse the relation between defensive missions in defense schemes and task, and the main body in every bar task, operational set, execution time, execution result, and task restriction, the action that operation comprises, action object, action input parameter tlv triple; First carry out parsing to CNDSDL statement to identify, comprise lexical analysis and grammatical analysis, completed by Flex and Bison instrument respectively, thus by the Parameter transfer of various statement in interface function; Then semantic analysis is carried out, describe according to the EBNF normal form in CNDSDL, identify global variable definition statement, task description statement, task nexus descriptive statement respectively, and corresponding api interface is called to different statements, by Parameter transfer to the correlation module in analogue system, complete final scheme by analogue system to perform, interpreter achieves the parsing to CNDSDL source file by above flow process.

2. computer network defense scheme emulated execution system according to claim 1, is characterized in that: the specific implementation process of described plan implementation module:

The various types of defensive missions obtained after explanation are carried out to the Deadlock Detection of task, adopt the task deadlock detection algorithm based on figure, first build task image with order with relation according to the order between task or relation; By carrying out closure operation to figure, if find there is reverse edge in any directed edge, then two tasks exist mutually Temporal dependency relation, represents scheme meeting produce of deadlock; Otherwise, from task image, dispatch the node that in-degree is 0, if this node has all forward direction the Logic of Tasks execution result failures of order or relation, then this task must perform, run succeeded with all forward direction the Logic of Tasks execution results of relation if this node has order, then this task can perform.

3. computer network defense scheme emulated execution system according to claim 1, it is characterized in that: the specific implementation process of described scheme emulation module: the task through Deadlock Detection is called in emulation platform and realize emulation, adopt distributed emulation device (discreteevent-drivensimulator) GTNetS based on discrete event control system, conveniently big-and-middle-sized network is simulated; The access control rule of IDS detected rule and the fire wall produced in vulnerability information and simulation process will be stored in database, its concrete task simulation comprises following three parts: (1) adopts GTNetS to realize the emulation of a kind of Network Intrusion Detection System NIDS, and the feature detection paid close attention to wherein, NIDS is placed in the important network segment, ceaselessly monitor the various packets in the network segment, signature analysis is carried out to each packet or suspicious data; If packet is consistent with rule, then intruding detection system can send warning, or responds, and sends leak confirmation to leak, or releases the task of blocking packet to fire wall; (2) GTNetS is adopted to realize the access control emulation of fire wall, firewall applications in safe simulation is in Packet Filtering, and Packet Filtering is divided into static packet filtering and according to the filtration of state to packet, static packet filter firewall, when interface receives packet, first determine whether access control list ACL has been applied to this interface; If no, this packet of normal route, if had, according to this packet of ACL process, is more than the processing procedure to the ACL being arranged in input interface; Processing procedure for the ACL being arranged in output interface is upon reception of the data packet, first routes a data packet to output interface, then checks the application whether having ACL on this output interface, if do not had, is come by packet in queue, sends out interface; If had, according to this packet of ACL process;

The status information that status firewall connects mainly through record is filtered, for IP, TCP, UDP, ICMP agreement, a kind of feasible scheme will obtain join dependency information when connecting to carry out Hash, whether fire wall is return flow according to Hash matching judgment flow, thus reaches the effect of filtration; (3) GTNetS is adopted to realize the emulation of other defensive missions, achieve the emulation of the backup tasks in protection task and the confirmation of the leak in Detection task task, backup is the mapping that target arrives its copy, by backing up the data in system and file, when in the face of attacking and threaten, timely employing recovery tasks carries out the recovery of data, thus has ensured the security of network; Leak confirms that task reduces IDS false drop rate, to the attack signature that IDS detects, carries out vulnerability scanning, and searches in leak knowledge base, thus confirms the attack that whether there is this kind of leak in network; By the description of scheme descriptive language, finally achieve a kind of consideration IDS, the linkage simulation between fire wall and vulnerability scanning system.

4. computer network defense scheme emulated execution system according to claim 1, it is characterized in that: the specific implementation process of described execution result display module: the emulated execution result of defence artificial tasks is shown with the form of command console, according to the emulation phenomenon that scheme emulation module obtains, click the topological node in emulation, the emulated execution result of this node can be shown.