[Final Exam Review] Network Security Technology (Bilingual)

Network Security Technology (Bilingual)

Chapter 1 Network Security Essentials

1.Terminology

2.Key Security Concepts

3.Computer Security Challenges

4.OSI Security Architecture

5.Passive Attacks

6.Active Attacks

7.Security Service

8.Security Mechanism

9.Model for Network Access Security

Chapter 2 Network Security Essentials

1.Symmetric Encryption

2.Symmetric Block Cipher Algorithms

3.Stream Cipher Structure

4.Cipher Block Modes

2.Message Authentication

3.Hash Functions

4.Attacks on Hash Functions

5.Secure Hash Algorithm

6.HMAC Design Objectives

7.HMAC Security

8.Authenticated Encryption

9.Private-Key Cryptography

10.Why Public-Key Cryptography?

11.Diffie-Hellman Key Exchange

12.Digital Signatures

Cisco Networking Academy Courseware Chapter 7 Network Attacks: A Deeper Look

7.1 Network Monitoring and Tools

7.2 Attacking the Foundation

7.3 Attacking What We Do

Chapter 5 Transport-Level Security

1.Web Security

2.Web Security Threats

3.Web Traffic Security Approaches

4.SSL (Secure Socket Layer)

5.SSL Architecture

6.Cryptographic Computations

7.TLS (Transport Layer Security)

8.HTTPS

9.Secure Shell (SSH)

10.SSH Protocol Stack

11.Port Forwarding

Chapter 6 Wireless Network Security

1.IEEE 802.11

2.Wi-Fi Alliance

3.IEEE 802 Protocol Architecture

4.Network Components & Architecture

5.802.11 Wireless LAN Security

6.802.11i RSN Services and Protocols (Robust Security Network)

7.Other Security Problem

Chapter 7 Electronic Mail Security

1.Email Security

2.Email Security Enhancements

3.Pretty Good Privacy (PGP)

4.S/MIME (Secure/Multipurpose Internet Mail Extensions)

Chapter 8 IP Security

1.Chapter 8 IP Security

2.IP Security Overview

3.IP Security Architecture

4.IPSec Document Overview

5.IPSec Services

6.Security Associations (SA)

7.Key Management

Chapter 9 INTRUDERS

1.Intruders

2.Examples of Intrusion

3.Hackers

4.Criminal Enterprise

5.Insider Attacks

6.Intrusion Techniques

7.Intrusion Detection

8.Honeypots

9.Intrusion Detection Exchange Format

10.Password Management

Cisco Networking Academy Courseware Chapter 11

11.1 Technologies and Protocols

11.2 Log Files

Cisco Networking Academy Courseware Chapter 12 Intrusion Data Analysis

12.1 Evaluating Alerts

12.2 Working with Network Security Data

Chapter 10 Malicious Software

1.Types of Malicious Software

2.Viruses

5.DDoS

[Homework Problems]

[Appendix: English-Chinese Glossary of Information Security Terms]

Chapter 1 Network Security Essentials

1.Terminology

encryption, decryption, cryptography, confidentiality, integrity, availability, element, threat

2.Key Security Concepts

  • Confidentiality

1.Data confidentiality 2.Privacy

  • Integrity

1.Data integrity 2.System integrity

  • Availability
  • Additional concepts

1.Authenticity 2.Accountability

3.Computer Security Challenges

  • not simple
  • must consider potential attacks
  • procedures used are counter-intuitive
  • involve algorithms and secret info
  • must decide where to deploy mechanisms
  • battle of wits between attacker / admin
  • not perceived as a benefit until it fails
  • requires regular monitoring
  • too often an after-thought
  • regarded as an impediment to using the system

4.OSI Security Architecture

ITU-T X.800, “Security Architecture for OSI”, defines a systematic way of defining and providing security requirements. For us it provides a useful, if abstract, overview of the concepts we will study.

3 aspects of information security

    • security attack
    • security mechanism: detect, prevent, recover
    • security service

terms

  • threat – a potential for violation of security
  • attack – an assault on system security, a deliberate attempt to evade security services

5.Passive Attacks

  • Release of Message Contents
  • Traffic Analysis
  • Passive attacks do not affect system resources.
  • Eavesdropping, monitoring
  • Message transmission apparently normal. No alteration of the data.
  • Emphasis on prevention rather than detection, by means of encryption.

6.Active Attacks

  • Masquerade
  • Replay
  • Modification of Messages
  • Denial of Service

Active attacks try to alter system resources or affect their operation: modification of data, or creation of false data.

Difficult to prevent, so the goal is to detect and recover.

7.Security Service

  • enhance security of data processing systems and information transfers of an organization
  • intended to counter security attacks
  • using one or more security mechanisms
  • often replicates functions normally associated with physical documents, which, for example, have signatures, dates; need protection from disclosure, tampering, or destruction; be notarized or witnessed; be recorded or licensed

  • X.800:

“a service provided by a protocol layer of communicating open systems, which ensures adequate security of the systems or of data transfers”

    • Authentication - assurance that communicating entity is the one claimed
    • have both peer-entity & data origin authentication
    • Access Control - prevention of the unauthorized use of a resource
    • Data Confidentiality – protection of data from unauthorized disclosure
    • Data Integrity - assurance that data received is as sent by an authorized entity
    • Non-Repudiation - protection against denial by one of the parties in a communication
    • Availability – resource accessible/usable
  • RFC 2828:

“a processing or communication service provided by a system to give a specific kind of protection to system resources”

8.Security Mechanism

  • feature designed to detect, prevent, or recover from a security attack
  • no single mechanism that will support all services required
  • one particular element underlies many of the security mechanisms in use: cryptographic techniques

9.Model for Network Access Security

using this model requires us to:

1.select appropriate gatekeeper functions to identify users

2.implement security controls to ensure only authorised users access designated information or resources

Standards

NIST: National Institute of Standards and Technology

FIPS: Federal Information Processing Standards

SP: Special Publications

ISOC: Internet Society

Home for IETF (Internet Engineering Task Force) and IAB (Internet Architecture Board)

RFCs: Requests for Comments

Chapter 2 Network Security Essentials

1.Symmetric Encryption

  • also called conventional / private-key / single-key
  • sender and recipient share a common key
  • all classical encryption algorithms are private-key
  • was the only type prior to the invention of public-key in the 1970s
  • and by far the most widely used

Some Basic Terminology

plaintext - original message

ciphertext - coded message

cipher - algorithm for transforming plaintext to ciphertext

key - info used in cipher known only to sender/receiver

encipher (encrypt) - converting plaintext to ciphertext

decipher (decrypt) - recovering plaintext from ciphertext

cryptography - study of encryption principles/methods

cryptanalysis (codebreaking) - study of principles/methods of deciphering ciphertext without knowing key

cryptology - field of both cryptography and cryptanalysis

Symmetric Cipher Model

Requirements

two requirements for secure use of symmetric encryption:

      • a strong encryption algorithm
      • a secret key known only to sender / receiver

mathematically have:

Y = E(K, X), X = D(K, Y)

assume encryption algorithm is known

implies a secure channel to distribute key

Cryptography (can characterize cryptographic system by:)

    • type of encryption operations used

(1)substitution (2)transposition (3)product

    • number of keys used
      • single-key or private
      • two-key or public
    • way in which plaintext is processed
      • block OR stream

Cryptanalysis

  • objective to recover key not just message
  • general approaches:
    • cryptanalytic attack
        • ciphertext only: only know algorithm & ciphertext, is statistical, know or can identify plaintext
        • known plaintext: know/suspect plaintext & ciphertext
        • chosen plaintext: select plaintext and obtain ciphertext
        • chosen ciphertext: select ciphertext and obtain plaintext
        • chosen text: select plaintext or ciphertext to en/decrypt
    • brute-force attack
        • always possible to simply try every key
        • most basic attack, proportional to key size
        • assume either know / recognise plaintext
  • if either succeeds, all use of the key is compromised

An encryption scheme is computationally secure if:

1.The cost of breaking the cipher exceeds the value of information

2.The time required to break the cipher exceeds the lifetime of information

Feistel Cipher Structure

    • Horst Feistel devised the Feistel cipher
      • based on concept of invertible product cipher
    • partitions input block into two halves
      • process through multiple rounds which
      • perform a substitution on left data half
      • based on round function of right half & subkey
      • then have permutation swapping halves
    • implements Shannon’s S-P net concept
2.Symmetric Block Cipher Algorithms

DES (Data Encryption Standard)

3DES (Triple DES)

AES (Advanced Encryption Standard)

DES

  • most widely used block cipher in world
  • adopted in 1977 by NBS (now NIST)
    • as FIPS PUB 46
  • encrypts 64-bit data using 56-bit key
  • has widespread use
  • has considerable controversy over its security

DES Design Controversy

    • although DES standard is public, considerable controversy over design
      • in choice of 56-bit key (vs Lucifer 128-bit)
      • and because design criteria were classified
    • subsequent events and public analysis show in fact design was appropriate
    • use of DES has flourished
      • especially in financial applications
      • still standardised for legacy application use

Time to Break a DES Code (assuming 10^6 decryptions/us)

Multiple Encryption & DES

Triple DES

Triple-DES with Two-Keys

hence must use 3 encryptions

  • would seem to need 3 distinct keys

but can use 2 keys with E-D-E sequence

  • C = E_K1(D_K2(E_K1(P)))
  • nb encrypt & decrypt equivalent in security
  • if K1=K2 then can work with single DES

standardized in ANSI X9.17 & ISO8732

no current known practical attacks

  • several proposed impractical attacks might become basis of future attacks

[Ex]Why is the middle portion of 3DES a decryption rather than an encryption?

it is compatible with the older single DES by repeating the key.

no cryptographic significance

Double-DES

  • could use 2 DES encrypts on each block
    • C = E_K2(E_K1(P))
  • issue of reduction to single stage
  • and have “meet-in-the-middle” attack
    • works whenever use a cipher twice
    • since X = E_K1(P) = D_K2(C)
    • attack by encrypting P with all keys and store
    • then decrypt C with keys and match X value
    • takes O(2^56) steps
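The meet-in-the-middle search described above, as an added example that is not part of the original notes. It shows why encrypting twice adds roughly one bit of strength rather than doubling the key length. The toy cipher (16-bit block, 12-bit key) and all names in it are constructed for this demo and stand in for DES so the search finishes instantly.

```python
# Toy block cipher constructed for this demo; it is NOT DES.
MASK = 0xFFFF                       # 16-bit block
KEY_BITS = 12                       # small key space: 4096 keys
MULT = 0x2545                       # odd multiplier, invertible modulo 2**16
MULT_INV = pow(MULT, -1, 1 << 16)   # modular inverse (Python 3.8+)
ROUNDS = 4


def _subkey(key, rnd):
    """Round subkey derived from the key (constructed schedule)."""
    return (key * (2 * rnd + 3) + 0x9E37 * rnd) & MASK


def toy_encrypt(key, block):
    for rnd in range(ROUNDS):
        block ^= _subkey(key, rnd)
        block = (block * MULT) & MASK
        block = ((block << 5) | (block >> 11)) & MASK   # rotate left by 5
    return block


def toy_decrypt(key, block):
    for rnd in reversed(range(ROUNDS)):
        block = ((block >> 5) | (block << 11)) & MASK   # rotate right by 5
        block = (block * MULT_INV) & MASK
        block ^= _subkey(key, rnd)
    return block


def double_encrypt(k1, k2, block):
    """C = E_K2(E_K1(P)), the Double-DES construction with the toy cipher."""
    return toy_encrypt(k2, toy_encrypt(k1, block))


def meet_in_the_middle(pairs):
    """Recover (K1, K2) from known (plaintext, ciphertext) pairs.

    Returns (candidate key pairs, number of single-cipher operations used
    on the first pair). The work is 2 * 2**KEY_BITS, not 2**(2*KEY_BITS).
    """
    (p0, c0), rest = pairs[0], pairs[1:]
    work = 0

    # Forward half: X = E_K1(P) for every K1, stored by X.
    table = {}
    for k1 in range(1 << KEY_BITS):
        table.setdefault(toy_encrypt(k1, p0), []).append(k1)
        work += 1

    # Backward half: X = D_K2(C) for every K2, matched against the table.
    candidates = []
    for k2 in range(1 << KEY_BITS):
        work += 1
        for k1 in table.get(toy_decrypt(k2, c0), []):
            # Extra known pairs weed out accidental matches on X.
            if all(double_encrypt(k1, k2, p) == c for p, c in rest):
                candidates.append((k1, k2))
    return candidates, work


if __name__ == "__main__":
    K1, K2 = 0x3A7, 0xC15                       # constructed secret keys
    known = [(p, double_encrypt(K1, K2, p)) for p in (0x1234, 0xBEEF, 0x0F0F)]
    found, work = meet_in_the_middle(known)
    print("candidates:", [(hex(a), hex(b)) for a, b in found])
    print("operations:", work, "vs exhaustive", 1 << (2 * KEY_BITS))
```

With 56-bit DES keys the same two loops cost about 2 x 2^56 operations plus the table storage, which is why the notes go on to three encryptions.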

Triple-DES with Three-Keys

although no practical attacks on two-key Triple-DES have some concerns

  • Two-key: key length = 56*2 = 112 bits
  • Three-key: key length = 56*3 = 168 bits

can use Triple-DES with Three-Keys to avoid even these

  • C = E_K3(D_K2(E_K1(P)))

has been adopted by some Internet applications, eg PGP, S/MIME

 

Origins of AES

  • clearly a replacement for DES was needed
    • have theoretical attacks that can break it
    • have demonstrated exhaustive key search attacks
  • can use Triple-DES – but slow, has small blocks
  • US NIST issued call for ciphers in 1997
  • 15 candidates accepted in Jun 98
  • 5 were shortlisted in Aug-99
    • MARS
    • RC6
    • Rijndael (became AES)
    • Serpent
    • Twofish
  • Rijndael was selected as the AES in Oct-2000
  • issued as FIPS PUB 197 standard in Nov-2001

The AES Cipher - Rijndael

  • designed by Rijmen-Daemen in Belgium
  • has 128/192/256 bit keys, 128 bit data
  • an iterative rather than Feistel cipher
    • processes data as block of 4 columns of 4 bytes
    • operates on entire data block in every round
  • designed to be:
    • resistant against known attacks
    • speed and code compactness on many CPUs
    • design simplicity

 

Comparison

| Algorithm | Key Size (bits) | Block Size (bits) | Round |
| DES | 56 | 64 | 16 |
| Tri-DES | 112/168 | 64 | 48 |
| IDEA | 128 | 64 | 8 |
| AES | 128/192/256 | 128/192/256 | 10/12/14 |

Random Numbers

  • many uses of random numbers in cryptography
    • nonces in authentication protocols to prevent replay
    • session keys
    • public key generation
    • keystream for a one-time pad
  • in all cases it is critical that these values be
    • statistically random, uniform distribution, independent
    • unpredictability of future values from previous values
  • true random numbers provide this
  • care needed with generated random numbers

Pseudorandom Number Generators (PRNGs)

  • often use deterministic algorithmic techniques to create “random numbers”
    • although are not truly random
    • can pass many tests of “randomness”
  • known as “pseudorandom numbers”
  • created by “Pseudorandom Number Generators (PRNGs)”

Random & Pseudorandom Number Generators

PRNG Algorithm Design

  • Purpose-built algorithms, e.g. RC4
  • Algorithms based on existing cryptographic algorithms
    • Symmetric block ciphers
    • Asymmetric ciphers
    • Hash functions and message authentication codes

3.Stream Cipher Structure

  • some design considerations are:
    • long period with no repetitions
    • statistically random
    • depends on large enough key, e.g. 128 bits
    • large linear complexity
  • properly designed, can be as secure as a block cipher with same size key
  • but usually simpler & faster

Linear feedback shift register

A 4-bit Fibonacci LFSR with its state diagram. The XOR gate provides feedback to the register that shifts bits from left to right. The maximal sequence consists of every possible state except the "0000" state.

RC4

  • a proprietary cipher owned by RSA DSI
  • another Ron Rivest design, simple but effective
  • variable key size, byte-oriented stream cipher
  • widely used (web SSL/TLS, wireless WEP/WPA)
  • key forms random permutation of all 8-bit values
  • uses that permutation to scramble input info processed a byte at a time

RC4 Security

  • claimed secure against known attacks
    • have some analyses, none practical
  • result is very non-linear
  • since RC4 is a stream cipher, must never reuse a key
  • have a concern with WEP, but due to key handling rather than RC4 itself

4.Cipher Block Modes

The Most Important Modes

  • Electronic Codebook Mode (ECB)
  • Cipher Block Chaining Mode (CBC)
  • Cipher Feedback Mode (CFB)
  • Counter Mode (CTR)

Electronic Codebook (ECB)

  • message is broken into independent blocks which are encrypted
  • each block is a value which is substituted, like a codebook, hence name
  • each block is encoded independently of the other blocks
    • C_i = E_K(P_i)
  • uses: secure transmission of single values

Advantages and Limitations of ECB

  • message repetitions may show in ciphertext
    • if aligned with message block
    • particularly with data such as graphics
    • or with messages that change very little, which become a code-book analysis problem
  • weakness is due to the encrypted message blocks being independent
  • main use is sending a few blocks of data

Cipher Block Chaining (CBC)

  • message is broken into blocks
  • linked together in encryption operation
  • each previous cipher block is chained with current plaintext block, hence name
  • use Initial Vector (IV) to start process
    • C_i = E_K(P_i XOR C_{i-1})
    • C_0 = IV
  • uses: bulk data encryption, authentication

 

If C1 has one bit error during transmission, which block(s) will be corrupted?

P1 and P2
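The Feistel structure, the ECB repetition problem and the CBC error-propagation question above, worked through in one added example that is not part of the original notes. The round function, key schedule, key, IV and message are all constructed for the demo (a SHA-256-based toy, not DES); a real IV must be unpredictable.

```python
import hashlib

HALF = 4                 # bytes per Feistel half
BLOCK = 2 * HALF         # 64-bit block, the same size as DES
ROUNDS = 8


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def key_schedule(key):
    """One subkey per round (constructed schedule, not the DES one)."""
    return [hashlib.sha256(key + bytes([r])).digest()[:8] for r in range(ROUNDS)]


def round_fn(subkey, right):
    """F(subkey, right half). F itself does not have to be invertible."""
    return hashlib.sha256(subkey + right).digest()[:HALF]


def feistel(block, subkeys):
    left, right = block[:HALF], block[HALF:]
    for k in subkeys:
        # Substitute the left half using F(right, subkey), then swap halves.
        left, right = right, xor(left, round_fn(k, right))
    return right + left   # undo the last swap


def encrypt_block(subkeys, block):
    return feistel(block, subkeys)


def decrypt_block(subkeys, block):
    # Same structure, subkeys in reverse order.
    return feistel(block, subkeys[::-1])


def split(data):
    if len(data) % BLOCK:
        raise ValueError("data must be a whole number of blocks")
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def ecb_encrypt(subkeys, plaintext):
    # C_i = E_K(P_i): every block is independent.
    return b"".join(encrypt_block(subkeys, p) for p in split(plaintext))


def cbc_encrypt(subkeys, iv, plaintext):
    # C_i = E_K(P_i XOR C_{i-1}), C_0 = IV
    out, prev = [], iv
    for p in split(plaintext):
        prev = encrypt_block(subkeys, xor(p, prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(subkeys, iv, ciphertext):
    # P_i = D_K(C_i) XOR C_{i-1}
    out, prev = [], iv
    for c in split(ciphertext):
        out.append(xor(decrypt_block(subkeys, c), prev))
        prev = c
    return b"".join(out)


def corrupted_blocks(subkeys, iv, plaintext, bit=0):
    """Flip one bit of C1 and return the 1-based plaintext blocks that change."""
    if not 0 <= bit < 8 * BLOCK:
        raise ValueError("bit must lie inside the first ciphertext block")
    ct = bytearray(cbc_encrypt(subkeys, iv, plaintext))
    ct[bit // 8] ^= 1 << (bit % 8)
    recovered = split(cbc_decrypt(subkeys, iv, bytes(ct)))
    return [i + 1 for i, (a, b) in enumerate(zip(split(plaintext), recovered)) if a != b]


# Constructed sample values.
KEYS = key_schedule(b"constructed demo key")
IV = bytes(range(8))
MESSAGE = b"PAY 100$" * 3 + b"THE END."   # three identical blocks, then one more

if __name__ == "__main__":
    print("ECB:", [c.hex() for c in split(ecb_encrypt(KEYS, MESSAGE))])
    print("CBC:", [c.hex() for c in split(cbc_encrypt(KEYS, IV, MESSAGE))])
    print("blocks damaged by a 1-bit error in C1:", corrupted_blocks(KEYS, IV, MESSAGE, 5))
```

The flipped bit garbles all of P1 (it passes through D_K) and flips exactly one bit of P2 (it is only XORed in); P3 onward decrypt normally.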

 

Cipher FeedBack (CFB)

  • message is treated as a stream of bits
  • added to the output of the block cipher
  • result is fed back for next stage (hence name)
  • standard allows any number of bits (1, 8, 64 or 128 etc) to be fed back
    • denoted CFB-1, CFB-8, CFB-64, CFB-128 etc
  • most efficient to use all bits in block (64 or 128)
    • C_i = P_i XOR E_K(C_{i-1})
    • C_0 = IV
  • uses: stream data encryption, authentication

Advantages and Limitations of CFB

  • appropriate when data arrives in bits/bytes
  • most common stream mode
  • Limitation: need to stall while doing block encryption after every n-bits
  • note that the block cipher is used in encryption mode at both ends
  • errors propagate for several blocks after the error

Counter (CTR)

  • a “new” mode, though proposed early on
  • similar to OFB but encrypts counter value rather than any feedback value
  • must have a different key & counter value for every plaintext block (never reused)
    • O_i = E_K(i)
    • C_i = P_i XOR O_i
  • uses: high-speed network encryptions

efficiency

  • can do parallel encryptions in h/w or s/w
  • can preprocess in advance of need
  • good for bursty high speed links
  • random access to encrypted data blocks
  • provable security (good as other modes)
  • but must ensure never reuse key/counter values, otherwise could break (cf OFB)

Output Feedback Mode (OFB)

Chapter 3 Network Security Essentials

1.Glossary

authentication, signature, infeasible, performance, degradation

2.Message Authentication

  • message authentication is concerned with:
    • protecting the integrity of a message
    • validating identity of originator
    • non-repudiation of origin (dispute resolution)
  • the three alternative functions used:
    • message encryption
    • message authentication code (MAC)
    • hash function

If the ciphertext is modified during the transmission, can receiver find any problem?

Yes

MAC_M = F(K_AB, M)

  • Message not altered
  • The alleged sender confirmed
  • The proper sequence of messages assured

Similar to encryption

  • NIST recommends the use of DES
  • difference: authentication algorithm need not be reversible, less vulnerable

3.Hash Functions

  • condenses arbitrary message to fixed size: h = H(M)
    • No secret key needed
    • usually assume hash function is public
    • hash used to detect changes to message
  • want a cryptographic hash function
    • computationally infeasible to find data mapping to specific hash (one-way property)
    • computationally infeasible to find two data to same hash (collision-free property)

 

Hash Function Requirements

4.Attacks on Hash Functions

  • have brute-force attacks and cryptanalysis
  • a preimage or second preimage attack
    • find y s.t. H(y) equals a given hash value
  • collision resistance
    • find two messages x & y with same hash so H(x) = H(y)
  • hence value 2^(m/2) determines strength of hash code against brute-force attacks
    • 128-bits inadequate, 160-bits suspect

5.Secure Hash Algorithm

  • want a MAC based on a hash function
    • because hash functions are generally faster
    • crypto hash function code is widely available
  • hash includes a key along with message
  • original proposal: KeyedHash = Hash(Key|Message)
  • some weaknesses were found with this, which eventually led to development of HMAC

6.HMAC Design Objectives

  • use, without modifications, hash functions
  • allow for easy replaceability of embedded hash function
  • preserve original performance of hash function without significant degradation
  • use and handle keys in a simple way
  • have well understood cryptographic analysis of authentication mechanism strength

7.HMAC Security

  • proved security of HMAC relates to that of the underlying hash algorithm
  • attacking HMAC requires either:
    • brute force attack on key used
    • birthday attack
  • choose hash function used based on speed versus security constraints
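The HMAC construction that replaced Hash(Key|Message), written out as an added example that is not part of the original notes. It follows RFC 2104 (two nested calls to an unmodified hash, with the key XORed against the ipad and opad constants) and checks itself against Python's standard hmac module; the function names hmac_manual and verify_tag are made up for the example, and the key and messages are constructed.

```python
import hashlib
import hmac


def hmac_manual(key, message, hash_name="sha256"):
    """HMAC(K, M) = H((K' XOR opad) || H((K' XOR ipad) || M)).

    The embedded hash is used unmodified and chosen by name, so it can be
    swapped without touching the construction (the replaceability objective).
    """
    def h(data):
        return hashlib.new(hash_name, data).digest()

    block_size = hashlib.new(hash_name).block_size   # 64 for SHA-256, 128 for SHA-512

    # K' = key hashed down if longer than a block, then zero-padded to a block.
    if len(key) > block_size:
        key = h(key)
    key = key.ljust(block_size, b"\x00")

    ipad = bytes(b ^ 0x36 for b in key)
    opad = bytes(b ^ 0x5C for b in key)
    return h(opad + h(ipad + message))


def verify_tag(key, message, tag, hash_name="sha256"):
    """Recompute the tag and compare in constant time."""
    return hmac.compare_digest(hmac_manual(key, message, hash_name), tag)


# Constructed sample values.
KEY = b"shared secret K_AB"
MESSAGE = b"transfer 100 to account 42"

if __name__ == "__main__":
    for name in ("sha1", "sha256", "sha512"):
        ours = hmac_manual(KEY, MESSAGE, name)
        reference = hmac.new(KEY, MESSAGE, name).digest()
        print(name, ours.hex()[:16], "matches stdlib:", ours == reference)

    tag = hmac_manual(KEY, MESSAGE)
    print("genuine message accepted:", verify_tag(KEY, MESSAGE, tag))
    print("altered message accepted:", verify_tag(KEY, b"transfer 900 to account 42", tag))
    print("wrong key accepted:", verify_tag(b"another key", MESSAGE, tag))
```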

8.Authenticated Encryption

  • simultaneously protect confidentiality and authenticity of communications
    • often required but usually separate
  • approaches
    • Hash-then-encrypt: E(K, (M || H(M)))
    • MAC-then-encrypt: E(K2, (M || MAC(K1, M)))
    • Encrypt-then-MAC: (C=E(K2, M), T=MAC(K1, C))
    • Encrypt-and-MAC: (C=E(K2, M), T=MAC(K1, M))
  • decryption / verification straightforward

9.Private-Key Cryptography

traditional private/secret/single key cryptography uses one key

shared by both sender and receiver

if this key is disclosed communications are compromised

also is symmetric, parties are equal

hence does not protect sender from receiver forging a message & claiming is sent by sender

probably most significant advance in the 3000 year history of cryptography

uses two keys – a public & a private key

asymmetric since parties are not equal

uses clever application of number theoretic concepts to function

complements rather than replaces private key crypto

10.Why Public-Key Cryptography?

  • developed to address two key issues:
    • key distribution – how to have secure communications in general without having to trust a KDC with your key
    • digital signatures – how to verify a message comes intact from the claimed sender
  • public invention due to Whitfield Diffie & Martin Hellman at Stanford Uni in 1976
    • known earlier in classified community
  • public-key/two-key/asymmetric cryptography involves the use of two keys:

a public-key, which may be known by anybody, and can be used to encrypt messages, and verify signatures

a related private-key, known only to the recipient, used to decrypt messages, and sign (create) signatures

infeasible to determine private key from public

is asymmetric because those who encrypt messages or verify signatures cannot decrypt messages or create signatures

We can use public key to encrypt and private key to decrypt. Can we use private key to encrypt and public key to decrypt? Yes!

Symmetric vs Public-Key

RSA

best known & widely used public-key scheme

based on exponentiation in a finite (Galois) field over integers modulo a prime

nb. exponentiation takes O((log n)^3) operations (easy)

uses large integers (eg. 1024 bits)

security due to cost of factoring large numbers

nb. factorization takes O(e^(log n log log n)) operations (hard)

RSA En/decryption

  • to encrypt a message M the sender:
    • obtains public key of recipient PU={e,n}
    • computes: C = M^e mod n, where 0≤M<n
  • to decrypt the ciphertext C the owner:
    • uses their private key PR={d,n}
    • computes: M = C^d mod n
  • M must be smaller than the modulus n (block if needed)

RSA Key Setup

  • each user generates a public/private key pair by:
  • selecting two large primes at random: p, q
  • computing their system modulus n=p.q
    • note ø(n)=(p-1)(q-1)
  • selecting at random the encryption key e
    • where 1<e<ø(n), gcd(e,ø(n))=1
  • solve following equation to find decryption key d
    • e.d=1 mod ø(n) and 0≤d≤n
  • publish their public encryption key: PU={e,n}
  • keep secret private decryption key: PR={d,n}

Why RSA Works

  • because of Euler's Theorem:
    • a^ø(n)mod n = 1 where gcd(a,n)=1
  • in RSA have:
    • n=p.q
    • ø(n)=(p-1)(q-1)
    • carefully chose e & d to be inverses mod ø(n)
    • hence e.d=1+k.ø(n) for some k
  • hence: C^d = M^(e.d) = M^(1+k.ø(n)) = M^1.(M^ø(n))^k = M^1.(1)^k = M^1 = M mod n

RSA Example - Key Setup

Select primes: p=17 & q=11

Calculate n = pq =17 x 11=187

Calculate ø(n)=(p–1)(q-1)=16x10=160

Select e: gcd(e,160)=1; choose e=7

Determine d: de=1 mod 160 and d < 160. Value is d=23 since 23x7=161=1x160+1

Publish public key PU={7,187}

Keep secret private key PR={23,187}

RSA Example - En/Decryption

sample RSA encryption/decryption is:

given message M = 88 (nb. 88<187)

encryption:

C = 88^7 mod 187 = 11

decryption:

M = 11^(23) mod 187 = 88

Encryption

Map a-z to 0-25

(n,e)=(33,3)

(n,d)=(33,7)

Set plaintext M=public

E(p)=15^3 = 9 mod 33

E(u)=20^3 = 14 mod 33

E(b)=1^3 = 1 mod 33

E(l)=11^3 = 11 mod 33

E(i)=8^3 = 17 mod 33

E(c)=2^3 = 8 mod 33

c = E(M) = 09 14 01 11 17 08 = joblri

Decryption

Decrypt with d=7

D(j)= 09^7 = 15 mod 33, p

D(o)= 14^7 = 20 mod 33, u

D(b)= 01^7 = 1 mod 33, b

D(l)= 11^7 = 11 mod 33, l

D(r)= 17^7 = 8 mod 33, i

D(i)= 08^7 = 2 mod 33, c

If we use a very large modulus in previous encryption, is this method secure? No
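The two RSA examples above, reproduced as an added example that is not part of the original notes, followed by the reason the last answer is "No": encrypting one letter at a time is deterministic, so anyone holding the public key can tabulate all 26 possible ciphertexts, however large the modulus. The function names are made up for the example; the large modulus uses the Mersenne primes 2^31-1 and 2^61-1 with e=65537 as constructed values.

```python
from math import gcd
import string

ALPHABET = string.ascii_lowercase   # a-z mapped to 0-25, as in the notes


def make_keypair(p, q, e):
    """RSA key setup: returns (n, e, d) with e.d = 1 mod phi(n)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if not 1 < e < phi or gcd(e, phi) != 1:
        raise ValueError("need 1 < e < phi(n) and gcd(e, phi(n)) = 1")
    d = pow(e, -1, phi)             # modular inverse (Python 3.8+)
    return n, e, d


def encrypt(m, e, n):
    if not 0 <= m < n:
        raise ValueError("message must satisfy 0 <= M < n")
    return pow(m, e, n)             # C = M^e mod n


def decrypt(c, d, n):
    return pow(c, d, n)             # M = C^d mod n


def encrypt_letters(text, e, n):
    """Encrypt each letter separately, the scheme used in the 'public' example."""
    return [encrypt(ALPHABET.index(ch), e, n) for ch in text]


def decrypt_letters(blocks, d, n):
    return "".join(ALPHABET[decrypt(c, d, n)] for c in blocks)


def recover_without_private_key(blocks, e, n):
    """Invert letter-by-letter RSA using only the public key.

    There are only 26 possible plaintext blocks and encryption is
    deterministic, so the public key yields a complete codebook.
    """
    codebook = {encrypt(i, e, n): ch for i, ch in enumerate(ALPHABET)}
    return "".join(codebook[c] for c in blocks)


if __name__ == "__main__":
    # Key setup and en/decryption with the numbers from the notes.
    n, e, d = make_keypair(17, 11, 7)
    print("PU =", (e, n), "PR =", (d, n))
    print("E(88) =", encrypt(88, e, n), " D(11) =", decrypt(11, d, n))

    # The (n,e)=(33,3), (n,d)=(33,7) letter example.
    blocks = encrypt_letters("public", 3, 33)
    print(blocks, "".join(ALPHABET[c] for c in blocks), decrypt_letters(blocks, 7, 33))

    # Same scheme with a much larger modulus (constructed values).
    big_n, big_e, _ = make_keypair(2**31 - 1, 2**61 - 1, 65537)
    secret = encrypt_letters("public", big_e, big_n)
    print("recovered from public key only:", recover_without_private_key(secret, big_e, big_n))
```

Practical RSA encryption avoids this by padding each message with fresh random bytes before exponentiation (for example OAEP), so equal plaintexts no longer give equal ciphertexts.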

11.Diffie-Hellman Key Exchange

  • first public-key type scheme proposed
  • is a practical method for public exchange of a secret key
  • used in a number of commercial products
  • a public-key distribution scheme
  • cannot be used to exchange an arbitrary message
  • rather it can establish a common key
  • known only to the two participants
  • value of key depends on the participants (and their private and public key information)
  • based on exponentiation in a finite (Galois) field (modulo a prime or a polynomial) - easy
  • security relies on the difficulty of computing discrete logarithms (similar to factoring) – hard

 

 

Key Exchange Protocols

  • users could create random private/public D-H keys each time they communicate
  • users could create a known private/public D-H key and publish in a directory, then consulted and used to securely communicate with them
  • both of these are vulnerable to a Man-in-the-Middle Attack
  • authentication of the keys is needed

 

12.Digital Signatures

have looked at message authentication

but does not address issues of lack of trust

digital signatures provide the ability to:

verify author, date & time of signature

authenticate message contents

be verified by third parties to resolve disputes

hence include authentication function with additional capabilities

 

 

Cisco Networking Academy Courseware Chapter 7 Network Attacks: A Deeper Look

7.1 Network Monitoring and Tools

Network Monitoring Methods

  • Tools used to help discover normal network behavior include IDS, packet analyzers, SNMP, NetFlow, and others.
  • Traffic information capture methods
    • Network TAPs – Network test access points that forward all traffic including physical layer errors to an analysis device.
    • Port mirroring – enables a switch to copy frames of one or more ports to a Switch Port Analyzer (SPAN) port connected to an analysis device.

Network Taps

  • A network tap is typically a passive splitting device implemented inline between a device of interest and the network. A tap forwards all traffic including physical layer errors to an analysis device.
  • Taps are also typically fail-safe, which means if it fails or loses power, traffic between the firewall and internal router is not affected.

Traffic Mirroring and SPAN

  • Port mirroring enables the switch to copy frames of one or more ports to a Switch Port Analyzer (SPAN) port connected to an analysis device.
  • the switch will forward ingress traffic on F0/1 and egress traffic on F0/2 to the destination SPAN port G0/1 connecting to an IDS.
  • The association between source ports and a destination port is called a SPAN session. In a single session, one or multiple ports can be monitored. 

Network Security Monitoring Tools

  • Monitoring Tools:
    • Protocol Analyzers – Are programs used to capture traffic, e.g. Wireshark and tcpdump.
      • Analysts can use protocol analyzers such as Wireshark and tcpdump to see network exchanges down to the packet level.
      • Network protocol analyzers are also very useful for network troubleshooting, software and protocol development, and education. In security forensics, a security analyst may reconstruct an incident from relevant packet captures.
    • NetFlow – Provides a complete audit trail of basic information about every IP flow forwarded on a device.
      • NetFlow is a Cisco IOS technology that provides 24x7 statistics on packets flowing through a Cisco router or multilayer switch.
      • NetFlow can be used for network and security monitoring, network planning, and traffic analysis; however, it does not capture the content.
      • NetFlow collectors like Cisco Stealthwatch can also perform advanced functions including:
        • Flow stitching: It groups individual entries into flows.
        • Flow deduplication: It filters duplicate incoming entries from multiple NetFlow clients.
        • NAT stitching: It simplifies flows with NAT entries.
    • SIEM – Security Information Event Management systems provide real time reporting and long-term analysis of security events.
      • SIEM includes the following essential functions:
        • Forensic analysis – The ability to search logs and event records from sources throughout the organization. It provides more complete information for forensic analysis.
        • Correlation – Examines logs and events from different systems or applications, speeding detection of and reaction to security threats.
        • Aggregation - Aggregation reduces the volume of event data by consolidating duplicate event records.
        • Reporting - Reporting presents the correlated and aggregated event data in real-time monitoring and long-term summaries.
      • SIEM Systems
        • Splunk is one of the more popular proprietary SIEM systems used by Security Operation Centers.
        • As an open source option, this course uses the ELK suite for SIEM functionality. ELK is an acronym for three open source products from Elastic:
        • Elasticsearch - Document oriented full text search engine
        • Logstash - Pipeline processing system that connects "inputs" to "outputs" with optional "filters" in between
        • Kibana - Browser based analytics and search dashboard for Elasticsearch
    • SNMP – Simple Network Management Protocol provides the ability to request and passively collect information across all network devices./提供了跨所有网络设备请求和被动收集信息的能力。
  • Log files – It is also common for security analysts to access Syslog log files to read and analyze system events and alerts./日志文件—安全分析人员访问Syslog日志文件来读取和分析系统事件和警报也是很常见的。

7.2 Attacking the Foundation

IPv4 and IPv6

It is important for security analysts to understand the different fields in both the IPv4 and IPv6 headers because threat actors can tamper with packet information.

ICMP Attacks

  • ICMP was developed to carry diagnostic messages and to report error conditions when routes, hosts, and ports are unavailable. ICMP messages are generated by devices when a network error or outage occurs.
  • Common ICMP messages of interest to threat actors include:
    • ICMP echo request and echo reply – This is used to perform host verification and DoS attacks.
    • ICMP unreachable – This is used to perform network reconnaissance and scanning attacks.
    • ICMP mask reply – This is used to map an internal IP network.
    • ICMP redirects – This is used to lure a target host into sending all traffic through a compromised device and create a MITM attack.
    • ICMP router discovery – This is used to inject bogus route entries into the routing table of a target host.

DoS Attacks

  • The goal of a Denial of Service (DoS) attack is to prevent legitimate users from gaining access to websites, email, online accounts, and other services.
  • There are two major sources of DoS attacks:
    • Maliciously Formatted Packets – Threat actors craft a maliciously formatted packet and forward it to a susceptible host, causing the host to crash or become extremely slow.
    • Overwhelming Quantity of Traffic – Threat actors overwhelm a target network, host, or application, causing them to crash or become extremely slow.
  • A distributed DoS (DDoS) attack combines multiple DoS attacks. 

Amplification and Reflection Attacks

Threat actors often use amplification and reflection techniques to create DoS attacks. The example in the figure illustrates how an amplification and reflection technique called a Smurf attack is used to overwhelm a target host:

1. Amplification - The threat actor forwards ICMP echo request messages that contain the source IP address of the victim to a large number of hosts.

2. Reflection - These hosts all reply to the spoofed IP address of the victim to overwhelm it.

DDoS Attacks

  • A DDoS attack is larger in magnitude than a DoS attack because it originates from multiple, coordinated sources. DDoS attacks introduced new terms such as botnet, handler systems, and zombie computers.
  • A DDoS attack could proceed as follows:

1. The threat actor builds or purchases the use of a botnet of zombie hosts. The command-and-control (CnC) server communicates with zombies over a covert channel using IRC, P2P, DNS, HTTP, or HTTPS.

2. Zombie computers continue to scan and infect more targets to create more zombies.

3. When ready, the botmaster uses the handler systems to make the botnet of zombies carry out the DDoS attack on the chosen target.

Address Spoofing Attacks

IP address spoofing attacks occur when a threat actor creates packets with false source IP address information to either hide the identity of the sender or to pose as another legitimate user. The attacker can then gain access to otherwise inaccessible data or circumvent security configurations.

TCP Attacks

  • Although the TCP protocol is a connection-oriented and reliable protocol, there are still vulnerabilities that can be exploited.
  • TCP attacks target expected protocol behaviors:
    • TCP SYN flood attack
    • TCP reset attack
    • TCP session hijacking

UDP and UDP Attacks

  • UDP is a simple protocol that provides the basic transport layer functions. UDP is commonly used by DNS, TFTP, NFS, and SNMP. It is also used with real-time applications such as media streaming or VoIP. UDP is a connectionless transport layer protocol.
  • By default, UDP is not protected by any encryption. The lack of encryption allows anyone to look at the traffic, change it, and send it on to its destination.
  • UDP protocol attacks target the lack of protocol behaviors (UDP):
    • UDP checksum attack
    • UDP flood attack
    • UDP DoS attacks

7.3 Attacking What We Do

ARP Vulnerabilities

  • Hosts broadcast an ARP Request to other hosts on the segment to determine the MAC address of a host with a particular IP address.
  • All hosts on the subnet receive and process the ARP Request.
  • The host with the matching IP address in the ARP Request sends an ARP Reply.

ARP Cache Poisoning

  • ARP cache poisoning attacks deliberately poison the cache of another computer with spoofed IP address to MAC address mappings.
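
A passive check for the spoofed mappings described above, as an added example that is not part of the course material. The frame fields (`op`, `sender_ip`, `sender_mac`, `target_ip`) and the alert names are assumptions, and the sample frames are constructed from documentation address ranges.

```python
from collections import defaultdict


class ArpMonitor:
    """Passive ARP watcher: remembers IP-to-MAC bindings and flags suspicious frames."""

    def __init__(self):
        self.bindings = {}               # ip -> first MAC seen answering for it
        self.claims = defaultdict(set)   # mac -> every IP that MAC has claimed
        self.pending = set()             # (requester_ip, wanted_ip) not yet answered

    def observe(self, frame):
        """Return the list of alert names raised by one ARP frame."""
        alerts = []
        ip, mac = frame["sender_ip"], frame["sender_mac"].lower()
        if frame["op"] == "request":
            self.pending.add((ip, frame["target_ip"]))
        else:
            # A reply is solicited only if its target previously asked for this IP.
            asked = (frame["target_ip"], ip)
            if asked in self.pending:
                self.pending.discard(asked)
            else:
                alerts.append("unsolicited-reply")
        # Keep the first binding; a later, different MAC for the same IP is suspicious.
        if self.bindings.setdefault(ip, mac) != mac:
            alerts.append("binding-changed")
        # One MAC answering for several IPs is typical of a host inserting itself
        # between two peers (it is also normal for some routers and proxies).
        self.claims[mac].add(ip)
        if len(self.claims[mac]) > 1:
            alerts.append("mac-claims-multiple-ips")
        return alerts


# Constructed sample traffic: a normal request/reply, then forged replies that
# rebind both the gateway (192.0.2.1) and the host (192.0.2.10) to one MAC.
SAMPLE_FRAMES = [
    {"op": "request", "sender_ip": "192.0.2.10", "sender_mac": "00:00:5e:00:53:10",
     "target_ip": "192.0.2.1"},
    {"op": "reply", "sender_ip": "192.0.2.1", "sender_mac": "00:00:5e:00:53:01",
     "target_ip": "192.0.2.10"},
    {"op": "reply", "sender_ip": "192.0.2.1", "sender_mac": "00:00:5e:00:53:66",
     "target_ip": "192.0.2.10"},
    {"op": "reply", "sender_ip": "192.0.2.10", "sender_mac": "00:00:5e:00:53:66",
     "target_ip": "192.0.2.1"},
]


def run(frames):
    """Feed frames to a fresh monitor and return the alerts raised per frame."""
    monitor = ArpMonitor()
    return [monitor.observe(frame) for frame in frames]


if __name__ == "__main__":
    for frame, alerts in zip(SAMPLE_FRAMES, run(SAMPLE_FRAMES)):
        print(frame["op"], frame["sender_ip"], frame["sender_mac"], alerts or "ok")
```

Gratuitous ARP after a legitimate address change raises the same alerts, so treat them as leads to check against DHCP leases or switch port data.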

DNS Attacks

  • DNS servers resolve names to IP addresses and are a major target of attackers. Some DNS exploits are:
    • DNS Open Resolvers (public name servers)
    • DNS Stealth Attacks
    • DNS Shadowing Attacks – hijacked domains are used to create subdomains which are used to resolve to malicious web sites
    • DNS Tunneling Attacks – hides malicious instructions inside DNS queries and responses

DNS Tunneling

  • Threat actors who use DNS tunneling place non-DNS traffic within DNS traffic. This method often circumvents security solutions. For the threat actor to use DNS tunneling, the different types of DNS records such as TXT, MX, SRV, NULL, A, or CNAME are altered.
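
A detection sketch for the behaviour described above, added here and not taken from the course material. The thresholds, the choice of TXT and NULL as rarely used types, and the "last two labels" rule for the base domain are assumptions; the query log is constructed.

```python
import math
from collections import Counter, defaultdict

RARE_TYPES = {"TXT", "NULL"}   # assumption: types this network seldom resolves


def shannon_entropy(text):
    """Bits of entropy per character; encoded payloads score higher than words."""
    counts = Counter(text)
    return -sum(n / len(text) * math.log2(n / len(text)) for n in counts.values())


def score_query(qname, qtype):
    """Return the heuristics that one query trips (empty list = nothing odd)."""
    labels = qname.rstrip(".").lower().split(".")
    sub = "".join(labels[:-2])          # everything left of the base domain
    reasons = []
    if any(len(label) > 40 for label in labels):
        reasons.append("long-label")
    if len(sub) >= 16 and shannon_entropy(sub) > 3.8:
        reasons.append("high-entropy")
    if qtype.upper() in RARE_TYPES:
        reasons.append("rare-type")
    return reasons


def find_tunnel_candidates(queries, min_reasons=2, min_names=3):
    """Group suspicious names by base domain; a tunnel produces many unique ones."""
    suspicious = defaultdict(set)
    for qname, qtype in queries:
        if len(score_query(qname, qtype)) >= min_reasons:
            base = ".".join(qname.rstrip(".").lower().split(".")[-2:])
            suspicious[base].add(qname)
    return {base: sorted(names) for base, names in suspicious.items()
            if len(names) >= min_names}


# Constructed query log: ordinary lookups plus encoded-looking names under one domain.
SAMPLE_QUERIES = [
    ("www.example.com", "A"),
    ("_dmarc.example.com", "TXT"),
    ("autodiscover.mail.example.org", "A"),
    ("4f1a9c03e7b2d586d0c5b4a3f2e19687.t.tunnel.example", "TXT"),
    ("d0c5b4a3f2e196874f1a9c03e7b2d586.t.tunnel.example", "NULL"),
    ("4f1a9c03e7b2d586d0c5b4a3f2e196870123456789abcdef.t.tunnel.example", "CNAME"),
]

if __name__ == "__main__":
    for qname, qtype in SAMPLE_QUERIES:
        print(qtype.ljust(5), score_query(qname, qtype), qname)
    print(find_tunnel_candidates(SAMPLE_QUERIES))
```

Requiring two heuristics and several distinct names keeps a single legitimate TXT lookup, such as the `_dmarc` record, from raising an alert.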

DHCP

  • A DHCP attack could result in every host on the network communicating with malicious DNS servers and gateways. A DHCP spoofing attack creates a rogue DHCP server to serve falsified information.

HTTP and HTTPS

  • Browsing the Web is possibly the largest vector of attack. Security analysts should have in depth knowledge of how web attacks work.
    • Malicious iFrames – an iFrame allows a page from a different domain to be opened inline within the current page. The iFrame can be used to launch malicious code.
    • HTTP 302 cushioning – allows a web page to redirect and open in a different URL. Can be used to redirect to malicious code.
    • Domain shadowing – malicious web sites are created from subdomains created from a hijacked domain.

Email

  • Email messages are accessed from many different devices that are often not protected by the company’s firewall.
    • Attachment-based attacks – email with malicious executable files attached.
    • Email spoofing – phishing attack where the message appears to come from a legitimate source.
    • Spam email – unsolicited email with advertisements or malicious content.
    • Open mail relay server – massive amount of spam and worms can be sent by misconfigured email servers.
    • Homoglyphs – phishing scheme where text characters (hyperlinks) look similar to real text and links.
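
A link check for the homoglyph item above, added here as an example that is not part of the course material. The confusables table is a small constructed subset and the protected-domain list is an assumption; a production check would use the full Unicode confusables data.

```python
import unicodedata

# Constructed subset of look-alike characters mapped to the Latin letter they imitate.
CONFUSABLES = {
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
    "\u0440": "p",  # CYRILLIC SMALL LETTER ER
    "\u0441": "c",  # CYRILLIC SMALL LETTER ES
    "\u0456": "i",  # CYRILLIC SMALL LETTER BYELORUSSIAN-UKRAINIAN I
    "0": "o",
    "1": "l",
}

PROTECTED = {"example.com"}   # assumption: domains the organisation wants to protect


def scripts(label):
    """Unicode scripts used by the letters of one hostname label."""
    return {unicodedata.name(ch).split()[0] for ch in label if ch.isalpha()}


def skeleton(host):
    """Replace each known look-alike with the character it imitates."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in host.lower())


def check_link(host, protected=PROTECTED):
    """Return findings for a hostname taken from a hyperlink in a message."""
    host = host.lower()
    findings = []
    if any(len(scripts(label)) > 1 for label in host.split(".")):
        findings.append("mixed-script label")
    if host not in protected and skeleton(host) in protected:
        findings.append("imitates " + skeleton(host))
    return findings


if __name__ == "__main__":
    # Constructed hostnames: the real one, two look-alikes, and an unrelated one.
    for host in ["example.com", "ex\u0430mple.com", "examp1e.com", "example.org"]:
        print(host.encode("unicode_escape").decode(), check_link(host))
```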

Web-Exposed Databases

  • Web applications commonly connect to a relational database. Because relational databases often contain sensitive data, databases are a frequent target for attacks.
    • Command injection attacks – insecure code and web application allows OS commands to be injected into form fields or the address bar.
    • XSS Cross-site scripting attacks – insecure server-side scripting where the input is not validated allows scripting commands to be inserted into user generated forms fields, like web page comments. This results in visitors being redirected to a malicious website with malware code.
    • SQL injection attacks – insecure server-side scripting allows SQL commands to be inserted into form fields where the input is not validated.
    • HTTP injection attacks – manipulation of html allows executable code to be injected through HTML div tags, etc.
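
The SQL injection item above, shown as the insecure lookup beside its hardened form. This is an added example, not code from the course material; the table, column and function names are hypothetical and the rows are constructed.

```python
import re
import sqlite3


def make_db():
    """In-memory database holding constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (username TEXT PRIMARY KEY, email TEXT)")
    conn.executemany(
        "INSERT INTO accounts VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    return conn


def find_account_vulnerable(conn, username):
    """Insecure: the form field is pasted into the SQL text and parsed as SQL."""
    sql = "SELECT username, email FROM accounts WHERE username = '" + username + "'"
    return sorted(conn.execute(sql).fetchall())


def find_account_safe(conn, username):
    """Hardened: the field is bound as a parameter, so it is only ever data."""
    sql = "SELECT username, email FROM accounts WHERE username = ?"
    return sorted(conn.execute(sql, (username,)).fetchall())


def valid_username(username):
    """Input validation as a second layer: allow-list of characters and length."""
    return re.fullmatch(r"[A-Za-z0-9_.-]{1,32}", username) is not None


# Constructed form input that closes the quote and appends an always-true condition.
FORM_INPUT = "nobody' OR '1'='1"


def demo():
    """Run the same input through both lookups and the validator."""
    conn = make_db()
    return {
        "vulnerable_rows": find_account_vulnerable(conn, FORM_INPUT),
        "safe_rows": find_account_safe(conn, FORM_INPUT),
        "passes_validation": valid_username(FORM_INPUT),
        "normal_lookup": find_account_safe(conn, "alice"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The concatenated query returns every account for this input, while the bound query looks for a user literally named `nobody' OR '1'='1` and finds none.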

Chapter 5 Transport-Level Security

1.Web Security

Internet & Web are vulnerable, and have a variety of threats

    • integrity
    • confidentiality
    • denial of service
    • authentication
  • need added security mechanisms

2.Web Security Threats

  • In terms of passive and active attacks
  • In terms of location of the threat

Web server, Web browser, network traffic between browser and server

3.Web Traffic Security Approaches

4.SSL (Secure Socket Layer)

  • transport layer security service
  • originally developed by Netscape
  • version 3 designed with public input
  • subsequently became Internet standard known as TLS (Transport Layer Security)
  • uses TCP to provide a reliable end-to-end service
  • SSL has two layers of protocols

5.SSL Architecture

Can we find TCP three-way handshakes in a SSL traffic stream? Yes

  • SSL connection
    • a transient, peer-to-peer, communications link
    • associated with 1 SSL session
  • SSL session
    • an association between client & server
    • created by the Handshake Protocol
    • define a set of cryptographic parameters
    • may be shared by multiple SSL connections
  • confidentiality
    • using symmetric encryption with a shared secret key defined by Handshake Protocol, such as AES, IDEA, RC2-40, DES-40, DES, 3DES, Fortezza, RC4-40, RC4-128
    • message is compressed before encryption
  • message integrity
    • using a MAC with shared secret key
    • similar to HMAC but with different padding

SSL Handshake Protocol

Can SSL/TLS defend against SYN Flooding attack? No

SSL Record Protocol Operation

SSL Record Format

SSL Change Cipher Spec Protocol

  • one of 3 SSL specific protocols which use the SSL Record protocol
  • a single message
  • causes pending state to become current
  • hence updating the cipher suite in use

SSL Alert Protocol

  • conveys SSL-related alerts to peer entity
  • severity
    • warning or fatal
  • specific alert
    • fatal: unexpected message, bad record mac, decompression failure, handshake failure, illegal parameter
    • warning: close notify, no certificate, bad certificate, unsupported certificate, certificate revoked, certificate expired, certificate unknown
  • compressed & encrypted like all SSL data

SSL Handshake Protocol

  • allows server & client to:
    • authenticate each other
    • to negotiate encryption & MAC algorithms
    • to negotiate cryptographic keys to be used
  • comprises a series of messages in phases
  1. Establish Security Capabilities
  2. Server Authentication and Key Exchange
  3. Client Authentication and Key Exchange
  4. Finish

6.Cryptographic Computations

  • master secret creation
    • a one-time 48-byte value
    • generated using secure key exchange (RSA / Diffie-Hellman) and then hashing info
  • generation of cryptographic parameters
    • client write MAC secret, a server write MAC secret, a client write key, a server write key, a client write IV, and a server write IV
    • generated by hashing master secret

7.TLS (Transport Layer Security)

  • IETF standard RFC 5246 similar to SSLv3
  • with minor differences
    • in record format version number
    • uses HMAC for MAC
    • a pseudo-random function expands secrets
      • based on HMAC using SHA-1 or MD5
    • has additional alert codes
    • some changes in supported ciphers
    • changes in certificate types & negotiations
    • changes in crypto computations & padding
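
How a pseudo-random function built on HMAC expands secrets into the 48-byte master secret and the six write parameters listed under Cryptographic Computations, as an added example that is not part of the course material. It uses the TLS 1.0 construction from RFC 2246, which XORs an HMAC-MD5 stream with an HMAC-SHA-1 stream; TLS 1.2 (RFC 5246) keeps the same `P_hash` expansion with a single hash. The secrets, randoms and key sizes below are constructed.

```python
import hmac


def p_hash(hash_name, secret, seed, length):
    """P_hash: chain A(i) = HMAC(secret, A(i-1)) and output HMAC(secret, A(i) + seed)."""
    out, a = b"", seed                      # A(0) is the seed
    while len(out) < length:
        a = hmac.new(secret, a, hash_name).digest()
        out += hmac.new(secret, a + seed, hash_name).digest()
    return out[:length]


def tls10_prf(secret, label, seed, length):
    """TLS 1.0 PRF: P_MD5 over the first half of the secret XOR P_SHA-1 over the second."""
    half = (len(secret) + 1) // 2           # halves share a byte when the length is odd
    s1, s2 = secret[:half], secret[len(secret) - half:]
    md5_stream = p_hash("md5", s1, label + seed, length)
    sha_stream = p_hash("sha1", s2, label + seed, length)
    return bytes(x ^ y for x, y in zip(md5_stream, sha_stream))


def derive_keys(pre_master, client_random, server_random,
                mac_len=20, key_len=24, iv_len=8):
    """Derive the master secret, then cut the key block into the six parameters.

    Default sizes fit a 3DES-CBC cipher with a SHA-1 MAC (an assumption for the demo).
    """
    master = tls10_prf(pre_master, b"master secret",
                       client_random + server_random, 48)
    block = tls10_prf(master, b"key expansion",
                      server_random + client_random,
                      2 * (mac_len + key_len + iv_len))
    layout = [
        ("client_write_MAC_secret", mac_len), ("server_write_MAC_secret", mac_len),
        ("client_write_key", key_len), ("server_write_key", key_len),
        ("client_write_IV", iv_len), ("server_write_IV", iv_len),
    ]
    keys, offset = {"master_secret": master}, 0
    for name, size in layout:
        keys[name] = block[offset:offset + size]
        offset += size
    return keys


# Constructed handshake values (not captured from any real session).
SAMPLE_PRE_MASTER = bytes(range(48))
SAMPLE_CLIENT_RANDOM = bytes([0xC1]) * 32
SAMPLE_SERVER_RANDOM = bytes([0x5E]) * 32

if __name__ == "__main__":
    derived = derive_keys(SAMPLE_PRE_MASTER, SAMPLE_CLIENT_RANDOM, SAMPLE_SERVER_RANDOM)
    for name, value in derived.items():
        print(f"{name:24} {len(value):2} bytes  {value.hex()}")
```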

8.HTTPS

  • HTTPS (HTTP over SSL)
    • combination of HTTP & SSL/TLS to secure communications between browser & server
      • documented in RFC2818
      • no fundamental change using either SSL or TLS
  • use https:// URL rather than http://
    • and port 443 rather than 80
  • encrypts
    • URL, document contents, form data, cookies, HTTP headers

In HTTPS, port 443 is usually used by Server!

HTTPS Use

  • connection initiation
    • TLS handshake then HTTP request(s)
  • connection closure
    • have “Connection: close” in HTTP record
    • TLS level exchange close_notify alerts
    • can then close TCP connection
    • must handle TCP close before alert exchange sent or completed

9.Secure Shell (SSH)

  • protocol for secure network communications
    • designed to be simple & inexpensive
  • SSH1 provided secure remote logon facility
    • replace TELNET & other insecure schemes
    • also has more general client/server capability
  • SSH2 fixes a number of security flaws
    • documented in RFCs 4250 through 4256
  • SSH clients & servers are widely available
  • method of choice for remote login/ X tunnels

10.SSH Protocol Stack

 

SSH Transport Layer Protocol

  • server authentication occurs at transport layer, based on server/host key pair(s)
    • server authentication requires clients to know public host keys in advance
  • packet exchange
    • establish TCP connection
    • can then exchange data
      • identification string exchange, algorithm negotiation, key exchange, end of key exchange, service request
    • using specified packet format

SSH User Authentication Protocol

  • authenticates client to server
  • three message types:

    • SSH_MSG_USERAUTH_REQUEST
    • SSH_MSG_USERAUTH_FAILURE
    • SSH_MSG_USERAUTH_SUCCESS

  • authentication methods used
    • public-key, password, host-based

SSH Connection Protocol

  • runs on SSH Transport Layer Protocol
  • assumes secure authentication connection
  • used for multiple logical channels
    • SSH communications use separate channels
    • either side can open with unique id number
    • flow controlled
    • have three stages:
      • opening a channel, data transfer, closing a channel
    • four types:
      • session, x11, forwarded-tcpip, direct-tcpip.

SSH Connection Protocol Exchange

11.Port Forwarding

  • convert insecure TCP connection into a secure SSH connection
    • SSH Transport Layer Protocol establishes a TCP connection between SSH client & server
    • client traffic redirected to local SSH, travels via tunnel, then remote SSH delivers to server
  • supports two types of port forwarding
    • local forwarding – hijacks selected traffic
    • remote forwarding – client acts for server

Chapter 6 Wireless Network Security

1.IEEE 802.11

IEEE 802 committee for LAN standard

charter to develop a protocol & transmission specifications for wireless LANs (WLANs)

since then demand for WLANs, at different frequencies and data rates, has exploded

2.Wi-Fi Alliance

  • initially for 802.11b, later extended to 802.11g
  • concerned with a range of WLANs markets, including enterprise, home, and hot spots

3.IEEE 802 Protocol Architecture

4.Network Components & Architecture

5.802.11 Wireless LAN Security

  • wireless traffic can be monitored by any radio in range, not physically connected
  • original 802.11 spec had security features
    • Wired Equivalent Privacy (WEP) algorithm, but found this contained major weaknesses
  • 802.11i task group developed capabilities to address WLAN security issues
    • Wi-Fi Alliance Wi-Fi Protected Access (WPA)
    • final 802.11i Robust Security Network (RSN)

6.802.11i RSN Services and Protocols

802.11i RSN Cryptographic Algorithms

802.11i Phases of Operation

802.11i Discovery and Authentication Phases

IEEE 802.1X Access Control Approach

802.11i Key Management Phase

802.11i Protected Data Transfer Phase

  • have two schemes for protecting data
  • Temporal Key Integrity Protocol (TKIP)
    • s/w changes only to older WEP
    • adds 64-bit Michael message integrity code (MIC)
    • encrypts MPDU plus MIC value using RC4
  • Counter Mode-CBC MAC Protocol (CCMP)
    • uses the cipher block chaining message authentication code (CBC-MAC) for integrity
    • uses the CTR block cipher mode of operation

7.Other Security Problem

  • WEP Crack
  • DoS – Jamming
  • Evil Twin AP

Chapter 7 Electronic Mail Security

1.Email Security

  • email is one of the most widely used and regarded network services
  • currently message contents are not secure
    • may be inspected either in transit
    • or by suitably privileged users on destination system

2.Email Security Enhancements

  • confidentiality: protection from disclosure
  • authentication: of sender of message
  • message integrity: protection from modification
  • non-repudiation of origin: protection from denial by sender

3.Pretty Good Privacy (PGP)

  • widely used de facto secure email
  • developed by Phil Zimmermann
  • selected best available crypto algs to use
  • integrated into a single program
  • on Unix, PC, Macintosh and other systems
  • originally free, now also have commercial versions available

PGP Operation – Authentication

  1. sender creates message
  2. make SHA-1 160-bit hash of message
  3. attached RSA signed hash to message
  4. receiver decrypts & recovers hash code
  5. receiver verifies received message hash

PGP Operation – Confidentiality

  1. sender forms 128-bit random session key
  2. encrypts message with session key
  3. attaches session key encrypted with RSA
  4. receiver decrypts & recovers session key
  5. session key is used to decrypt message

PGP Operation – Confidentiality & Authentication

  • can use both services on same message

    • create signature & attach to message
    • encrypt both message & signature
    • attach RSA/ElGamal encrypted session key

PGP Operation – Compression

  • by default PGP compresses message after signing but before encrypting
    • so can store uncompressed message & signature for later verification
    • & because compression is non deterministic
  • uses ZIP compression algorithm

PGP Operation – Email Compatibility

  • when using PGP will have binary data to send (encrypted message etc)
    • however email was designed only for text
  • hence PGP must encode raw binary data into printable ASCII characters
  • uses radix-64 algorithm
    • maps 3 bytes to 4 printable chars
    • also appends a CRC
  • PGP also segments messages if too big
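
The radix-64 step above in code: 3 bytes become 4 printable characters and a CRC is appended so the receiver can detect corruption. This is an added example, not PGP's own code; the CRC-24 initial value and polynomial are the ones OpenPGP ASCII armor specifies (RFC 4880), while the armor header lines and message segmentation are left out and the function names are hypothetical.

```python
import base64

CRC24_INIT = 0xB704CE
CRC24_POLY = 0x1864CFB


def crc24(data):
    """CRC-24 as used by OpenPGP armor, computed over the raw (unencoded) bytes."""
    crc = CRC24_INIT
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= CRC24_POLY
    return crc & 0xFFFFFF


def armor(data, width=64):
    """Encode bytes as radix-64 lines followed by '=' and the encoded 3-byte CRC."""
    encoded = base64.b64encode(data).decode("ascii")
    lines = [encoded[i:i + width] for i in range(0, len(encoded), width)]
    checksum = base64.b64encode(crc24(data).to_bytes(3, "big")).decode("ascii")
    return "\n".join(lines + ["=" + checksum])


def dearmor(text):
    """Decode armored text; raise ValueError if the checksum line is missing or wrong."""
    *body, last = text.strip().splitlines()
    if len(last) != 5 or not last.startswith("="):
        raise ValueError("missing CRC line")
    data = base64.b64decode("".join(body), validate=True)
    if crc24(data) != int.from_bytes(base64.b64decode(last[1:]), "big"):
        raise ValueError("CRC mismatch")
    return data


def is_intact(text):
    """True when the armored text decodes and its CRC matches."""
    try:
        dearmor(text)
        return True
    except ValueError:
        return False


# Constructed binary payload standing in for an encrypted message.
SAMPLE_MESSAGE = bytes(range(256)) * 2

if __name__ == "__main__":
    armored = armor(SAMPLE_MESSAGE)
    print(armored)
    print("round trip ok:", dearmor(armored) == SAMPLE_MESSAGE)
    damaged = ("B" if armored[0] != "B" else "C") + armored[1:]
    print("damaged copy accepted:", is_intact(damaged))
```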

PGP Operation – Summary

PGP Session Keys

  • need a session key for each message
    • of varying sizes: 56-bit DES, 128-bit CAST or IDEA, 168-bit Triple-DES
  • generated using ANSI X12.17 mode
  • uses random inputs taken from previous uses and from keystroke timing of user

PGP Public & Private Keys

  • since many public/private keys may be in use, need to identify which is actually used to encrypt session key in a message
    • could send full public-key with every message
    • but this is inefficient
  • rather use a key identifier based on key
    • least significant 64-bits of the key
    • will very likely be unique
  • also use key ID in signatures

PGP Message Format

 

PGP Key Rings

  • each PGP user has a pair of keyrings:

    • public-key ring contains all the public-keys of other PGP users known to this user, indexed by key ID
    • private-key ring contains the public/private key pair(s) for this user, indexed by key ID & encrypted keyed from a hashed passphrase
  • security of private keys thus depends on the pass-phrase security

PGP Message Generation

PGP Message Reception

PGP Key Management

  • rather than relying on certificate authorities
  • in PGP every user is own CA
    • can sign keys for users they know directly
  • forms a “web of trust”
    • trust keys have signed
    • can trust keys others have signed if have a chain of signatures to them
  • key ring includes trust indicators
  • users can also revoke their keys

PGP Trust Model Example

4.S/MIME (Secure/Multipurpose Internet Mail Extensions)

  • security enhancement to MIME email
    • original Internet RFC822 email was text only
    • MIME provided support for varying content types and multi-part messages
    • with encoding of binary data to textual form
    • S/MIME added security enhancements
  • have S/MIME support in many mail agents: MS Outlook, Mozilla, Mac Mail etc

S/MIME Certificate Processing

  • S/MIME uses X.509 v3 certificates (Ch.4)
  • managed using a hybrid of a strict X.509 CA hierarchy & PGP’s web of trust
  • each client has a list of trusted CA’s certs
  • and own public/private key pairs & certs
  • certificates must be signed by trusted CA’s

Certificate Authorities

  • have several well-known CA’s
  • Verisign one of most widely used
  • Verisign issues several types of Digital IDs
  • increasing levels of checks & hence trust

| Class | Identity Checks | Usage |
|-------|-----------------|-------|
| 1 | name/email check | web browsing/email |
| 2 | + enroll/addr check | email, subs, s/w validate |
| 3 | + ID documents | e-banking/service access |

Internet Mail Architecture

Chapter 8 IP Security

1.Chapter 8 IP Security

IPv4 Header

IPv6 Header

2.IP Security Overview

IPSec is not a single protocol. Instead, IPSec provides a set of security algorithms plus a general framework that allows a pair of communicating entities to use whichever algorithms provide security appropriate for the communication.

Applications of IPSec

  • Secure branch office connectivity over the Internet
  • Secure remote access over the Internet
  • Establishing extranet and intranet connectivity with partners
  • Enhancing electronic commerce security

IP Security Scenario

  • Benefits of IPSec
    • Transparent to applications (below transport layer (TCP, UDP))
    • Provide security for individual users
  • IPSec can assure that:
    • A router or neighbor advertisement comes from an authorized router
    • A redirect message comes from the router to which the initial packet was sent
    • A routing update is not forged

3.IP Security Architecture

  • IPSec documents:
    • RFC 2401: An overview of security architecture
    • RFC 2402: Description of a packet encryption extension to IPv4 and IPv6
    • RFC 2406: Description of a packet encryption extension to IPv4 and IPv6
    • RFC 2408: Specification of key management capabilities

4.IPSec Document Overview

5.IPSec Services

  • Access Control
  • Connectionless integrity
  • Data origin authentication
  • Rejection of replayed packets
  • Confidentiality (encryption)
  • Limited traffic flow confidentiality

6.Security Associations (SA)

  • A one way relationship between a sender and a receiver.
  • Identified by three parameters:
    • Security Parameter Index (SPI)
    • IP Destination address
    • Security Protocol Identifier
 

| | Transport Mode SA | Tunnel Mode SA |
|---|---|---|
| AH | Authenticates IP payload and selected portions of IP header and IPv6 extension headers | Authenticates entire inner IP packet plus selected portions of outer IP header |
| ESP | Encrypts IP payload and any IPv6 extension header | Encrypts inner IP packet |
| ESP with authentication | Encrypts IP payload and any IPv6 extension header. Authenticates IP payload but no IP header | Encrypts inner IP packet. Authenticates inner IP packet. |

Before applying AH

Tunnel Mode (AH Authentication)

Authentication Header

Provides support for data integrity and authentication (MAC code) of IP packets.

Guards against replay attacks.

End-to-end versus End-to-Intermediate Authentication

Encapsulating Security Payload

ESP provides confidentiality services

Encryption and Authentication Algorithms

  • Encryption:
    • Three-key triple DES
    • RC5
    • IDEA
    • Three-key triple IDEA
    • CAST
    • Blowfish
  • Authentication:
    • HMAC-MD5-96
    • HMAC-SHA-1-96

ESP Encryption and Authentication

Combinations of Security Associations

 

7.Key Management

  • Two types:
    • Manual
    • Automated
      • Oakley Key Determination Protocol
        • Three authentication methods:
          • Digital signatures
          • Public-key encryption
          • Symmetric-key encryption
      • Internet Security Association and Key Management Protocol (ISAKMP)

 

Chapter 9 INTRUDERS

1.Intruders

  • significant issue for networked systems is hostile or unwanted access
  • either via network or local
  • can identify classes of intruders:
    • masquerader, misfeasor, clandestine user
  • varying levels of competence
2.Examples of Intrusion

  • remote root compromise
  • web server defacement
  • guessing / cracking passwords
  • copying / viewing sensitive data / databases
  • running a packet sniffer
  • distributing pirated software
  • using an unsecured modem to access net
  • impersonating a user to reset password
  • using an unattended workstation

3.Hackers

  • motivated by thrill of access and status
    • hacking community a strong meritocracy
    • status is determined by level of competence
  • benign intruders might be tolerable
    • do consume resources and may slow performance
    • can’t know in advance whether benign or malign
  • IDS / IPS / WAF / VPNs can help counter
  • awareness led to establishment of CERTs
    • collect / disseminate vulnerability info / responses

Hacker Behavior Example

  1. select target using IP lookup tools
  2. map network for accessible services
  3. identify potentially vulnerable services
  4. brute force (guess) passwords
  5. install remote administration tool
  6. wait for admin to log on and capture password
  7. use password to access remainder of network

 

4.Criminal Enterprise

  • organized groups of hackers now a threat
    • corporation / government / loosely affiliated gangs
    • typically young
    • often Eastern European or Russian hackers
    • often target credit cards on e-commerce server
  • criminal hackers usually have specific targets
  • once penetrated act quickly and get out
  • IDS / IPS help but less effective
  • sensitive data needs strong protection

Criminal Enterprise Behavior

  • act quickly and precisely to make their activities harder to detect
  • exploit perimeter via vulnerable ports
  • use trojan horses (hidden software) to leave back doors for re-entry
  • use sniffers to capture passwords
  • do not stick around until noticed
  • make few or no mistakes.

5.Insider Attacks

  • among most difficult to detect and prevent
  • employees have access & systems knowledge
  • may be motivated by revenge / entitlement
    • when employment terminated
    • taking customer data when move to competitor
  • IDS / IPS may help but also need:
    • least privilege, monitor logs, strong authentication, termination process to block access & mirror data

Insider Behavior Example

  1. create network accounts for themselves and their friends
  2. access accounts and applications they wouldn't normally use for their daily jobs
  3. e-mail former and prospective employers
  4. conduct furtive instant-messaging chats
  5. visit web sites that cater to disgruntled employees, such as f'dcompany.com
  6. perform large downloads and file copying
  7. access the network during off hours.

6.Intrusion Techniques

  • aim to gain access and/or increase privileges on a system
  • often use system / software vulnerabilities
  • key goal often is to acquire passwords
    • so then exercise access rights of owner
  • basic attack methodology
    • target acquisition and information gathering
    • initial access
    • privilege escalation
    • covering tracks

Password Guessing

  • one of the most common attacks
  • attacker knows a login (from email/web page etc)
  • then attempts to guess password for it
    • defaults, short passwords, common word searches
    • user info (variations on names, birthday, phone, common words/interests)
    • exhaustively searching all possible passwords
  • check by login or against stolen password file
  • success depends on password chosen by user
  • surveys show many users choose poorly

Password Capture

  • another attack involves password capture
    • watching over shoulder as password is entered
    • using a trojan horse program to collect
    • monitoring an insecure network login
      • eg. telnet, FTP, web, email
    • extracting recorded info after successful login (web history/cache, last number dialed etc)
  • using valid login/password can impersonate user
  • users need to be educated to use suitable precautions/countermeasures

7.Intrusion Detection

  • inevitably will have security failures
  • so need also to detect intrusions so can
    • block if detected quickly
    • act as deterrent
    • collect info to improve security
  • assume intruder will behave differently to a legitimate user
    • but will have imperfect distinction between

Anderson and the Audit Reduction Problem

  • Anderson wrote a report for the U.S. Air Force in 1980
  • Seminal work on intrusion detection
  • Changes to computer audit mechanisms to provide information
  • The goal is audit reduction
    • The elimination of redundant or irrelevant records from security audit trails

Denning, Neumann, and IDES

  • Late 1980s – Real-time Intrusion Detection
    • Principles formalized by D. Denning (from Purdue)
    • Created the Intrusion Detection Expert System (IDES)
      • Hybrid of anomaly detection and an expert system
      • Used adaptive statistical profiles and policy rules
    • Seminal work in intrusion detection. Many more followed
      • Haystack, MIDAS, NADIR, NSM, Wisdom and Sense

 

Information Source: System calls, system logs, application logs, audit…

Approaches to Intrusion Detection

  • statistical anomaly detection
    • attempts to define normal/expected behavior
    • threshold
    • profile based
  • rule-based detection (or signature-based, or misuse detection)
    • attempts to define proper/bad behavior
    • penetration identification

Statistical Anomaly Detection

  • threshold detection
    • count occurrences of specific event over time
    • if exceed reasonable value assume intrusion
    • alone is a crude & ineffective detector
  • profile based
    • characterize past behavior of users
    • detect significant deviations from this
    • profile usually multi-parameter

Audit Record Analysis

  • foundation of statistical approaches
  • analyze records to get metrics over time
    • counter, gauge, interval timer, resource use
  • use various tests on these to determine if current behavior is acceptable
    • mean & standard deviation, multivariate, markov process, time series, operational
    • machine learning methods
  • key advantage is no prior knowledge used
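The difference between threshold detection and profile-based detection, using the mean and standard deviation test on a counter metric (failed logins per user per day). This is an added example, not part of the original notes; the user names, history values and cut-offs are constructed assumptions.

```python
from collections import Counter
from statistics import mean, pstdev

# Constructed audit records for one day: (user, event). Not real log data.
TODAY = (
    [("alice", "login_failed")] * 7
    + [("bob", "login_failed")] * 11
    + [("svc_backup", "login_failed")] * 3
    + [("alice", "login_ok"), ("bob", "login_ok")]
)

# Constructed history: failed logins per day over the previous seven days.
HISTORY = {
    "alice": [1, 0, 2, 1, 1, 0, 2],       # rarely mistypes
    "bob": [8, 9, 7, 10, 8, 9, 9],        # noisy but stable
    "svc_backup": [0, 0, 0, 0, 0, 0, 0],  # service account, never fails
}


def count_events(records, event):
    """Counter metric: occurrences of one event type per user."""
    return Counter(user for user, ev in records if ev == event)


def threshold_detect(counts, limit):
    """Threshold detection: one fixed limit applied to every user."""
    return sorted(user for user, n in counts.items() if n > limit)


def profile_detect(counts, history, z_limit=3.0, min_std=0.5):
    """Profile-based detection: compare each user with their own past.

    Returns {user: z_score} for users whose count lies more than z_limit
    standard deviations above their historical mean. min_std keeps a
    perfectly flat history (std = 0) from causing a division by zero.
    """
    alerts = {}
    for user, n in counts.items():
        past = history.get(user)
        if not past:
            alerts[user] = float("inf")  # no profile yet: always review
            continue
        mu = mean(past)
        sigma = max(pstdev(past), min_std)
        z = (n - mu) / sigma
        if z > z_limit:
            alerts[user] = round(z, 2)
    return alerts


if __name__ == "__main__":
    failed = count_events(TODAY, "login_failed")
    print("threshold (>10):", threshold_detect(failed, 10))
    print("profile (z>3):  ", profile_detect(failed, HISTORY))
```

The fixed threshold flags only bob, whose 11 failures are close to his normal level, and misses alice and svc_backup, whose counts are far outside their own profiles.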

Strengths and Drawbacks

  • Strengths
    • Discover unknown vulnerabilities
    • Do not require the constant updates
  • Drawbacks
    • Perform batch mode processing
    • Do not take into account the sequential relationships between events
    • High false alarm rates (including false negative and false positive)

Rule-Based Intrusion Detection

  • observe events on system & apply rules to decide if activity is suspicious or not
  • rule-based detection
    • analyze historical audit records to identify usage patterns & auto-generate rules for them
    • then observe current behavior & match against rules to see if conforms
  • rule-based penetration identification
    • uses expert systems technology
    • with rules identifying known penetration, weakness patterns, or suspicious behavior
    • compare audit records or states against rules
    • rules usually machine & O/S specific
    • rules are generated by experts who interview & codify knowledge of security admins
    • quality depends on how well this is done
  • Strengths
    • Accurate
    • low false alarm rates (including false negative and false positive)
  • Drawbacks
    • Cannot discover unknown vulnerabilities
    • Require the constant updates

Base-Rate Fallacy

  • practically an intrusion detection system needs to detect a substantial percentage of intrusions with few false alarms
    • if too few intrusions detected -> false security
    • if too many false alarms -> ignore / waste time
  • this is very hard to do
  • existing systems seem not to have a good record

Demo-Snort

  • An open source network intrusion prevention and detection system (IDS/IPS)
  • Network-based
  • Approaches:
    • Signature (or rule-based)
    • Protocol
    • Anomaly-based inspection

 

Distributed Intrusion Detection

  • traditional focus is on single systems
  • but typically have networked systems
  • more effective defense has these working together to detect intrusions
  • issues
    • dealing with varying audit record formats
    • integrity & confidentiality of networked data
    • centralized or decentralized architecture

Agent Implementation

 

8.Honeypots

  • decoy systems to lure attackers
    • away from accessing critical systems
    • to collect information of their activities
    • to encourage attacker to stay on system so administrator can respond
  • are filled with fabricated information
  • instrumented to collect detailed information on attackers activities
  • single or multiple networked systems: Honeynet

9.Intrusion Detection Exchange Format

  • Facilitate the development of distributed IDS
  • cf IETF Intrusion Detection WG standards
  • Interoperability
    • IDS
    • Response Systems
    • Honeypot or Honeynet
    • Firewall
    • ……

10.Password Management

  • front-line defense against intruders
  • users supply both:
    • login – determines privileges of that user
    • password – to identify them
  • passwords often stored encrypted
    • Unix uses multiple DES (variant with salt)
    • more recent systems use crypto hash function
  • should protect password file on system

Cisco Networking Academy Courseware, Chapter 11

11.1 Technologies and Protocols

  • Syslog and NTP
    • Syslog and Network Time Protocol (NTP) essential to work of cybersecurity analyst
      • Syslog is used for logging event messages from network devices and endpoints.
      • Syslog servers typically listen on UDP port 514.
      • Syslog servers may be a target for threat actors.
      • Hackers may block the transfer of data, tamper with log data, or tamper with software that creates and transmits log messages.
      • Enhancements provided by syslog-ng (next generation).
    • NTP (Network Time Protocol)
      • Syslog messages are usually timestamped using the Network Time Protocol (NTP).
      • NTP operates on UDP port 123.
      • Timestamps are essential for detection of an exploit.
      • Threat actors may attempt to attack NTP to corrupt time information used to correlate logged network events.
      • Threat actors use NTP systems to direct DDoS attacks.
  • DNS
    • DNS is used by many types of malware.
    • Attackers encapsulate different network protocols within DNS to evade security devices.
    • Some malware use DNS to communicate with command-and-control (CnC) servers and to exfiltrate data in traffic disguised as normal DNS queries.
    • Malware could encode stolen data as the subdomain portion of a DNS lookup for a domain where the nameserver is under control of an attacker.
    • DNS queries for randomly generated domain names, or extremely long random-appearing subdomains, should be considered suspicious, especially if their occurrence spikes dramatically on the network.
  • HTTP and HTTPS
    • All information carried in HTTP is transmitted in plaintext from the source computer to the destination on the Internet. HTTP does not protect data from alteration or interception.
    • Web-based threats consist of malware scripts that have been planted on webservers that direct browsers to infected servers by loading iframes.
    • In iFrame injection, a threat actor compromises a webserver and plants malicious code which creates an invisible iFrame on a commonly visited webpage.
    • When the iFrame loads, malware is downloaded.
    • HTTPS adds a layer of encryption to the HTTP protocol by using secure socket layer (SSL).
    • SSL makes the HTTP data unreadable as it leaves the source computer until it reaches the server.
    • Encrypted HTTPS traffic complicates network security monitoring.
    • HTTPS adds complexity to packet captures.

  • Email protocols
    • Email protocols such as SMTP, POP3, and IMAP can be used by threat actors to spread malware, exfiltrate data, or provide channels to malware CnC servers.
      • SMTP sends data from a host to a mail server and between mail servers and is not always monitored.
      • IMAP and POP3 are used to download email messages from a mail server to the host computer and can be responsible for bringing malware to the host.
      • Security monitoring can identify when a malware attachment entered the network and which host it first infected.
  • ICMP - can be used to craft a number of types of exploits.
    • Can be used to identify hosts on a network, the structure of a network, and determine the operating systems at use on the network.
    • Can also be used as a vehicle for various types of DoS attacks.
    • ICMP can also be used for data exfiltration through ICMP traffic from inside the network.
      • ICMP tunneling - Malware uses crafted ICMP packets to transfer files from infected hosts to threat actors.
  • ACLs - ACLs may provide a false sense of security.
    • Attackers can determine which IP addresses, protocols, and ports are allowed by Access Control Lists (ACLs), by port scanning, penetration testing, or through other forms of reconnaissance.
    • Attackers can craft packets that use spoofed source IP addresses or applications can establish connections on arbitrary ports.
  • NAT and PAT - can complicate security monitoring.
    • Multiple IP addresses are mapped to one or more public addresses that are visible on the Internet.
    • Hides the individual IP addresses that are inside the network.
  • Encryption, Encapsulation, and Tunneling
    • Encryption
      • Makes traffic contents unreadable by cybersecurity analysts.
      • Part of Virtual Private Network (VPN) and HTTPS.
    • Virtual point-to-point connection between an internal host and threat actor devices
      • Malware can establish an encrypted tunnel that rides on a common and trusted protocol, and use it to exfiltrate data from the network.
    • Peer-to-Peer Networking and Tor
      • Peer-to-Peer network activity
      • Can circumvent firewall protections and is a common vector for the spread of malware.
        • Three types of Peer-to-Peer applications exist: file sharing, processor sharing, and IM.
        • File-sharing P2P applications should not be allowed on corporate networks.
    • Tor is a software platform and network of Peer-to-Peer hosts that function as Internet routers on the Tor network.
      • Allows users to browse the Internet anonymously using a special browser.
      • Can be used to hide identity of threat actors and used by criminal organizations.
  • Load Balancing
    • Load balancing is the distribution of traffic between devices or network paths to prevent overwhelming network resources.
      • Some load balancing approaches use DNS to send traffic to resources that have the same domain name but multiple IP addresses.
      • This can result in a single Internet transaction being represented by multiple IP addresses on the incoming packets.
      • This may cause suspicious features to appear in packet captures.

11.2 Log Files

Alert Data

  • Alert Data consists of messages generated by IPSs or IDSs in response to traffic that violates a rule or matches the signature of a known exploit.
  • A network IDS (NIDS), such as Snort, comes configured with rules for known exploits.
  • Alerts are generated by Snort and are made readable and searchable by applications such as Sguil, which are part of the Security Onion suite of NSM tools.

Session and Transaction Data

  • Session Data is a record of a conversation between two network endpoints.
    • Includes a session ID, the amount of data transferred by source and destination, and information related to the duration of the session.
    • Bro is a network security monitoring tool.
  • Transaction data consists of the messages that are exchanged during network sessions.
    • Can be viewed in packet capture transcripts.

Full Packet Capture

  • Full Packet Capture contains the actual contents of the conversations themselves, including the text of email messages, the HTML in webpages, and the files that enter or leave the network.

Statistical Data

  • Statistical Data is about network traffic.
    • Created through the analysis of other forms of network data.
    • Allow conclusions to be made that describe or predict network behavior.
    • Normal network behavior can be compared to current traffic to detect anomalies.
  • Cisco Cognitive Threat Analytics is an NSM tool.
    • Able to find malicious activity that has bypassed security controls, or entered through unmonitored channels (including removable media), and is operating inside an organization’s environment.

Host Logs

  • Host-based intrusion protection (HIDS) runs on individual hosts.
    • HIDS not only detects intrusions, but in the form of host-based firewalls, can also prevent intrusion.
    • Creates logs and stores them on the host.
    • Microsoft Windows host logs are visible locally through Event Viewer.
    • Event Viewer keeps four types of logs: Application logs, System logs, Setup logs, and Security logs.

Syslog

  • Many types of network devices can be configured to log events to syslog servers.
    • Client/server protocol
    • Syslog messages have three parts: PRI (priority), HEADER, and MSG (message text).
      • PRI consists of two elements, the Facility and Severity of the message.
      • Facility consists of broad categories of sources that generated the message, such as the system, process, or application; it directs the message to the appropriate log file.
      • Severity is a value from 0-7 that defines the severity of the message.
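A parser for the three-part message layout described above, as an added example that is not part of the original courseware. It assumes the BSD syslog line format, in which PRI = Facility × 8 + Severity and lower severity numbers are more urgent; the sample lines and host names are constructed.

```python
import re

SEVERITIES = ["emergency", "alert", "critical", "error",
              "warning", "notice", "informational", "debug"]
# Conventional facility names for codes 0-23.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert",
              "clock"] + [f"local{i}" for i in range(8)]

# <PRI>, then HEADER (timestamp and hostname), then MSG.
_LINE = re.compile(
    r"^<(\d{1,3})>"
    r"([A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) (\S+) "
    r"(.*)$"
)

# Constructed sample messages, not captured from a real device.
SAMPLE = [
    "<38>Mar  3 04:12:09 gw01 sshd[811]: Failed password for invalid user "
    "admin from 192.0.2.15 port 52114 ssh2",
    "<187>Mar  3 04:12:11 core-sw1 %LINK-3-UPDOWN: Interface Gi0/1, "
    "changed state to down",
    "<34>Mar  3 04:13:40 db02 su: authentication failure for root",
    "<999>Mar  3 04:14:00 gw01 bogus: PRI value is out of range",
]


def parse_syslog(line):
    """Split one line into PRI (facility, severity), HEADER and MSG."""
    m = _LINE.match(line)
    if m is None:
        raise ValueError("not a BSD syslog line: %r" % line[:40])
    pri = int(m.group(1))
    if pri > 191:  # 23 * 8 + 7 is the largest valid PRI
        raise ValueError("PRI out of range: %d" % pri)
    facility, severity = divmod(pri, 8)
    return {
        "pri": pri,
        "facility": FACILITIES[facility],
        "severity_code": severity,
        "severity": SEVERITIES[severity],
        "timestamp": m.group(2),
        "host": m.group(3),
        "msg": m.group(4),
    }


def urgent(lines, max_severity=3):
    """Return (messages at severity <= max_severity, unparseable lines).

    Malformed lines are kept rather than dropped: a log source that starts
    sending garbage is itself worth an analyst's attention.
    """
    hits, rejected = [], []
    for line in lines:
        try:
            rec = parse_syslog(line)
        except ValueError:
            rejected.append(line)
            continue
        if rec["severity_code"] <= max_severity:
            hits.append(rec)
    return hits, rejected


if __name__ == "__main__":
    hits, rejected = urgent(SAMPLE)
    for rec in hits:
        print(rec["host"], rec["facility"], rec["severity"], rec["msg"])
    print("rejected:", len(rejected))
```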

Server Logs

  • Server Logs are an essential source of data for network security monitoring.
    • Email and web servers keep access and error logs.
    • DNS proxy server logs document all DNS queries and responses that occur on the network.
    • DNS proxy logs can identify hosts that visited dangerous websites and identify DNS data exfiltration and connections to malware CnC servers.
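Detection logic for the DNS indicators these notes describe (very long or random-looking labels, and many such queries from one host to one domain), run over DNS proxy log lines. This is an added example, not part of the original courseware; the log format, the cut-off values and every name in the sample are constructed assumptions, and the base domain is taken naively as the last two labels.

```python
import math
from collections import Counter, defaultdict

LONG_LABEL = 32       # assumed cut-off; DNS allows labels of up to 63 bytes
ENTROPY_MIN_LEN = 16  # entropy is unreliable on short labels
ENTROPY_LIMIT = 3.8   # bits per character, assumed cut-off

# Constructed DNS proxy log (hypothetical format: time client qname qtype).
LOG = """\
2024-03-03T04:10:01Z 10.0.0.21 www.example.com A
2024-03-03T04:10:02Z 10.0.0.21 autodiscover.corp.example A
2024-03-03T04:10:05Z 10.0.0.37 mzxw6ytboi2gk3tdmvzxgzlsorsxg5dfon2gs3th.t1.exfil-test.invalid TXT
2024-03-03T04:10:06Z 10.0.0.37 nfxgc3tdmvzxg2lomvzsa43fmnzgk5banruw4zjr.t1.exfil-test.invalid TXT
2024-03-03T04:10:07Z 10.0.0.37 gezdgnbvgy3tqojqgezdgnbvgy3tqojqmfrggzdf.t1.exfil-test.invalid TXT
2024-03-03T04:11:30Z 10.0.0.44 qzxkvjwpbtmhgdlcyrfn.example A
2024-03-03T04:12:00Z 10.0.0.21 mail.example.org MX
""".splitlines()


def shannon_entropy(text):
    """Entropy of the character distribution, in bits per character."""
    counts = Counter(text)
    total = len(text)
    return -sum(c / total * math.log2(c / total) for c in counts.values())


def split_name(qname):
    """Return (labels without the TLD, base domain = last two labels)."""
    labels = qname.rstrip(".").lower().split(".")
    return labels[:-1], ".".join(labels[-2:])


def query_reasons(qname):
    """List the indicators a single query name triggers (empty if none)."""
    labels, _ = split_name(qname)
    reasons = []
    if any(len(lab) >= LONG_LABEL for lab in labels):
        reasons.append("long_label")
    if any(len(lab) >= ENTROPY_MIN_LEN and shannon_entropy(lab) >= ENTROPY_LIMIT
           for lab in labels):
        reasons.append("high_entropy")
    return reasons


def find_suspects(lines):
    """Group flagged queries by (client, base domain), busiest first.

    Each result is (client, base_domain, distinct_flagged_names, reasons).
    """
    hits = defaultdict(lambda: {"names": set(), "reasons": set()})
    for line in lines:
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed log lines
        _ts, client, qname, _qtype = parts
        reasons = query_reasons(qname)
        if reasons:
            _, base = split_name(qname)
            entry = hits[(client, base)]
            entry["names"].add(qname.lower())
            entry["reasons"].update(reasons)
    report = [(client, base, len(e["names"]), sorted(e["reasons"]))
              for (client, base), e in hits.items()]
    return sorted(report, key=lambda row: -row[2])


if __name__ == "__main__":
    for row in find_suspects(LOG):
        print(row)
```

The cut-offs need tuning against a site's own baseline, because some legitimate services also generate long or random-looking names.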

Apache Webserver Access Logs

  • Apache Webserver access logs record the requests for resources from clients to the server.
    • Two log formats
      • Common log format (CLF)
      • Combined log format, which is CLF with the addition of the referrer and user agent fields 

IIS Access Logs

Microsoft IIS creates access logs that can be viewed from the server with Event Viewer.

SIEM and Log Collection

    • Security Information and Event Management (SIEM) technology
      • Provides real-time reporting and long-term analysis of security events.
      • Uses the following functions: Log collection, Normalization, Correlation, Aggregation, Reporting, Compliance
      • A popular SIEM is Splunk.

TCPdump

  • Tcpdump command line tool is a popular packet analyzer.
    • Displays packet captures in real time, or writes packet captures to a file.
    • Captures detailed packet protocol and content data.
    • Wireshark is a GUI built on tcpdump functionality.

NetFlow

Application Visibility and Control

Content Filter Logs

  • Devices that provide content filtering
    • Cisco Email Security Appliance (ESA)
    • Cisco Web Security Appliance (WSA)
  • Provide a wide range of functionalities for security monitoring. Logging is available for many of these functionalities.

Logging from Cisco Devices

  • Cisco devices can be configured to submit events and alerts to security management platforms using SNMP or syslog.

Proxy Logs

  • Proxy servers contain valuable logs that are a primary source of data for network security monitoring.
    • Proxy servers make requests for resources and return them to the client.
    • Generate logs of all requests and responses.
    • Can be analyzed to determine which hosts are making the requests, whether the destinations are safe or potentially malicious, and to gain insights into the kind of resources that have been downloaded.
  • Web proxies provide data that helps determine whether responses from the web were generated in response to legitimate requests or only appear to be responses.
  • Open DNS offers a hosted DNS service that extends the capability of DNS to include security enhancements.
    • DNS super proxy
    • Apply real-time threat intelligence to managing DNS access and the security of DNS records

NextGen IPS

  • Cisco NextGen IPS devices extend network security to the application layer and beyond.
    • Provide more functionality than previous generations of network security devices.
    • Include reporting dashboards with interactive features that allow quick reports on very specific information without the need for SIEM or other event correlators.
    • Use FirePOWER Services to consolidate multiple security layers into a single platform.
    • FirePOWER services include application visibility and control, reputation and category-based URL filtering, and Advanced Malware Protection (AMP).

Cisco Networking Academy Courseware, Chapter 12: Intrusion Data Analysis

12.1 Evaluating Alerts

Security Onion

  • Security Onion is an open-source suite of Network Security Monitoring (NSM) tools that run on an Ubuntu Linux distribution.
  • Some components of Security Onion are owned and maintained by corporations, such as Cisco and Riverbend Technologies, but are made available as open source.

Detection Tools for Collection

  • CapME provides the cybersecurity analyst with an easy-to-read means of viewing an entire Layer 4 session.
  • Snort uses rules and signatures to generate alerts.
  • Bro uses policies, in the form of scripts that determine what data to log and when to issue alert notifications.
  • OSSEC actively monitors host system operations, including conducting file integrity monitoring, local log monitoring, system process monitoring, and rootkit detection.
  • Suricata uses native multithreading, which allows the distribution of packet stream processing across multiple processor cores.

Analysis Tools

  • Sguil – This provides a high-level cybersecurity analysts’ console for investigating security alerts from a wide variety of sources.
  • ELSA – Logging sources such as HIDS, NIDS, firewalls, syslog clients and servers, domain services, and others can be configured to make their logs available to ELSA databases.
  • Wireshark – This is a packet capture application that is integrated into the Security Onion suite.

Alert Generation

  • Alerts are generated in Security Onion by many sources including Snort, Bro, Suricata, and OSSEC, among others.
  • Sguil provides a console that integrates alerts from multiple sources into a timestamped queue.
  • Alerts will generally include the following five-tuple information:
    • SrcIP - the source IP address for the event.
    • SPort - the source (local) Layer 4 port for the event.
    • DstIP - the destination IP for the event.
    • DPort - the destination Layer 4 port for the event.
    • Pr - the IP protocol number for the event

Rules and Alerts

  • Alerts can come from a number of sources:
    • NIDS - Snort, Bro and Suricata
    • HIDS – OSSEC
    • Asset management and monitoring - Passive Asset Detection System (PADS)
    • HTTP, DNS, and TCP transactions - Recorded by Bro and pcaps
    • Syslog messages - Multiple sources

Evaluating Alerts

  • Alerts can be classified as follows:
    • True Positive: The alert has been verified to be an actual security incident.
    • False Positive: The alert does not indicate an actual security incident.
    • True Negative: No security incident has occurred.
    • False Negative: An undetected incident has occurred.

Deterministic Analysis and Probabilistic Analysis

  • Statistical techniques can be used to evaluate the risk that exploits will be successful in a given network.
    • Deterministic Analysis – evaluates risk based on what is known about a vulnerability.
    • Probabilistic Analysis – estimates the potential success of an exploit by estimating the likelihood that if one step in an exploit has successfully been completed that the next step will also be successful.

12.2 Working with Network Security Data

Enterprise Log Search and Archive (ELSA) is an enterprise-level tool for searching and archiving NSM data that originates from multiple sources.

Data Reduction

  • Data reduction is the identification of data that should be gathered and stored to reduce the burden on systems.
  • By limiting the volume of data, tools like ELSA will be far more useful.

Data Normalization

  • Data normalization is the process of combining data from a number of sources into a common format for indexing and searching.

Types of Evidence

  • In legal proceedings, evidence is broadly classified:
    • Direct evidence was indisputably in the possession of the accused, or is eyewitness evidence from someone who observed criminal behavior.
    • Best evidence is evidence that is in its original state.
    • Corroborating evidence supports an assertion that is developed from best evidence.
    • Indirect evidence, in combination with other facts, establishes a hypothesis. Also known as circumstantial evidence.

Chapter 10 Malicious Software

1.Types of Malicious Software

Backdoor or Trapdoor

  • secret entry point into a program
  • allows those who know access bypassing usual security procedures
  • have been commonly used by developers
  • a threat when left in production programs allowing exploited by attackers
  • very hard to block in O/S
  • requires good s/w development & update

Logic Bomb

  • one of oldest types of malicious software
  • code embedded in legitimate program
  • activated when specified conditions met
    • eg presence/absence of some file
    • particular date/time
    • particular user
  • when triggered typically damage system
    • modify/delete files/disks, halt machine, etc

Trojan Horse

  • program with hidden side-effects
  • which is usually superficially attractive
    • eg game, s/w upgrade etc
  • when run performs some additional tasks
    • allows attacker to indirectly gain access they do not have directly
  • often used to propagate a virus/worm or install a backdoor
  • or simply to destroy data

Mobile Code

  • program/script/macro that runs unchanged
    • on heterogeneous collection of platforms
    • on large homogeneous collection (Windows)
  • transmitted from remote system to local system & then executed on local system
  • often to inject virus, worm, or Trojan horse
  • or to perform own exploits
    • unauthorized data access, root compromise

Multiple-Threat Malware

  • malware may operate in multiple ways
  • multipartite virus infects in multiple ways
    • eg. multiple file types
  • blended attack uses multiple methods of infection or transmission
    • to maximize speed of contagion and severity
    • may include multiple types of malware
    • eg. Nimda has worm, virus, mobile code
    • can also use IM & P2P

2.Viruses

  • piece of software that infects programs
    • modifying them to include a copy of the virus
    • so it executes secretly when host program is run
  • specific to operating system and hardware
    • taking advantage of their details and weaknesses
  • a typical virus goes through phases of:
    • dormant
    • propagation
    • triggering
    • execution

Virus Structure

  • components:
    • infection mechanism - enables replication
    • trigger - event that makes payload activate
    • payload - what it does, malicious or benign
  • prepended / postpended / embedded
  • when infected program invoked, executes virus code then original program code
  • can block initial infection (difficult) or propagation (with access controls)

Virus Classification

  • By target
    • boot sector
    • file infector
    • macro virus
  • By concealment strategy
    • encrypted virus
    • stealth virus
    • polymorphic virus
    • metamorphic virus

Macro Virus

  • became very common in mid-1990s since
    • platform independent
    • infect documents
    • easily spread
  • exploit macro capability of office apps
    • executable program embedded in office doc
    • often a form of Basic
  • more recent releases include protection
  • recognized by many anti-virus programs

E-Mail Viruses

  • more recent development
  • e.g. Melissa
    • exploits MS Word macro in attached doc
    • if attachment opened, macro activates
    • sends email to all on users address list
    • and does local damage
  • then saw versions triggered reading email
  • hence much faster propagation

3.Viruses Countermeasures

  • prevention - ideal solution but difficult
  • realistically need:
    • detection
    • identification
    • removal
  • if detect but can’t identify or remove, must discard and replace infected program

Anti-Virus Evolution

  • virus & antivirus tech have both evolved
  • early viruses simple code, easily removed
  • as become more complex, so must the countermeasures
  • generations
    • first - signature scanners
    • second - heuristics
    • third - identify actions
    • fourth - combination packages

Generic Decryption

  • runs executable files through GD scanner:
    • CPU emulator to interpret instructions
    • virus scanner to check known virus signatures
    • emulation control module to manage process
  • lets virus decrypt itself in interpreter
  • periodically scan for virus signatures
  • issue is how long to interpret and scan
    • tradeoff chance of detection vs time delay

Digital Immune System

Behavior-Blocking Software

4.Worms

  • replicating program that propagates over net
    • using email, remote exec, remote login
  • has phases like a virus:
    • dormant, propagation, triggering, execution
    • propagation phase: searches for other systems, connects to it, copies self to it and runs
  • may disguise itself as a system process
  • concept seen in Brunner’s “Shockwave Rider”
  • First implemented by Xerox Palo Alto labs in 1980’s

Morris Worm

  • one of best known worms
  • released by Robert Morris in 1988
  • various attacks on UNIX systems
    • cracking password file to use login/password to logon to other systems
    • exploiting a bug in the finger protocol
    • exploiting a bug in sendmail
  • if succeed have remote shell access
    • sent bootstrap program to copy worm over

Worm Propagation Model

Recent Worm Attacks

  • Code Red
    • exploiting MS IIS bug
    • probes random IP address, does DDoS attack
  • Code Red II variant includes backdoor
  • SQL Slammer
    • early 2003, attacks MS SQL Server
  • Mydoom
    • mass-mailing e-mail worm that appeared in 2004
    • installed remote access backdoor in infected systems
  • Warezov family of worms
    • scan for e-mail addresses, send in attachment

Worm Technology

  • multiplatform
  • multi-exploit
  • ultrafast spreading
  • polymorphic
  • metamorphic
  • transport vehicles
  • zero-day exploit

Mobile Phone Worms

  • first appeared on mobile phones in 2004
    • target smartphone which can install s/w
  • they communicate via Bluetooth or MMS
  • to disable phone, delete data on phone, or send premium-priced messages
  • CommWarrior, launched in 2005
    • replicates using Bluetooth to nearby phones
    • and via MMS using address-book numbers

Worm Countermeasures

  • overlaps with anti-virus techniques
  • once worm on system A/V can detect
  • worms also cause significant net activity
  • worm defense approaches include:
    • signature-based worm scan filtering
    • filter-based worm containment
    • payload-classification-based worm containment
    • threshold random walk scan detection
    • rate limiting and rate halting

Proactive Worm Containment

Network Based Worm Defense

5.DDoS

Distributed Denial of Service Attacks (DDoS)

  • Distributed Denial of Service (DDoS) attacks form a significant security threat
  • making networked systems unavailable by flooding with useless traffic
  • using large numbers of “zombies”
  • growing sophistication of attacks
  • defense technologies struggling to cope

DDoS Flood Types

Constructing an Attack Network

  • must infect large number of zombies
  • needs:
    • software to implement the DDoS attack
    • an unpatched vulnerability on many systems
    • scanning strategy to find vulnerable systems
      • random, hit-list, topological, local subnet

DDoS Countermeasures

  • three broad lines of defense:
    1. attack prevention & preemption (before)
    2. attack detection & filtering (during)
    3. attack source traceback & ident (after)
  • huge range of attack possibilities
  • hence evolving countermeasures

【Homework Questions】

【Appendix: Chinese-English Glossary of Information Security Terms】

(N)中继

(N)-relay

数据保密性

data confidentiality

网络安全

network security

安全操作系统

secure operating system

抽象语法

abstract syntax

数据损害

data contamination

网络服务

network service

安全路径

secure path

访问/存取

access

数据完整性

data integrity

网络可信计算基

network trusted computing base

安全状态

secure state

访问控制

access control

数据原发鉴别

data origin authentication

抗抵赖

non-repudiation

安全管理员

security administrator

访问(存取)控制证书

access control certificate

数据串(数据)

data string(data)

抗抵赖交换

non-repudiation exchange

安全报警

security alarm

访问控制判决功能

Access control Decision Function(ADF)

数据单元完整性

data unit integrity

抗抵赖信息

non-repudiation information

安全报警管理者

security alarm administrator

访问控制判决信息

Access control Decision Information(ADI)

解密/脱密

decipherment

创建抗抵赖/抗创建抵赖

non-repudiation of creation

安全关联

security association

访问控制实施功能

Access control Enforcement Function(AEF)

降级

degradation

交付抗抵赖/抗交付抵赖

non-repudiation of delivery

安全保证

security assurance

访问控制信息

access control information

委托

delegation

原发抗抵赖

non-repudiation of origin

安全属性

security attribute

访问控制列表

access control list

委托路径

delegation path

接收抗抵赖/抗接收抵赖

non-repudiation of receipt

安全审计

security audit

访问控制机制

access control mechanisms

交付机构

delivery authority

发送抗抵赖/抗发送抵赖

non-repudiation of sending

安全审计消息

security audit message

访问控制策略

access control policy

增量证书撤销列表

delta-CRL(dCRL)

提交抗抵赖/抗提交抵赖

non-repudiation of submission

安全审计记录

security audit record

访问控制策略规则

access control policy rules

拒绝服务

denial of service

抗抵赖策略

non-repudiation policy

安全审计踪迹

security audit trail

访问控制令牌

access control token

依赖/依赖性

dependency

抗抵赖服务请求者

non-repudiation service requester

安全审计者

security auditor

访问列表

access list

数字签名

digital signature

公证

notarization

安全机构

security authority

访问周期

access period

目录信息库

Directory Information Base

公证权标

notarization token

安全证书

security certificate

访问请求

access request

目录信息树

Directory Information Tree

公证方/公证者

notary

安全证书链

security certificate chain

访问类型

access type

目录系统代理

Directory system Agent

公证方(公证机构)

notary(notary authority)

安全通信功能

security communication function

认可/审批

accreditation

目录用户代理

Directory user Agent

NRD权标/NRD令牌

NRD token

安全控制信息

security control information

主动威胁

active threat

可区分名

distinguished name

NRO权标

NRO token

安全域

security domain

主动搭线窃听

active wiretapping

可区分标识符

distinguishing identifier

NRS权标

NRS token

安全域机构

security domain authority

报警处理器

alarm processor

加密

encipherment, encipher, encryption

NRT权标

NRT token

安全要素

security element

应用级防火墙

application level firewall

加密算法

encryption algorithm

客体

object

安全交换

security exchange

资产

Assets

终端实体

end entity

对象方法

object method

安全交换功能

security exchange function

赋值

assignment

终端系统

end system

客体重用

object reuse

安全交换项

security exchange item

关联安全状态

association security state

终端实体属性证书撤销列表(EARL)

End-entity Attribute Certificate Revocation List 

离线鉴别证书

off-line authentication certificate

安全特征

security features

保障/保证

assurance

终端实体公钥证书撤销列表(EPRL)

End-entity Public-key Certificate Revocation List

离线密码运算

offline crypto-operation

安全过滤器

security filter

非对称认证方法

asymmetric authentication method

端到端加密

end-to-end encipherment

单向函数

one-way function

安全功能

security function

非对称密码算法

asymmetric cryptographic algorithm

实体鉴别

entity authentication

单向散列函数

one-way hash function

安全功能策略

security function policy

非对称密码技术

asymmetric cryptographic technique

环境变量

environmental variables

在线鉴别证书

on-line authentication certificate

安全信息

security information

非对称加密系统

asymmetric encipherment system

评估保证级

evaluation assurance level(EAL)

在线密码运算

online crypto-operation

安全内核

security kernel

非对称密钥对

asymmetric key pair

评估机构

evaluation authority

开放系统

open system

安全等级

security level

非对称签名系统

asymmetric signature system

评估模式

evaluation scheme

组织安全策略

organizational security policies

安全管理信息库

Security Management Information Base

属性

attribute

事件辨别器

event discriminator

原发者

originator

安全目的

security objective

属性管理机构撤销列表(AARL)

Attribute Authority Revocation List(AARL)

证据

evidence

OSI管理

OSI Management

安全周边

security perimeter

属性管理机构(AA)

Attribute Authority(AA)

证据生成者

evidence generator

带外

out-of-band

安全策略

security policy

属性证书

Attribute certificate

证据请求者

evidence requester

package

安全恢复

security recovery

属性证书撤销列表(ACRL)

Attribute Certificate Revocation List(ACRL)

证据主体

evidence subject

包过滤防火墙

packet filter firewall

安全关系

security relationship

审计/审核

audit

证据使用者

evidence user

填充

padding

安全报告

security report

审计分析器

audit analyzer

证据验证者

evidence verifier

成对的密钥

pairwise key

安全需求

security requirements

审计归档

audit archive

交换鉴别信息

exchange authentication information

被动威胁

passive threat

安全规则

security rules

审计机构

audit authority

外部IT实体

external IT entity

被动窃听

passive wiretapping

安全规范

security specifications

审计调度器

audit dispatcher

外部安全审计

external security audit

口令

password

安全状态

security state

审计提供器

audit provider

故障访问

failure access

口令对话

password dialog

安全目标

security target

审计记录器

audit recorder

故障控制

failure control

对等实体鉴别

peer-entity authentication

安全测试

security testing

审计踪迹

audit trail

容错

fault tolerance

渗透

penetration

安全变换

security transformation

审计跟踪收集器

audit trail collector

特征

features

渗透轮廓

penetration profile

安全相关事件

Security-related event

审计跟踪检验器

audit trail examiner

反馈缓冲器

feedback buffer

渗透痕迹

penetration signature

敏感信息

sensitive information

鉴别/认证

authentication

取数保护

fetch protection

渗透测试

penetration testing

敏感性

sensitivity

认证证书

authentication certificate

文件保护

file protection

个人识别号

personal identification number (PIN)

敏感标记

sensitivity label

鉴别数据

authentication data

防火墙

firewall

人员安全

personnel security

屏蔽

shield

鉴别(认证)信息

authentication information

固件

firmware

物理安全

physical security

短时中断

short interruption

鉴别(认证)发起方

authentication initiator

形式化证明

formal proof

明文

plain text

安全服务

security service

鉴别(认证)令牌

authentication token(token)

形式化顶层规范

formal top-level specification

策略

policy

简单鉴别

simple authentication

鉴别(认证)符

authenticator

形式化验证

formal verification

策略映射

policy mapping

单项结合安全关联

single-item-bound security association

授权用户

authorized user

完全CRL

full CRL

端口

port

单级装置

single-level device

授权机构/机构

Authority

粒度

granularity

表示上下文

presentation context

中级功能强度

SOF-medium

授权机构证书

authority certificate

接地网

ground grid

表示数据值

presentation data value

源认证机构

Source of Authority (SOA)

授权

authorization

接地电阻

ground resistance

表示实体

presentation-entity

欺骗

spoofing

授权管理员

authorized administrator

接地

grounding

预签名

pre-signature

待机模式、休眠模式

stand-by mode, sleep-mode

自动安全监控

automated security monitoring

接地电极

grounding electrode

本体

principal

强鉴别

strong authentication

可用性

availability

接地系统

grounding system

最小特权原则

principle of least privilege

主体

subject

数据可用性

availability of data

握手规程

handshaking procedure

服务优先权

priority of service

管态

supervisor state

备份规程

backup procedure

散列函数(哈希函数)

hash function

隐私

privacy

对称鉴别方法

symmetric authentication method

基础证书撤消列表

base CRL

散列代码

hash-code

保密变换

privacy transformation

对称密码算法

symmetric cryptographic algorithm

分组/块

block

散列函数标识符

hash-function identifier

私有解密密钥

private decipherment key

对称密码技术

symmetric cryptographic technique

分组链接

block chaining

隐藏

hide

私有密钥(私钥)

private key

对称加密算法

symmetric encipherment algorithm

界限检查

bounds checking

持有者

holder

私有签名密钥

private signature key

系统完整性

system integrity

简码列表

brevity lists

主机

Host

特权指令

privileged instructions

系统完整性规程

system integrity procedure

浏览

browsing

宿主单元

host unit

规程安全

procedural security

系统安全功能

system security function

CA证书

CA-certificate

标识

identification

产品

product

技术攻击

technological attack

回叫

call back

标识数据

identification data

证明

proof

终端标识

terminal identification

权能/能力

capability

抗扰度

immunity(to a disturbance)

保护表示上下文

protecting presentation context

威胁

threat

证书

certificate

假冒

impersonation

保护传送语法

protecting transfer syntax

威胁监控

threat monitoring

证书策略

certificate policy

印章

imprint

保护映射

protection mapping

防雷保护接地

thunder proof protection ground

证书序列号

certificate serial number

交错攻击

interleaving attack

保护轮廓

protection profile

时间戳

time stamp

证书用户

certificate user

不完全参数检验

incomplete parameter checking

保护环

protection ring

时变参数

time variant parameter

证书确认

certificate validation

间接攻击

indirect attack

保护接地

protective earthing

时间相关口令

time-dependent password

认证

certification

间接CRL

indirect CRL (iCRL)

协议数据单元

protocol data unit

令牌

token

认证机构

certification authority

信息系统安全

information system security

协议实现一致性声明

protocol implementation conformance statement

通信业务流保密性

traffic flow confidentiality

认证机构撤销列表(CARL)

Certification Authority Revocation List (CARL)

信息系统安全管理体系结构

information system security management architecture

代理服务器

proxy server

通信业务流安全

traffic flow security

认证路径

certification path

信息技术设备

information technology equipment

伪缺陷

pseudo-flaw

陷门

trap door

信道/通道

channel

初始编码规则

initial encoding rules

公开加密密钥

public encipherment key

特洛伊木马

Trojan horse

密文

ciphertext

初始化值

initialization value

公开密钥基础设施(PKI)

Public Key Infrastructure (PKI)

可信/信任

trust

申明鉴别信息

claim authentication information

发起者

initiator

公开密钥(公钥)

public key

可信信道

trusted channel

许可权

clearance

完整性

integrity

公开密钥证书(证书)

public key certificate(certificate)

可信计算机系统

trusted computer system

明文

cleartext

禁止

interdiction

公开密钥信息

public key information

可信计算基

trusted computing base

无碰撞(冲突)散列函数

collision resistant hash-function

交错攻击

interleaving attack

公开验证密钥

public verification key

可信实体

trusted entity

混合型防火墙

combination firewall

内部通信信道

internal communication channel

消除

purging

可信主机

trusted host

共用接地系统

common grounding system

内部安全审计

internal security audit

随机数

Random number

可信路径

trusted path

通信安全

communications security

隔离

isolation

随机化

Randomized

可信软件

trusted software

分割

compartmentalization

密钥

key

实开放系统

Real open system

可信第三方

trusted third party

构件/组件/部件

component

密钥协商

key agreement

接收方/接收者

Recipient

可信时间戳

trusted time stamp

泄漏

compromise

密钥确认

key confirmation

恢复规程

Recovery procedure

可信时间戳机构

trusted time stamping authority

已泄露证据

compromised evidence

密钥控制

key control

冗余

Redundancy

无条件可信实体

unconditionally trusted entity

泄漏发射

compromising emanations

密钥分发中心

key distribution centre

参照确认机制

reference validation mechanism

单向鉴别

unilateral authentication

计算机系统

computer system

密钥管理

key management

细化

refinement

不间断供电系统

uninterrupted power supply system

隐蔽系统

concealment system

密钥转换中心

key translation centre

反射攻击

reflection attack

用户鉴别

user authentication

配置管理

configuration management

标记

label

反射保护

reflection protection

用户标识

user identification(user ID)

配置管理系统

configuration management system

主、客体标记

label of subject and object

中继系统

relay system

用户-主体绑定

user-subject binding

不带恢复的连接完整性

connection integrity without recovery

最小特权

least privilege

可依赖方

relying party

确认

validation

无连接保密性

connectionless confidentiality

雷电电磁脉冲

lightning electromagnetic pulse

重放攻击

replay attack

验证

verification

无连接完整性

connectionless integrity

雷电防护区

lightning protection zones

抵赖

repudiation

验证函数

verification function

连通性

connectivity

受限访问

limited access

资源分配

resource allocation

验证密钥

verification key

应急计划

contingency plan

链路加密

link encryption

受限区

restricted area

验证过程

verification process

控制区

control zone

逐链路加密

link-by-link encipherment

保留的ADI

retained ADI

验证者

verifier

可控隔离

controllable isolation

本地系统环境

local system environment

揭示

reveal

脆弱性

vulnerability

受控访问

controlled access

漏洞

loophole

撤销证书

revocation certificate

  

受控可访问性

controlled accessibility

故障

malfunction

撤销证书列表

revocation list certificate

  

受控共享

controlled sharing

管理信息

Management Information

风险

risk

  

成本风险分析

cost-risk analysis

强制访问控制

mandatory access control

风险分析

risk analysis

  

对抗

countermeasure

冒充

Masquerade

风险管理

risk management

  

隐蔽信道

covert channel

测量

measurement

角色

role

  

隐蔽存储信道

covert storage channel

消息

message

角色分配证书

role assignment certificate

  

隐蔽时间信道

covert timing channel

消息鉴别码

message authentication code

角色规范证书

role specification certificate

  

凭证

credentials

仿制

mimicking

回退

rollback

  

CRL分发点

CRL distribution point

监控器(监控机构)

monitor(monitor authority)

root

  

串扰

cross-talk

监控

monitoring

循环函数/轮函数

round-function

  

密码分析

cryptanalysis

多级装置

multilevel device

路由选择

routing

  

密码算法

crypto-algorithm

多级安全

multilevel secure

路由选择控制

routing control

  

密码链接

cryptographic chaining

多访问权终端

multiple access rights terminal

基于规则的安全策略

rule-based security policy

  

密码校验函数

cryptographic check function

相互鉴别

mutual authentication

SA属性

SA-attributes

  

密码校验值

cryptographic check value

n位分组密码

n-bit block cipher

安全保护(大)地

safety protection earth

  

密码同步

cryptographic synchronization

网络实体

network entity

封印/密封

seal

  

密码体制

cryptographic system; cryptosystem

网络层

network layer

秘密密钥

secret key

  

密码编码(学)

cryptography

网络协议

network protocol

安全配置管理

secure configuration management

  

密码运算

crypto-operation

网络协议数据单元

network protocol data unit

安全信封(SENV)

secure envelope

  

密码安全

crypto-security

网络中继

network relay

安全交互规则

secure interaction rules

  

 

 
