Finding your own information security vulnerabilities: vulnerability analysis

2:28 PM

Information security is concerned with more and more: from the initial focus on confidentiality of information, to today's concern with integrity, availability, controllability and non-repudiation, information security technology is maturing step by step.

According to statistics from the foreign vulnerability company SecurityFocus, most operating systems have security vulnerabilities, and some applications face the same problem. Together with management issues and software complexity, the problem of security vulnerabilities in information products is far from resolved. Because of the stakes involved in security vulnerability analysis, the technical details of discovered vulnerabilities are generally not made public; for example, although foreign security organizations reported the recent RPC vulnerability on the Windows platform, the vulnerability analysis process and its exploitation remain undisclosed.



Information System Security Vulnerability Analysis

Security vulnerabilities currently threaten the security of network information systems. To protect network information security, one of the key issues is addressing security vulnerabilities, which includes vulnerability scanning, vulnerability fixing and vulnerability prevention.

The reliability, robustness and attack resistance of a network also depend on the information security risks present in the products themselves. Research work on security vulnerability analysis can be divided into the following areas:

The first category: detection and analysis based on known vulnerabilities

SATAN was the first network vulnerability analysis tool, and this line of research is represented by SATAN, developed by the network security experts Dan Farmer and Wietse Venema. Its basic idea is to simulate an attacker trying to access one's own defended systems. SATAN has a good extension framework: once you master the extension rules, you can add your own test programs and test rules to the framework and make them integral components of SATAN.

Because of this, when SATAN's authors gave up developing new versions, other programmers could take over, and the devil (SATAN) turned into a saint (SAINT). SAINT added a number of new detection methods compared with SATAN but did not change SATAN's architecture. SATAN can only run on Unix systems, and remote users cannot use SATAN for detection. SAINT solved the remote-user problem, but neither SATAN nor SAINT can gather local vulnerabilities on remote hosts, and the analysis of vulnerability information in both tools remains at a low level: they can only handle raw vulnerability information.

Nessus is a free, open-source and more recent network vulnerability analysis tool. It runs on Linux, BSD, Solaris and other platforms, is multi-threaded and plug-in based, provides a GTK interface, and can now check many remote vulnerabilities. However, Nessus can only obtain vulnerabilities by remote scanning. Many vulnerabilities are local and cannot be detected or exploited over the network; for example, host configuration information, trust relationships and group information are difficult to obtain remotely.

The second category: vulnerability detection based on formal specification of security attributes

Automatic and systematic vulnerability analysis is the focus of current research. C. R. Ramakrishnan and R. Sekar proposed a model-based analysis of configuration vulnerabilities. Its basic principle is: first, state the target security properties formally, for example that an ordinary user cannot overwrite the system log directory; next, build an abstract model describing the system's security-related operations, composed of models of system components such as the file system, processes and privileges; finally, check whether the abstract model satisfies the required security properties, and if it does not, the vulnerability mining process generates the sequence of operations that leads to the conflict with the security property.

The advantage of this method is that it can detect both known and new vulnerabilities, whereas COPS and SATAN mainly check for known vulnerabilities. However, the method is computationally intensive and is not yet practical; in addition, its scalability remains a problem, since real models are much larger than experimental ones. Model construction depends on manual work, and automatic model generation is still an open problem.

The third category: vulnerability analysis and detection based on correlation

This category builds on the results of the first two, focusing on the correlation between vulnerabilities and describing the vulnerability mining process from the attacker's perspective. TVA (Topological Vulnerability Analysis), a vulnerability analysis tool based on network topology, simulates the penetration testing of security experts to perform automated, high-intensity vulnerability analysis and generates an attack graph from the vulnerability mining process. TVA models attack steps and their conditions as a state transition graph, which gives the analysis good scalability, so that the attack graph can be computed from the specified security goal and network configuration.

However, TVA's model of the vulnerability mining process still depends on manual input; solving this requires a standard, machine-understandable language for automatically acquiring domain knowledge. In addition, for a large network with many vulnerabilities, TVA produces very large graphs, so graph management becomes a problem. Finally, the information TVA uses must be accurate and reliable in order to identify vulnerable points, but TVA depends on Nessus for its vulnerability information.

Laura P. Swiler and others also developed a computer attack graph generation tool: given the network configuration, attacker capabilities, attack templates and attacker profile as input, the attack graph generator outputs an attack graph, and the set of shortest paths shows the channels through which the system is most likely to be attacked. Oleg Sheyner and Joshua Haines studied automatic attack graph generation and analysis with a model checking method. The basic idea is to abstract the network into a finite state machine whose state transitions represent atomic attacks, and to specify the required safety property. The model checker NuSMV then automatically generates the attack graph, and network attack domain knowledge is used to interpret the meaning of the state variables and the relationships between the transitions in the diagram. But this method has scalability problems in its model, high computational cost, and modelling data that depends on manual work.
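Added example, not code from the post or from any of the tools it names: the second and third categories above share one core, a safety property stated as a predicate over an abstract state, operations given as rules with preconditions and effects, and a search that returns the shortest operation sequence violating the property. The Python below implements that core once and applies it to a configuration model in the style of the second category (the "ordinary user cannot overwrite the system log" property) and to a small multi-host attack graph in the style of TVA and the model-checking work, and it also shows the defensive use of such a model by re-running the check after a candidate hardening change. All hosts, facts and rule names are constructed.

```python
from collections import deque

# Facts are plain strings; an abstract system state is a frozenset of facts.
# A rule is (name, preconditions, effects): it applies when every precondition
# holds in the state and adds its effects. Facts, hosts and rule names below
# are constructed for this example.
def shortest_violation(initial, rules, violated, max_depth=10):
    """Breadth-first search from `initial`. Returns the shortest list of
    rule names reaching a state where violated(state) is true, or None
    if no such state is reachable within max_depth steps."""
    start = frozenset(initial)
    queue = deque([(start, [])])
    seen = {start}
    while queue:
        state, path = queue.popleft()
        if violated(state):
            return path
        if len(path) >= max_depth:
            continue
        for name, pre, add in rules:
            nxt = state | add
            if pre <= state and nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, path + [name]))
    return None

# Scenario 1: single-host configuration model (second category). Property
# from the text: an ordinary user must not be able to overwrite the system log.
CONFIG_RULES = [
    ("edit_world_writable_root_cron",
     {"writable(alice,/etc/cron.d/backup)", "runs_as_root(/etc/cron.d/backup)"},
     {"exec_as(alice,root)"}),
    ("root_job_writes_syslog", {"exec_as(alice,root)"},
     {"overwrite(alice,/var/log/syslog)"}),
]

def config_vulnerability(world_writable_cron=True):
    facts = {"runs_as_root(/etc/cron.d/backup)"}
    if world_writable_cron:          # the misconfiguration under test
        facts.add("writable(alice,/etc/cron.d/backup)")
    return shortest_violation(facts, CONFIG_RULES,
                              lambda s: "overwrite(alice,/var/log/syslog)" in s)

# Scenario 2: multi-host attack graph (third category). States are the
# attacker's privileges; transitions are atomic attacks.
ATTACK_RULES = [
    ("remote_exploit_web", {"reach(attacker,web)", "vuln(web,remote)"},
     {"priv(attacker,web,user)"}),
    ("local_escalate_web", {"priv(attacker,web,user)", "vuln(web,local)"},
     {"priv(attacker,web,root)"}),
    ("abuse_trust_web_to_db", {"priv(attacker,web,root)", "trust(db,web)"},
     {"priv(attacker,db,user)"}),
]

def attack_path(db_trusts_web=True):
    facts = {"reach(attacker,web)", "vuln(web,remote)", "vuln(web,local)"}
    if db_trusts_web:                # hardening candidate: drop this trust
        facts.add("trust(db,web)")
    # Safety property: the attacker never obtains any privilege on db.
    return shortest_violation(facts, ATTACK_RULES,
                              lambda s: any(f.startswith("priv(attacker,db,") for f in s))

if __name__ == "__main__":
    print(config_vulnerability(), config_vulnerability(False))
    print(attack_path(), attack_path(False))
```

A result of None means the model satisfies the property; a list is the operation sequence the text calls the output of the vulnerability mining process.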

The fourth category: basic work for vulnerability detection, mainly the discovery, collection, classification and standardization of vulnerability information

Security vulnerability detection depends on the discovery of security vulnerabilities, and discovering original vulnerabilities is the most challenging research. At present, security vulnerability mining research comes mainly from universities, security companies and hacker groups. For the dissemination of vulnerability information, CERT is the most representative; it was the first research institution to publish vulnerability information on the Internet. For the standardization of vulnerability information, MITRE developed the Common Vulnerabilities and Exposures (CVE) list to standardize the naming of vulnerabilities, and MITRE also developed the Open Vulnerability Assessment Language (OVAL) to provide a benchmark for vulnerability testing; the language is gradually being perfected.

Compared with overseas, our vulnerability information is still lacking in completeness and timeliness, mainly because newly discovered vulnerabilities lag behind those abroad. Security vulnerability detection, elimination and prevention are all constrained by the discovery of security vulnerabilities. Thus, security vulnerability analysis should be the most challenging research focus.

Intrusion detection and early warning technology

Network information system security involves a variety of security systems at four levels: protection, detection, response and recovery. Intrusion detection systems are an important part of this, playing the "early warning" role in digital space. Intrusion detection technology can be divided into five stages: the first is detection of attack signatures based on simple pattern matching; the second, detection based on models of abnormal behaviour; the third, intrusion detection based on correlation analysis of alarms; the fourth, detection based on attack intent; and the fifth, detection based on the security situation. In summary, the development trends of intrusion detection and early warning are as follows.

Intrusion Security Technology Integration

With changes in network technology and attack technology, an intrusion detection system alone cannot solve all problems, such as detection, prevention, response and assessment. Intrusion detection systems are evolving: intrusion detection systems, vulnerability scanning systems, firewalls and emergency response systems will gradually be integrated into a comprehensive information security system. For example, the company SecureDecisions has researched and developed a security decision-making system that integrates IDS, scanner, firewall and other functions with alarm data visualization. The Intrusion Prevention System (IPS) is becoming the future direction of IDS.

High-performance network intrusion detection

The development of modern network technology has brought new problems: IDS requires massive computation, so high-performance detection algorithms and new intrusion detection systems have become a research hotspot. Applying high-performance parallel computing to intrusion detection, high-speed pattern matching algorithms and purely hardware-based NIDS are current research topics abroad.

Intrusion Detection System Standardization

Standardization of IDS facilitates data exchange between different types of IDS and integration and interaction with other security products. The Intrusion Detection Working Group (IDWG) of the IETF (Internet Engineering Task Force) has formulated the Intrusion Detection Message Exchange Format (IDMEF), the Intrusion Detection Exchange Protocol (IDXP), the Intrusion Alert Protocol (IAP) and other standards to meet the data exchange needs between intrusion detection systems and security products. At the same time, these standard protocols are supported by Silicon Defense, Defcom, UCSB and other organizations, which have implemented the provisions of the standards. At present, the open source Snort network intrusion detection system has a plug-in supporting IDMEF. Therefore, standardized interface functions will be the development direction of the next generation of IDS.

Embedded Intrusion Detection

With the use of the Internet, the computing model is entering a new stage following mainframe computing and desktop computing: the pervasive computing model. Pervasive computing emphasizes embedding computers into people's daily life and working environment so that users can easily access information and computing services. With the use of large numbers of mobile computing devices, embedded intrusion detection techniques have gained in importance.

Intrusion detection and early warning systems

Intrusion detection systems are developing from centralized to distributed: detectors are deployed in a distributed way to achieve hierarchical intrusion monitoring, intrusion alarms are aggregated to an event management platform, and correlation analysis is then performed centrally in order to grasp and control the overall security posture and support emergency response. Current technology is moving from "detect and respond" toward "warn and prepare".
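Added example (not Snort's IDMEF plug-in or any product's code) covering both the IDMEF standard discussed under standardization and the "aggregate, then correlate" step of the distributed architecture just described: two constructed IDMEF 1.0 alerts from different sensors are parsed with Python's standard library into a common record format and grouped by source and target. Sensor names, addresses, times and classifications are invented.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

NS = {"idmef": "http://iana.org/idmef"}   # IDMEF 1.0 namespace (RFC 4765)

# Two constructed alerts about the same source/target pair, one from a
# network IDS and one from a host IDS, in IDMEF 1.0 structure. All values
# (ids, addresses, times, classifications) are made up for this example.
SAMPLE_IDMEF = """<idmef:IDMEF-Message version="1.0" xmlns:idmef="http://iana.org/idmef">
 <idmef:Alert messageid="a1">
  <idmef:Analyzer analyzerid="snort-dmz" name="snort"/>
  <idmef:CreateTime ntpstamp="0xe94251f5.0x00000000">2024-01-05T10:01:25Z</idmef:CreateTime>
  <idmef:Source><idmef:Node><idmef:Address category="ipv4-addr">
   <idmef:address>192.0.2.10</idmef:address></idmef:Address></idmef:Node></idmef:Source>
  <idmef:Target><idmef:Node><idmef:Address category="ipv4-addr">
   <idmef:address>198.51.100.5</idmef:address></idmef:Address></idmef:Node>
   <idmef:Service><idmef:port>445</idmef:port></idmef:Service></idmef:Target>
  <idmef:Classification text="SMB probe"/>
 </idmef:Alert>
 <idmef:Alert messageid="a2">
  <idmef:Analyzer analyzerid="hids-fileserver" name="host-ids"/>
  <idmef:CreateTime ntpstamp="0xe9425240.0x00000000">2024-01-05T10:02:40Z</idmef:CreateTime>
  <idmef:Source><idmef:Node><idmef:Address category="ipv4-addr">
   <idmef:address>192.0.2.10</idmef:address></idmef:Address></idmef:Node></idmef:Source>
  <idmef:Target><idmef:Node><idmef:Address category="ipv4-addr">
   <idmef:address>198.51.100.5</idmef:address></idmef:Address></idmef:Node></idmef:Target>
  <idmef:Classification text="Failed logon burst"/>
 </idmef:Alert>
</idmef:IDMEF-Message>"""

def parse_idmef(xml_text):
    """Flatten every Alert in an IDMEF message into one record, so alerts
    from different products can be processed by the same code."""
    root = ET.fromstring(xml_text)
    if root.tag != "{http://iana.org/idmef}IDMEF-Message":
        raise ValueError("not an IDMEF message")
    def text(el, path):
        return el.findtext(path, namespaces=NS)   # None when element absent
    records = []
    for alert in root.findall("idmef:Alert", NS):
        records.append({
            "id": alert.get("messageid"),
            "analyzer": alert.find("idmef:Analyzer", NS).get("analyzerid"),
            "time": text(alert, "idmef:CreateTime"),
            "source": text(alert, "idmef:Source/idmef:Node/idmef:Address/idmef:address"),
            "target": text(alert, "idmef:Target/idmef:Node/idmef:Address/idmef:address"),
            "port": text(alert, "idmef:Target/idmef:Service/idmef:port"),
            "classification": alert.find("idmef:Classification", NS).get("text"),
        })
    return records

def correlate(records):
    """Aggregate alerts by (source, target) and list the distinct sensors
    that reported each pair: the 'aggregate, then correlate' step of a
    management platform in its simplest form."""
    groups = defaultdict(list)
    for r in records:
        groups[(r["source"], r["target"])].append(r)
    return {pair: sorted({r["analyzer"] for r in rs}) for pair, rs in groups.items()}

if __name__ == "__main__":
    for pair, sensors in correlate(parse_idmef(SAMPLE_IDMEF)).items():
        print(pair, "reported by", sensors)
```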

Internet worm protection technology

Compared with traditional host viruses, network worms have greater reproductive capacity and destructive capability. Traditional stand-alone virus prevention, single-point LAN-based virus prevention and other antivirus technologies are not well adapted to the early warning requirements of network worms on an open network. For example, traditional stand-alone virus detection relies on fixed detection rules and does not meet the needs of network worm detection, because network malicious code is varied and shape-shifting, and its intrusion, infection and attack mechanisms differ widely. In recent years, research has focused mainly on: classification of computer worms, design of worm early-warning systems and worm traffic simulation and testing, simulation of worm propagation, worm analysis models and isolation technology. In the market for worm defence products, the foreign company Silicon Defense has released the worm containment product CounterMalice, and Lancope's StealthWatch product is a threat management system based on behavioural intrusion detection.

In short, from the development of network worms it can be seen that offensive and defensive technology for network worms is still developing. The main technologies include: the rapid propagation and concealment mechanisms of Internet worms; network worm early warning technology and simulation testing; network worm emergency response technology, mainly blocking technology; theoretical models of network worms, such as application-based worms, database worms and worms in mobile network environments; and anti-worm attack mechanisms, such as code randomization and software diversity against automated worm attacks.

Attack tolerance in information systems

According to statistics, one hour of communication outage can cause an insurance company to lose 20,000 U.S. dollars, an airline to lose 2.5 million U.S. dollars, and an investment bank to lose 600 million; a two-day communication interruption is enough to cause a bank to fail. Attack tolerance technology addresses the security problem of enabling an information network system to complete its tasks according to user requirements and to keep supporting the business users need even in the face of attacks, failures and accidental events. At present, international research on information network survivability is at an early stage of development; the main research areas include the concept and characteristics of survivability, survivability models and simulation, survivability engineering, survivability analysis and evaluation of systems, network fault tolerance and database intrusion tolerance.

Eight development trends in information security technology

New IT technologies and accelerating changes in attack techniques mean that new ideas, concepts, methods, technologies and products in information security will keep emerging. It is predicted that the future development of information security technology will have the following characteristics:

1. Information security technology is changing from single security products to security management platforms

Information system security is a holistic concept; it is not a stop-gap measure at a point in time, but the organic combination and interaction of security products according to security needs. A single network security product cannot guarantee the security of the network, and simply stacking security products cannot deliver quality of protection (QoP). Only by taking security policy as the core, combining security products organically into a security system, and ensuring the implementation of that system through a security management system can network security really be improved.

2. Information security technology is developing from static toward dynamic and proactive

Traditional computer security emphasizes static, closed threat protection; it can only respond passively to security threats and often deals with security incidents only after the fact, with a delay in security control. With dynamic changes in the information environment, such as blurring network boundaries, diverse user interfaces and a wide range of applications, security threats are becoming increasingly complex. Therefore, dynamic and proactive information security technologies are being developed and attracting attention. For example, emergency response, attack forensics, attack traps, attack tracing and location, intrusion tolerance, automatic recovery and other proactive technologies are being valued and developed.

3. Information security protection is changing from feature-based to behaviour-based

Hacker techniques are increasingly sophisticated, and many new attack methods are difficult to protect against with feature-based (signature-based) measures; therefore, behaviour-based protection technology is becoming a development trend.

4. Internal network information security technology is being valued and developed

Threats to information network security do not come only from the Internet or external networks; research is increasingly aware that security threats from inside the network have an even larger effect. Compared with external users, internal network users are better placed to understand the network architecture, the deployed protective measures and the business operation mode, and to access the internal network; if internal users attack or misuse the network, huge losses are likely. Therefore, internal network security technology is being valued and developed; MITRE Corporation researchers have begun to study models of internal user behaviour for use in security management.

5. The trend toward componentized information security

To simplify the complex engineering of information system security, different security components are applied to achieve "IKEA"-style automatic combination and dynamic implementation of security mechanisms "according to user requirements", adapting quickly to the development of users' business requirements.

6. Information security management is shifting from an extensive to a quantified model

Traditionally, the quality of information network security management depends on the administrator's "experience", so the effect of security management is ambiguous and security management lacks valid evidence to support whether the information system has reached the required level of security. As the complexity of information network systems increases, information security management should become more scientific and quantitative, and it should also be subject to KPIs. Currently, information security researchers have already proposed the notion of QoP, the quality of protection, and related technologies and products are under research and development.

7. Software security is increasingly important, and software security engineering methods and related products will develop rapidly

Software is the "soul" of an information network, and its security is increasingly important, especially for the infrastructure software of an information network (such as communication protocol software, operating systems, databases, middleware, general office software, etc.): once a security vulnerability appears, the impact is often immeasurable. As society increasingly depends on secure computing, the demand for software reliability is particularly pressing. Issues surrounding software security are already a concern of security personnel, and work is under way on software security engineering, verification of software reliability, automatic software vulnerability analysis tools and software integrity protection methods.

8. Security technologies and products for SOA will develop rapidly

With the development of information network applications, SOA (Service Oriented Architecture) has become the development approach for service-based systems: through SOA, enterprises and institutions can enhance collaboration and information sharing, which is conducive to integrating information systems. However, SOA also brings a series of new security issues, such as XML security and SOAP protocol security.

Foreign companies have already developed XML firewalls. A traditional firewall performs access control on IP header information, but for HTTP-based Web services that access control granularity is too coarse; a firewall that can process SOAP messages at the message level is therefore needed, and this is the origin of the XML firewall. An XML firewall is an application-level firewall: it intercepts SOAP request packets, analyses the SOAP request, and then enforces the service-level access control policy.
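Added example, not taken from any XML firewall product: a minimal Python version of the service-level access control decision described above, which parses an intercepted SOAP 1.1 request, identifies the invoked operation and checks it against a per-role policy, failing closed on anything it cannot parse. The service namespace, operations, roles and requests are constructed.

```python
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"   # SOAP 1.1 envelope
SVC_NS = "urn:example:payroll"      # constructed namespace of the protected service

# Service-level policy (constructed): which caller roles may invoke which
# operation. An IP-level firewall sees only "HTTP to the web server" and
# cannot tell these operations apart.
POLICY = {
    "GetPayslip": {"employee", "hr"},
    "UpdateSalary": {"hr"},
}

def soap_operation(request_xml):
    """Return (namespace, name) of the operation a SOAP 1.1 RPC request
    invokes, i.e. the single child element of soap:Body. Raises ValueError
    for anything that is not a well-formed single-operation envelope."""
    try:
        env = ET.fromstring(request_xml)
    except ET.ParseError as e:
        raise ValueError(f"malformed XML: {e}")
    if env.tag != f"{{{SOAP_NS}}}Envelope":
        raise ValueError("not a SOAP 1.1 envelope")
    body = env.find(f"{{{SOAP_NS}}}Body")
    if body is None or len(body) != 1:
        raise ValueError("expected exactly one operation element in soap:Body")
    tag = body[0].tag
    if tag.startswith("{"):
        ns, _, name = tag[1:].partition("}")
        return ns, name
    return "", tag

def authorize(role, request_xml):
    """The decision an XML firewall makes after intercepting a SOAP request:
    allow only operations the policy grants to the caller's role, and fail
    closed on anything it cannot parse or does not recognise."""
    try:
        ns, op = soap_operation(request_xml)
    except ValueError:
        return False
    return ns == SVC_NS and role in POLICY.get(op, set())

# Constructed requests: both go to the same host and port, so only
# message-level inspection can distinguish them.
REQ_PAYSLIP = f"""<soap:Envelope xmlns:soap="{SOAP_NS}"><soap:Body>
 <p:GetPayslip xmlns:p="{SVC_NS}"><p:employeeId>1042</p:employeeId></p:GetPayslip>
</soap:Body></soap:Envelope>"""
REQ_SALARY = REQ_PAYSLIP.replace("GetPayslip", "UpdateSalary")

if __name__ == "__main__":
    for role in ("employee", "hr"):
        print(role, authorize(role, REQ_PAYSLIP), authorize(role, REQ_SALARY))
```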
