基于深度欺骗策略的网络积极防御系统的设计与实现

Design and implementation of a network active defense system based on deception in depth

为解决网络欺骗的安全性、欺骗性和交互性问题,提出了一个基于深度欺骗策略的五重欺骗与控制架构,在此基础上,建立了可实际应用的网络积极防御系统.该系统将防护、欺骗、监视、控制与审计整合为一体,在安全的条件下,通过网络服务欺骗、安全漏洞伪造、操作行为控制、文件系统欺骗和信息欺骗,实现了对整个网络入侵过程的欺骗与控制.其完整的欺骗与控制框架不仅仅针对某一攻击过程,还确保了系统不会轻易被识别,使欺骗程度和安全性大大提高.

In order to solve the security, deception and interaction problems in network deception, a fivefold deception and control architecture based on defense in depth policy was proposed. According to the architecture, a network active defense system which integrates defense, deception, monitor, control and audit was implemented. Under the condition of security, it can deceive and control a whole network intrusion activity with network service simulation, vulnerability forgery, operation control, file system bam and information bam. The fivefold deception and control architecture does not only aim at a certain attack, but also insures the system can not be easily recognized and obviously promotes the level of deception and security.