计算机技术与发展 (Computer Technology and Development) 2023, Vol. 33, Issue 12: 143-148. DOI: 10.3969/j.issn.1673-629X.2023.12.020

基于Serverless的反溯源技术应用研究

Research on Application of Anti-traceability Technology Based on Serverless

韩杰 (1), 冯美琪 (2), 李建欣 (2)

Author information

  • 1. 北京航天万源科技有限公司 (Beijing Aerospace Wanyuan Science and Technology Co., Ltd.), Beijing 100176, China
  • 2. 中国民航信息网络股份有限公司 运行中心 (China Civil Aviation Information Network Co., Ltd., Operations Center), Beijing 101318, China

Abstract

As networks increasingly become the main battleground of ideological competition, the technical means of attackers and defenders are refined in a continuous contest. Existing anti-traceability techniques cannot evade the defender's multi-dimensional, multi-technology traceability methods and are easily traced and countered. This paper proposes an approach to anti-traceability based on Serverless: it uses the event-driven and auto-scaling features of Serverless so that, when a user requests a target, IP addresses from different availability zones are invoked automatically, hiding the user's real IP address. Because Serverless separates application development from the server, an attacker can write attack code directly, which further helps conceal identity. The feasibility of the approach is verified experimentally with cloud functions in Serverless and the CobaltStrike software: it hides the attack source well, and the defender cannot trace the real attack source. From the defender's perspective, the traffic characteristics are then analyzed in detail, and an attack detection model is built on two dimensions, characteristic values and access statistics. By simulating real attack behavior and normal business behavior, it is verified that the detection model detects attacks well and distinguishes them from normal business behavior; to some extent this reduces false alarms, lowers the impact on normal business, improves the handling efficiency of security events, and provides a detection approach for the defender's intrusion detection.

Key words

network attack-defense / attack traceability / anti-traceability / Serverless / attack detection


Funding

National Key Research and Development Program of China (2021YFB3101900)

Publication year

2023

Journal

计算机技术与发展 (Computer Technology and Development), published by the Shaanxi Computer Society
Indexed in: CSTPCD
Impact factor: 0.621
ISSN: 1673-629X
References: 8