Computer Science (计算机科学) ›› 2023, Vol. 50 ›› Issue (4): 298-307. doi: 10.11896/jsjkx.220300264
杨鹏飞, 蔡瑞杰, 郭世臣, 刘胜利
YANG Pengfei, CAI Ruijie, GUO Shichen, LIU Shengli
Abstract: The IOS-XE network operating system is widely deployed on Cisco core routing and switching nodes, so its security is critically important. However, because its design focuses on fast data forwarding and lacks protection for the system itself, it faces significant risk. In addition, existing intrusion detection methods designed for the traditional IOS system, once ported to IOS-XE, suffer from poor real-time performance, inaccurate detection results and incomplete detection coverage. To strengthen the security of IOS-XE itself, this paper proposes a container-based intrusion detection method for Cisco IOS-XE. By deploying a detection container on the router, the method monitors router state changes and user access requests in real time, addressing the detection of configuration-hiding attacks, the decryption of the router's HTTPS management traffic and the real-time monitoring of router state, and thereby achieves real-time detection of intrusions against the IOS-XE system. Experimental results show that the proposed method effectively detects common attacks against IOS-XE routers, including password guessing, Web injection, CLI injection, configuration hiding and backdoor implantation; compared with existing detection methods it offers better real-time performance and accuracy, and effectively improves the protection capability of IOS-XE routing devices.