Computer Science (计算机科学) ›› 2023, Vol. 50 ›› Issue (4): 298-307. doi: 10.11896/jsjkx.220300264

• Information Security •

Container-based Intrusion Detection Method for Cisco IOS-XE
(一种基于容器的Cisco IOS-XE系统入侵检测方法)

YANG Pengfei (杨鹏飞), CAI Ruijie (蔡瑞杰), GUO Shichen (郭世臣), LIU Shengli (刘胜利)

  1. State Key Laboratory of Mathematical Engineering and Advanced Computing, Zhengzhou 450001, China
     Strategic Support Force Information Engineering University (战略支援部队信息工程大学), Zhengzhou 450001, China
  • Received: 2022-03-29  Revised: 2022-09-14  Online: 2023-04-15  Published: 2023-04-06
  • Corresponding author: LIU Shengli (dr_liushengli@163.com)
  • About the authors: YANG Pengfei, born in 1990, postgraduate (graduated_learning@outlook.com). His main research interests include network device security and network attack detection.
    LIU Shengli, born in 1973, Ph.D., professor. His main research interests include network device security and network attack detection.
  • Supported by:
    Foundation Strengthening Key Project of the Science & Technology Commission (2019-JCJQ-ZD-113).

Abstract: IOS-XE is the network operating system that Cisco ships on its core routing and switching platforms, so its security matters. Its design is centred on fast packet forwarding, however, and it offers little protection for itself, which leaves the system exposed. Intrusion detection methods built for classic IOS also transfer poorly to IOS-XE: once ported they react slowly, produce inaccurate results and cover only part of the attack surface. To harden IOS-XE itself, this paper proposes a container-based intrusion detection method for the Cisco IOS-XE system. A detection container deployed on the router monitors router state changes and user access requests in real time; it addresses the detection of configuration-hiding attacks, the decryption of the router's HTTPS management traffic and the real-time monitoring of router state, and thereby detects intrusions into the IOS-XE system as they happen. Experimental results show that the method detects the common attacks against IOS-XE routers, including password guessing, Web injection, CLI injection, configuration hiding and backdoor implantation, and that it is more timely and more accurate than existing detection methods, which improves the defensive capability of IOS-XE routing devices.

Key words: Cisco IOS-XE, Container, Configuration hiding attack, Command injection, Intrusion detection
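The abstract names five attack classes the detection container is meant to catch. The Python sketch below is an added illustration, not the paper's implementation, of the kind of heuristics a container sitting beside IOS-XE could apply to data it can observe: failed-login syslog messages (password guessing), the running configuration (an EEM applet that hooks `show run` and replays it through a filter, the classic configuration-hiding trick, plus a `scripting tcl init` line as a Tcl backdoor candidate) and parameter values from decrypted Web UI requests (CLI injection). The syslog lines, the configuration excerpt and the requests are constructed samples; the thresholds, regular expressions and the `/webui/api/example` path are assumptions and not real IOS-XE endpoints.

```python
"""Heuristic checks for the attack classes named in the abstract.

Added example, not the paper's detection container. All sample data below is
constructed, and every pattern, threshold and path is an assumption.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# --- 1. Password guessing: failed logins per source inside a sliding window ---
# Constructed IOS-XE syslog lines ("*Mon DD hh:mm:ss.mmm: %FACILITY-SEV-MNEMONIC: ...").
SYSLOG = """\
*Mar  7 10:01:03.110: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 10.0.0.5] [localport: 22] [Reason: Login Authentication Failed] at 10:01:03 UTC Mon Mar 7 2022
*Mar  7 10:01:04.220: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 10.0.0.5] [localport: 22] [Reason: Login Authentication Failed] at 10:01:04 UTC Mon Mar 7 2022
*Mar  7 10:01:05.330: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: root] [Source: 10.0.0.5] [localport: 22] [Reason: Login Authentication Failed] at 10:01:05 UTC Mon Mar 7 2022
*Mar  7 10:01:06.440: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: cisco] [Source: 10.0.0.5] [localport: 22] [Reason: Login Authentication Failed] at 10:01:06 UTC Mon Mar 7 2022
*Mar  7 10:01:07.550: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 10.0.0.5] [localport: 22] [Reason: Login Authentication Failed] at 10:01:07 UTC Mon Mar 7 2022
*Mar  7 10:30:00.000: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 10.0.0.9] [localport: 22] [Reason: Login Authentication Failed] at 10:30:00 UTC Mon Mar 7 2022
*Mar  7 10:31:12.000: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: admin] [Source: 10.0.0.9] [localport: 22] at 10:31:12 UTC Mon Mar 7 2022
"""

FAIL_RE = re.compile(
    r"^\*(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d)\.\d+: %SEC_LOGIN-4-LOGIN_FAILED: "
    r".*?\[Source: (?P<src>[\d.]+)\]"
)


def detect_password_guessing(syslog, threshold=5, window=timedelta(seconds=60)):
    """Sources with at least `threshold` failed logins inside any `window` (assumed limits)."""
    recent = defaultdict(deque)  # source -> failure timestamps still inside the window
    alerts = set()
    for line in syslog.splitlines():
        m = FAIL_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")  # year-less syslog clock
        q = recent[m["src"]]
        q.append(ts)
        while q and ts - q[0] > window:  # drop failures that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            alerts.add(m["src"])
    return sorted(alerts)


# --- 2. Configuration hiding and backdoor implants in the running configuration ---
# Constructed running-config excerpt. The applet hooks "show run" synchronously (the
# real command never runs) and replays it with a filter, so the planted user never shows.
RUNNING_CONFIG = """\
hostname edge-rtr
username admin privilege 15 secret 9 hash-omitted
username backdoor privilege 15 secret 9 hash-omitted
!
event manager applet hide
 event cli pattern "show run" sync yes
 action 1.0 cli command "enable"
 action 2.0 cli command "show run | exclude backdoor"
 action 3.0 puts "$_cli_result"
!
scripting tcl init flash:/init.tcl
!
line vty 0 4
 transport input ssh
"""

APPLET_RE = re.compile(r"^event manager applet (\S+)")
SHOW_CONFIG_RE = re.compile(r"show\s+(run|start)", re.I)
FILTER_RE = re.compile(r"\|\s*(exclude|include|section)")


def parse_applets(config):
    """Map each EEM applet name to its indented body lines."""
    applets, current = {}, None
    for line in config.splitlines():
        m = APPLET_RE.match(line)
        if m:
            current = m.group(1)
            applets[current] = []
        elif current and line.startswith(" "):
            applets[current].append(line.strip())
        else:
            current = None
    return applets


def detect_config_tampering(config):
    """(kind, detail) findings: applets that hook and filter show run/start, Tcl init scripts."""
    findings = []
    for name, body in parse_applets(config).items():
        hooks_show = any(l.startswith("event cli pattern") and SHOW_CONFIG_RE.search(l) for l in body)
        filters_out = any(l.startswith("action") and "cli command" in l and FILTER_RE.search(l) for l in body)
        if hooks_show and filters_out:
            findings.append(("config-hiding", f"EEM applet {name} hooks show run/start and filters its output"))
    for line in config.splitlines():
        # "scripting tcl init" runs a Tcl script at boot, the usual persistence hook for Tcl backdoors.
        if line.startswith("scripting tcl init"):
            findings.append(("tcl-backdoor", line.strip()))
    return findings


# --- 3. CLI injection in management requests the container has decrypted ---
# Constructed (path, params) pairs; the path is hypothetical, not a real IOS-XE Web UI endpoint.
WEB_REQUESTS = [
    ("/webui/api/example", {"hostname": "edge-rtr"}),
    ("/webui/api/example", {"filter": "Gig | include up; event manager applet x"}),
    ("/webui/api/example", {"name": "test\nusername evil privilege 15 secret evil"}),
]
# Characters that end one CLI or shell command and start another when a value is
# pasted into a command template (assumed heuristic; tune it per endpoint).
CLI_META_RE = re.compile(r"[;|\r\n`]|\$\(")


def detect_cli_injection(requests):
    """(path, param, value) for every parameter value carrying command separators."""
    return [(path, k, v) for path, params in requests for k, v in params.items() if CLI_META_RE.search(v)]


if __name__ == "__main__":
    print("password guessing from:", detect_password_guessing(SYSLOG))
    print("config findings:", detect_config_tampering(RUNNING_CONFIG))
    print("cli injection:", detect_cli_injection(WEB_REQUESTS))
```

One caveat the configuration check makes visible: a synchronous `event cli pattern "show run"` applet also fools a monitor that collects the configuration by issuing `show run` over SSH, because the applet intercepts that command too. The check is only as good as the channel through which the container obtains the configuration, which is the practical reason for placing the detector on the device rather than polling it from outside.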

CLC number: TP393