Computer Science, 2023, Vol. 50, Issue 4: 298-307. doi: 10.11896/jsjkx.220300264

• Information Security •

Container-based Intrusion Detection Method for Cisco IOS-XE

YANG Pengfei, CAI Ruijie, GUO Shichen, LIU Shengli   

  1. State Key Laboratory of Mathematical Engineering and Advanced Computing, Zhengzhou 450001, China
     Information Engineering University, Zhengzhou 450001, China
  • Received: 2022-03-29  Revised: 2022-09-14  Online: 2023-04-15  Published: 2023-04-06
  • About the authors: YANG Pengfei, born in 1990, postgraduate. His main research interests include network device security and network attack detection.
    LIU Shengli, born in 1973, Ph.D, professor. His main research interests include network device security and network attack detection.
  • Supported by:
    Foundation Strengthening Key Project of Science & Technology Commission(2019-JCJQ-ZD-113).

Abstract: The IOS-XE network operating system is widely deployed on Cisco core routing and switching nodes, so its security matters. Its design, however, concentrates on fast traffic forwarding and neglects protection of the system itself, which leaves it exposed to considerable risk. In addition, existing intrusion detection methods developed for classic IOS suffer from poor real-time performance, inaccurate results and incomplete coverage when ported to IOS-XE. To strengthen the security of IOS-XE, this paper proposes a container-based intrusion detection method that monitors the router's state and incoming requests in real time from a detection container deployed on the router itself. It addresses the detection of configuration-hiding attacks, the decryption of the router's HTTPS management traffic and the real-time monitoring of router state, so that intrusions into IOS-XE can be detected as they happen. Experimental results show that the method effectively detects common attacks against IOS-XE routers, including password guessing, web injection, CLI injection, configuration hiding and backdoor implantation. Compared with existing detection methods, it offers better real-time performance and accuracy, and improves the defensive capability of IOS-XE routing devices.
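The abstract does not spell out the detection logic, so the following is an added illustration, not code from the paper or from Cisco: a minimal host-side detector, of the kind a container on the router could run, fed with IOS-XE style syslog lines. It covers three of the attack classes listed above (password guessing, CLI-driven backdoor staging and configuration hiding). Assumptions, all mine: the container receives the router's syslog feed (for example via `logging host <container-ip>`), configuration command logging is enabled (`archive` / `log config` / `logging enable` / `notify syslog`) so that each configuration command appears as `%PARSER-5-CFGLOG_LOGGEDCMD`, and the sample log and running-config text are constructed for the example, not captured from a device. The hiding technique modelled is the publicly known one of an EEM applet registered on the `show running-config` CLI pattern that re-runs the command with an `exclude` filter; the hostnames, account names and IP addresses are invented.

```python
"""Host-side detection over IOS-XE style syslog lines (added illustration,
not the paper's code). Assumes syslog is forwarded to the detection
container and configuration command logging is enabled on the router."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample lines (not from a real device): an SSH brute-force run,
# then a privilege-15 account is created and an EEM applet is registered to
# filter that account out of `show running-config` (configuration hiding).
SAMPLE_LOG = """\
Mar 29 10:15:01.101: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 192.0.2.10] [localport: 22] [Reason: Login Authentication Failed] at 10:15:01 UTC Tue Mar 29 2022
Mar 29 10:15:02.204: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 192.0.2.10] [localport: 22] [Reason: Login Authentication Failed] at 10:15:02 UTC Tue Mar 29 2022
Mar 29 10:15:03.310: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: cisco] [Source: 192.0.2.10] [localport: 22] [Reason: Login Authentication Failed] at 10:15:03 UTC Tue Mar 29 2022
Mar 29 10:15:04.412: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: root] [Source: 192.0.2.10] [localport: 22] [Reason: Login Authentication Failed] at 10:15:04 UTC Tue Mar 29 2022
Mar 29 10:15:05.515: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 192.0.2.10] [localport: 22] [Reason: Login Authentication Failed] at 10:15:05 UTC Tue Mar 29 2022
Mar 29 10:16:00.000: %PARSER-5-CFGLOG_LOGGEDCMD: User:admin  logged command:username svc_backup privilege 15 secret 0 Hunter2!
Mar 29 10:16:10.000: %PARSER-5-CFGLOG_LOGGEDCMD: User:admin  logged command:event manager applet hide_user
Mar 29 10:16:11.000: %PARSER-5-CFGLOG_LOGGEDCMD: User:admin  logged command:event cli pattern "show running-config" sync yes
Mar 29 10:16:13.000: %PARSER-5-CFGLOG_LOGGEDCMD: User:admin  logged command:action 2.0 cli command "show running-config | exclude svc_backup|hide_user"
Mar 29 10:20:00.000: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: ops] [Source: 198.51.100.7] [localport: 22] [Reason: Login Authentication Failed] at 10:20:00 UTC Tue Mar 29 2022
"""

# Constructed running-config as the CLI *displays* it once the applet is
# active: the new account and the applet itself have been filtered out.
SAMPLE_RUNNING_CONFIG = """\
hostname edge-rtr
username admin privilege 15 secret 9 REDACTED
line vty 0 4
 transport input ssh
"""

LOGIN_FAILED = re.compile(r"%SEC_LOGIN-4-LOGIN_FAILED: .*\[Source: (?P<src>[\d.]+)\]")
LOGGED_CMD = re.compile(r"%PARSER-5-CFGLOG_LOGGEDCMD: User:(?P<user>\S+)\s+logged command:(?P<cmd>.*)$")
USERNAME_CMD = re.compile(r"^username (\S+)")

# Configuration commands that deserve an alert, with the reason reported.
SUSPICIOUS_CMDS = [
    (re.compile(r"^username \S+ privilege 15"), "new privilege-15 account"),
    (re.compile(r'^event cli pattern "show run'), "EEM applet hooking show running-config (config hiding)"),
    (re.compile(r"^action \S+ cli command .*\|\s*exclude"), "EEM action filtering CLI output (config hiding)"),
    (re.compile(r"^(tclsh|scripting tcl init|kron )"), "Tcl/kron persistence primitive (backdoor staging)"),
]


def parse_timestamp(line):
    """Parse the leading 'Mon DD HH:MM:SS.mmm' stamp; the year is irrelevant for deltas."""
    return datetime.strptime(line.split(": %", 1)[0], "%b %d %H:%M:%S.%f")


def detect_password_guessing(lines, threshold=5, window_s=60):
    """Return {source_ip: peak_failures} for sources reaching `threshold`
    login failures inside any sliding window of `window_s` seconds."""
    recent, flagged = defaultdict(deque), {}
    for line in lines:
        m = LOGIN_FAILED.search(line)
        if not m:
            continue
        ts, q = parse_timestamp(line), recent[m["src"]]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_s:   # drop failures outside the window
            q.popleft()
        if len(q) >= threshold:
            flagged[m["src"]] = max(flagged.get(m["src"], 0), len(q))
    return flagged


def detect_suspicious_commands(lines):
    """Return [(user, command, reason)] for logged config commands matching SUSPICIOUS_CMDS."""
    findings = []
    for line in lines:
        m = LOGGED_CMD.search(line)
        if not m:
            continue
        cmd = m["cmd"].strip()
        for pattern, reason in SUSPICIOUS_CMDS:
            if pattern.search(cmd):
                findings.append((m["user"], cmd, reason))
                break
    return findings


def detect_hidden_users(lines, running_config):
    """Accounts created by a logged `username` command but missing from the
    running-config the CLI shows: evidence that the displayed output is filtered."""
    created = set()
    for line in lines:
        m = LOGGED_CMD.search(line)
        u = USERNAME_CMD.match(m["cmd"].strip()) if m else None
        if u:
            created.add(u.group(1))
    visible = {u.group(1) for u in map(USERNAME_CMD.match, map(str.strip, running_config.splitlines())) if u}
    return created - visible


def run_all(log=SAMPLE_LOG, running_config=SAMPLE_RUNNING_CONFIG):
    lines = log.splitlines()
    return {
        "password_guessing": detect_password_guessing(lines),
        "suspicious_commands": detect_suspicious_commands(lines),
        "hidden_users": detect_hidden_users(lines, running_config),
    }


if __name__ == "__main__":
    for name, result in run_all().items():
        print(f"{name}: {result}")
```

Two caveats a practitioner should keep in mind. The hidden-user check only works if command logging was already on when the account was created, and an attacker with privilege 15 can switch logging off or point `logging host` elsewhere, which is exactly why the abstract stresses monitoring router state from an isolated container rather than trusting what the CLI prints. And the sliding-window brute-force rule keys on the source address, so a distributed guessing campaign (one attempt per source) slips under the threshold unless you also count failures per target account.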

Key words: Cisco IOS-XE, Container, Configuration-hiding attack, Command injection, Intrusion detection

CLC Number: TP393