[1] HAN Jie, FENG Mei-qi, LI Jian-xin. Research on Application of Anti-traceability Technology Based on Serverless[J]. Computer Technology and Development, 2023, 33(12): 143-148. [doi:10.3969/j.issn.1673-629X.2023.12.020]

Research on Application of Anti-traceability Technology Based on Serverless

Computer Technology and Development [ISSN:1006-6977/CN:61-1281/TN]

Volume:
33
Issue:
2023, No. 12
Pages:
143-148
Column:
Cyberspace Security
Publication date:
2023-12-10

Article Info

Title:
Research on Application of Anti-traceability Technology Based on Serverless
Article ID:
1673-629X(2023)12-0143-06
Author(s):
HAN Jie1 FENG Mei-qi2 LI Jian-xin2
1. Beijing Aerospace Wanyuan Science & Technology Co., Ltd., Beijing 100176, China;
2. Operation Center, TravelSky Technology Limited, Beijing 101318, China
Keywords:
network attack-defense; attack traceability; anti-traceability; Serverless; attack detection
Classification number:
TP393.08
DOI:
10.3969/j.issn.1673-629X.2023.12.020
Abstract:
With the network gradually becoming the main battlefield of ideological competition, the technical means of both the attacking and defending sides are increasingly refined in a continuous game. Existing anti-traceability means cannot evade the defender's multi-dimensional, multi-technology traceability means, and are more likely to be traced and countered by the defender. We propose an application idea for anti-traceability technology based on Serverless, which uses the event-driven and auto-scaling features of Serverless so that IP addresses in different availability zones are called automatically when the user requests the target, thereby hiding the user's real IP address. At the same time, because Serverless separates application development from the server, attackers can write attack code directly, which is also more conducive to hiding their identity. Feasibility is tested and verified using cloud functions in Serverless together with the CobaltStrike software; it is found that the approach hides the attack source well and that the defender cannot trace back to the real attack source. From the defender's perspective, the traffic characteristics are then analyzed in detail, and an attack detection model is built on two dimensions: characteristic values and access statistical characteristics. By simulating actual attack behavior and normal business behavior, it is verified that the detection model detects the attack behavior well and can distinguish attack behavior from normal business behavior. To some extent it can reduce false alarms, reduce the impact on normal business, and improve the efficiency of handling security events, providing a detection idea for the defender's intrusion detection.

Last Update: 2023-12-10