Introduction

What is the background of information security technology research?

Advances in computing and the rapid growth of its applications

The widening of communication channels and the enhancement of communication capabilities

What is the significance of information security technology research?

What is the main research content of information security technology?

Information security technology

A comprehensive interdisciplinary field;

Makes comprehensive use of accumulated knowledge and development achievements from computer science, communications, mathematics, physics and many other disciplines;

Independent innovative research, strengthened top-level design, and systematic, complete, collaborative solutions.

Role of public-key cryptography

Key agreement, digital signature, and message authentication

Security protocol theory and technology

Research contents:

– Three mechanisms: encryption mechanism, authentication mechanism and protection mechanism;

– Design and analysis of practical security protocols;

– Research on security analysis methods for security protocols;

– Attack testing methods; formal analysis methods.

In formal analysis, three lines of research have been successful:

Modal logics for reasoning about knowledge and belief;

State-search tools and theorem-proving techniques;

Correctness proofs developed on the basis of new protocol models

Security architecture theory and technology

Establishing security system models and their formal description and analysis;

Research on security policies and mechanisms;

Establishing system security inspection methods and criteria;

System development based on the relevant models, policies and criteria.

Development and evolution:

1980s: TCSEC, the earliest guideline for secure information system architecture, issued by the US Department of Defense;

1990s: Britain, France, Germany and the Netherlands proposed ITSEC, which introduced the concepts of confidentiality, integrity and availability;

Information adversarial theory and technology

Intrusion and anti-intrusion

Principles and technology of intrusion detection;

Counterattack methods;

Emergency response systems;

Information analysis and monitoring;

Hacker prevention systems;

Information camouflage theory and methods;

Application of artificial immune systems in anti-virus and anti-intrusion systems

Network security and security products

Factors driving the development of domestic information security industry:

Enterprise informatization and society informatization;

The leading and promoting role of government;

The growing maturity of security technologies and products.

Main security products:

Firewall: packet filtering technology, application gateway technology, proxy service technology

Secure router: uses access control technology to control the flow of network traffic

Physical security of computer systems

System reliability (redundancy, fault tolerance, dedicated)

System availability (normal operation, fault recovery)

System component consistency (Properly configured)

Network interconnection (connectivity versus isolation, wiring)

Environmental safety (power distribution, grounding, protection)

Inspection and acceptance (according to standards, codes, contracts and agreements)

Introduction to cryptography

Disciplines involved in security and confidentiality:

Information theory: messages generate information as they move

Information must be protected during communication

Today both static and dynamic data need to be protected

Cryptography: its early role was confidentiality; today, besides confidentiality, it also provides authentication and identification

Confidentiality originally meant the encryption of messages and documents

Today it covers not only text and documents but any text, graphics, images, sound and other multimedia information;

Confidentiality of physical entities such as hardware components and circuits

Confidentiality of virtual entities such as trains of thought, thinking and intentions

The relationship and difference between coding systems and cryptographic systems

In a coding system, words or phrases are replaced by other words or phrases; the aim is to hide meaning, and the level of security protection is low

In a cryptographic system, obtaining the key is the crux of breaking in and decrypting

Encryption modes of symmetric cryptosystems:

Stream ciphers: encrypt the plaintext character by character or bit by bit; stream ciphers were the mainstream of manual and mechanical ciphers

Block ciphers: the plaintext is divided into fixed-length blocks

DES

Message authentication and digital signature

Problems posed by communication threats

1. Disclosure: message contents are released to any person or process not possessing the legitimate key

2. Traffic analysis: discovery of the pattern of traffic between parties; in a connection-oriented application, the frequency and duration of connections can be determined

3. Forgery (masquerade): insertion of messages into the network from a fraudulent source

4. Content modification: the message contents are altered by insertion, deletion, transposition or modification

5. Sequence modification: insertion, deletion or reordering of a sequence of messages

6. Timing modification: delay or replay of messages

7. Repudiation: the recipient denies receiving the message, or the sender denies sending it
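The following Python receiver is an added example, not part of the notes: it shows how a message authentication code over the sequence number, timestamp and payload lets the receiver detect threats 3 to 6 above (forgery, content modification, sequence modification, and delay or replay). The shared key, the fixed clock value and the messages are constructed for the demonstration; a shared-key MAC does not address threat 7, repudiation, which needs a digital signature.

```python
import hmac
import hashlib
import time

# Constructed shared secret for this demonstration only.
KEY = b"example-shared-secret-do-not-reuse"
MAX_AGE_SECONDS = 30      # tolerated delivery delay / clock skew


def tag_for(key, seq, ts, payload):
    # The tag covers the sequence number and timestamp as well as the
    # payload, so reordering, replaying or delaying a message breaks it
    # just as surely as editing the content does.
    header = f"{seq}|{ts}|".encode()
    return hmac.new(key, header + payload, hashlib.sha256).hexdigest()


def make_message(key, seq, ts, payload):
    """Sender side: frame a message as seq, timestamp, payload and tag."""
    return {"seq": seq, "ts": ts, "payload": payload.decode(),
            "tag": tag_for(key, seq, ts, payload)}


class Receiver:
    def __init__(self, key, now=time.time):
        self.key = key
        self.last_seq = 0        # highest sequence number accepted so far
        self.now = now           # injectable clock, for testing

    def verify(self, msg):
        """Return 'ok' or the name of the threat that was detected."""
        expected = tag_for(self.key, msg["seq"], msg["ts"],
                           msg["payload"].encode())
        # Constant-time comparison so tag bytes do not leak through timing.
        if not hmac.compare_digest(expected, msg["tag"]):
            # A wrong key (forgery) and an edited payload (content
            # modification) are indistinguishable here: both fail the tag.
            return "forgery-or-modification"
        if msg["seq"] <= self.last_seq:
            # A repeated or older sequence number: replay or reordering.
            return "replay-or-sequence-modification"
        if self.now() - msg["ts"] > MAX_AGE_SECONDS:
            return "timing-modification"
        self.last_seq = msg["seq"]
        return "ok"


def demo():
    """Feed constructed messages to a receiver; returns the verdict list."""
    clock = 1_700_000_000.0
    rx = Receiver(KEY, now=lambda: clock)
    verdicts = []
    m1 = make_message(KEY, 1, clock, b"transfer 10")
    verdicts.append(rx.verify(m1))                      # genuine: ok
    verdicts.append(rx.verify(m1))                      # same message again: replay
    tampered = dict(make_message(KEY, 2, clock, b"transfer 10"),
                    payload="transfer 90")              # payload edited in transit
    verdicts.append(rx.verify(tampered))
    forged = make_message(b"attacker-guess", 2, clock, b"transfer 10")
    verdicts.append(rx.verify(forged))                  # wrong key
    stale = make_message(KEY, 2, clock - 120, b"transfer 10")
    verdicts.append(rx.verify(stale))                   # delayed by 120 s
    verdicts.append(rx.verify(make_message(KEY, 3, clock, b"transfer 10")))  # ok
    verdicts.append(rx.verify(make_message(KEY, 2, clock, b"transfer 10")))  # arrives after 3
    return verdicts


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

Note that the receiver checks the tag before looking at the sequence number or timestamp: an unauthenticated header must not be allowed to move the receiver's state, otherwise a forged message could advance `last_seq` and cause genuine messages to be dropped.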

Information hiding mainly studies how to hide secret information inside other, public information, and how to transmit secret information through the transmission of public information

Digital watermark: a string of visible or invisible, non-removable digital code embedded in host multimedia data (such as an image or video).

This string of digits typically encodes the state of the host data, copyright or control information, or a pseudo-random sequence

Kerberos

Security Services:

In computer communication networks, the main security protection measures are called security services.

According to ISO 7498-2, security services include:

1. Data Confidentiality

2. Data Integrity

3. Non-repudiation

4. Authentication

5. Access Control

Identity authentication

Access control

Access control: the process of restricting access to system resources in a computer network to authorized users, programs, processes, or other systems.

Access control mechanism: hardware or software functions, operating procedures, management procedures, and any combination of them, designed to detect and prevent unauthorized access and to permit authorized access in an information system

Access control: subject-to-object access is controlled as a way of enforcing authorization.

Access control consists of three elements: subject, object and control policy.

Subject: an active entity, abbreviated S, that can perform actions on other entities.

Object: a passive entity that is accessed by another entity, abbreviated O.

Control policy: the set of operations and constraints between subjects and objects, abbreviated KS.

Ways to prevent unauthorized users from accessing a target:

Access request filtering

Separation

Access Control Policies (Key Review)

Discretionary access control (DAC):

Identity-based policy; following the principle of least privilege, multiple users may be grouped together and given a common identifier

A subject holding discretionary access permission can transfer access rights to other subjects

Access control list (ACL)

The characteristic of DAC is that the subject can revoke permissions or transfer existing permissions

Access control capability list (ACCL): understood as an identity held by the user

Mandatory access control (MAC):

Rule-based policy, used for classified military operations

Multilevel policy

Classification levels of objects: top secret, secret, confidential, restricted, unclassified

Each user also has a permitted security level. To prevent disclosure, writes may only go up; to guarantee integrity, writes may only go down

The MAC and DAC models are the traditional access control models.

Implementation of MAC and DAC:

Each user is typically given a set of access rules for objects

Users freely grant access to their own objects to other users

Disadvantages:

The system administrator's workload becomes very onerous

Prone to errors and security loopholes.

Role-based access control (RBAC):

Permission inheritance
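The three policies above can be compared side by side in code. The following Python module is an added example, not from the notes or any product: `mac_allows` applies the multilevel rules (writes only upward for confidentiality, only downward for integrity) over the five classification levels listed above, `DacObject` is an object whose owner edits an ACL and may grant or revoke rights, and `Rbac` resolves a user's permissions through role inheritance. The level names, users, roles and permissions are constructed for the demonstration.

```python
from enum import IntEnum


class Level(IntEnum):
    # Classification levels from the notes, lowest to highest.
    UNCLASSIFIED = 0
    RESTRICTED = 1
    CONFIDENTIAL = 2
    SECRET = 3
    TOP_SECRET = 4


def mac_allows(subject, obj, op, goal="confidentiality"):
    """Mandatory check between a subject clearance and an object level.

    goal="confidentiality": Bell-LaPadula rules, no read up and no write
    down, so writes may only go up.  goal="integrity": Biba rules, no read
    down and no write up, so writes may only go down.  op is "read" or "write".
    """
    if op not in ("read", "write"):
        raise ValueError(op)
    if goal == "confidentiality":
        return obj <= subject if op == "read" else obj >= subject
    if goal == "integrity":
        return obj >= subject if op == "read" else obj <= subject
    raise ValueError(goal)


class DacObject:
    """An object under discretionary control: an ACL the owner may edit."""

    def __init__(self, owner):
        self.owner = owner
        self.acl = {owner: {"read", "write", "grant"}}

    def grant(self, granter, subject, right):
        # Only a subject holding "grant" may transfer rights to others.
        if "grant" not in self.acl.get(granter, set()):
            return False
        self.acl.setdefault(subject, set()).add(right)
        return True

    def revoke(self, revoker, subject, right):
        if "grant" not in self.acl.get(revoker, set()):
            return False
        self.acl.get(subject, set()).discard(right)
        return True

    def allows(self, subject, right):
        return right in self.acl.get(subject, set())


class Rbac:
    """Roles with permission inheritance along a role hierarchy."""

    def __init__(self):
        self.parents = {}    # role -> roles it inherits from
        self.perms = {}      # role -> permissions assigned directly
        self.members = {}    # user -> roles assigned

    def add_role(self, role, inherits=(), perms=()):
        self.parents[role] = set(inherits)
        self.perms[role] = set(perms)

    def assign(self, user, role):
        self.members.setdefault(user, set()).add(role)

    def effective_perms(self, user):
        # Walk up the hierarchy: a role holds its parents' permissions too.
        todo, seen, out = list(self.members.get(user, ())), set(), set()
        while todo:
            role = todo.pop()
            if role in seen:
                continue
            seen.add(role)
            out |= self.perms.get(role, set())
            todo.extend(self.parents.get(role, ()))
        return out

    def allows(self, user, perm):
        return perm in self.effective_perms(user)
```

The DAC class makes the disadvantage noted below concrete: because any holder of `grant` can hand rights onward, the administrator cannot tell from the policy alone who ends up with access, whereas under MAC the answer follows from the two levels and nothing else, and under RBAC it follows from the role hierarchy.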

Additional elements of access control:

Access control products:

SunScreen

WeBST security platform

HP Praesidium authorization server

NetKey Network security authentication system

Cisco NetRanger

PKI technology

PKI (Public Key Infrastructure)

Provides a foundation and framework for addressing these issues

X.509 defines PKI as the collection of hardware, software, people, and processes required to create, manage, store, distribute, and revoke digital certificates based on public-key cryptosystems.

Managed objects: certificates, keys, certificate revocation

Certificate is sometimes abbreviated to "cert"

PKI applies to heterogeneous environments, so the certificate format must be consistent across all applications

A certificate is issued by an organization to a security principal, so the authority of the certificate depends on the authority of the organization

The most important information in a certificate is the subject name, the subject's public key, the issuing institution's signature, the algorithm, and the intended purpose

Signing certificates are kept separate from encryption certificates

The most common certificate format is X.509 v3

PKI technically solves security problems such as online identity authentication, information integrity and non-repudiation.

Note that Subject Unique is preceded by an extension field

Computer security and malware

Security of computer operating system

Operating system security

Internal memory protection

User authentication

Access control

Windows security mechanism

The core functionality of the Windows security service includes the Active Directory (AD) service, PKI integration, support for the Kerberos V5 authentication protocol, EFS to protect local data, and the use of IPSec to support secure communication over public networks.

Computer software security

Software security concept: an engineering approach that allows software to continue to function correctly under hostile attack; that is, the use of systematic, standardized and quantitative methods to guide the construction of secure software.

Knowledge system of software security:

Prescriptive knowledge: provides advice on what to avoid when building secure software

Diagnostic knowledge:

• Attack patterns describe common attack programs in an abstract form that applies to situations spanning multiple systems, i.e. attack patterns that occur in many systems. Security analysts can use this knowledge, for example in reliability testing based on abuse cases.

• An attack program (exploit) describes how an instance of a vulnerability can be used to cause a particular security compromise in a particular system.

• Vulnerability knowledge is a description of software weaknesses that have occurred and been reported in real systems

Historical knowledge:

Includes historical databases of risks and, in some cases, vulnerabilities.

Key work in software development: secure coding, security testing, secure design

• Software security requirements and design are the foundation for developing secure software

• Software security requirements analysis

– Establish a threat analysis plan based on risk management

– Create the definition of software security requirements and ensure that the definition is correct

– Security requirements must be documented

• Software security design

– Every requirement of a software system should be carefully considered during the software security design phase

Anti-tracking technology in software operation:

• 1. Suppress trace commands

• DEBUG runs the system single-step interrupt and breakpoint interrupt service routines when executing the T command and the G command respectively. In the system interrupt vector table these two interrupts have vectors 1 and 3, and their service routine entry addresses are stored in the four bytes starting at memory 0000:0004 and 0000:000C respectively, where the first two bytes hold the offset address and the last two the segment address. Changing the contents of these cells therefore prevents the T and G commands from executing properly, thus suppressing trace commands.

• 2. Block keyboard input

• 1) Change the entry address of the keyboard interrupt service routine.

• 2) Disable keyboard interrupts.

• 3) Refuse to accept keyboard data.

• 3. Change CRT display characteristics

• 1) After each debug command executes, the results are displayed on the screen for the person to view.

• 2) When debugging information is displayed, the screen is automatically scrolled or paged.

• 4. Timing technique

• Suppose there are two points A and B in the program. Under normal circumstances the running time from A to B is C, but when the program is being traced execution is slower and the time required is much longer than C, so the time difference can be used to determine whether someone is tracing the program. How is the actual running time between A and B obtained? The PC motherboard has an 8253 timer whose channel 0 provides a fixed real-time counter for general-purpose timing, and in the ROM BIOS software interrupt 1AH provides the ability to read the current clock value.

How encryption software works:

• 1. Working modes of encryption software

• Encryption software works in the following ways:

• (1) Shell type

• (2) Embedded type

• (3) Combined type

• 2. Restriction techniques

• Restriction is a form of validation of what the user is about to do, that is, who they are, what characteristics they have, and what permissions they have. The most typical restriction techniques are passwords and access control.

• (1) Password restriction technique

• (2) Access control technique

Malicious code survival techniques

  • Malicious code concept: malicious code is a program or code that deliberately and without authorization damages the security and integrity of a computer system

  • Malicious code classification:

  • Malicious code attack techniques:

  • Malicious code generation techniques: anti-tracking technology, encryption technology, obfuscation and mutation technology, automatic generation technology (anti-self-modeling)

  • Malicious code hiding techniques:

  • A computer virus runs and spreads by running its host program; if the host program does not run it can do nothing, that is, it needs a host

  • A worm is a program that can run independently, replicating itself and spreading across a network

  • Trojan: a program that appears to perform some useful function but hides malicious code inside.

  • Trojan three-thread technique: main monitoring thread, monitoring thread, daemon thread

  • Prevention

  • 1. General computer virus prevention

    The best way to deal with computer viruses is "prevention first". By taking all kinds of effective preventive measures and strengthening legal, management and technical means, virus intrusion can be avoided more effectively; therefore computer virus prevention should adopt a prevention-based strategy.

    2. Trojan horse virus prevention

    Because of the particular nature of Trojan viruses, timely and effective prevention is needed, so that prevention comes first.

    ① Do not click on emails from unknown sources.

    ② Do not download unknown software.

    ③ Repair vulnerabilities promptly and close all suspicious ports.

    ④ Use a real-time monitoring program.

    Detection

    1. Initial detection according to abnormal symptoms

    (1) Preliminary detection of general viruses

    ① The computer behaves abnormally ② The screen is abnormal

    ③ Sound playback is abnormal ④ Files or the system are abnormal

    ⑤ Peripherals are abnormal ⑥ The network is abnormal

    (2) Trojan virus detection

    ① View open ports ② View the system configuration files

    ③ Check system processes ④ Check the registry

    2. Use professional software and methods for detection

    (1) Signature (feature code) method

    (2) Checksum method

    (3) Behavior monitoring

    (4) Software simulation method
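The checksum method listed above is the one of the four that needs no prior knowledge of a particular virus, so it is worth seeing how little it takes. The Python below is an added example, not code from the notes or from any anti-virus product: a baseline of SHA-256 checksums is recorded on a known-clean system, and a later pass reports every file that was modified, removed or added. The file contents are constructed byte strings, not real binaries.

```python
import hashlib


def checksum(data):
    """SHA-256 of a file's bytes; any edit to the content changes it."""
    return hashlib.sha256(data).hexdigest()


def build_baseline(files):
    """files maps path -> bytes, taken from a known-clean system.
    Returns the path -> checksum table that is stored for later checks."""
    return {path: checksum(data) for path, data in files.items()}


def verify(baseline, files):
    """Compare current file contents with the stored baseline.

    Returns sorted lists of modified, missing and new paths.  The method
    notices any change, including a virus that was unknown when the
    baseline was taken, but it cannot say what caused the change."""
    report = {"modified": [], "missing": [], "new": []}
    for path, expected in baseline.items():
        if path not in files:
            report["missing"].append(path)
        elif checksum(files[path]) != expected:
            report["modified"].append(path)
    report["new"] = [path for path in files if path not in baseline]
    for key in report:
        report[key].sort()
    return report


def demo():
    """Constructed 'files' (not real binaries): a clean baseline, then the
    same set after a simulated infection."""
    clean = {
        "/bin/ls": b"\x7fELF constructed ls bytes",
        "/bin/cat": b"\x7fELF constructed cat bytes",
        "/etc/hosts": b"127.0.0.1 localhost\n",
    }
    baseline = build_baseline(clean)
    after = dict(clean)
    after["/bin/ls"] = clean["/bin/ls"] + b"[simulated appended virus body]"
    after["/tmp/dropper"] = b"[simulated new file]"
    del after["/bin/cat"]
    return verify(baseline, after)


if __name__ == "__main__":
    print(demo())
```

The baseline table is only as trustworthy as its storage: if it sits on the same writable disk as the files it protects, a modification can be hidden by rewriting the table as well, so in practice it is kept read-only or signed.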

    Removal

    1. Common virus removal methods

    Although a variety of anti-virus software and firewall protection exists, computer infection is still very common; if a computer is accidentally infected, the virus must be cleaned up in time. Based on the extent of the virus damage, the following measures can be taken to remove viruses:

    ① Removal methods for common prevalent viruses.

    ② According to the severity of system file damage.

    ③ Use the registry to clear it.

    2. Removing Trojan viruses

    (1) Manual deletion.

    (2) Removal with antivirus software.

Firewall technology for network security

• A firewall is a collection of components that enforces internetwork access control between two (or more) networks;

• It meets the following conditions:

– All traffic between the internal and external networks must pass through the firewall

– Only traffic that conforms to the security policy may pass through the firewall

– The firewall itself is immune to penetration

• In terms of the technology used, firewalls can be divided into:

– Packet filtering firewall

• Static packet filtering firewall

• Dynamic packet filtering firewall

– Proxy server firewall

– Circuit-level gateway

– Hybrid firewall

• The simplest firewall configuration is to install a packet filtering router or an application gateway directly between the intranet and the extranet. For better security, several firewall technologies are sometimes combined to build a firewall system.

• The following three firewall configurations are currently popular:

– Dual-homed host mode: the bastion host is installed between the intranet and the extranet

– Screened host mode: a packet filtering router (only inbound packets addressed to the bastion host are allowed in, and only outbound packets sent from the bastion host are allowed out) plus a bastion host. If the router is breached, the attacker can communicate directly with the intranet

– Screened subnet mode: a router is added at each end
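The screened-host router rule above ("only inbound packets to the bastion, only outbound packets from the bastion") is a small static packet filter. The following Python is an added example, not from the notes or any firewall product: a first-match rule table with default deny, and a `screened_host_rules` table that also rejects inbound packets carrying an internal source address, since those can only be spoofed. Addresses, ports and the packets in `demo` are constructed for the demonstration.

```python
from ipaddress import ip_address, ip_network, IPv4Network

# Constructed addresses for this example (private and documentation ranges).
INTERNAL = ip_network("10.0.0.0/24")
BASTION = ip_address("10.0.0.10")


def _addr_matches(addr, spec):
    if spec is None:
        return True
    if isinstance(spec, IPv4Network):
        return addr in spec
    return addr == spec


class Rule:
    """One line of the router's filter table; None means 'any'."""

    def __init__(self, action, direction, src=None, dst=None,
                 proto=None, dport=None):
        self.action = action          # "permit" or "deny"
        self.direction = direction    # "in" (from extranet) or "out"
        self.src, self.dst = src, dst
        self.proto, self.dport = proto, dport

    def matches(self, pkt):
        return (self.direction == pkt["direction"]
                and _addr_matches(pkt["src"], self.src)
                and _addr_matches(pkt["dst"], self.dst)
                and self.proto in (None, pkt["proto"])
                and self.dport in (None, pkt["dport"]))


def screened_host_rules(bastion=BASTION, internal=INTERNAL):
    """Screened-host policy: inbound only to the bastion, and only on the
    services it offers; outbound only from the bastion.  Inbound packets
    claiming an internal source address are dropped as spoofed."""
    return [
        Rule("deny", "in", src=internal),                    # anti-spoofing
        Rule("permit", "in", dst=bastion, proto="tcp", dport=25),
        Rule("permit", "in", dst=bastion, proto="tcp", dport=443),
        Rule("permit", "out", src=bastion),
    ]


def filter_packet(rules, pkt):
    """First matching rule decides; no match means deny, so only flows
    the policy explicitly allows can pass."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "deny"


def packet(direction, src, dst, proto, dport):
    return {"direction": direction, "src": ip_address(src),
            "dst": ip_address(dst), "proto": proto, "dport": dport}


def demo():
    rules = screened_host_rules()
    cases = [
        packet("in", "203.0.113.5", "10.0.0.10", "tcp", 443),  # to bastion: permit
        packet("in", "203.0.113.5", "10.0.0.25", "tcp", 443),  # to inner host: deny
        packet("in", "203.0.113.5", "10.0.0.10", "tcp", 22),   # unoffered service: deny
        packet("in", "10.0.0.25", "10.0.0.10", "tcp", 443),    # spoofed inside src: deny
        packet("out", "10.0.0.25", "203.0.113.5", "tcp", 80),  # not via bastion: deny
        packet("out", "10.0.0.10", "203.0.113.5", "tcp", 80),  # from bastion: permit
    ]
    return [filter_packet(rules, p) for p in cases]


if __name__ == "__main__":
    print(demo())
```

The table illustrates why the notes call out the router as the weak point of this mode: every protection for the inner hosts lives in these few rules, so a router compromise removes all of it at once, which is what the screened-subnet mode's second router is for.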

Network security intrusion detection technology system

Network-based Intrusion Detection System (NIDS)

Data comes from the data stream on the network.

NIDS intercepts packets on the network, extracts their features and compares them with known attack signatures in a knowledge base, thereby achieving detection.

Its advantages are fast detection, good concealment, low vulnerability to attack, and low consumption of host resources;

Its disadvantage is that some attacks are launched from the server's own keyboard and never cross the network, so they cannot be identified; the false positive rate is also high.

Host-based Intrusion Detection System (HIDS)

Data is obtained from the host system, usually system logs and audit records.

HIDS continuously monitors and analyzes system logs and audit records to detect misuse after an attack.

The advantage is that application-layer intrusions are captured for different operating systems, with fewer false positives.

The disadvantage is that it depends on the host and its audit subsystem, and real-time performance is poor

Distributed Intrusion Detection System (DIDS)

An intrusion detection system that uses both of the above data sources, analyzing audit logs from host systems and network data streams at the same time, is generally distributed and consists of multiple components.

DIDS obtains data from multiple hosts and from network transmission, overcoming the deficiencies of a standalone HIDS or NIDS.

The detection mechanisms of intrusion detection systems can be divided into three kinds: anomaly-based detection, signature (feature)-based detection, and a hybrid of the two.

Anomaly-based detection compares system or user behavior with normal behavior to determine whether it is an intrusion. Usually a feature list of normal behaviors is established first, that is, a whitelist. System or user behavior is then compared with the whitelist: if it matches, the behavior is considered normal; otherwise it is considered an intrusion.

Unlike anomaly detection, signature detection assumes that each intrusion can be represented by a unique pattern or signature. A database of abnormal-behavior signatures is therefore established in the system, and system or user behavior is compared against it. If the signatures match, the behavior is regarded as an intrusion; if they do not, the behavior is regarded as normal.
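To see why the two mechanisms are combined into a hybrid, the following Python is an added example, not code from the notes or any IDS: it runs a whitelist (anomaly) check and a signature check over the same constructed audit lines and raises an alert if either fires. The log lines, the whitelist profile, the signature database and the user names are all constructed for the demonstration.

```python
import re

# Constructed host audit lines (not captured from any real system).
SAMPLE_LOG = """\
2024-01-05T10:00:01 user=alice cmd=ls path=/home/alice
2024-01-05T10:00:05 user=alice cmd=cat path=/home/alice/notes.txt
2024-01-05T10:01:10 user=bob cmd=cat path=/etc/shadow
2024-01-05T10:02:00 user=alice cmd=curl url=http://198.51.100.7/x.sh
2024-01-05T10:02:03 user=www cmd=GET path=/index.php?id=1' OR '1'='1
2024-01-05T10:03:00 user=svc_backup cmd=tar path=/var/backups
"""

LINE_RE = re.compile(r"^(\S+) user=(\S+) cmd=(\S+) (\w+)=(.*)$")

# Anomaly mechanism: the "whitelist" of (user, command) pairs seen during a
# training period.  Anything outside the profile is abnormal by definition.
NORMAL_PROFILE = {("alice", "ls"), ("alice", "cat"),
                  ("www", "GET"), ("svc_backup", "tar")}

# Signature mechanism: the feature database of known attack patterns,
# matched against the command argument.
SIGNATURES = {
    "shadow-file-access": re.compile(r"/etc/shadow\b"),
    "path-traversal": re.compile(r"\.\./\.\./"),
    "sqli-tautology": re.compile(r"'\s*OR\s*'1'\s*=\s*'1", re.IGNORECASE),
}


def parse(line):
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, user, cmd, _key, value = m.groups()
    return {"ts": ts, "user": user, "cmd": cmd, "arg": value}


def anomaly_detect(event, profile=NORMAL_PROFILE):
    """True when the behaviour is outside the whitelist."""
    return (event["user"], event["cmd"]) not in profile


def signature_detect(event, signatures=SIGNATURES):
    """Names of the known-attack signatures the event matches."""
    return [name for name, rx in signatures.items() if rx.search(event["arg"])]


def analyze(log=SAMPLE_LOG):
    """Run both mechanisms over every line and combine them (the hybrid
    mechanism): an alert is raised if either one fires."""
    findings = []
    for line in log.splitlines():
        event = parse(line)
        if event is None:
            continue
        anomaly = anomaly_detect(event)
        sigs = signature_detect(event)
        findings.append({"ts": event["ts"], "user": event["user"],
                         "cmd": event["cmd"], "anomaly": anomaly,
                         "signatures": sigs, "alert": anomaly or bool(sigs)})
    return findings


if __name__ == "__main__":
    for finding in analyze():
        print(finding)
```

On this input the fourth line (an unusual download by a whitelisted user) is caught only by the anomaly mechanism, because no signature describes it, while the fifth (a web request by the whitelisted `www` account) is caught only by the signature mechanism, because the whitelist sees an ordinary `GET`. Each mechanism alone would miss one of the two, which is the case for the hybrid.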

New technology of network security

• A honeypot is a computer system operated on the Internet specifically to attract and "trap" people who try to break into other people's computer systems illegally. A honeypot is a decoy system containing vulnerabilities; by simulating one or more vulnerable hosts it provides an easy target for attackers.

• The honeypot is used to delay the attacker's attack on the real target, making the attacker waste time on the honeypot. In this way the original target is protected and the truly valuable content is not compromised. In addition, honeypots can provide useful clues for investigators and gather strong evidence for prosecuting attackers.

(1) Protection (2) Detection (3) Reaction (4) Policy

• P2DR: Policy, Protection, Detection, and Reaction.

Security architecture and evaluation criteria

## Perception of personal growth: look deeply, calm down

One person is a team: build a portfolio of competencies that form a core competence, around some core