Establishment And Application Of The Common Server Database In NBOS

Client/Server mode is the most important interactive mode in the Internet,which means servers are the core of network resources.Servers such as Web and DNS,which are widely used in the Internet,can be called the Common Servers.It is very important for Internet security protection to grasp the server-related information in time.The research work of this paper focuses on server role detection and anomaly analysis.A server role detection system was designed and implemented,which can be used to detect servers' role information on given addresses on the Internet,and supports the extensions to new detection types.On this basis,based on the NBOS platform,the role identification of the common servers in CERNET were performed,and the Common Server Database of CERNET was established.A set of anomaly detection rules for campus network were designed to support the generation of detection reports on common servers of campus network.In the aspect of server role detection,the paper first analyzed the strategy of collecting server role information of the existing platform who provides server role services on the Internet,and determined to use proactive detection method to grab banner information.Then the server role detection system was designed and implemented.The system consists of three parts: detection module,communication module and webpage module,and supports personal users to use the detection function through web pages and program users through the programming interface at the same time.After detailed analysis of the interaction process of Web,DNS,Mail and NTP servers,the system currently implements the role detection scheme for grabbing the banner information and abnormal information of these four types of servers.At the same time,it supports self-expanding support for detection of new server types.Based on the server role detection system,the Common Server Database in NBOS was designed and implemented,which includes role information of all common servers in CERNET.In order to overcome the problem of too large scale of detection data,an efficient algorithm for constructing detection datasets that combines active measurement and passive measurement based on the flow record data provided by NBOS was proposed.With the support of this algorithm,the Common Server Database in NBOS only needs to detect 1.69% of the total number of combinations to complete the collection of the role information of the four types of common servers in CERNET.As a result,the CERNET network-wide data update cycle is shortened to 3 to 5 days.A random DNS experiment verified that the recall rate is 100%,compared with 40% and 17.3% for Shodan and ZoomEye at the same time.In terms of anomaly analysis,ten types of server abnormalities were proposed through the data provided by the Common Server Database,and matching rule for each abnormal situation was formulated.Based on this,the common server detection report for each campus network that accesses to CERNET is generated.The report can extract abnormal information from the massive measurement data and provide more effective support for the safe operation of the campus network.