
Research On Web Active Defense Technology Based On Software Diversity

Posted on: 2021-12-30
Degree: Master
Type: Thesis
Country: China
Candidate: Z W Liu
GTID: 2518306230972049
Subject: Cyberspace security

Abstract/Summary:
Web services have grown rapidly with the development of the Internet, and analysis of and research on their security have become increasingly important. Traditional defenses based on detecting and patching known vulnerabilities are extremely passive under attack, and the large-scale distribution and deployment of a single piece of software makes large-scale vulnerability exploitation possible. The Web service software stack contains multiple layers and can be composed of different reusable components. Successful exploitation of any vulnerability in any software at any layer may lead to the leakage of a large amount of sensitive user data, which poses a great security risk. Software diversification can enrich the diversity of middleware, forcing attackers to break through the software one by one and greatly increasing the cost of attack.

To improve the security of Web services, the thesis selects different components at multiple layers of the Web service software stack and combines different middleware to form different software stacks and attack surfaces, supplemented by a dynamic scheduling mechanism. By also using software diversification to enrich the diversity of middleware, an effective active defense mechanism for Web services is realized. To address the difficult problem of diversity evaluation, a new evaluation method based on information entropy and software complexity is proposed. The main research contents and innovations are as follows:

1. A proactive defense mechanism for Java Web services based on natural software diversity is proposed. Drawing on the diversity of existing software in the Web service system, different middleware is selected at the operating system layer and the server software layer to form different software stacks, supplemented by mechanisms for input distribution, output voting, and dynamic scheduling. Security comparison tests on five different vulnerabilities in the system layer, software layer, and application layer verify that natural software diversity can effectively improve the security of Java Web services.

2. A proactive defense mechanism for Web services based on automatic software diversity is proposed. Compilation-based software diversification methods are applied to Web server software to generate heterogeneous variants and enrich the diversity of Web server software, supplemented by mechanisms for input distribution, output voting, and dynamic scheduling. A calculation model for the probability of cooperative escape attacks is proposed, and the possibility of such attacks is analyzed. It is proved that diversity can bring security gains. A security comparison test case verifies that automatic software diversity can effectively improve the security of Web services, and a performance comparison test verifies its practicality: the maximum performance loss of all compilation methods does not exceed 6.2%.

3. A software diversity evaluation method based on information entropy and software complexity is proposed. Five typical software complexity attributes are selected as evaluation indicators, and a method for calculating software diversity is given based on information entropy theory. The effectiveness of the evaluation method is verified by applying four different software diversification methods to typical ranking algorithm code and conducting a comprehensive comparative evaluation. The evaluation method is a useful reference for the actual deployment of diverse software.
Keywords/Search Tags: Software Diversity, Active Defense, Web Services, Information Entropy, Software Complexity, Quantitative Assessment