Thesis/dissertation record etd-0730104-095705: details
Title page for etd-0730104-095705
Title: Detecting Remote Attacks (遠端攻擊入侵偵測)
Department:
Year, semester:
Language:
Degree:
Number of pages: 68
Author:
Advisor:
Convenor:
Advisory Committee:
Date of Exam: 2004-07-05
Date of Submission: 2004-07-30
Keywords: Data mining, classification, network traffic analysis, vulnerability scan, Denial-of-service
Statistics: The thesis/dissertation has been browsed 5936 times and downloaded 0 times.
Abstract (translated from the Chinese abstract)
With the advance of technology, the Internet has brought us many conveniences in daily life, but technology has also brought new forms of crime. Because intrusion techniques and tools change daily and are hard to guard against, they bring new challenges of unauthorized access, intrusion and computer crime on the network, and network attack incidents have become commonplace. At every moment many attacks are taking place on the network, and how to detect these malicious attack behaviors is in fact a considerable problem.

Network administrators may need to read the security advisories published by security organizations regularly, for example the advisories issued by the US Computer Emergency Response Team (CERT), or subscribe to security mailing lists to keep accumulating security information. On the protective side, they may likewise need to spend large sums to purchase and deploy firewalls, intrusion detection systems, antivirus systems and related security detection systems.

These attacks have evolved from the early single-host attacks to recent forms that are easily written as worms for large-scale propagation or attack. Because the communication protocols and ports used against each system weakness differ, detection is difficult in many respects. If abnormal hosts could be detected by observing changes in network traffic, this would be of great help in understanding network usage and in assisting network administrators to detect and resolve problems promptly when anomalies occur.

Recently many intrusion incidents have been reported, and by 2003 denial-of-service attacks had become the most serious network incident in the FBI/CSI Computer Crime and Security Survey; therefore, among the various attack types, we chose vulnerability scanning and denial-of-service attacks as the direction of our research.

This research extends IPAudit, a traffic monitoring tool, to monitor packet traffic within a local area network. The test attack data is fed to the decision tree induction learning method from classification analysis (that is, C4.5) to build classification and prediction rules for network attack types, and the accuracy of the classification prediction is evaluated. For the same attack type, this study uses several different attack tools in cross experiments for validation, and evaluates the effectiveness of the classification prediction with different proportions of test data. The empirical results show that the proposed network service classification technique can help us predict attack events of the same type.
Abstract (author's English version)
Advances in technology have improved our lives, but they have also brought new kinds of crime. Because intrusion techniques and intrusion tools develop day by day, computer crimes such as overstepping system authority, intrusion events and network attack incidents are happening everywhere, every day. In fact, detecting these kinds of malicious attack behaviors is a troublesome problem.

Network management staff may have to read the security advisories issued by security organizations. For example, they may subscribe to advisories from a Computer Emergency Response Team or to security mailing lists to continuously accumulate security information. In addition, on the protection side, they may need to spend large sums to purchase firewall systems, intrusion detection systems, antivirus systems and other related security protection systems.

These attack behaviors have evolved from attacks on a single computer to heavy, large-scale attacks by new intrusion models such as worms. Furthermore, each attack is aimed at a particular system vulnerability and uses a different communication protocol and port, so these attacks are not easy to detect. If we can observe variations in network traffic to detect unusual hosts, this helps network managers control the usage of the network and, when extraordinary phenomena occur, discover and solve network attack problems in time.

Lately, intrusion events have been happening increasingly often, and denial-of-service became the most serious network event in the 2003 CSI/FBI Computer Crime and Security Survey. Therefore, among the various attack types, we chose vulnerability scanning and denial-of-service as our research direction.

This research extends IPAudit [16], a network traffic monitoring system, to detect the traffic flows of hosts on a local area network. We establish network attack rules by applying data mining classification (C4.5) to the collected attack data, and we estimate the accuracy of the classification. This study also uses different attack applications for the same attack type in cross experiments. The results show that data mining classification (C4.5) can help us efficiently forecast attack events of the same type.
Table of Contents
Chapter 1 Introduction
Preface
Research background
Research motivation
Chapter structure
Chapter 2 Related work
Vulnerability scan analysis
Denial-of-service attack analysis
Network traffic detection techniques
Packet capture
Data mining techniques
Chapter 3 System architecture
Security inspection process
Problems and research
System model
Chapter 4 System implementation and evaluation
Packet capture technique
Data conversion scheduling
Rule matching detection
Alert presentation and display
Collecting packet traffic
Simulated attack launches
Building attack rules
Cross-attack testing
Chapter 5 Research contributions
Conclusions and research contributions
Future research directions
References
References
1. CMU CERT/CC (Computer Emergency Response Team), CERT/CC Statistics 1988-2003, http://www.cert.org/stats/cert_stats.html#incidents.
2. CERT Advisory CA-1996-26, Denial-of-Service Attack via ping, http://www.cert.org/advisories/CA-1996-26.html.
3. CERT Advisory CA-1997-28, IP Denial-of-Service Attacks, http://www.cert.org/advisories/CA-1997-28.html.
4. CERT Incident Note IN-99-07, Distributed Denial of Service Tools, http://www.cert.org/incident_notes/IN-99-07.html.
5. CERT Advisory CA-1998-01, Smurf IP Denial-of-Service Attacks, http://www.cert.org/advisories/CA-1998-01.html.
6. CERT Advisory CA-1998-13, Vulnerability in Certain TCP/IP Implementations, http://www.cert.org/advisories/CA-1998-13.html.
7. CERT Advisory CA-2000-01, Denial-of-Service Developments, http://www.cert.org/advisories/CA-2000-01.html.
8. CERT Advisory CA-1999-17, Denial-of-Service Tools, http://www.cert.org/advisories/CA-1999-17.html.
9. Computer Security Institute, 2003 CSI/FBI Computer Crime and Security Survey, www.gocsi.com, 2003.
10. CERT Coordination Center, Overview of Attack Trends, http://www.cert.org/archive/pdf/attack_trends.pdf.
11. Cisco Systems, White Paper: NetFlow Services and Applications, http://www.cisco.com/warp/public/cc/pd/iosw/ioft/neflct/tech/napps_wp.htm.
12. CERT Advisory CA-2002-30, Trojan Horse tcpdump and libpcap Distributions, http://www.cert.org/advisories/CA-2002-30.html.
13. Common Vulnerabilities and Exposures (CVE), CVE ID, http://www.cve.mitre.org/.
14. Foundstone, http://www.foundstone.com/.
15. Giorgio Giacinto, Fabio Roli, Luca Didaci, Fusion of multiple classifiers for intrusion detection in computer networks, Pattern Recognition Letters, Elsevier Science B.V., 2003.
16. IPAudit-Web, http://ipaudit.sourceforge.net/.
17. ISS Security Alert, ISS information about Trino/Tribe Flood Network, http://www.cert.org/incident_notes/IN-99-07.html.
18. J. P. Anderson, "Computer Security Threat Monitoring and Surveillance," Tech. Rep., James P. Anderson Co., Fort Washington, PA, Apr. 1980.
19. Michael J. A. Berry, Gordon S. Linoff, Data Mining Techniques: For Marketing, Sales and Customer Support, Wiley Computer Publishing, 1997; Chinese translation by 彭文正.
20. Microsoft Security Bulletin MS03-026, http://www.microsoft.com/technet/security/bulletin/MS03-026.mspx.
21. MRTG, http://people.ee.ethz.ch/~oetiker/webtools/mrtg/.
22. NMAP, http://www.insecure.org/nmap/.
23. National Infrastructure Protection Center, TRINOO/Tribal Flood Net/tfn2k, http://www.nipc.gov/warnings/alerts/1999/trinoo.htm, 1999.
24. Nessus, http://www.nessus.org/.
25. Retina Network Security Scanner, http://www.eeye.com/html/products/retina/index.html.
26. Symantec virus center: MYDOOM, http://www.sarc.com/avcenter/venc/data/w32.novarg.a@mm.html.
27. SecurityFocus, Advisory FreeBSD-SA-02:29: Buffer overflow in tcpdump when handling NFS packets, http://www.securityfocus.com/advisories/4277.
28. SANS Top 20, http://www.sans.org/top20/.
29. SecurityFocus: Barbarians at the Gate: An Introduction to Distributed Denial of Service Attacks, http://www.cert.org.tw/document/column/show.php?key=58.
30. SecurityFocus, Bugtraq ID, http://www.securityfocus.com/bid.
31. Tenable, http://www.tenablesecurity.com/.
32. Trend virus center: WORM_MSBLAST.A, http://www.trendmicro.com/vinfo/zh-tw/virusencyclo/default5.asp?VName=WORM_MSBLAST.A.
33. Trend virus center: MYDOOM, http://www.trendmicro.com/vinfo/zh-tw/virusencyclo/default5.asp?VName=WORM_MYDOOM.A.
34. washington.edu, "stacheldraht" distributed denial of service attack tool, http://staff.washington.edu/dittrich/misc/stacheldraht.analysis.
35. TCPDUMP, http://www.tcpdump.org/.
36. William Stallings, Cryptography and Network Security: Principles and Practice, 2nd edition, Prentice-Hall, Inc., 1999; Chinese translation by 巫坤品 and 曾志光.
37. 黃耀文, 黃世昆 (trans.), A Survey and Assessment of Network Mapping Methods and Techniques (網路對映技術探討與評估), http://www.cert.org.tw/document/column/show.php?key=34.
38. Institute for Information Industry (資策會) Integrated Technology Laboratory, Principles of ICMP DoS attacks and defense methods, http://www.iii.org.tw/adc/papers/thesis/00B02.htm.
39. 王波, FreeBSD series: Security tools, http://www.freebsd.org.hk/html/wongpong/bookindex.html.
40. 李忠憲, MRTG installation manual for Windows, http://web.tp.edu.tw/docc/documents/mrtg.htm.
41. 安智平, Port scanning techniques, http://www.china-pub.com, 2001.
42. 陳嘉玫, 黃世昆, 陳年興, 鍾明勳, Real-time detection and prevention of Internet worms, Taiwan Computer Emergency Response Team, 2001.
43. 高振元, 陳嘉玫, 陳年興, 鄭進興, DDoS attack trends and defense strategies, Information Security Magazine (資安人雜誌), April 2004.
44. 鄭進興, 林敬皇, Computer forensics procedures and information security incident recovery, Information Security Magazine (資安人雜誌), November 2003.
45. 邵喻美, Network traffic monitoring and management, Network Technology Promotion Workshop, academic year 91, 2002.
46. 林順傑, 曾憲雄, 林耀聰, 周志明, A Study of Mining Network Behaviors, Ministry of Education Program for Promoting Academic Excellence (教育部追求卓越計劃), 2001.
47. 蕭漢威, 曾金山, 魏志平, 楊竹星, A study of network service classification and prediction based on Internet traffic, TANET2003, 2003.
48. 林育生, Network traffic anomaly detection using statistical confidence interval estimation, Communications, Electronics and Information Academic Quarterly (通信電子資訊學術季刊).
49. 嚴嘉錚, 楊靖宇, Construction of an integrated traffic management and virus attack defense system, TANET2003, 2003.
50. 黃文穗, 林守仁, Building a Code Red worm detection system using NetFlow, TANET2001, 2001.
51. Michael Berry, Gordon Linoff (麥可•斐瑞、戈登•林諾夫), trans. 彭正文, Data mining theory and practice: the art and science of customer relationship management (資料採礦理論與實務-顧客關係管理的技巧與科學).
52. Michael Berry, Gordon Linoff (麥可•斐瑞、戈登•林諾夫), trans. 彭正文, Data mining: applications in customer relationship management and e-marketing (資料採礦-顧客關係管理暨電子行銷之應用).
Fulltext
This electronic full text is licensed to users only for personal, non-commercial retrieval, reading and printing for the purpose of academic research. Please comply with the relevant provisions of the Copyright Act of the Republic of China and do not reproduce, distribute, adapt, repost or broadcast it without authorization.
Thesis access permission: not available on campus or off campus
Available:
Campus: never available
Off-campus: never available
Printed copies
Public-access information for printed copies is relatively complete for academic year 102 (ROC calendar) and later. To look up public-access information for printed theses from academic year 101 or earlier, please contact the printed thesis service desk of the Office of Library and Information Services. We apologize for any inconvenience.
Availability: publicly available