Thesis record etd-1003102-125336: details
Title page for etd-1003102-125336
Title (Chinese): 台灣網路事件回報之研究 (A study of network incident reporting in Taiwan)
Title (English): The study of incident response in Taiwan
Department:
Year, semester:
Language:
Degree:
Number of pages: 55
Author:
Advisor:
Convenor:
Advisory Committee:
Date of Exam: 2002-10-03
Date of Submission: 2002-10-03
Keywords (Chinese, translated): computer security incident response team, computer network, security incident, computer virus
Keywords (English): computer security, security incidents, computer security incident response team, Internet
Statistics: this thesis has been browsed 5834 times and downloaded 42 times.
Chinese Abstract (translated)
As the use of the Internet has grown steadily, computer systems are no longer isolated, standalone systems. On the contrary, over these decades of rapid development in information technology, as connections between systems have kept increasing, the computing power, equipment and resources of computers now exist in a highly shared environment. However, danger has come along with it. Ever since the first computer virus (the Morris Worm) in 1988, the public has understood that computer networks actually operate in a dangerous environment. As security incidents have increased rapidly and in large numbers around the world, many countries have successively established organizations to understand and resolve these problems.

The Taiwan Computer Emergency Response Team/Coordination Center (TWCERT/CC) is one of the units that emerged under these circumstances. The main purposes of TWCERT/CC are to make the general public aware of and alert to computer network security incidents, to respond to or coordinate security incidents originating inside and outside the country, to monitor Taiwan's network security environment and, when necessary, to issue security advisories so as to reduce the impact on Taiwan of particular security incidents such as viruses.
Responding to and coordinating security incidents is a very important and complex part of TWCERT/CC's work. However, handling an ever-growing number of security incidents without a systematic approach is a heavy task for a computer security incident response team. The purpose of this research is to study and develop a systematic incident handling method and procedure, to build a system that implements this procedure, and to analyze the incident data collected by that system in order to obtain useful information, shorten the working time of incident handlers, and increase the speed and accuracy of handling.

Abstract
With the expansion of Internet use, computers are no longer separate systems. On the contrary, over the last few decades the sharing of computing power, devices and resources between computers has become surprisingly frequent. This gives people a more convenient networked environment. However, dangers come along with it. Ever since the first computer worm (the Morris Worm) in 1988, people have been aware of this issue: the computer network world has become an environment containing many potential dangers. As computer security incidents increase dramatically, many countries have established specific organizations to address these problems.

TWCERT/CC (Taiwan Computer Emergency Response Team/Coordination Center) is one of these organizations. The functions of TWCERT/CC are to help people become aware of computer network dangers, to respond to and coordinate security incidents inside and outside Taiwan, to monitor the security circumstances in Taiwan, and to announce alerts or take proper action when the situation is serious.

Responding to and coordinating these incidents is a crucial everyday job at TWCERT/CC that requires a very complicated procedure. Handling security incidents without a systematic method would be a heavy load for a computer security incident response team. This research develops a systematic method and procedure for handling incidents, together with a system that implements this procedure. The goal is to shorten the processing time of incidents, enhance the accuracy of incident handling, and analyze the data collected by the system to obtain useful information.

Table of Contents
1. Introduction (p. 1)
1.1. The networked environment (p. 1)
1.2. The threats to the network (p. 4)
1.3. The Computer Emergency Response Team/Coordination Center (p. 8)
1.4. Motivation of this research (p. 10)
1.5. Research method and steps (p. 11)

2. Related studies (p. 13)
2.1. The classification of attacks (p. 13)
2.2. Incidents and incident reports (p. 14)
2.2.1. Incident classification (p. 15)
2.2.2. Incident response (p. 18)
2.2.3. IR services (p. 19)
2.2.4. Comparing the paradigm functions with functions provided by TWCERT/CC (p. 20)
2.3. Incidents versus attacks (p. 21)
2.4. The incidents people are most concerned about (p. 22)
2.5. Automation of incident response/incident reporting (p. 25)

3. Research design (p. 30)
3.1. Research outline (p. 30)
3.2. System testing (p. 35)

4. Research results (p. 40)
4.1. Case study (p. 40)
4.2. Statistical data from the research (p. 42)

5. Conclusions and future study (p. 51)
5.1. Conclusions (p. 51)
5.2. Future study (p. 52)

6. References (p. 53)
Fulltext
This electronic full text is licensed only for personal, non-profit retrieval, reading and printing by users for the purpose of academic research. Please comply with the relevant provisions of the Copyright Act of the Republic of China and do not reproduce, distribute, adapt, repost or broadcast it without authorization.
Thesis access permission: open on campus, permanently restricted off campus
Available:
Campus: available
Off-campus: not available
Printed copies
Public-access information for printed theses is relatively complete from academic year 102 (ROC calendar) onward. To query the public-access information of printed theses from academic year 101 or earlier, please contact the printed thesis service counter of the Library and Information Services Office. We apologize for any inconvenience.
Availability: available