臺灣博碩士論文加值系統 (National Digital Library of Theses and Dissertations in Taiwan)

Detailed record
Author: 薛昱仁
Author (English): Yu-Jen Hsueh
Title: 以網路流量偵測SSH字典攻擊與追蹤之研究
Title (English): A Study of Using NetFlow Traffic Data to Detect and Track SSH Dictionary Attack
Advisor: 蕭漢威
Advisor (English): Han-Wei Hsiao
Degree: Master's
Institution: 國立高雄大學 (National University of Kaohsiung)
Department: 亞太工商管理學系碩士班 (Master's Program, Department of Asia-Pacific Industrial and Business Management)
Discipline: Business and Management
Field: Business Administration
Thesis type: Academic thesis
Year published: 2009
Academic year of graduation: 97 (ROC calendar)
Language: Chinese
Pages: 47
Keywords (Chinese, translated): dictionary attack; network traffic; data mining; network attack tracking
Keywords (English): Dictionary Attack; NetFlow; Data Mining; Network Attack Tracking
Statistics:
  • Cited by: 2
  • Views: 525
  • Rating: (none)
  • Downloads: 84
  • Bookmarked: 0
Abstract (Chinese, translated):

With the rapid development of Internet applications of every kind, authenticating identity over the network has become an unavoidable step, and password authentication remains a method that cannot yet be replaced. A dictionary attack guesses a user's likely password from words that commonly appear in a dictionary, and this technique is still one of the primary means of intrusion used by attackers. In recent years, the log files of servers on the Internet have frequently recorded many intruders attempting to break into servers by dictionary attack. Because networking software keeps advancing, many mechanisms that automate dictionary-attack intrusion have been developed, so such attack events show a worsening trend and trouble network administrators at every level.

This study uses NetFlow traffic data, collecting flow records of dictionary attacks against the SSH protocol, and builds an effective detection module with three classification algorithms from data mining: Naive Bayes, decision tree and support vector machine. The study shows empirically that the detection module performs well, reaching a prediction accuracy above 90%. In addition, using the attacking IP addresses identified by the SSH dictionary-attack detection module together with NetFlow data, the study develops an SSH dictionary-attack tracking algorithm to help network administrators trace the hosts carrying out SSH dictionary attacks and to find the topological attack-path relationships among them, so as to locate the host addresses that launched the dictionary attack earlier. The results can effectively let network administrators automatically find, from network traffic records, stepping-stone hosts through which SSH dictionary attacks are being carried out, and help reveal the topology of the paths along which SSH dictionary attacks are launched within the current network, which is of great help in improving network security defenses.
Abstract (English):

With the rapid growth of technology, many application systems need to authenticate users in the Internet environment. A user account and password is a simple and common way to authenticate on a network. In a dictionary attack, attackers attempt to log in to user accounts illegally by trying all possible passwords. System authentication log files contain a large number of failed SSH login records, which has become a common situation on the Taiwan Academic Network. This implies that the dictionary attack is a serious intrusive event.

In this paper, we propose a classification-based detection module to detect SSH dictionary attacks. We used three data mining classification algorithms, Naïve Bayes, decision tree and SVM, to build our SSH dictionary attack detection module. We collected real-world NetFlow traffic data over one month as the training samples for our detection system. Our empirical evaluation results show that the proposed detection module reaches above 90% detection accuracy. Further, we used the detection module and NetFlow history data to develop the SSH dictionary attack tracking algorithm, which tries to find the topology of the IP addresses that launched SSH dictionary attacks and to trace back to the origin of the SSH dictionary attacker. These results can help network managers detect implicit dictionary attack behaviors and improve network security.
Table of contents:

Chapter 1 Introduction 1
Chapter 2 Literature Review 4
2.1 Dictionary Attacks 4
2.2 Methods of Defending Against SSH Dictionary Attacks 4
2.3 Related Research on Tracking Network Attacks 7
Chapter 3 Network-Traffic-Based SSH Dictionary Attack Detection Module 9
3.1 Introduction to NetFlow Data 9
3.2 SSH Connection Network Traffic Data 11
3.3 SSH Dictionary Attack Detection Module 12
Chapter 4 SSH Dictionary Attack Tracking Mechanism 17
4.1 SSH Dictionary Attack Tracking Algorithm 17
4.2 Example of the SSH Dictionary Attack Tracking Algorithm 19
Chapter 5 Case Studies of the SSH Dictionary Attack Detection Module and Tracking Algorithm 24
5.1 Empirical Evaluation of the SSH Dictionary Attack Detection Module 24
5.2 Case Study of the SSH Dictionary Attack Tracking Algorithm 30
Chapter 6 Conclusions and Future Research Directions 37