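Graduate student: 高成
Graduate student (English name): Cheng Kao
Thesis title: 基於TCP協定的DDoS攻擊檢測
Thesis title (English): TCP-based DDoS Detection Scheme
Advisor: 蔡旭昇
Degree: Master's
Institution: Shu-Te University (樹德科技大學)
Department: Master's Program, Department of Information Management
Discipline: Computer Science
Sub-discipline: General Computer Science
Thesis type: Academic thesis
Year of publication: 2012
Graduation academic year: 100
Language: Chinese
Number of pages: 51
Keywords (translated from Chinese): Distributed Denial of Service; Intrusion Detection; SYN Flood Attack
Keywords (English): DDoS; Intrusion Detection; SYN Flooding Attack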
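With the rapid development of the Internet, network technology is increasingly changing people's lives; in particular, the growth of e-commerce has heightened the demand for network security. Based on an analysis and study of the current state, principles, and methods of DoS and DDoS attacks, this thesis finds that the inherent shortcomings of the TCP protocol are an important factor behind DDoS attacks. To address this defect, it proposes a TCP-based DDoS attack detection method to reduce the threat posed by DDoS attacks, and a DDoS attack and detection environment was built in the laboratory to test the proposed system in practice.
The proposed detection model first derives, from TCP's three-way handshake, a hypothesis about changes in the correlation among TCP packet flags, and then applies statistical methods to find the thresholds needed to detect DDoS attacks. These thresholds serve as the basis for detecting the occurrence of an attack and for building the attack detection model. To find thresholds that are workable in practice, the flag information of TCP packets on the server-side network was collected in the test environment before and after attacks, analyzed statistically, and used to compute the thresholds.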

With the rapid development of the Internet, Internet technology has increasingly reshaped people's lives. Especially with the growth of e-commerce, network security has become a prominent issue. In this paper, we first analyze the states during DoS or DDoS attacks and identify the inherent defects of the TCP protocol. Therefore, we propose a DDoS detection scheme based on TCP to perceive and react to the occurrence of DDoS attacks. In addition, we build a DDoS environment in our lab to test our model.
In our detection model, we assume that the ratio between the numbers of TCP segments carrying specified flag fields during the three-way handshake for connection setup must be below a threshold in the DDoS-free situation. By means of statistical analysis, we can approach a threshold deduced from the ratio between each specified flag of TCP segments. Next, we conduct four different experiments, namely DDoS-free, DDoS with one attacker, DDoS with two attackers, and DDoS with three attackers, to accumulate TCP segments according to each specified flag. Finally, we determine the numerical values of these thresholds.

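Abstract (Chinese)
Abstract
Acknowledgements
Table of Contents
List of Figures
List of Tables
Chapter 1 Introduction
1.1 Research Background and Motivation
1.2 Research Objectives
1.3 Thesis Organization
Chapter 2 Related Work and Background
2.1 Principles of DDoS Attacks [2]
2.2 DDoS Attack Process [3]
2.3 Classification of DDoS Attacks [4]
2.3.1 System-Resource-Consumption Attacks
2.3.2 Bandwidth-Consumption Attacks
2.4 Common DDoS Attack Tools [5]
2.4.1 Trinoo
2.4.2 TFN
2.4.3 TFN2K
2.4.4 Stacheldraht
2.5 Intrusion Detection Analysis Methods
2.5.1 Statistical Analysis [6,7,8,9]
2.5.2 Neural Network - Backpropagation [10,11]
2.5.3 Fuzzy Theory [12]
2.5.4 Finite State Machine [13]
2.5.5 Bayesian Network [14]
2.5.6 Rule-based Analysis [15]
2.6 Characteristics of the TCP Protocol
2.6.1 TCP Connection Establishment: Three-Way Handshake
2.6.2 TCP Connection Termination
2.6.3 Vulnerabilities of the TCP Protocol
Chapter 3 Research Method
3.1 Characteristics of the TCP Protocol
3.2 Analysis of the Detection Method
3.3 Building the Detection Model
3.3.1 Data Processing Module
3.3.2 Data Analysis Module
3.4.3 Normal Data Processing Module
3.3.4 Result Module
Chapter 4 Results and Discussion
4.1 Experimental Environment
4.2 Experimental Plan and Procedure
4.3 Experimental Results and Discussion
Chapter 5 Conclusions and Recommendations
References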

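[1] 馬淑貞, “A Study of Using Network Traffic Data Mining to Assist Denial-of-Service Attack Detection and Defense”, Master's thesis, Department of Information Management, National Sun Yat-sen University, ROC year 94.
[2] 李駿偉, “Quantitative Evaluation of the Performance of Intrusion Detection System Analysis Methods”, Master's thesis, Graduate Institute of Information Engineering, Chung Yuan Christian University, ROC year 91.
[3] 陳建昇, “Research on Large-Scale Network Anomaly Detection Techniques”, Master's thesis, Department of Information Management, Chaoyang University of Technology, ROC year 97.
[4] 張振宏, “Preventing Distributed Denial-of-Service Attacks Using Statistical Fuzzy Traffic Control”, Master's thesis, Institute of Computer and Communication Engineering, National Cheng Kung University, ROC year 96.
[5] 藍森林, 2006, retrieved from: http://www.lslnet.com/linux/f/docs1/i49/big5333718.htm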
[6] Iguchi, M. and Goto, S.,“Network surveillance for detecting intrusions”, Internet Workshop, 1999. IWS 99, Waseda Univ., Tokyo, Japan, pp. 99-106.
[7] Argus Open Project, http://qosient.com/argus/ (13 November 2000).
[8] Staniford, S., Hoagland, J.A. and McAlerney, J.M., “Practical Automated Detection of Stealthy Portscans”, Silicon Defense, 513 2nd Street Eureka, CA 95501.
[9] The Stealthy Portscan and Intrusion Correlation Engine, a project at Silicon Defense to detect portscans, http://www.silicondefense.com/software/spice/ (14 May 2001).
[10] Ghosh, A.K., Wanken, J. and Charron, F., “Detecting anomalous and unknown intrusions against programs”, Proceedings of Computer Security Applications Conference, 1998. Reliable Software Technol., Sterling, VA, USA, pp. 259-267.
[11] Girardin, L., “An eye on network intruder-administrator shootouts”, Proceedings of the Workshop on Intrusion Detection and Network Monitoring, UBS, Ubilab, April 9-12, 1999.
[12] Dickerson, J.E., Dickerson, J.A. and Editor(s): Whalen, T., “Fuzzy network profiling for intrusion detection”, Proceedings of NAFIPS. 19th International Conference of the North American, 2000, Iowa State Univ., Ames, IA, USA, pp. 301-306.
[13] Ilgun, K., Kemmerer, R.A. and Porras, P.A.,“State Transition Analysis: A Rule-Based Intrusion Detection Approach”, IEEE Transaction on Software Engineering, VOL.21 No.3, March 1995.
[14] Ye, N., Xu, M. and Emran, S.M., “Probabilistic Networks with Undirected Links for Anomaly Detection”,Proceedings of the 2000 IEEE Workshop on Information Assurance and Security United States, Military Academy, West Point, NY, 6-7 June, 2000.
[15] Porras, P.A., “Detecting Computer and Network Misuse Through the Production-Based Expert System Toolset (P-BEST)*”, Proceedings of the 1999 IEEE Symposium on Security and Privacy, Oakland, California, MAY 9-12, 1999.
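[16] 張永旺, 江建良, 2007, Business Statistics (2nd ed.), 普林斯頓國際有限公司.
[17] 沈文吉, “Analysis and Implementation of Network Security Monitoring and Attack Behavior”, Master's thesis, Graduate Institute of Information Management, National Taiwan University, ROC year 90.
[18] 陳苡萍, “A Study of Applying Active Networks to Network Management and DoS Monitoring”, Master's thesis, Department of Information Engineering, Chung Yuan Christian University, ROC year 89.
[19] 鍾昌翰, “A Network Intrusion Detection Method for Distributed Denial of Service and Distributed Scanning”, Master's thesis, Department of Information Engineering, National Chiao Tung University, ROC year 90.
[20] 陳培德, 賴溪松, “Introduction to and Implementation of Intrusion Detection Systems”, Department (Institute) of Electrical Engineering, National Cheng Kung University, Communications of the CCISA Vol.8 No.2 March 2002.
[21] 林耀聰, 曾憲雄, 蔡孟凱, 江孟峰, “A Study of a Two-Tier Network Intrusion Detection System”, Proceedings of the Taiwan Area Internet Conference, ROC year 90.
[22] 李駿偉, 田筱榮, 黃世昆, “Evaluation and Comparison of Intrusion Detection Analysis Methods”, Graduate Institute of Information Engineering, Chung Yuan Christian University; Institute of Information Science, Academia Sinica, Communications of the CCISA Vol.8 No.2 March 2002.
[23] 劉仲鑫, 宋品霆, 黃泳誌, “Security Analysis of WLAN under DDoS Attacks”, 2010 Conference on Digital Technology and Innovation Management, ROC year 99.
[24] Felix Lau, Stuart H. Rubin, Michael H. Smith et al. Distributed denial of service attacks. In: IEEE International Conference on Systems, Man, and Cybernetics. Nashville, October 2000, Pages: 2275~2280.
[25] David Mankins, Rajesh Krishnan, Ceilyn Boyd et al. Mitigating distributed denial of service attacks with dynamic resource pricing. In: Proceedings of Annual Computer Security Applications Conference. Sheraton New Orleans, Louisiana, December 2001, Pages: 411~421.
[26] Roshan Thomas, Brian Mark, Tommy Johnson et al. NetBouncer: client-legitimacy-based high-performance DDoS filtering. In: Proceedings of DARPA Information Survivability Conference and Exposition. Washington, April 2003, Pages: 14~25.
[27] Tao Peng, Christopher Leckie, Kotagiri Ramamohanarao. Protection from distributed denial of service attacks using history-based IP filtering. In: IEEE International Conference on Communications (ICC’03). Anchorage, Alaska, USA, May 2003, Pages: 482~486.
[28] 謝彥偉, “An Overload Protection Mechanism under Distributed Denial of Service”, Master's thesis, Graduate Institute of Information Engineering, National Central University, ROC year 92.
[29] Jelena Mirkovic, Gregory Prier, Peter Reiher. Source-end DDoS defense. In: Second IEEE International Symposium on Network Computing and Applications (NCA2003). Cambridge, Massachusetts, April 2003, Pages: 171~178.
[30] Udaya Kiran Tupakula, Vijay Varadharajan. Counteracting DDoS attacks in multiple ISP domains using routing arbiter architecture. In: the 11th IEEE International Conference on Networks (ICON2003). Sydney, Australia, October 2003, Pages: 455~460.
[31] Joos.B.D.Cabrera, Lundy Lewis, Xinzhou Qin et al. Proactive detection of distributed denial of service attacks using MIB traffic variables - a feasibility study. In: Proceedings of IEEE/IFIP International Integrated Network Management Symposium. Seattle, Washington, May 2001, Pages: 609~622.
[32] Laura Feinstein, Dan Schnackenberg, Ravindra Balupari et al. Statistical approaches to DDoS attack detection and response. In: Proceedings of DARPA Information Survivability Conference and Exposition. Washington, April 2003, Pages: 303~314.
[33] 陳俊傑, “Defending against Distributed Denial-of-Service Attacks with Overlay Networks”, Master's thesis, Graduate Institute of Information Engineering, National Central University, ROC year 94.
[34] 張振宏, “Preventing Distributed Denial-of-Service Attacks Using Statistical Fuzzy Traffic Control”, Master's thesis, Institute of Computer and Communication Engineering, National Cheng Kung University, ROC year 95.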
[35] A.Snoeren, C.Partridge, L.A.Sanchez, et al. Hash-based IP Traceback. In: Proceedings of ACM SIGCOMM. San Diego, CA, USA, August 2001, Pages:3~14.
[36] S. Bellovin, M. Leech, and T. Taylor. ICMP Traceback Messages. Internet draft, work in progress, October 2001.
[37] H. Burch and B. Cheswick. Tracing Anonymous Packets to Their Approximate Source. In: Proceedings of 2000 USENIX LISA Conf. New Orleans, LA, December 2000, Pages: 319~327.
[38] Stone R. Centertrack: An IP overlay network of tracking DoS floods. In: Proceedings of the 9th USENIX Security Symposium. Denver, CO, USA: USENIX, July 2000, Pages: 199~212.
[39] John Ioannidis, S.M. Bellovin. Implementing Pushback: Router-Based Defense Against DDoS Attacks. In: Proceedings of the Network and Distributed System Security Symposium. San Diego, California, February 2002.
[40] Stefan Savage, David Wetherall, Anna Karlin et al. Practical Network Support for IP Traceback. In: Proceedings of the 2000 ACM SIGCOMM Conference. Stockholm, Sweden, August 2000, Pages: 226~237.
[41] Yoohwan Kim, Ju-Yeon Jo, Frank L. Merat. Defeating Distributed Denial-of-Service Attack with Deterministic Bit Marking. In: Global Telecommunications Conference (GLOBECOM’03. IEEE). San Francisco, CA, December 2003, Pages: 1363~1367.
[42] 曾昱國, “A Study of Network Attack Path Tracing”, Doctoral dissertation, Department of Information Engineering, National Sun Yat-sen University, ROC year 93.
[43] D. Dasgupta, F. Gonzalez, K. Yallapu, J. Gomez, and R. Yarramsettii (2005),“CIDS: An Agent-based Intrusion Detection System,” Computers & Security, Vol. 24, Issue 5, pp. 387-398.
[44] A. P. Phillip (1999), “Detecting Computer and Network Misuse Through the Production-Based Expert System Toolset (P-BEST),” Proceedings of the 1999 IEEE Symposium on Security and Privacy, pp.0146.
[45] Bykova, M., Ostermann, S. and Tjaden, B., “Detecting network intrusions via a statistical analysis of network packet characteristics”, Proceedings of the 33rd Southeastern Symposium on System Theory, 2001, pp. 309-314.
[46] Caberera, J.B.D., Ravichandran, B. and Mehra, R.K., “Statistical traffic modeling for network intrusion detection”, Proceedings of 8th International Symposium, San Francisco, CA, USA, 2000, pp. 466-473.
[47] 林順傑, 曾憲雄, 林耀聰, 周志明, “Mining Network Behavior Patterns”, Proceedings of the Taiwan Area Internet Conference, ROC year 90.

