National Digital Library of Theses and Dissertations in Taiwan (臺灣博碩士論文加值系統)

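Graduate student: 陳明佐
Graduate student (English): Ming-Tso Chen
Thesis title (Chinese): 植基於階層式規則之入侵偵測系統
Thesis title (English): Intrusion Detection System Based on Hierarchical Rules
Advisor: 賴榮滄
Advisor (English): Zone-Chang Lai
Degree: Master's
Institution: Feng Chia University (逢甲大學)
Department: Graduate Institute of Information Engineering (資訊工程所)
Discipline: Engineering
Field: Electrical and Computer Engineering
Thesis type: Academic thesis
Year of publication: 2002
Graduation academic year: 90
Language: Chinese
Number of pages: 36
Keywords (Chinese, translated): intrusion detection; network security; system security
Keywords (English): Intrusion Detection; Network Security; Computer Security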
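In recent years the rapid development of networks has made it easier for the general public to get online, but many dangers lurk on the network. For example, malicious attacks by hackers, or the effects of hidden Trojan horse programs, can cause incalculable losses to individuals or companies. Many companies and individuals therefore deploy firewalls to block external attacks, but firewalls are expensive to deploy and hard to maintain. An intrusion detection system is therefore needed to assist them, and judging intrusion behaviour on the network quickly and correctly has always been an important goal of intrusion detection systems.
The method used in this thesis adopts hierarchical rules, aiming to improve the performance of an intrusion detection system without greatly changing the way rules are originally defined. In this method we take a hierarchical approach combined with dynamic adjustment of the rule search order, and use as the basis for classification those features, among the rules that define possible intrusion behaviour, that clearly distinguish different attack behaviours. In the first layer we use the most clearly distinguishing features, and then check for intrusions against frequently occurring intrusion behaviours. If the first layer cannot confirm whether the system or network has been intruded upon, the task is handed to the next layer for matching. With this classification we can detect frequently used intrusion behaviours in a shorter time, and then use dynamic adjustment to reorder the rules so that they are applied more efficiently.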
In recent years networks have grown rapidly. However, there are many malicious activities in the network environment, such as malicious attacks from intruders or hidden Trojan horse programs. Therefore, many companies use firewalls to defend against attacks from outside. However, firewalls are costly and hard to maintain. That is, we need an intrusion detection system to assist the firewalls. How to detect intruders and attackers more efficiently and accurately is always an important goal of an intrusion detection system.
In this paper, we present a hierarchical rule-based method to improve the performance of an intrusion detection system. This method stores the rules hierarchically and dynamically adjusts the importance of these rules.
Chapter 1 Preface
1.1 Background
1.2 Research Motivation
1.3 Thesis Organization
Chapter 2 Introduction
2.1 Intrusion Detection Systems
2.1.1 Host-Based Intrusion Detection Systems
2.1.2 Network-Based Intrusion Detection Systems
2.1.3 Anomaly Detection Systems
2.1.4 Misuse Detection Systems
2.2 Common Intrusion Attack Methods
2.2.1 Trojan Horse
2.2.2 Denial of Service Attack
2.2.3 Scanning Attack
2.2.4 Buffer Overflow Attack
2.2.5 System Vulnerability Intrusion
2.3 Feature Selection
2.3.1 Feature Classification
2.3.2 Feature Application
Chapter 3 System Architecture and Method
3.1 System Architecture
3.2 Rule Classification
3.3 Rule Adjustment
Chapter 4 Experiments
4.1 Experiments
4.2 Analysis
4.3 Application to Snort
Chapter 5 Conclusion
References
Acknowledgements