National Digital Library of Theses and Dissertations in Taiwan

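Graduate student: 林昭名
Thesis title: 部署分散式虛擬蜜網偵測網路攻擊
Thesis title (English): The Deployment of Distributed Virtual Honeynet for Detecting Network Attacks
Advisor: 顏雲生
Degree: Master's
Institution: Fo Guang University (佛光大學)
Department: Department of Informatics (資訊學系)
Discipline: Engineering
Field: Electrical and Computer Engineering
Thesis type: Academic thesis
Year of publication: 2011
Graduation academic year: 99
Language: Chinese
Number of pages: 81
Chinese keywords: 蜜罐; 蜜網; 網路安全
English keywords: Honeypot; Honeynet; Network Security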
As the Internet has become ubiquitous, everyday applications built on it have flourished, and network security problems have multiplied along with them. Faced with constantly mutating malware and ever-newer network attack techniques, the passive defense offered by traditional firewalls and intrusion detection systems can no longer keep up with this rapid change.

To resolve this difficulty effectively, defenders must move from passive defense to active exploration: understanding the network vulnerabilities that may exist in current systems and studying the latest attack techniques that attackers are using or may use. Some security researchers therefore proposed a new security concept, the honeypot, also called a deception system. Its main aim is to change the passive defense previously used in information security, which can only remediate after the fact, into an active approach that collects information about attackers, so that their techniques and tools can be understood and attacks can be prevented before they occur.

Because a honeypot system provides no real external service, any connection to it can be suspected of being anomalous. The volume of connection data is also relatively small and contains little noise, so the data is of high value; this effectively reduces the burden on security researchers and lets them find the data they need quickly. A honeynet is composed of several honeypots and can collect and monitor all inbound and outbound traffic. By collecting comprehensive attack data and analyzing it, the causes of attacks, unknown attack types and attack trends can be analyzed more clearly.

This thesis uses a distributed virtual honeynet (Distributed Virtual Honeynet) to actively attract malicious attacks, collects and detects network intrusion and attack information, and marks the related information on a web map. The implementation results show that researchers can quickly analyze and query the sources of intrusions and attacks, and obtain valuable and sufficient information to respond to various network security threats.

Abstract (Chinese)
Abstract (English)
Acknowledgements
Table of Contents
List of Figures
List of Tables
Chapter 1 Introduction
  1.1 Research Background
  1.2 Research Motivation
  1.3 Thesis Organization
Chapter 2 Related Work
  2.1 Honeypot
    2.1.1 Definition of a Honeypot
    2.1.2 Classification of Honeypots
    2.1.3 Honeypot Deployment Locations and Methods
  2.2 Introduction to the Honeynet
    2.2.1 Development of the Honeynet
  2.3 Honeynet Architecture
  2.4 Virtual Honeynet
  2.5 Honeywall Roo
Chapter 3 Honeypots and Honeynets
Chapter 4 Distributed Virtual Honeynet
  4.1 System Overview
  4.2 Deployment Locations
    4.2.1 External Network
    4.2.2 Internal Network
  4.3 Deployment Method
    4.3.1 Building the Virtual Machines
    4.3.2 Installing the Required Packages
    4.3.3 Adding Columns to the flow Table
    4.3.4 Adding the wholocations Table
  4.4 System Architecture
    4.4.1 Data Control
    4.4.2 Data Capture
    4.4.3 Data Collection
    4.4.4 Data Analysis
  4.5 System Functions
Chapter 5 Experimental Results and Analysis
  5.1 Deployment Scenarios
    5.1.1 Deploying Virtual Honeynet Hosts Facing the External Network
    5.1.2 Deploying Virtual Honeynet Hosts Facing the Internal Network
  5.2 Experimental Results
    5.2.1 Statistics by Attack Source IP
    5.2.2 Statistics by Attack Destination IP
    5.2.3 Statistics by Attacked Destination Port
    5.2.4 Statistics by Attacked Protocol
    5.2.5 Statistics by Attack Source Country
    5.2.6 Statistics on Attacks from Taiwan
    5.2.7 Internal Honeynet Attack Statistics
  5.3 Experimental Analysis
    5.3.1 Windows Platform
    5.3.2 Linux Platform
    5.3.3 Attack Connections per Day
    5.3.4 Distribution of Attack Source IPs
    5.3.5 Statistical Analysis of Attack Counts
  5.4 Recommendations from the Experimental Results
Chapter 6 Conclusions and Future Work
References

