National Digital Library of Theses and Dissertations in Taiwan (臺灣博碩士論文加值系統)
Author: 黃柏勝
Author (English): Bo-Sheng Huang
Title: A Distributed Denial of Service Attack Defense Mechanism Based on SDN, NFV and Moving Target Defense
Title (English): SDN/NFV Based Moving Target DDoS Defense Mechanism
Advisor: 周立德
Advisor (English): Li-Der Chou
Degree: Master's
University: National Central University
Department: Department of Computer Science and Information Engineering
Discipline: Engineering
Field: Electrical and Computer Engineering
Thesis type: Academic thesis
Year of publication: 2017
Graduation academic year: 105 (ROC calendar)
Language: Chinese
Pages: 105
Keywords (Chinese): Software Defined Networking, Network Function Virtualization, Distributed Denial of Service Attack, Moving Target Defense, Fuzzy Theory
Keywords (English): SDN, NFV, Moving Target Defense, DDoS, Fuzzy Theory
Usage statistics:
  • Cited: 2
  • Views: 359
  • Rating: (none)
  • Downloads: 0
  • Bookmarked: 0
Abstract (translated from Chinese):
With advances in technology and the spread of networked devices, network security protection faces severe challenges. The rapid development of network technology has also made attackers' methods more mature and diverse, for example the spread of Trojan horses, denial of service (Denial of Service, DoS) attacks and distributed denial of service (Distributed Denial of Service, DDoS) attacks. Among these, one of the most serious security problems is the distributed denial of service attack. Advances in network technology have diversified attack techniques: an attacker can switch between different DDoS attack types (SYN flooding, UDP flooding, ICMP flooding, etc.), and if one method is found not to achieve its intended goal, it may be replaced by another. How to effectively detect and withstand distributed denial of service attacks is therefore an important research topic.
To cope with the fact that information security is easy to attack and hard to defend, a new defensive paradigm, Moving Target Defense (MTD), has been proposed; its aim is to continually change system information so as to prolong the attacker's reconnaissance and reduce the effect of a successful attack. The emergence of new network architectures, Software Defined Networking (Software Defined Network, SDN) and Network Function Virtualization (NFV), has also changed the model of future network security protection, and the design of future network security architectures will evolve toward programmability and virtualization. This thesis proposes a DDoS defense mechanism based on SDN, NFV and Moving Target Defense. It uses multiple fuzzy systems to detect DDoS attacks and uses Moving Target Defense to mitigate and defend against them. When a DDoS attack occurs, the multiple fuzzy system detects and blocks the main attack traffic; if suspicious DDoS traffic remains, SDN and the Moving Target Defense concept are used to redirect traffic so that users are unaffected by the attack and can obtain service normally.
Abstract (English):
With the advancement of technology and the popularity of networked devices, network security is facing severe challenges. The rapid development of Internet technology has also made hackers' attacks more mature and diversified, such as Trojan viruses, Denial of Service (DoS) and Distributed Denial of Service (DDoS). One of the most serious security problems is the DDoS attack. The development of Internet technology has made hackers' attacks more diversified, and an attacker can switch between different DDoS attacks (UDP flooding, ICMP flooding, etc.). If the attacker finds that an attack method cannot achieve the desired goal, it may be converted into another attack. How to effectively detect and mitigate DDoS attacks is an important research topic.
To cope with information security issues, a new defensive approach, Moving Target Defense (MTD), was proposed; the purpose of MTD is to constantly change system information in order to delay the attacker's detection and probing. The emergence of new network architectures, Software Defined Networking (SDN) and Network Function Virtualization (NFV), has also changed the future network security scheme: the future design of network security architectures will move towards programmable and virtualized networks. This thesis proposes a Distributed Denial of Service attack defense mechanism based on SDN, NFV and Moving Target Defense. It uses multiple fuzzy systems to achieve DDoS detection and a Proxy VNF based Moving Target Defense mechanism to achieve DDoS mitigation, using SDN to control and redirect packets flexibly. If there is suspicious traffic, the proposed approach can redirect and quarantine it, thereby shifting the attack surface.
Table of contents (page numbers refer to the thesis):
Chapter 1 Introduction (p. 1)
1.1 Overview (p. 1)
1.2 Research Motivation (p. 2)
1.3 Research Objectives (p. 3)
1.4 Thesis Organization (p. 3)
Chapter 2 Background and Related Work (p. 4)
2.1 Distributed Denial of Service Attacks (p. 4)
2.2 Moving Target Defense Techniques (p. 6)
2.3 Fuzzy Systems (p. 11)
2.4 Software Defined Networking (p. 16)
2.5 Network Function Virtualization (p. 21)
2.6 Comparison of Related Work (p. 23)
Chapter 3 Methodology (p. 26)
3.1 System Architecture and Design (p. 26)
3.1.1 Packet Handler (p. 28)
3.1.2 SYN Packet Handler (p. 28)
3.1.3 Flow Stat Monitor (p. 28)
3.1.4 Flow Modification (p. 29)
3.1.5 Flow Rule Production (p. 30)
3.1.6 Redirect Decision (p. 31)
3.1.7 Threshold Module (p. 32)
3.1.8 Fuzzy Rule Base (p. 33)
3.1.9 Multiple Fuzzy System (p. 33)
3.1.10 DDoS Alert Notification (p. 34)
3.1.11 Load Balance (p. 34)
3.1.12 Proxy Allocation (p. 35)
3.1.13 Proxy Mutation (p. 35)
3.1.14 Health Check Agent (p. 36)
3.2 System Modules (p. 36)
3.2.1 System Definitions and Assumptions (p. 36)
3.2.2 Notation Table (p. 37)
3.2.3 System Functions and Module Workflow (p. 39)
3.2.4 Threshold Module Workflow (p. 43)
3.2.5 Multiple Fuzzy System Module Workflow (p. 44)
3.2.6 Proxy Allocation Module Workflow (p. 49)
3.2.7 Proxy Load Balance Module Workflow (p. 50)
3.2.8 Proxy Mutation Module Workflow (p. 52)
3.3 System Implementation (p. 53)
Chapter 4 Experiments and Discussion (p. 57)
4.1 Scenario 1: Discussion of the Reverse Proxy VNF Mechanism (p. 57)
4.1.1 Reverse Proxy VNF Redirection Flow Verification (p. 57)
4.1.2 Reverse Proxy VNF Load Balance Verification (p. 59)
4.2 Scenario 2: Discussion of DDoS Detection (p. 60)
4.2.1 SYN Flooding Detection (p. 60)
4.2.2 Fuzzy Detection Mechanism Test (p. 62)
4.3 Scenario 3: Discussion of DDoS Mitigation (p. 67)
4.3.1 Moving Target Defense Mechanism Test (p. 68)
4.3.2 Proxy Harvesting Attack Prevention Test (p. 69)
4.4 Scenario 4: Service Access Latency Experiments (p. 73)
4.4.1 Transmission Delay with/without Reverse Proxy VNF (p. 73)
4.4.2 SYN Flooding Sampling Count Latency Comparison (p. 77)
Chapter 5 Conclusions and Future Work (p. 81)
References (p. 85)