National Digital Library of Theses and Dissertations in Taiwan
Detailed record
Student: 林佳潤
Student (English): Chia-Jun Lin
Title: Real-time Serum System: An Automated Worm Curing System with an Attack Barrier
Title (English): Infectious Real-time Serum System: Automatic worm curing system
Advisor: 許富皓
Advisor (English): Fu-Hau Hsu
Degree: Master's
Institution: National Central University
Department: Graduate Institute of Computer Science and Information Engineering
Discipline: Engineering
Field: Electrical and Information Engineering
Thesis type: Academic thesis
Year of publication: 2008
Graduation academic year: 96
Language: Chinese
Pages: 52
Keywords (Chinese): worm removal, buffer overflow, remote attack, serum, serum system, worm, botnet, network security, attack barrier, worm curing
Keywords (English): serum system, worm, buffer overflow, worm curing, botnet, attack barrier, white worm, security, remote exploit
Self-propagating worm programs have long been one of the deadliest security threats in the networked world, because they let an attacker seize control of an enormous number of hosts. This thesis proposes a new architecture and method that can resolve and recover hosts infected by worm attacks automatically and with high precision: the "Real-time Worm Recovery System" (Serum System).

The underlying architecture of this system is built on the concept of offensive defence: it establishes an "attack barrier" and strikes back at the source of an attack. When a host equipped with the Serum System receives an attack string from a malicious program, it first dynamically modifies the payload of the attack string in real time, then counterattacks the same vulnerability on the attacking host, copies the Serum System onto that host and repairs the vulnerability. The attacking host thereby not only becomes immune to that worm, but can further counterattack, in the same way, any other malicious host that attacks this newly immunized host. Through this legitimate, chain-style spread of counterattacks, worm-infected hosts scattered across the Internet can be cleaned automatically, precisely and under control, regardless of scale, even when the signature is imprecise.

This thesis also discusses a model of worm infection and proves analytically that the system is effective in suppressing worm propagation. The analysis not only describes how the damage caused by a worm relates to time, but also shows the effect that deploying real-time counterattacking hosts has on suppressing the worm.

The thesis further proposes an architecture for regional automated patching of program vulnerabilities, so that enterprises and institutions of every size can repair vulnerabilities promptly. This result helps security incident researchers react quickly and recover from the damage when facing buffer overflow worm attacks in the future.
Although the implementations of ASLR and non-executable stacks reduce the risk of worms spreading via buffer overflow exploits, there are still numerous ways to defeat or circumvent these protections. In this paper we propose a system for automatic worm curing, the Infectious Real-time Serum System (IRSS).

Our approach is based on the concept of an "attack barrier" that counters back against attackers. Once a host running the Serum System is attacked, it dynamically modifies the payload of the attack string, counters back against the attacking source, and installs patches that clone the entire Serum System onto that source. The original attacking host is thus not only immune to this kind of vulnerability, but also able to counter back against any host that tries to attack it.

Through this infectious counterattack behaviour, with Serum Systems chained together, we can automatically cure worm-infected hosts precisely and under control. Moreover, we can clean worms all around the world while only a few Serum System servers are needed for the entire environment.

The Serum System can deal with any kind of buffer overflow attack (BOA), including return-into-libc attacks, so the system is effective in defending against the spread of modern worms. This paper also builds a mathematical model of worm-curing behaviour to analyze the efficiency of the Serum System, and presents the concept of automatic exploit patching.
Chinese Abstract i
English Abstract ii
Acknowledgements iii
Table of Contents iv
List of Tables vi
List of Figures vii
Chapter 1 Introduction 1
1-1 Research Background 1
1-2 Research Motivation and Objectives 1
Chapter 2 Background on Worm Propagation and Attacks 3
2-1 Buffer Overflow Attack 3
2-2 Attacking String 3
2-3 Worm Characteristics 4
Chapter 3 Related Work 6
3-1 Research on Buffer Overflows 6
3-2 Research on Worms 7
3-2-1 Signatures and Detection of Worm Behaviour 7
3-2-2 Mathematical Models of Worm Propagation 8
3-2-3 Worms and Botnets 8
3-2-4 Automated Patching (Auto-Patch) 8
Chapter 4 System Design 9
4-1 System Architecture 11
4-1-1 SSS and SSC 12
4-1-2 System Workflow 14
4-2 Discussion of System Functions 15
4-2-1 Connection Filtering and Redirection 15
4-2-2 Malicious String Scanning 15
4-2-3 Dynamic Modification of Attack Strings 16
4-3 Immunization and Counterattack Strategy 17
4-3-1 Determining Counterattack Success 17
4-3-2 Duration of Immunity 18
4-3-3 Integrating the Serum System with an IDS 18
Chapter 5 Mathematical Analysis 20
5-1 Worm Propagation Model 20
5-2 Analysis of Worm Propagation in an Environment with Serum System Hosts 21
5-2-1 The Case Where the Counterattack Success Rate Is 1 21
5-2-2 The Case Where the Counterattack Success Rate Is Below 1 23
Chapter 6 System Experiments and Evaluation 25
6-1 Overhead and Impact of the Serum System 25
6-1-1 Network Traffic Overhead 25
6-1-2 Performance Impact 26
6-2 Serum System Response Time 28
6-2-1 Time Required for the System to Counterattack 28
6-2-2 Time Required to Deploy the System in Real Time 29
6-3 System Stress Testing 30
6-4 Issues That May Affect This System 30
6-4-1 ASLR 30
6-4-2 Special Worm Behaviours 31
6-4-3 Attacks Targeting the Serum System 31
6-5 Other Evaluations and Discussion 31
6-5-1 Signature Tuning 32
6-5-2 Tracing Stepping-stone Hosts and Botnets 32
6-5-3 Shellcode Length 32
6-5-4 Return into libc Attack 33
Chapter 7 Conclusions and Future Directions 34
Appendix 1 References 36
Appendix 2 Shellcode for the Connection Infrastructure 41