隨著電腦與電腦網路的普及，電腦安全受到越來越多的注意。在眾多的電腦安全問題中，網路與系統入侵事件發生日漸頻繁而廣泛，所造成的經濟損失日益嚴重。因此入侵偵測在電腦安全防護機制中的重要性與日遽增。所以入侵偵測系統後端弱點資訊管理系統的建置與應用相形重要。
入侵行為要能造成對安全的威脅必然要運用網路或系統的弱點，相對地要偵測俱威脅力的入侵行為的發生也是要查核網路流量與系統運作中是否有運用弱點的行為，所以入侵偵測系統需要對弱點資訊有充分的掌握。目前已有許多資訊安全單位在做弱點資訊發現、蒐集及整理的工作，因此能在弱點資訊公開時自動取得弱點資訊的內容，並將此內容納入機構中入侵偵測系統的偵測範圍，就能增進入侵偵測系統運作效能，並在補強程式尚未產生前的空窗期防範入侵行為對系統造成損害。基於這樣的了解，我們設計了一個弱點資訊管理架構，管理弱點資訊從自動化收集、多重資訊的整合、運用於入侵偵測到評估個別弱點週期循環的進程並分析此弱點被運用程度的過程，我們已完成這個管理架構的實做系統，實際地驗證這個管理系統架構是可以有效的改進系統的安全防禦能力，並能對個別弱點產生的安全危害量化，使得更進一步的安全分析成為可能。

With the prevalence of computer and computer network, computer security has gained more and more attention. Among all the computer security incidents, the occurrences of instruction to computer systems and networks has become highly frequent and extensive, which results in serious damage financially and makes intrusion detection an important sector in the overall computer security protection mechanism. Consequently, the vulnerability information management system supporting the operations an instruction detection system becomes more and more important.
As the security of a system or a network is only threatened by instruction activities exploiting its vulnerabilities, the detection of such activities can be achieved by monitoring the system operations or the network traffic to see if any vulnerability is being exploiting. Therefore, an effective misuse-based intrusion detection system needs to have its knowledge to vulnerabilities up to date. With many computer security organization discovering, collecting, and organizing vulnerability information, being able to automatically obtain the vulnerability information once it is publicized and apply it to enhance the detection capability of an intrusion detection system will improve the effectiveness of the intrusion detection system and protect the computer environment from loss before a patch to the vulnerability is available. With this understanding, we proposed a vulnerability information management framework managing operations from automatic information collection, integration and automated application to intrusion detection, to the evaluation of a vulnerability’s progression in its life cycle and the analysis of the extent the vulnerability was exploited. A system adapting this management framework has been implemented. Experiment result shows that the defense capability of a computer environment can be effectively enhanced. In addition, the potential threat of a vulnerability is quantized, which makes further analysis on security possible.


Keyword: vulnerability database, vulnerability life cycle, vulnerability evaluate.

目錄
第一章 導論1
1.1 背景1
1.2 動機1
1.3 目標2
1.4 論文架構3
第二章 相關研究4
2.1 弱點資料庫4
2.2入侵特徵7
2.3 弱點週期9
2.4 弱點驗證方式12
第三章 弱點資訊管理系統設計14
3.1 系統架構14
3.2系統規劃與流程16
3.3 記錄弱點週期規劃18
第四章 弱點資訊管理系統實作20
4.1 弱點資訊管理20
4.2 弱點特徵管理25
4.3 回應分析27
4.4 弱點生命週期分析27
第五章 系統評估與討論29
第六章 結論與未來發展33
參考文獻34
附錄38

[1]劉其堅，「多型性弱點資料庫設計與對應缺陷運用程式產生器製作」，中原大學資訊工程研究所，碩士論文，中華民國89年六月。[2] 陳宗裕，「支援弱點稽核與入侵偵測之整合性後端資料庫設計研究」，中原大學資訊工程研究所，碩士論文，中華名國90年七月。[3]“Snort Rule Database”.<http://www.snort.org/Database/rules.asp> (12 Sep 2001)[4] Security Focus .“IDS”. <http://www.securityfocus.com> (20 Sep 2001)[5]Common Vulnerabilities and Exposures .“CVE”. <http://cve.mitre.org> (13 Sep 2001)[6]NSA Glossary of Terms Used in Security and Intrusion Detection. SANS Institute” .<http://www.sans.org/newlook/resources/glossary.htm> (21 Sep 2001)[8]Julia Allen ,Alan Christie ,William Fithen ,John McHugh ,Jed Pickel and Ed Stoner.State of the Practice of Intrusion Detection Technologie , 120[9]Gula, Ron. “Broadening the Scope of Penetration Testing Techniques”. <http://www.securityfocus.com/templates/forum_message.html?forum=2&head=7&id=7> (15 Oct 2001)[10]Farmer, Dan and Venema Wietse ,“Improving the Security of Your Site by Breaking Into It”,<http://www.clark.net/pub/roesch/public_html/improve_by_breakin.txt> ( 02 Oct 2001)[11]Nmap ,“IDS”,<http://www.nmap.com> (21 Oct 2001)[12]The Nessus Project ,“Documentation”,<http://www.nessus.org> (01 Nov 2001)[13]Renaud Deraison.The Nessus Attack Scripting Language Reference Guide，Version 1.0.0 , pre2 .[14]BIND vulnerable to overflows, “Nessus Login”,<http://cgi.nessus.org/plugins/dump.php3?id=10605> plugin ID:10605 (23 Nov 2001)[15]Wenke Lee and Salvatore J. Learning Patterns from Unix Process Execution Traces for Intrusion Detection ,Proc. AAAI-97 Work. on AI Methods in Fraud and Risk Management , 1997.[16]林秉忠、歐士源、劉其堅、賴冠州、黃世昆。「攻擊模式、入侵事件、與弱點缺陷資料庫分析研究」。中研院資科所 (2000)。[17]Snort,<http://www.snort.org/> (13 Dec 2001)[18]The Packet Capture library, (27 Dec 2001)[19]Martin Roesch，“Writing Snort Rules：How to write Snort rules and keep your sanity”，Current as of version 1.7，<http://www.snort.org/writing_snort_rules.htm> (12 Nov 2001)[20]取自Snort 程式套件，<http://www.snort.org/Files/snort-1.8p1.tar.gz> (13 Nov 2001)[21]CERT Coordinate Center,“Carnegie Mellon Software Engineering Institute”<http://www.cert.org/advisories/> (29 Dec 2001)[22]臺灣電腦網路危機處理中心，<http://www.cert.org.tw> (11 Nov 2001)[23]SecurityFocus.com，<http://www.securityfocus.com> (13 Nov 2001)[24]SecurityPortal：An atomic tangerine site，<http://www.securityportal.com> (15 Oct 2001)[25]redhat ,“Support and Docs”<http://www.redhat.com/apps/support/updates.html> (2 Jan 2002)[26]MandrakeSoft , <http://www.linux-mandrake.com/en/security/> (2 Jan 2002)[27]Rootshell , <http://www.rootshell.com> (23 Nov 2001)[28]Security Bugware ,<http://161.53.42.3/~crv/security/bugs/list.html> (13 Dec 2001)[29]Assessment Section ,“Packet Storm”<http://packetstorm.securify.com/assess.html> (20 Dec 2001)[30]Whitehats arachnids , <http://www.whitehats.com/ids/index.html> (13 Nov 2001)[31]World Wide Web Consortium , <http://www.w3c.org> (28 Dec 2001)[32]Huang, Hung-Hsuan，Web Navigation Description Language，IIS Sinica，2 Aug 2000。[33]Requirements and Recommendations for CVE Compatibility，<http://cve.mitre.org/compatible/requirements.html> (13 Dec 2001)[34]DBMaker , <http://www.dbmaker.com> (2 Jan 2002)[35]PHP：Hypertext Preprocessor , <http://www.php.org> (3 Jan 2002)[36]The Internet Engineering Task ForceIETF , <http://www.ietf.org> (3 Jan 2002)[37]IDMEF, “Intrusion Detection Message Exchange Format Data Model and Extensible Markup Language (XML) DTD”,<http://www.ietf.org/internet-drafts/draft-ietf-idwg-idmef-xml-03.txt> (3 Jan 2002)[38] 弱點對於風險與時間的關係圖 <http://www.counterpane.com/> (3 Jan 2002)[39] Ronald W. Ritchey Paul Ammann , ”Using Model Checking to Analyze Network Vulnerabilities” , Security and privacy, 2000. S&p; 2000. Proceedings. 2000 IEEE symposium on page(s): 156 — 165 , 14-17 may 2000[40] Victor C. S. Lee John A. Stankovic, and Sang H. Son , “Intrusion Detection in Real-time Database Systems Via Time Signatures“ , Proceedings of the Sixth IEEE Real Time Technology and Applications Symposium (RTAS 2000) , 2000[41] Cert.org , < http://www.cert.org/ > (30 Jun 2002)