Author: Lun-Chuan Lee (李倫銓)
Title: A Clustered Architecture for Network Intrusion Detection System (網路入侵偵測系統的叢集式架構)
Advisor: Shiuh-Pyng Shieh (謝續平)
Degree: Master's
Institution: National Chiao Tung University
Department: Computer Science and Information Engineering
Discipline: Engineering
Field: Electrical and Computer Engineering
Document type: Academic thesis
Year published: 2002
Graduation academic year: 90 (ROC calendar)
Language: English
Pages: 66
Keywords (Chinese): network intrusion detection system; intrusion detection system; cluster
Keywords (English): network intrusion detection system; IDS; cluster; snort; dispatcher; session-based; cluster intrusion detection system; cluster ids
Metrics:
  • Cited: 0
  • Views: 289
  • Downloads: 0
  • Bookmarked: 3
Abstract (Chinese, translated): A network intrusion detection system can detect anomalous behaviour or attacks on the network, but in a high-speed network environment the NIDS cannot process traffic at such rates and may drop packets, which reduces its detection capability. In this thesis we propose a clustered architecture for network intrusion detection systems suited to high-speed networks; the clustered architecture dispatches packets to the individual NIDS nodes on a per-connection basis. Because the dispatcher sends both directions of a connection's packets to the same NIDS, each NIDS retains the ability to monitor the real network traffic. Because dispatching is done per connection, every NIDS also retains its IP fragment reassembly and TCP reassembly capabilities. Some cross-connection attacks, such as network scans and SYN flooding, consist of many individually normal packets or connections; the packets or connections that make up such an attack are dispatched to different NIDS nodes, which may make detection difficult in this clustered architecture. Such attacks can be detected by having a central system collect the necessary information from each NIDS. Our analysis shows that this clustered architecture can detect many kinds of attacks.

Abstract (English): A network intrusion detection system (NIDS) can detect anomalous behaviour and attacks over the network. In a high-speed network, a NIDS cannot handle the large volume of packets; it will eventually drop packets and fail to detect intrusions. In this thesis, we propose a clustered NIDS architecture for high-speed networks. The clustered architecture uses a session-based dispatching scheme to distribute packets to its cluster nodes, each of which runs an intrusion detection system. The dispatcher on the high-speed network segment balances the bidirectional traffic across the cluster nodes in such a way that each NIDS keeps its TCP stateful inspection ability. The session-based approach also preserves the IP fragment reassembly and TCP reassembly abilities of each cluster node. Cross-session attacks, such as port scans or SYN flooding, make intrusion detection very difficult in clustered architectures. These attacks are normally detected as anomalous behaviour that deviates from normal user behaviour, and distributing sessions across different NIDS nodes makes it difficult for any single node to observe the anomalous statistics. To cope with this problem, a master node is designated to collect and analyze the statistics gathered from all nodes. As the analysis showed, the clustered architecture is able to detect various kinds of attacks.
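The two mechanisms the abstract describes, session-based dispatching by XOR folding of the 4-tuple (section 3.1.1 of the table of contents) and master-node aggregation for cross-session attacks, as an added example written for this record rather than code from the thesis. Node selection by "hash modulo node count", the packet dictionary format, the SYN threshold and all packets are assumptions or constructed sample data.

```python
# Added illustration, not code from the thesis: a session-based dispatcher that
# XOR-folds (src IP, src port, dst IP, dst port) into 16 bits, so both directions
# of a session land on the same cluster node, plus a master node that sums the
# per-node SYN counters to see a cross-session SYN flood no single node observes.
# "Hash mod node count", the packet format and the threshold are assumptions;
# every packet below is constructed sample data.
from collections import Counter
from ipaddress import ip_address

def fold16(value: int) -> int:
    """XOR-fold an integer into 16 bits (all 16-bit chunks XORed together)."""
    acc = 0
    while value:
        acc ^= value & 0xFFFF
        value >>= 16
    return acc

def session_hash(src_ip: str, sport: int, dst_ip: str, dport: int) -> int:
    """16-bit XOR folding of the 4-tuple. XOR is commutative, so the reply
    direction (endpoints swapped) produces exactly the same hash value."""
    h = 0
    for part in (int(ip_address(src_ip)), sport, int(ip_address(dst_ip)), dport):
        h ^= fold16(part)
    return h

def dispatch(pkt: dict, n_nodes: int) -> int:
    """Cluster node index for one packet (assumed: session hash mod node count)."""
    return session_hash(pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"]) % n_nodes

def run_cluster(packets, n_nodes: int) -> Counter:
    """Dispatch every packet; each node counts only the SYN-only segments it sees."""
    per_node_syn = Counter({n: 0 for n in range(n_nodes)})
    for pkt in packets:
        if pkt["flags"] == "S":
            per_node_syn[dispatch(pkt, n_nodes)] += 1
    return per_node_syn

def master_sees_syn_flood(per_node_syn: Counter, threshold: int) -> bool:
    """Master node: aggregate the per-node counters and compare the cluster-wide
    SYN count against an (assumed) threshold that no single node would reach."""
    return sum(per_node_syn.values()) >= threshold

def constructed_syn_flood(n: int) -> list:
    """Constructed sample: n SYNs from n distinct sources to one web server."""
    return [{"src": f"10.0.0.{k}", "sport": 40000, "dst": "192.168.1.10",
             "dport": 80, "flags": "S"} for k in range(1, n + 1)]
```

With 4 nodes and 200 constructed SYNs each node sees only 50, below a threshold of 100, while the master's aggregate of 200 crosses it.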

ABSTRACT
CHAPTER 1. INTRODUCTION 9
1.1. BACKGROUND 9
1.2. MOTIVATION 11
1.3. PROBLEMS IN CLUSTERED NETWORK IDS 12
1.3.1. The NIDS abilities 12
1.3.1.1. IP fragment reassembly 12
1.3.1.2. TCP reassembly 14
1.3.1.3. TCP stateful inspection 16
1.3.1.4. Cross-session Attacks 19
CHAPTER 2. RELATED WORK 22
2.1. DISTRIBUTED NIDS 22
2.2. TOPLAYER/ISS GIGABIT ETHERNET INTRUSION DETECTION SOLUTIONS 23
2.3. OTHER LOAD BALANCING APPROACH 24
2.3.1. Packet-based Clustering 24
2.3.2. Protocol-based Clustering 25
CHAPTER 3. PROPOSED ARCHITECTURE 28
3.1. DISPATCHER 29
3.1.1. Dispatching Scheme 31
3.1.1.1. XOR folding of source IP, source port, destination IP, destination port 32
3.1.1.2. Analysis of 16 bits XOR folding 33
3.1.1.3. XOR folding of source IP, source port, destination IP, destination port (IP address only use last 2 bytes) 37
3.1.1.4. Hashing Collision 37
3.1.2. Table-based Hashing function 39
3.2. CLUSTER NODES 42
3.3. CROSS-SESSION ATTACK DETECTION SCHEME 43
3.4. ANALYSIS OF ATTACKS 49
3.4.1. Attack Taxonomy for Evaluation 50
CHAPTER 4. EVALUATION 58
4.1. HASHING FUNCTION EVALUATION 60
CHAPTER 5. CONCLUSION 63
REFERENCE 63

