臺灣博碩士論文加值系統

越來越多的電腦以網路相互連接，且電腦病毒和網路攻擊事件與日遽增，所以網路安全也越來越被公眾所重視。現在有一些網路設備已經被使用來增加安全性，像是防火牆(Firewalls)或是入侵偵測系統(Intrusion Detection System, IDS)。但是對入侵偵測系統來說，先前的研究或成果大多著重於被動模式，主要是提供偵測並發出警報。但是以最近的網路攻擊和病毒的行為模式來看，這不足以應付現今的網路威脅。主動式網路入侵偵測系統(Active Network IDS, ANIDS)將有助於解決這個問題。
本論文將說明主動式網路入侵偵測系統的主要優點為將攻擊阻絕於第一線，以及主動積極的防禦，可以對攻擊前預先的偵測活動予以阻絕或是混淆攻擊者視聽。不過，它也有和其他網路安全設備和被動式入侵偵測系統相似的缺點。相關的研究成果和系統，如Firewalls、被動式入侵偵測系統、Protocol Scrubber以及Hogwash將被提出來比較研究。設計和實作一個主動式網路入侵偵測系統牽涉許多考慮和折衷因素，像是效能和擴充性，在本論文中將提出來。本論文將提出一個具有彈性、有效率、可擴充性的系統架構，提供主動式網路入侵偵測系統設計的基礎。我們將據此在Linux 2.4上實作一個系統雛形，效能和偵測能力將和Hogwash作相對比較。

The network security is getting more awareness by public because the computers are network connected and there are increasing worms and network attacks in recent years. Some network devices are introduced to help increasing security, like firewalls and intrusion detection systems (IDS). But for IDS, previous works mostly focused on passive model, which aims at detections and alerting. But it is not enough to cope with current network threats. An active network IDS (ANIDS) would help to patch the rift.
The thesis introduces that the main advantage of ANIDS is to stop attacks at first line and proactive defense. The ANIDS also has some limits like other security gateways and passive IDS. Several related works are surveyed, and a comparison among passive IDS, active IDS and other gateways is given. The issues of designing an ANIDS involve several considerations and trade-offs, such as performance and extensibility. The thesis presents a flexible, efficient, extensible framework for designing an ANIDS. An implementation based on this framework is developed on Linux 2.4 kernel. Performance and detection ability is compared with Hogwash.

1. Introduction 5
1.1 Introduction 5
1.2 Objectives 6
1.3 Related Works and Background 7
1.3.1 Firewall 7
1.3.2 Passive IDS 7
1.3.2.1 Snort 8
1.3.2.2 Bro 9
1.3.3 Protocol Scrubber 9
1.3.4 Hogwash 10
1.4 Thesis Organization 11
2. The Design of Active Network IDS 12
2.1 Design Issues 12
2.2 Limitations 13
2.3 Our Design 14
2.3.1 Packet Dispatcher 15
2.3.2 Basic Statistics 17
2.3.3 Event Dispatcher 17
2.3.4 Auxiliary Module 17
2.3.5 Detection Preprocessor Module 18
2.3.6 Control Panel 18
2.3.7 Detection Engine 19
2.3.8 Event Handler 19
2.3.9 Packet Journey 19
3. The Implementation 21
4. Performance 23
5. Conclusion 28
6. References 30

[1] R. Heady, G. Luger, A. Maccabe, M. Servilla, “The Architecture of A Network Level Intrusion Detection System”, Technical Report CS-90-20, Dept. of Computer Science, University of New Mexico, August 1990.
[2] S. Axelsson, “Research in Intrusion-detection Systems: A Survey”, Technical Report 98─17, Dept. of Computer Engineering, Chalmers University of Technology, December 1998.
[3] R. Barber, “The Evolution of Intrusion Detection Systems - The Next Step”, Computers & Security, Volume 20 Issue 2, pp.132-145, April 2001.
[4] eEye Digital Security, “.ida Code Red Worm”, http://www.eeye.com/html/Research/Advisories/AL20010717.html, July 2001.
[5] Fyodor, “Remote OS Detection via TCP/IP Stack Fingerprinting”, http://www.insecure.org/nmap/nmap-fingerprinting-article.html”, April 1999.
[6] M. de Vivo, E. Carrasco, G. Iserm, and G. O. de Vivo, “A Review of Port Scanning Techniques”, Computer Communication Review, Volume 29, No. 2, April 1999.
[7] M. Smart, G. Robert Malan, and F. Jahanian, “Defeating TCP/IP Stack Fingerprinting”, Proceedings of the 9th USENIX Security Symposium, August 2000.
[8] D. B. Chapman and E. D. Zwicky, “Building Internet Firewalls”, pp. 17, O’Reilly & Associates, Inc. 1995.
[9] M. de Vivo, G. O. de Vivo, R. Koeneke and G. Isern, “Internet Vulnerabilities Related to TCP/IP and T/TCP”, ACM SIGCOMM Computer Communication Review, Volume 29, No. 1, pp.81-85, January 1999.
[10] R., “FAQ: Network Intrusion Detection Systems”, http://www.robertgraham.com/pubs/network-intrusion-detection.txt, 1999.
[11] Snort, http://www.snort.org
[12] Libpcap, http://www.tcpdump.org
[13] D. Curry and H. Debar, “Intrusion Detection Message Exchange Format Data Model and Extensible Markup Language (XML) Document Type Definition”, IETF IDWG Internet Draft, http://www.ietf.org/internet-drafts/draft-ietf-idwg-idmef-xml-06.txt, December 2001.
[14] V. Paxson, “Bro: A System for Detecting Network Intruders in Real-Time”, Computer Networks, 31(23-24), pp. 2435-2463, December 1999.
[15] G. R. Malan, D. Watson, F. Jahanian and P. Howell,“Transport and Application Protocol Scrubbing”, Proceedings of the IEEE INFOCOM 2000 Conference, Tel Aviv, Israel, March 2000.
[16] Hogwash, http://hogwash.sourceforge.net/
[17] Libnet — Packet Assembly System, http://www.packetfactory.net/Projects/Libnet/.
[18] M. Fisk, G. Varghese, “Fast Content-Based Packet Handling for Intrusion Detection,” UCSD Technical Report CS2001-0670, University of California San Diego, May 2001.
[19] NetFilter, http://netfilter.samba.org/
[20] MITRE, “CVE-2000-0884,” http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0884
[21] arachNIDS, “IDS297/WEB-MISC_HTTP-DIRECTORY-TRAVERSAL1,” http://www.whitehats.com/IDS/297
[22] arachNIDS, “IDS298/WEB-MISC_HTTP-DIRECTORY-TRAVERSAL2,” http://www.whitehats.com/IDS/298
[23] B. Cheswick, “An Eventing with Berford in Which a Cracker is Lured, Endured, and Studied,” Firewall and Internet Security, Chapter 10, Addison-Wesley, 1994.
[24] D.Klug, Honey Pots and Intrusion Detection, SANS Institute, September 2001.
[25] The Honeynet Project, Know Your Ememy: Honeynets, http://www.honeynet.org/papers/, April 2000.