National Digital Library of Theses and Dissertations in Taiwan

Detailed record

Author: Yi-Ju Sung (宋奕儒)
Title: Construct Alert Relationship for Hyper-alert Correlation in Union Defense System (在聯防系統下為Hyper-alert Correlation建立攻擊警訊的相互關聯性)
Advisor: Nen-Fu Huang (黃能富)
Degree: Master
Institution: National Tsing Hua University
Department: Institute of Communications Engineering
Discipline: Engineering
Field: Electrical and Computer Engineering
Document type: Academic thesis
Year of publication: 2003
Academic year of graduation: 91 (Republic of China calendar)
Language: English
Chinese keywords: 入侵偵測 (intrusion detection)
English keywords: intrusion detection; alert correlation
Usage statistics: cited 0 times; viewed 208 times; downloaded 0 times; saved to 2 personal bibliographies
Abstract (translated from the Chinese):
The core design goal of an intrusion detection system is to report attacks on the network reliably, but the intrusion detection products currently on the market still produce false attack alerts at a persistently high rate. Most of these systems also generate far too many alerts and generally lack effective filtering and screening capability, so a network security administrator handling these low-level, low-accuracy alerts cannot make correct and reasonable judgements. Several techniques for constructing relationships between attack alerts have been proposed to address this problem; hyper-alert correlation is one of them. Its central idea is that attacks on a network are rarely isolated events and are mostly related to one another, so the prerequisites an attack needs before it can succeed and the consequences it produces afterwards can be used to build relationships between alerts, which makes it easy to group related alerts together. The effectiveness of this method, however, is closely tied to how the relationships between attack events are defined. Moreover, as new kinds of network attacks keep appearing, defining those relationships by hand becomes a complex and tedious job. This thesis proposes a practical method that assists hyper-alert correlation in solving this problem: based on the attack signatures of the intrusion detection system and the alert types defined in hyper-alert correlation, it builds the relationships between attack alerts automatically. In addition, since attacks are so varied, some event relationships may be missed; these are then fine-tuned by hand, which effectively resolves the problems above.

Abstract (English):
Intrusion detection systems are deployed to respond to attacks against Internet networks, but current intrusion detection systems generate too many false alerts. The alerts they raise are too elementary and not accurate enough to be managed by a security administrator. Several alert correlation techniques have been proposed to solve this problem, such as hyper-alert correlation. Hyper-alert correlation takes advantage of the prerequisites and consequences of attacks to correlate the related alerts together, but the performance of this approach depends heavily on the quality of the attack modeling. On the other hand, as network attacks keep growing in number, specifying the relationships for alert correlation manually becomes a complex and tedious task. This thesis presents a practical technique to address this issue for hyper-alert correlation. On the basis of the attack signatures and the hyper-alert types defined in hyper-alert correlation, the proposed approach constructs alert relationships automatically. Furthermore, since attacks are so varied, some of the relationships between attacks may be neglected; fine-tuning those relationships by a human user then deals efficiently with this problem.
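The prerequisite/consequence matching that the abstract describes, shown as an added Python example; this is not code from the thesis and does not reproduce its automatic construction of alert relationships from signatures, which the record gives no details of. The hyper-alert type catalogue, the predicate names (ExistHost, ExistService, CompromisedHost), the alert attribute names and the five sample alerts are all constructed for illustration, and matching a consequence to a prerequisite by exact equality of instantiated predicates is a simplification of the implication relation used in hyper-alert correlation.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class HyperAlertType:
    """Alert class plus predicate templates such as ("ExistService", "DestIP", "DestPort")."""
    name: str
    prerequisites: tuple   # templates that must hold before the attack can succeed
    consequences: tuple    # templates that hold once the attack has happened


@dataclass
class Alert:
    """One raw IDS alert (constructed sample data, not real sensor output)."""
    alert_id: str
    type_name: str
    timestamp: int          # only the ordering of timestamps matters here
    attrs: dict = field(default_factory=dict)


# Constructed catalogue of hyper-alert types (hypothetical names and predicates).
TYPES = {t.name: t for t in (
    HyperAlertType("ICMP_PingSweep", (), (("ExistHost", "DestIP"),)),
    HyperAlertType("TCP_PortScan",
                   (("ExistHost", "DestIP"),),
                   (("ExistService", "DestIP", "DestPort"),)),
    HyperAlertType("Service_Exploit",
                   (("ExistService", "DestIP", "DestPort"),),
                   (("CompromisedHost", "DestIP"),)),
    # The compromised host is the *source* of the outbound connection,
    # so the template binds the predicate to SrcIP rather than DestIP.
    HyperAlertType("Outbound_Connection", (("CompromisedHost", "SrcIP"),), ()),
)}

# Constructed alert stream using RFC 5737 documentation addresses.
SAMPLE_ALERTS = [
    Alert("a1", "ICMP_PingSweep", 100, {"SrcIP": "198.51.100.7", "DestIP": "192.0.2.10"}),
    Alert("a2", "TCP_PortScan", 200, {"SrcIP": "198.51.100.7", "DestIP": "192.0.2.10", "DestPort": 80}),
    Alert("a5", "TCP_PortScan", 250, {"SrcIP": "198.51.100.9", "DestIP": "192.0.2.99", "DestPort": 22}),
    Alert("a3", "Service_Exploit", 300, {"SrcIP": "198.51.100.7", "DestIP": "192.0.2.10", "DestPort": 80}),
    Alert("a4", "Outbound_Connection", 400, {"SrcIP": "192.0.2.10", "DestIP": "203.0.113.5"}),
]


def instantiate(templates, attrs):
    """Bind predicate templates to an alert's attribute values.

    A template whose attributes the alert does not carry is skipped instead of
    raising, so one alert with missing fields never aborts correlation.
    """
    facts = set()
    for predicate, *arg_names in templates:
        if all(name in attrs for name in arg_names):
            facts.add((predicate, tuple(attrs[name] for name in arg_names)))
    return facts


def correlate(alerts, types):
    """Return "prepare-for" edges (earlier_id, later_id).

    Earlier alert E prepares for later alert L when an instantiated consequence
    of E equals an instantiated prerequisite of L and E strictly precedes L.
    """
    ordered = sorted(alerts, key=lambda a: a.timestamp)
    edges = []
    for i, earlier in enumerate(ordered):
        consequences = instantiate(types[earlier.type_name].consequences, earlier.attrs)
        if not consequences:
            continue
        for later in ordered[i + 1:]:
            if later.timestamp <= earlier.timestamp:   # reject simultaneous alerts
                continue
            prerequisites = instantiate(types[later.type_name].prerequisites, later.attrs)
            if consequences & prerequisites:
                edges.append((earlier.alert_id, later.alert_id))
    return edges


def attack_scenarios(alerts, edges):
    """Group alerts into connected components of the correlation graph."""
    adjacency = {a.alert_id: set() for a in alerts}
    for u, v in edges:
        adjacency[u].add(v)
        adjacency[v].add(u)
    seen, scenarios = set(), []
    for start in sorted(adjacency):
        if start in seen:
            continue
        component, stack = set(), [start]
        while stack:
            node = stack.pop()
            if node in component:
                continue
            component.add(node)
            stack.extend(adjacency[node] - component)
        seen |= component
        scenarios.append(sorted(component))
    return scenarios


if __name__ == "__main__":
    found = correlate(SAMPLE_ALERTS, TYPES)
    for earlier, later in found:
        print(f"{earlier} prepares for {later}")
    print("scenarios:", attack_scenarios(SAMPLE_ALERTS, found))
```

Run as a script, the four alerts against 192.0.2.10 chain into one scenario (a1 → a2 → a3 → a4), while the port scan a5 against 192.0.2.99 stays in a scenario of its own because no earlier alert supplied its ExistHost prerequisite. That isolated alert is the situation the abstract points to: a relationship the automatic construction did not capture, left for a human analyst to fine-tune, and exactly where an overly strict matching rule (equality instead of implication) silently loses correlations.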

Table of Contents
List of Tables
List of Figures
Chapter 1 Introduction
  1.1 Motivation
  1.2 Organization
Chapter 2 Related Work
Chapter 3 A Framework for Alert Correlation
  3.1 Alert Correlation Architecture
  3.2 Previous Work
    3.2.1 Hyper-alert Architecture
    3.2.2 Hyper-alert Type and Hyper-alert
    3.2.3 Hyper-alert Correlation Graph
  3.3 Modeling the Alert Relationship
    3.3.1 Template Correlation
    3.3.2 Implicit Correlation
    3.3.3 Explicit Correlation
Chapter 4 Experimental Results
  4.1 Single Attacker vs. Single Victim
  4.2 Multiple Attackers vs. Single Victim
  4.3 Single Attacker vs. Multiple Victims
  4.4 Multiple Attackers vs. Multiple Victims
Chapter 5 Conclusion and Future Work
  5.1 Conclusion
  5.2 Future Work
    5.2.1 Alert Aggregation
    5.2.2 Correlating Alerts from Different IDSs
    5.2.3 Intrusion Plan Recognition
    5.2.4 Attack Prevention
References
