National Digital Library of Theses and Dissertations in Taiwan

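Graduate student: 李慧蘭
Graduate student (English): Hui-Lan Lee
Thesis title: 智慧型泛濫攻擊防禦網路架構之設計
Thesis title (English): The Design of an Intelligent Flooding Unthreat Network Architecture
Advisor: 黃能富
Advisor (English): Nen-Fu Huang
Degree: Master's
Institution: National Tsing Hua University
Department: Institute of Communications Engineering
Discipline: Engineering
Field: Electrical and Computer Engineering
Thesis type: Academic thesis
Year of publication: 2004
Graduation academic year: 92
Language: English
Number of pages: 49
Keywords (translated from Chinese): flooding attack; denial-of-service attack; distributed denial-of-service attack; intrusion detection system
Keywords (English): flooding attack; DoS; DDoS; IDS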
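Flooding attacks have drawn considerable attention in recent years. Besides crafting malicious packets, attackers use large volumes of normal packets to mount bandwidth attacks that occupy network bandwidth and exhaust system resources, so that the system can no longer provide service. These are the well-known DoS or DDoS denial-of-service attacks. The "security information management (SIM)" systems currently on the market mainly provide event collection and analysis for the heterogeneous network security devices in a network architecture, and still lack active defense. Protocol anomaly intrusion detection systems, statistical anomaly intrusion detection systems, firewalls and security information management systems are already widely used by enterprises, but SIM products are not yet mature, and they have very large room for growth over the next few years. In view of this, we define an intelligent, active defense strategy to remedy the shortcoming that a SIM can only passively report security logs and still cannot effectively control network devices. We call this kind of SIM an "intelligent security information management system (I-SIM)". In this thesis, in addition to proposing a complete network architecture for defending against flooding attacks (the Flooding Unthreat Network), we define a dynamic filtering mechanism, based mainly on the reports of anomaly intrusion detection systems and statistical anomaly intrusion detection systems, so that suspicious attackers can be intercepted at the firewall, the first line of defense. In addition, flooding attacks are often sent as large volumes of normal packets, which defeats signature-matching detection systems; in that case, dynamic traffic adjustment can effectively curb malicious bandwidth attacks. Finally, we show through simulation experiments that normal users obtain a lower blocking rate when a flooding attack occurs.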
Nowadays, the flooding attack is the most common network threat, and alleviating this kind of attack is the most important security topic. Attackers generate a large amount of traffic to consume bandwidth, which causes network congestion and limits new connection establishment from other users. They also waste server capacity, keeping the server always busy and denying service to normal users. These are the well-known DoS and DDoS attacks. All current "security information management" (SIM) products only provide functions to report events, to monitor, and to trigger alerts. No active alleviation procedure is included, so they can only detect attacks without preventing them. Heterogeneous network security devices, including SIM, statistically-based IDS, protocol anomaly IDS and firewalls, have been widely deployed in most networks. In this thesis, based on a heterogeneous network, we not only propose a flooding unthreat network (FUN) architecture to integrate different types of IDS systems but also explore a better intelligent mechanism to deter flooding attacks. The "black list" and "fair allocation list" mechanisms are designed to block attack traffic at its ingress firewall. The simulation results and performance improvement of the proposed FUN system are also illustrated.