Author: 黃一軒
Author (English): I-Hsuan Huang
Title: 主動式網路入侵監測系統之設計
Title (English): Design of an Active Intrusion Monitor System
Advisor: 楊正仁
Advisor (English): Cheng-Zen Yang
Degree: Master
Institution: 元智大學
Department: Computer Science and Engineering
Discipline: Engineering
Field: Electrical and Computer Engineering
Document type: Academic thesis
Year of publication: 2004
Graduation academic year: 92 (ROC calendar)
Language: English
Pages: 51
Chinese keywords: 主動式網路; 入侵偵測系統; 分散式入侵偵測系統; 疊蓋式網路; 疊蓋式多點傳送
English keywords: Active Networks; Intrusion Detection System; Distributed Intrusion Detection System; Overlay Networks; Overlay Multicast
Chinese abstract (translated): With the rapid development of network technology, the problem of network intrusion has become increasingly serious. Early centralized host-based intrusion detection systems (HIDS) and network-based intrusion detection systems (NIDS), being single-machine architectures, are no longer adequate against current network intrusion methods. Distributed intrusion detection systems (DIDS) are a field that has begun to receive attention in recent years. A DIDS collects intrusion information from multiple sensors and can use the many collected fragments of data to detect intrusions. However, although many studies have explored how to design a distributed intrusion detection system, they have not discussed how to maintain the area covered by the intrusion detection system effectively. Because the volume of control messages used to maintain the system grows in proportion to the exponentially growing number of new types of attacks, a new architecture must be designed to take this issue into account.
In this master's thesis, we propose a distributed intrusion detection system architecture based on overlay multicasting and domain overlapping, called AIMS (Active Intrusion Monitor System). It has three design features. First, with overlay multicasting, control messages can be confined to a small part of the whole detection coverage area; therefore, the volume of control messages is reduced. Second, with domain overlapping, system update messages can be carried efficiently to cooperating domains with the minimum number of message exchanges. Third, by virtue of the above features, AIMS is highly flexible when used to construct a large-scale DIDS. Our experimental results also show that AIMS can operate normally in a 100 Mbps network environment. In summary, because overlay multicasting is used, the volume of AIMS control messages is reduced; on the other hand, because of the cooperative mechanism of domain overlapping, AIMS can share information among nodes rapidly even in a very large network environment.

English abstract: With the rapid development of network technologies, network intrusions have become a serious problem. Because of their single-node architecture, the early centralized host-based intrusion detection systems (HIDS) and network-based intrusion detection systems (NIDS) are no longer powerful enough to counter current network intrusions. Distributed intrusion detection systems (DIDS) have recently become an emerging research area. A DIDS collects intrusion information from multiple sensors and can detect intrusions from several small pieces of data. However, although many research efforts have concentrated on designing a DIDS, they do not address the effectiveness of detection coverage maintenance. Since the number of maintenance control messages is proportional to the exponentially growing number of new types of intrusions, a new architecture is required to address this issue.
In this thesis, we present a novel DIDS architecture called AIMS (Active Intrusion Monitor System), based on overlay multicasting and domain overlapping. It has three distinct design features. First, with overlay multicasting, control messages are localized in a small subset of the overall detection coverage; therefore, the number of control messages is reduced. Second, with domain overlapping, system update messages can be propagated efficiently to cooperative domains by exchanging a minimal number of messages. Third, benefiting from the previous features, AIMS is highly scalable for constructing a large-scale DIDS. Our experimental results also show that AIMS is capable of operating in a 100 Mbps network environment. To conclude, with overlay multicasting, the number of control messages in AIMS is reduced. Moreover, because of the cooperative domain overlapping mechanism, AIMS can share intrusion information with others rapidly, even in a large-scale network environment.

1 Introduction
1.1 Background
1.2 Research Motivations
1.3 The Organization of the Thesis
2 Related Work
2.1 Intrusion Detection Techniques
2.1.1 HIDS and NIDS
2.1.2 DIDS
2.1.3 Anomaly Detection and Misuse Detection
2.2 Overlay Networks
2.3 Active Networks
2.4 Summary
3 System Architecture Design
3.1 System Architecture
3.2 AIMS Nodes
3.3 The AIMS Manager
3.4 Overlay Multicasting
3.5 Cooperative Domain Overlapping
3.6 Access Control
3.7 Summary
4 Prototype Implementation and Experiments
4.1 Prototype Implementation
4.2 Experiments
4.2.1 Experiment I: CodeRed Detection
4.2.2 Experiment II: Control Message Deployment
4.2.3 Experiment III: Detection Performance
4.2.4 Experiment IV: Performance/Security Tradeoffs
4.3 Summary
5 Conclusions
Bibliography

