National Digital Library of Theses and Dissertations in Taiwan
Detailed Record
Author: 鄭光宏
Author (English): Kuang Hung Cheng
Title: 預防擬態攻擊之入侵偵測防禦系統 (An Intrusion Detection and Prevention System against Mimicry Attacks)
Title (English): An Intrusion Prevention System against Mimicry Attacks
Advisor: 蔡文能 (Wen-Nung Tsai)
Degree: Master's
Institution: National Chiao Tung University
Department: Department of Computer Science and Information Engineering
Discipline: Engineering
Field: Electrical and Computer Engineering
Thesis type: Academic thesis
Year of publication: 2005
Academic year of graduation: 93
Language: Chinese
Pages: 62
Keywords (Chinese): 入侵偵測系統 (intrusion detection system)
Keywords (English): IDS; Mimicry Attack
Statistics:
  • Cited by: 0
  • Views: 267
  • Rating: (none)
  • Downloads: 28
  • Bookmarked: 2
With advances in hardware and Internet technology, applications from every area of computing have appeared on the network, yet this open network environment is full of malicious attackers. Many researchers have designed different intrusion detection techniques, but attackers in turn target the weaknesses of those techniques or evade their detection, which makes designing intrusion detection and prevention techniques even harder. We analyze and compare various intrusion detection and prevention techniques together with their weaknesses, and propose a method that solves part of the problem.
This thesis builds on system call interception to design a real-time intrusion detection and prevention system, AMA-IPS (An Intrusion Prevention System against Mimicry Attacks). Users describe attack templates through a graphical interface in the form of state transitions. We improve on the weaknesses of traditional intrusion detection techniques and thereby raise the accuracy of intrusion detection and prevention. In addition, we use a human immune system model (Immunity Model) to check the precision of attack templates and so reduce false positives. The system intercepts every system call requested by application programs and, based on the user-defined attack templates, continuously tracks suspicious applications and terminates them before the attack succeeds, providing an accurate, real-time and effective protective net.
With the development of hardware and Internet technologies, a great many applications are available on the Internet. However, hostile attackers are always present in this open network environment. Although many different intrusion detection techniques have been developed, attackers can always exploit the weaknesses of these techniques and try to evade IDS detection.
Based on the system call interception technique, we develop a real-time intrusion detection and prevention system called AMA-IPS (An Intrusion Prevention System against Mimicry Attacks). In this system, users describe attack models through a GUI in the form of state transitions. We integrate immunity-based techniques into the state-based IPS to detect mimicry attacks and thus improve the detection accuracy of the IPS. In addition, we check the accuracy of each penetration pattern against the human immune system model, and thus reduce false positives. The system intercepts every system call invoked by an application program and tries to match it against the penetration patterns. Once there is evidence that a penetration is under way, the system can terminate the offending process before damage is done.
Abstract i
Table of Contents iv
List of Tables vi
List of Figures vii
Chapter 1: Introduction 1
1.1 Motivation and Objectives 2
1.2 Thesis Organization 2
Chapter 2: Background 4
2.1 Overview of Intrusion Detection and Intrusion Prevention Techniques 4
2.2 Traditional Intrusion Detection Techniques 6
2.2.1 Misuse Detection 8
2.2.2 Anomaly Detection 9
2.3 System Call Interception 9
2.3.1 Loadable Kernel Modules 9
2.3.2 Kernel-Level System Call Interception 11
2.4 Human Immune Systems 13
Chapter 3: Related Work 16
3.1 Related IDS Techniques 16
3.1.1 N-gram Technique 16
3.1.2 State-Transition-Based Technique 18
3.2 Immunity-Based IDS Systems 21
3.2.1 Immunity-Based Network IDS 21
3.2.2 IGSTAM 24
3.3 Attacks on Host-Based IDS 26
3.3.1 No-op System Call Insertion Attacks 26
3.3.2 Cooperative Attacks among Inherited Processes 28
Chapter 4: System Requirements and Design 29
4.1 Examining Improper Penetration Patterns 29
4.1.1 Building the Normal Behavior Database 29
4.1.2 Negative Selection Method 30
4.2 Preventing No-op System Call Insertion Attacks 31
4.3 Preventing Cooperative Attacks among Inherited Processes 35
Chapter 5: System Architecture 37
5.1 Architecture Overview 37
5.2 User-Level Module 39
5.2.1 State-Based Rule Configuration Interface 40
5.2.2 Template Analysis and Testing Module 40
5.3 Kernel-Level Module 42
5.3.1 Normal Behavior Collector 42
5.3.2 Cooperation Handling Module 43
5.3.3 Other Kernel-Level Modules 44
Chapter 6: Experiments and Evaluation 46
6.1 Experimental Environment and Method 46
6.2 Runtime Overhead 46
6.3 Attack Detection Experiments 50
6.3.1 No-op Insertion Attack Experiment 50
6.3.2 Inter-Process Cooperative Attack Experiment 52
6.4 Early Warning of Improper Templates 54
Chapter 7: Discussion and Conclusions 56
7.1 Discussion and Conclusions 56
7.2 Future Work 58
References 59
[1] A. Somayaji and S. Forrest, "Automated Response Using System-Call Delays," in Proceedings of the 9th USENIX Security Symposium, 2000, p. 185.
[2] Y. Bai and H. Kobayashi, "Intrusion Detection Systems: Technology and Development," in Proceedings of the 17th International Conference, 27-29 March 2003, pp. 710-715.
[3] J.B.D. Cabrera, B. Ravichandran, and R.K. Mehra, "Statistical Traffic Modeling for Network Intrusion Detection," in Proceedings of the 8th International Symposium on Modeling, Analysis and Simulation of Computer and Telecommunication Systems, 2000, pp. 466-473.
[4] D. Wagner and P. Soto, "Mimicry Attacks on Host-Based Intrusion Detection Systems," in Proceedings of the ACM Conference on Computer and Communications Security, 2002, pp. 255-264.
[5] G. Dozier, D. Brown, J. Hurley, and K. Cain, "Vulnerability Analysis of AIS-Based Intrusion Detection Systems via Genetic and Particle Swarm Red Teams," in Proceedings of the 2004 Congress on Evolutionary Computation (CEC2004), vol. 1, 19-23 June 2004, pp. 111-116.
[6] E. Eskin, W. Lee, and S.J. Stolfo, "Modeling System Calls for Intrusion Detection with Dynamic Window Sizes," in Proceedings of the DARPA Information Survivability Conference & Exposition II (DISCEX '01), vol. 1, 12-14 June 2001, pp. 165-175.
[7] F. Besson, T. Jensen, D. Le Metayer, and T. Thorn, "Model Checking Security Properties of Control Flow Graphs," Journal of Computer Security, 9:217-250, 2001.
[8] F. Gonzalez and D. Dasgupta, "Anomaly Detection Using Real-Valued Negative Selection," Journal of Genetic Programming and Evolvable Machines, 4:383-403, 2003.
[9] H.H. Feng, O.M. Kolesnikov, P. Fogla, W. Lee, and W. Gong, "Anomaly Detection Using Call Stack Information," in Proceedings of the 2003 IEEE Symposium on Security and Privacy, Berkeley, CA, 2003, p. 62.
[10] A.K. Ghosh, J. Wanken, and F. Charron, "Detecting Anomalous and Unknown Intrusions against Programs," in Proceedings of the 14th Annual Computer Security Applications Conference, 1998, pp. 259-267.
[11] M. Iguchi and S. Goto, "Network Surveillance for Detecting Intrusions," in Internet Workshop 1999 (IWS 99), pp. 99-106.
[12] J.M. McAlerney, S. Staniford, and J.A. Hoagland, "Practical Automated Detection of Stealthy Portscans," Silicon Defense Publications, http://downloads.securityfocus.com/library/spice-ccs2000.pdf
[13] K.M.C. Tan, K.S. Killourhy, and R.A. Maxion, "Undermining an Anomaly-Based Intrusion Detection System Using Common Exploits," in Proceedings of RAID 2002, 16-18 Oct. 2002, pp. 54-73.
[14] K. Ilgun, R.A. Kemmerer, and P.A. Porras, "State Transition Analysis: A Rule-Based Intrusion Detection Approach," IEEE Transactions on Software Engineering, vol. 21, no. 3, pp. 181-199, March 1995.
[15] P.A. Porras, "Detecting Computer and Network Misuse Through the Production-Based Expert System Toolset (P-BEST)," in Proceedings of the 1999 IEEE Symposium on Security and Privacy, Oakland, California, 9-12 May 1999, pp. 146-161.
[16] A. Rapaka, A. Novokhodko, and D. Wunsch, "Intrusion Detection Using Radial Basis Function Network on Sequences of System Calls," in Proceedings of the International Joint Conference, vol. 3, 20-24 July 2003, pp. 1820-1825.
[17] S.A. Hofmeyr, S. Forrest, and A. Somayaji, "Intrusion Detection Using Sequences of System Calls," Journal of Computer Security, 6(3):151-180, 1998.
[18] S. Forrest, S.A. Hofmeyr, and A. Somayaji, "A Sense of Self for Unix Processes," in Proceedings of the 1996 IEEE Symposium on Research in Security and Privacy, Los Alamitos, CA, 1996, pp. 120-128.
[19] Snort Homepage. http://www.snort.org/
[20] STAT Homepage. http://www.cs.ucsb.edu/~rsg/STAT/
[21] T. Garfinkel, "Traps and Pitfalls: Practical Problems in System Call Interposition Based Security Tools," in Proceedings of the Network and Distributed Systems Security Symposium, February 2003, pp. 163-176.
[22] T. Garfinkel, B. Pfaff, and M. Rosenblum, "Ostia: A Delegating Architecture for Secure System Call Interposition," in Proceedings of the Internet Society's 2004 Symposium on Network and Distributed System Security, pp. 187-201.
[23] T. Goan, "ICE: Intelligent Correlation of Evidence for Intrusion Detection," Technical Report #183, Stottler Henke Associates Inc.
[24] T.-Y. Tsai, K.-H. Cheng, C.-H. Chen, and W.-N. Tsai, "An Intrusion Prevention System Using Wrapper," in Proceedings of the International Computer Symposium, 15-17 Dec. 2004, pp. 1218-1223.
[25] C. Warrender, S. Forrest, and B. Pearlmutter, "Detecting Intrusions Using System Calls: Alternative Data Models," in Proceedings of the 1999 IEEE Symposium, 9-12 May 1999, pp. 133-145.
[26] Y. Qiao and W. Xie, "A Network IDS with Low False Positive Rate," in Proceedings of the 2002 Congress, vol. 2, 12-17 May 2002, pp. 1121-1126.
[27] M.M. Yasin and A.A. Awan, "A Study of Host-Based IDS Using System Calls," in Proceedings of the International Conference on Networking and Communication (INCC 204), 11-13 June 2004, pp. 36-41.
[28] Y. Zhang, X. Que, W. Wang, and S. Cheng, "An Immunity-Based Model for Network Intrusion Detection," in Proceedings of ICII 2001 - Beijing, 2001 International Conferences, vol. 5, 2001, pp. 24-29.
[29] J. Zhao and H. Huang, "An Evolving Intrusion Detection System Based on Natural Immune System," in Proceedings of the 2002 IEEE Region 10 Conference on Computers, Communications, Control and Power Engineering, vol. 1, 28-31 Oct. 2002, pp. 129-132.
[30] Z.-J. Xu, J.-Z. Sun, and X.-J. Wu, "An Immune Genetic Model in Rule-Based State Action IDS," in Proceedings of the 2003 International Conference on Machine Learning and Cybernetics, vol. 4, 2-5 Nov. 2003, pp. 2472-2475.
[31] 李駿偉, 田筱榮, and 黃世昆, "Evaluation and Comparison of Intrusion Detection Analysis Methods" (in Chinese), Communications of the CCISA, vol. 8, no. 2, March 2002, pp. 21-37.