臺灣博碩士論文加值系統 (National Digital Library of Theses and Dissertations in Taiwan)
Author: 陳威宇
Author (English): Wei-Yu Chen
Title (Chinese): 安全管理營運中心中警訊整合與關聯呈現之研究與實作
Title (English): The Study and Implementation of Alert Integration, Correlation and Presentation System in SOC
Advisor: 賴溪松
Advisor (English): Chi-Sung Laih
Degree: Master's
Institution: 國立成功大學 (National Cheng Kung University)
Department: Institute of Computer and Communication Engineering (電腦與通信工程研究所)
Discipline: Engineering
Field: Electrical and Computer Engineering
Thesis type: Academic thesis
Year of publication: 2006
Graduation academic year: 94 (ROC calendar)
Language: English
Pages: 76
Keywords (Chinese): 警訊關聯, 攻擊圖, 安全管理營運中心
Keywords (English): Attack Graph, Alert Correlation, Security Operation Center
Related counts:
  • Cited by: 2
  • Views: 174
  • Downloads: 0
Abstract (translated from Chinese):
With the arrival of the information age, the Internet has developed ever more rapidly and the services it offers have multiplied. Along with this speed and convenience, however, have come network intrusions of every kind, viruses and worms, which spread rapidly around the world over high-speed networks, so network security devices have long since become indispensable basic equipment. Most organizations deploy network security devices, yet three problems remain. First, the alert data these devices generate not only has a high false-positive rate but is also severely redundant. Second, the larger the environment, the more layers of firewalls and intrusion detection systems must be deployed, and maintaining the alerts produced by each of these devices separately greatly increases the management burden. Third, because each device produces alerts in its own format and representation, each must be studied separately before one can understand what kind of attack has occurred, and considerable experience is needed to judge correctly the type of attack and whether a host has been compromised.
In this thesis we propose an architecture for a security operation center and design and implement the units concerned with alert integration and correlation. The proposed SOC architecture consists of the following units: 1. Alert Generator Unit: the alert generators together with a format transform module that converts the generated alerts into the normalized IDMEF format; 2. SOC Database: stores alerts and the integrated, correlated events by category; 3. Core Procedure Unit: the main alert-processing procedure, which classifies alerts according to our proposed taxonomy, verifies their relevance, integrates alerts into events and correlates the events with one another; 4. System Operation Unit: runs the system automatically and issues incident tickets to administrators on its own; 5. Event Reaction: the part visible to users, including event reports, security status statistics and our proposed attack-graph visualization. Finally, we run several attack cases on the Taiwan Network Security Testbed to test our system. The results are as expected: the system can present integrated alerts, generate attack graphs through correlation, and automatically generate incident tickets to help administrators maintain network security.
Abstract (English):
With the coming of the information era, the Internet has developed rapidly and offers more and more services. However, intrusions, viruses, and worms have followed the development of the Internet and spread swiftly all over the world over high-speed networks. In order to defend against these threats, network security devices such as intrusion detection systems (IDSs), firewalls, and antivirus software have become essential equipment. Network security devices have been deployed in most organizations. However, at least three problems remain. First, the alarms generated by these devices have a high false positive rate and contain many redundancies. Second, large environments require deploying multiple IDSs and firewalls, which makes it difficult for administrators to maintain and manage the alerts generated by those scattered devices. Third, because different devices generate alerts of different types, formats, and presentations, the administrators must investigate these reports themselves to recognize what happened on the protected hosts. In addition, determining the type of attack precisely requires sufficient experience.
In this thesis, we propose an architecture for a security operation center (SOC) and design and implement the components concerned with alert integration and correlation. The proposed SOC contains five units: (1) the Alert Generator Unit, which generates alerts and converts them to IDMEF format; (2) the SOC Database, which stores and manages alerts; (3) the Core Procedure Unit, the main unit, which performs our proposed classification, verification, integration and correlation; (4) the System Operation Unit, which automates operation of the system and announces incident tickets to the administrator; and (5) Event Reaction, the user interface, including incident lists, security statistics and attack graph presentation. Finally, we run several real attacks on TWANST (Taiwan Network Security Testbed) to test and verify our SOC architecture. The results show that the proposed SOC can not only show the integrated alerts but also generate attack graphs and announce incidents automatically. We are therefore convinced that such a SOC can help administrators maintain network security more effectively in a large enterprise environment.
Table of Contents:
Chapter 1. Introduction ... 1
  1.1 The Role of Security Operation Centers (SOCs) in Internet ... 1
  1.2 Motivation ... 1
  1.3 Contribution ... 3
  1.4 Thesis Organization ... 4
Chapter 2. Overview of Security Operation Centers ... 5
  2.1 A Typical Architecture of a SOC ... 5
  2.2 Components and Functionalities in SOCs ... 5
  2.3 Security Operation Center in Taiwan ... 7
Chapter 3. Related Works ... 9
  3.1 Event Generators ... 9
  3.2 Intrusion Detection Message Exchange Format (IDMEF) ... 11
  3.3 Alert Correlation ... 15
  3.4 Attack Graphs ... 19
Chapter 4. System Design and Implement ... 23
  4.1 System Architecture ... 24
  4.2 Sensor Group Region ... 26
    4.2.1 Alert Generator ... 26
    4.2.2 Format Transform Module ... 27
  4.3 Security Operation Center Region ... 28
    4.3.1 SOC DB ... 28
    4.3.2 Core Procedure Unit ... 34
    4.3.3 System Operation Unit ... 44
  4.4 User Interface Region ... 46
    4.4.1 Attack Graph Presentation ... 46
Chapter 5. Experiments and Results ... 48
  5.1 System Environment ... 48
  5.2 Experiments ... 49
    5.2.1 The Attack Scenario I (in Inside Network) ... 49
    5.2.2 The Attack Scenario II (in Internet) ... 54
    5.2.3 The Attack Scenario III (MS SQL worm) ... 58
    5.2.4 The Attack Scenario IV (DARPA 2000 DDOS) ... 60
    5.2.5 The Attack Scenario V (U.C. Davis) ... 62
    5.2.6 The Attack Scenario VI (Nature Traffic in TWANST) ... 64
    5.2.7 The Presentation of Accident Tickets ... 67
Chapter 6. Conclusions and Future Works ... 70
References ... 71
Appendix ... 74
  I. The Format of Snort Raw Data Table ... 74
  II. Original Snort Classification ... 76