臺灣博碩士論文加值系統 (National Digital Library of Theses and Dissertations in Taiwan)

Detailed record
Author: 林永彧
Author (English): Yung-Yu Lin
Title: 發掘可疑網路行為的聯合防禦分析方法
Title (English): A Study of Collaborative Discovering of Suspicious Network Behaviors
Advisor: 曾憲雄
Advisor (English): Shian-Shyong Tseng
Degree: Master
Institution: National Chiao Tung University (國立交通大學)
Department: Institute of Computer Science and Engineering (資訊科學與工程研究所)
Discipline: Engineering
Field: Electrical and Information Engineering
Thesis type: Academic thesis
Year of publication: 2006
Academic year of graduation: 94 (ROC calendar)
Language: English
Pages: 68
Keywords (Chinese): 聯合防禦; 入侵偵測; 知識導向; 警報
Keywords (English): Collaborative Defense; Intrusion Detection; Knowledge-Based; IDS Alerts
Statistics:
  • Cited by: 0
  • Views: 191
  • Rating: (none)
  • Downloads: 22
  • Saved to reading lists: 1
Abstract (Chinese, translated):
With the rapid spread of network intrusion tools, the patterns of network intrusion events are gradually changing. According to the latest network security threat report, network intrusion behavior is evolving toward being more covert and more target-specific. Many studies analyze network intrusion behavior from low-level network data, for example intrusion detection systems (IDS); however, these methods may generate a huge number of false alerts, and finding useful information among data full of false alerts requires administrators with relevant experience or knowledge. To reduce the administrators' burden, useful unknown attack sequences must first be extracted systematically, after which administrators can repair hosts and investigate the attack events. However, every kind of attack has its own characteristics, and at present no single method can perfectly analyze network alerts while at the same time identifying multiple real intrusions. In this thesis we propose a knowledge-based framework for Collaborative Discovering of Suspicious Network Behaviors (CDSNB) built on the concept of collaborative defense. The framework consists of three computational phases: the Data Preprocessing Phase, the Alert Filtering Phase and the Collaborative Analysis Phase. The Data Preprocessing Phase distinguishes hosts that meet certain conditions, which serve as the target host groups for the Collaborative Analysis Phase; in addition, the alert data is converted into a specific data format according to the needs of the Collaborative Analysis Phase. Because false alerts are so common, the Alert Filtering Phase builds a Filter Model (FM) of alerts and uses it to filter out most false alerts, providing a reliable data source for the Collaborative Analysis Phase. The Collaborative Analysis Phase analyzes the various attack patterns from the viewpoint of multiple hosts satisfying specific conditions, and converts the results into an easily analyzed format for the administrator's reference. Under this knowledge-based analysis framework the system interacts continuously with the administrator, flexibly assisting the administrator in choosing the appropriate algorithm in each phase. Finally, using the integrated information on suspicious intrusions, the administrator can defend against events, repair host vulnerabilities, or even trace the origin of an attack. We therefore hope to prevent attacks effectively, discover new attack patterns accurately, and at the same time reduce the administrator's burden in the analysis phase.

Abstract (English):
With the rapid growth of network attacking tools, the patterns of network intrusion events are changing gradually. Referring to the newest Symantec Internet Security Threat Report, we found that network intrusion behaviors are evolving into more hidden and target-specific behaviors. Much research has been proposed to analyze network intrusion behaviors in accordance with low-level network data. However, since these approaches may suffer from a large amount of false alerts, it is very difficult for network administrators to discover useful information from these alerts. To reduce the load on administrators, unknown attack sequences should be collected and analyzed systematically, so that administrators can concentrate on fixing the root causes and researching attack events. However, because each intrusion has different characteristics, there is at present no single analysis method that can correlate IDS alerts perfectly and discover all kinds of real intrusion patterns. Therefore, a knowledge-based framework for Collaborative Discovering of Suspicious Network Behaviors (CDSNB) is proposed in this thesis. The CDSNB framework consists of three phases: the Data Preprocessing Phase, the Alert Filtering Phase and the Collaborative Analysis Phase. The Data Preprocessing Phase divides sensors into groups with specific system and network profiles, and the IDS alerts of these groups are transformed into alert transactions with specific data formats according to the requirements of the Collaborative Analysis Phase. Because of the numerous false alerts, the Alert Filtering Phase constructs a Filter Model (FM) for the sensors in a specific group to filter out most false alerts. The Collaborative Analysis Phase analyzes each alert pattern and classifies the results into aggregated information, from the viewpoint of specific sensor groups with similar backgrounds and behaviors, that administrators can use as a reference for intrusion defense.
In this knowledge-based analysis framework, the system interacts with administrators to assist them in making appropriate decisions in each phase. According to the urgency of a situation, network administrators can protect against events, repair vulnerabilities, or even trace the cause of attacks. Therefore, the knowledge-based CDSNB framework can prevent attacks effectively, find novel attack patterns exactly and reduce the load on administrators efficiently.
Table of contents:
摘要 (Abstract in Chinese)
Abstract
誌謝 (Acknowledgements)
Table of Contents
List of Figures
List of Algorithms
Chapter 1: Introduction
Chapter 2: Related Work
  2.1 Traditional Analysis Approaches for Network Intrusion
  2.2 Using OLAP for Log Analysis
  2.3 IDS Alert Aggregation
  2.4 IDS Alert Reduction
Chapter 3: Knowledge-Based Framework for Collaborative Discovering of Suspicious Network Behaviors
  3.1 Issues for Discovering Suspicious Network Behaviors
  3.2 The Knowledge-Based Framework
  3.3 The Scheme of System Profile and Alerts
Chapter 4: Data Preprocessing Phase
  4.1 The Meta Knowledge of Grouping Sensors
  4.2 The Heuristic of Grouping Sensors
  4.3 The Format Transformation of Alerts
  4.4 Example for Data Preprocessing
Chapter 5: Alert Filtering Phase
  5.1 The Heuristic of Generating Filter Model
  5.2 The Method for Alert Filtering
  5.3 Example for Alert Filtering
Chapter 6: Collaborative Analysis Phase
  6.1 The Collaborative Concept
  6.2 Intra-Group Collaborative Heuristic
  6.3 Inter-Group Collaborative Heuristic
  6.4 Example for Collaborative Analysis
Chapter 7: Case Study
  7.1 The Overview of The Related Tools
  7.2 The Environment Design
  7.3 The Results
Chapter 8: Concluding Remarks
References
Appendix
References:
[1] Alharby, A. and Imai, H. (2005) "IDS False Alarm Reduction Using Continuous and Discontinuous Patterns", Proceedings of ACNS 2005, 2005, pp. 192-205.
[2] Valdes, A. and Skinner, K. (2001) "Probabilistic Alert Correlation", Proceedings of the 4th International Symposium on Recent Advances in Intrusion Detection, 2001, pp. 54-68.
[3] Morin, B. and Debar, H. (2003) "Correlation of Intrusion Symptoms: an Application of Chronicles", Proceedings of the 6th Symposium on Recent Advances in Intrusion Detection (RAID 2003), September 2003.
[4] Cabrera, J. B. D., Lewis, L., Qin, X., Lee, W., Prasanth, R. K., Ravichandran, B. and Mehra, R. K. (2001) "Proactive detection of distributed denial of service attacks using MIB traffic variables - A feasibility study", Proceedings of the 7th IFIP/IEEE International Symposium on Integrated Network Management, 2001.
[5] Erhard, W., Gutzmann, M. M. and Libati, H. M. (2000) "Network Traffic Analysis and Security Monitoring UniMon", Proceedings of the IEEE Conference on High Performance Switching and Routing, ATM 2000, 2000, pp. 439-446.
[6] Cuppens, F. and Miege, A. (2002) "Alert correlation in a cooperative intrusion detection framework", Proceedings of the 2002 IEEE Symposium on Security and Privacy, May 2002.
[7] Goldman, R. P., Heimerdinger, W., Harp, S. A., Geib, C. W., Thomas, V. and Carter, R. L. (2001) "Information Modeling for Intrusion Report Aggregation", DARPA Information Survivability Conference and Exposition II, 2001.
[8] Debar, H. and Wespi, A. (2001) "The intrusion-detection console correlation mechanism", 4th International Symposium on Recent Advances in Intrusion Detection (RAID 2001), October 2001.
[9] Hsin, W. Y. (2005) "A Study of Alert-Based Collaborative Defense", Master Thesis, National Chiao Tung University, 2005.
[10] Chen, J., DeWitt, D. J., Tian, F. and Wang, Y. (2000) "NiagaraCQ: A scalable continuous query system for internet databases", Proceedings of ACM SIGMOD 2000, 2000, pp. 379-390.
[11] Clement, L. Y. S. (2003) "Log Analysis as an OLAP Application - A Cube to Rule Them All", Practical assignment for GIAC GSEC certification, June 2003.
[12] Sabhnani, M. and Serpen, G. (2003) "Application of Machine Learning Algorithms to KDD Intrusion Detection Dataset within Misuse Detection", Proceedings of the International Conference on Machine Learning: Models, Technologies and Applications (MLMTA'03), June 23-26, 2003.
[13] Shin, M. S., Kim, E. H. and Ryu, K. H. (2004) "False Alarm Classification Model for Network-Based Intrusion Detection System", Proceedings of IDEAL 2004, 2004, pp. 259-265.
[14] Park, K. and Lee, H. (2001) "On the effectiveness of route-based packet filtering for distributed DoS attack prevention in power-law Internets", Proceedings of the 2001 Conference on Applications, Technologies, Architectures, and Protocols for Computer Communications, August 2001.
[15] Porras, P. A., Fong, M. W. and Valdes, A. (2002) "A Mission-Impact-Based Approach to INFOSEC Alarm Correlation", Lecture Notes in Computer Science, Proceedings of Recent Advances in Intrusion Detection, 2002, pp. 95-114.
[16] Ning, P., Cui, Y. and Reeves, D. S. (2002) "Constructing attack scenarios through correlation of intrusion alerts", 9th ACM Conference on Computer and Communications Security, November 2002.
[17] Ning, P., Xu, D., Healey, C. G. and Amant, R. A. St. (2004) "Building attack scenarios through integration of complementary alert correlation methods", Proceedings of the 11th Annual Network and Distributed System Security Symposium (NDSS'04), February 2004.
[18] Agrawal, R. and Srikant, R. (1995) "Mining Sequential Patterns", Proceedings of the 11th International Conference on Data Engineering, March 1995.
[19] Madden, S. R., Shah, M. A. and Hellerstein, J. M. (2002) "Continuously adaptive continuous queries over streams", Proceedings of ACM SIGMOD 2002, 2002.
[20] Cheung, S., Lindqvist, U. and Fong, M. W. (2003) "Modeling multistep cyber attacks for scenario recognition", Proceedings of the Third DARPA Information Survivability Conference and Exposition (DISCEX III), April 2003.
[21] Srikant, R. and Agrawal, R. (1996) "Mining sequential patterns: Generalizations and performance improvements", Proceedings of the Fifth International Conference on Extending Database Technology (EDBT), 1996.
[22] Tseng, Y. C. (2004) "Monitoring Network Intrusion by OLAP and Data Mining", Master Thesis, National Chiao Tung University, 2004.
[23] Symantec Corp. (2006) "Symantec Internet Security Threat Report: Trends for July 05-December 05", Volume IX, published March 2006, URL: http://www.symantec.com/index.htm.
[24] Basic Analysis and Security Engine (BASE), URL: http://secureideas.sourceforge.net/, 2005.
[25] CERT Coordination Center, URL: http://www.cert.org/, 2006.
[26] DRAMA Expert System, CORETECH Inc., URL: http://www.coretech.com.tw/c_DRAMA.htm, 2006.
[27] Snort Intrusion Detection/Prevention System, URL: http://www.snort.org/, 2006.
[28] Taiwan Computer Emergency Response Team/Coordination Center (TWCERT/CC), URL: http://www.cert.org.tw/, 2006.