National Digital Library of Theses and Dissertations in Taiwan (臺灣博碩士論文加值系統)
Detailed record
Student: 林宣燁
Student (English name): Hsuan-Yeh Lin
Thesis title: 行動安全管理營運中心警告整合群組之研究 (A Study of Alert-Integration Groups in a Mobile Security Operation Center)
Thesis title (English): Alert Integration in Mobile SOC
Advisor: 李忠憲
Advisor (English name): Jung-Shian Li
Degree: Master
Institution: National Cheng Kung University (國立成功大學)
Department: Institute of Computer and Communication Engineering
Discipline: Engineering
Field: Electrical and Information Engineering
Document type: Academic thesis
Year of publication: 2007
Academic year of graduation: 95 (ROC calendar)
Language: Chinese
Pages: 76
Keywords (Chinese): 安全管理營運中心, 警告整合, 行動代理人
Keywords (English): SOC, mobile agent, alert correlation
Abstract (translated from the Chinese):
With the spread of the Internet, network use has become part of everyday life, for example e-government, commodity trading and financial services. When we engage in these activities, all kinds of attacks and malicious behaviour pose a latent danger; furthermore, since we store more and more private data on network hosts, the risk that such a host is attacked and our data lost or stolen keeps growing.
Many security products already exist to guard against the situations above, but these products (e.g. intrusion detection/prevention systems, anti-virus software) still have considerable problems, such as high false-positive rates and large numbers of redundant alerts. The larger an organization or agency, the more security products it runs, the more complex their deployment and the greater the volume of alerts generated; moreover, alert formats differ from device to device, which makes management difficult. A Security Operation Center (SOC) provides mechanisms for security management, organization and data collection that can effectively solve these problems.
We propose a hierarchical Security Operation Center that uses mobile agents: the hierarchy extends the scope of correlation, while the distributed design lowers the probability of the system itself being attacked. Alert correlation is performed in two modes. We ran several attack scenarios against our system on the Taiwan Network Security Testbed (TWANST), and the results matched expectations.
Abstract (English):
With the universal spread of the Internet, network use has become part of our daily life, for example e-government, commodity trading, banking services, etc. Many dangers, attacks and malicious behaviours exist in the network when we carry out the activities above. Besides, we put more and more private data on the network, so the risk that hosts suffer attacks that cause our data to be lost or stolen becomes more and more serious.
A lot of security software already exists to guard against all of the above (for example IDS, IPS, anti-virus software, firewalls, etc.), but there are still many problems with this software, such as a high false-positive rate and large amounts of non-relevant events. The bigger the organization, the more security software it runs; as a result, its deployment must be more complex, and the amount of alerts generated must be excessive. Because alerts differ from one piece of equipment to the next, managing them is very difficult. A Security Operation Center (SOC), which provides assistance in automating security policy management, security organizational management and security operation management at the upper level, could solve all of the problems above.
We present a hierarchical SOC using mobile agents: the hierarchy expands the range of the network that one manages, and the distributed system reduces the probability of being attacked. Within the alert-correlation part there are two components. We enumerate several real attacks to test and verify our architecture on the Taiwan Network Security Testbed, and the results match what we expected.
Table of contents:
Chapter 1 Introduction 1
1.1 Security Operation Center 1
1.2 Mobile agent 2
1.3 Motivation 2
1.4 Contributions 3
1.5 Thesis organization 4
Chapter 2 Related work 6
2.1 Alert correlation 6
2.2 Intrusion Detection Message Exchange Format 7
2.3 Overview of related tools 9
Chapter 3 Using mobile agents to detect slow scans 14
3.1 Intrusion detection systems 14
3.2 Port scanning behaviour 16
3.3 Implementation and overall architecture 22
3.4 Experimental scenarios and analysis of results 26
Chapter 4 Architecture and implementation of the alert-correlation mobile-agent group in the Security Operation Center 31
4.1 Overall architecture 31
4.2 Alert fusion 37
4.3 Alert verification 43
4.4 Final alerts and the administrator interface 48
Chapter 5 Experiments and results of the Security Operation mobile-agent group 50
5.1 Scenario 1: Natural traffic in NCKU EE 50
5.2 Scenario 2: DARPA 1999 53
5.3 Scenario 3: Treasure Hunt 55
5.4 Scenario 4: DARPA 2000 57
5.5 Scenario 5: U.C. Davis 59
Chapter 6 Conclusion and future work 61
References 62