|
[1] Ofir Arkin and Fyodor Yarochkin, “Xprobe v2.0: A Fuzzy Approach to Remote Active Operating System Fingerprinting,” 2002.
[2] Andre Arnes, Fredrik Valeur, Giovanni Vigna and R.A. Kemmerer, “Using Hidden Markov Models to Evaluate the Risks of Intrusions,” Recent Advances in Intrusion Detection (RAID) Workshop, On page(s): 145-164, 2006.
[3] Andre Arnes, Karin Sallhammar, Kjetil Haslum, Tonnes Brekne, Marie Elisabeth Gaup Moe and Svein Johan Knapskog, “Real-Time Risk Assessment with Network Sensors and Intrusion Detection Systems,” International Conference on Computational Intelligence and Security (CIS), 2005.
[4] Cacti, “Cacti: the complete rrdtool-based graphing solutions,” http://www.cacti.net
[5] C.H. Chen, “Building an Attack Scenario Database with Causal Relationship of Intrusive Behaviors in Unix-like Systems and its Applications,” NCKU, 2007.
[6] Yu Chen, Kai Hwang and Wei-Shinn Ku, “Collaborative Detection of DDoS Attacks over Multiple Network Domains,” IEEE Transactions on Parallel and Distributed Systems, On page(s): 1649-662, 2007.
[7] Y.C. Cheng, C.H. Chen, C.C. Chiang, J.W. Wang, C.S. Laih, “Generating Attack Scenarios with Causal Relationship,” IEEE International Conference on Granular Computing (GRC 2007), On page(s): 368-373, Nov. 02-04, 2007.
[8] W.Y. Chen, “The Study and Implementation of Alert Integration, Correlation, and Presentation System In SOC,” NCKU, 2006.
[9] Steven Cheung, Ulf Lindqvist and Martin W. Fong, “Modeling Multistep Cyber Attacks for Scenario Recognition,” Proceedings of the Third DARPA Information Survivability Conference and Exposition, On page(s): 284-292, Vol. 1, 2003.
[10] C.C. Chiang, “Building an Attack Scenario Database with Causal Relationship of Worm Attack Behaviors and its Applications,” NCKU, 2007.
[11] Cisco, “Cisco PIX 506E Firewall Quick Start Guide,” http://www.conticomp.com/
[12] Frederic Cuppens and Alexandre Miege, “Alert Correlation in a Cooperative Intrusion Detection Framework,” Proceedings of the 2002 IEEE Symposium on Security and Privacy, On page(s): 202-215, 2002.
[13] Frederic Cuppens and Rodolphe Ortalo, “LAMBDA: A Language to Model a Database for Detection of Attacks,” Recent Advances in Intrusion Detection (RAID) Workshop, On page(s): 197-216, 2000.
[14] D. Curry and H. Debar, “Intrusion Detection Message Exchange Format: Data Model and Extensible Markup Language (XML) Document Type Definition,” Intrusion Detection Working Group, June 20, 2002. Work in progress, IETF Internet-Draft draft-ietf-idwg-idmef-xml-07.txt
[15] Kristopher Daley, Ryan Larson and Jerald Dawkins, “A Structure Framework for Modeling Multi-Stage Network Attack,” Proceedings of the International Conference on Parallel Processing Workshops, On page(s): 5-10, 2002.
[16] Christos Douligeris and Aikaterini Mitrokotsa, “DDoS Attacks and Defense Mechanisms: A Classification,” Proceedings of the 3rd IEEE International Symposium on Signal Processing and Information Technology, On page(s): 190-193, 2003.
[17] Christos Douligeris and Aikaterini Mitrokotsa, “DDoS attacks and defense mechanisms: classification and state-of-the-art,” Computer Networks, On page(s): 643-666, 2004.
[18] Ashish Gehani and Gershon Kedem, “RheoStat: Real-time Risk Management,” Recent Advances in Intrusion Detection (RAID), On page(s): 296-314, 2004.
[19] Kjetil Haslum and Andre Arnes, “Multisensor Real-time Risk Assessment using Continuous-time Hidden Markov Models,” International Conference on Computational Intelligence and Security, On page(s): 1536-1540, 2006.
[20] Honeypot, “Developments of the Honeyd Virtual Honeypot,” http://www.honeyd.org
[21] Honeypot, “Intrusion Detection, Honeypots,” http://www.Honeypots.net
[22] Yen-Hung Hu, Hongsik Choi, Hyeong-Ah Choi, “Packet Filtering to Defend Flooding-Based DDoS Attacks,” IEEE/Sarnoff Symposium on Advances in Wired and Wireless Communication, On page(s): 39-42, 2004.
[23] Zhou J., Heckman M., Reynolds B., Carlson A., and Bishop M., “Modeling Network Intrusion Detection Alert for Correlation,” ACM Transactions on Information and System Security, Vol. 10, No. 1, 2007.
[24] A. Kuehlmann, K. L. McMillan, and R. K. Brayton, “Probabilistic state space search,” In Proceedings of ACM/IEEE International Conference on Computer Aided Design, 1999.
[25] Zhi-tang Li, Jie Lei, Li Wang and Dong Li, “Assessing Attack Threat by the Probability of Following Attacks,” International Conference on Networking, Architecture, and Storage (NAS), On page(s): 91-100, 2007.
[26] Wang Li, Li Zhi-tang, Wang Qi-hong, “A novel technique of recognizing multi-stage attack behaviour,” Signal Processing and Its Applications, On page(s): 188-193, 2003. Proceedings. Seventh International Symposium on.
[27] Lersak Limwiwatkul and Arnon Rungsawangr, “Distributed Denial of Service Detection using TCP/IP Header and Traffic Measurement Analysis,” International Symposium on Communications and Information Technologies, On page(s): 605-610, Vol. 1, 2004.
[28] Wei Lu and Issa Traore, “An Unsupervised Approach For Detecting DDOS Attacks Based On Traffic-Based Metrics,” IEEE Pacific Rim Conference on Communications, Computers and Signal Processing, On page(s): 462-465, 2005.
[29] McAfee Avert Labs, “Top 10 Threat Predictions for 2007,” 2006.
[30] McAfee Avert Labs, “Top 10 Threat Predictions for 2008,” 2007.
[31] Vaibhav Mehta, Constantinos Bartzis, Haifeng Zhu, “Ranking Attack Graphs,” Recent Advances in Intrusion Detection (RAID) Workshop, On page(s): 127-144, 2006.
[32] Microsoft, “Windows XP Security Guide,” http://www.microsoft.com/technet/security/prodtech/windowsxp/secwinxp/
[33] MIT Lincoln Lab, “2000 DARPA intrusion detection scenario specific datasets,” http://www.ll.mit.edu/mission/communications/ist/corpora/ideval/data/2000data.html
[34] HD Moore, Jay Beale, Haroon Meer, Roelof Temmingh, Charl Van Der Walt and Renaud Deraison, “Nessus Network Auditing,” 2005.
[35] MRTG, “MRTG,” http://oss.oetiker.ch/mrtg/
[36] Peng Ning, Yun Cui and Douglas S. Reeves, “Constructing Attack Scenarios through Correlation of Intrusion Alerts,” ACM Conference on Computer and Communication Security (CCS), On page(s): 245-254, 2002.
[37] Peng Ning, Dingban Xu, Christopher G. Healey and Robert St. Amant, “Building Attack Scenarios through Integration of Complementary Alert Correlation Methods,” IEEE Workshop on Information Assurance and Security, On page(s): 97-111, 2001.
[38] Nmap, “nmap,” http://nmap.org/
[39] Ntop, “ntop,” http://www.ntop.org
[40] Phillip A. Porras, Martin W. Fong, and A. Valdes, “A Mission-Impact-Based Approach to INFOSEC Alarm Correlation,” Recent Advances in Intrusion Detection (RAID), On page(s): 95-114, 2002.
[41] PRTG, “PRTG,” http://www.paessler.com/prtg
[42] Xinzhou Qin and Wenke Lee, “Attack Plan Recognition and Prediction Using Causal Networks,” Computer Security Applications Conference, On page(s): 370-379, 2004.
[43] Yuji Soejima, Eric Y. Chen and Hitoshi Fuji, “Detecting DDoS Attacks by analyzing Client Response Patterns,” Proceedings of the 2005 Symposium on Applications and the Internet Workshops, On page(s): 98-101.
[44] S. Staniford, J. Hoagland and J. McAlerney, “Practical automated detection of stealthy portscans.” To appear in Journal of Computer Security, 2002.
[45] Symantec, “Internet Security Threat Report, Volume XI,” 2007.
[46] Steven J. Templeton and Karl Levitt, “A Requires/Provides Model for Computer Attacks,” In Proceedings of New Security Paradigms Workshop. ACM Press, On page(s): 31-38, 2000.
[47] The Honeynet Project, “Know Your Enemy: Sebek,” 2003.
[48] The Snort Project, “Snort Users Manual 2.6.1,” 2007.
[49] T. Tidwell, R. Larson, K. Fitch and J. Hale, “Modeling Internet Attacks,” Proceedings of the IEEE Workshop on Information Assurance and Security, On page(s): 54–59, 2001.
[50] Trend Micro, “Trend Micro threat report and forecast,” 2007.
[51] Tripwire, “Tripwire changing monitoring and reporting solutions,” http://www.tripwire.com.
[52] Valdes and K. Skinner, “Probabilistic alert correlation.” In Proceedings of the 4th International Symposium on Recent Advances in Intrusion Detection (RAID), Oct. 2001.
[53] Y.M. Wang, Z.L. Liu, X.Y. Cheng and K.J. Zhang, “An Analysis Approach for Multi-Stage Network Attacks,” Proceedings of the Fourth International Conference on Machine Learning and Cybernetics, On page(s): 3949-3954, Vol. 7, 2005.
[54] Dingbang Xu and Peng Ning, “Alert Correlation through Trigger Events and Common Resource,” Annual Computer Security Applications Conference, On page(s): 360-369, 2004.
|