

Author (English): Wen-Yang Luo
Title (English): A Lightweight System of Detecting DoS/Probe Attacks Based on Packet Header
Advisor (English): Shi-Jinn Horng
Keywords (English): Denial of Service (DoS); Packet Header; Entropy; DARPA dataset
A denial-of-service (DoS) attack is a serious threat to Internet security today. According to the 2006 CSI/FBI Computer Crime and Security Survey, 25 percent of respondents had detected DoS attacks against their systems in the previous 12 months, and the Symantec Internet Security Threat Report counted an average of 6,110 DoS attacks per day in the first half of 2006. Early DoS attacks spoofed the source addresses of the attack packets; attackers can now also direct large numbers of zombies to send enormous volumes of packets to a victim simultaneously, which makes the attack much harder to trace back to its origin.
In this research we apply an entropy-based method to characterize network traffic and show that observing the variation of the entropy of each packet header field helps to detect large-scale DoS/probe attacks. To make this idea practical on a live network, we simplify the process into three detection approaches: a Distributed Addresses Detection Approach, an S/R (send/receive) Ratio Detection Approach and a TCP Connection Detection Approach. Results on the DARPA 98 test dataset show that the proposed lightweight system detects DoS/probe attacks efficiently on an actual network while keeping a low false positive rate.
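The detection idea in the abstract, as an added example that is not the thesis's own code: a window of packet headers is reduced to the normalized Shannon entropy of its source address, destination address and destination port, and the three simplified checks named above (distributed source addresses, send/receive ratio, TCP connection completion) are sketched on top of it. Everything concrete here is an assumption of the example, not a value from the thesis: the monitored prefix 192.168.1.0/24, the constructed normal/flood/scan windows, the entropy thresholds 0.8 and 0.2 and the decision rules in `classify`.

```python
"""Entropy of packet-header fields as a DoS/probe indicator (added example).
Windows of headers are reduced to the normalized Shannon entropy of a few
fields; the abstract's three lightweight checks are sketched on top of that.
The monitored prefix, traffic windows, thresholds and rules are assumptions."""
from collections import Counter, namedtuple
from math import log2

Packet = namedtuple("Packet", "src dst proto sport dport flags")
MONITORED_PREFIX = "192.168.1."  # assumption: the sensor sits at this net's border

def entropy(values):
    """Shannon entropy (bits) of the empirical distribution of values."""
    n = len(values)
    return -sum(c / n * log2(c / n) for c in Counter(values).values())

def normalized_entropy(values):
    """Entropy over its maximum log2(n): 0 if every packet carries the same
    value, 1 if every value is distinct, independent of the window size."""
    n = len(values)
    return 0.0 if n < 2 else entropy(values) / log2(n)

def inbound(window):
    """Packets addressed to the monitored prefix."""
    return [p for p in window if p.dst.startswith(MONITORED_PREFIX)]

def header_entropies(packets, fields=("src", "dst", "dport")):
    """Normalized entropy of each header field over the packets."""
    return {f: normalized_entropy([getattr(p, f) for p in packets]) for f in fields}

def send_receive_ratio(window, host):
    """Packets sent to host per packet it sends (+1 avoids division by zero);
    a flooded victim receives far more than it manages to answer."""
    to_host = sum(1 for p in window if p.dst == host)
    from_host = sum(1 for p in window if p.src == host)
    return to_host / (from_host + 1)

def syns_without_synack(window):
    """TCP SYNs that no SYN/ACK answered: spoofed floods and probes of
    closed or filtered ports both leave many of these behind."""
    syns = {(p.src, p.sport, p.dst, p.dport) for p in window
            if p.proto == "tcp" and p.flags == "S"}
    answered = {(p.dst, p.dport, p.src, p.sport) for p in window
                if p.proto == "tcp" and p.flags == "SA"}
    return len(syns - answered)

def classify(window, high=0.8, low=0.2):
    """Decision rules over inbound header entropies (thresholds assumed)."""
    h = header_entropies(inbound(window))
    if h["src"] > high and h["dst"] < low:
        return "flood"   # many sources converge on one destination
    if h["src"] < low and h["dst"] < low and h["dport"] > high:
        return "scan"    # one source sweeps many ports on one host
    return "normal"

# Constructed traffic windows (synthetic, not captured data).

def normal_window():
    """Twelve outside clients, ten flows each, to a web, TLS and DNS server."""
    servers = [("192.168.1.10", 80, "tcp"), ("192.168.1.11", 443, "tcp"),
               ("192.168.1.53", 53, "udp")]
    pkts = []
    for i in range(12):
        client, (srv, port, proto) = f"198.51.100.{i + 1}", servers[i % 3]
        for j in range(10):
            sport = 50000 + i * 10 + j
            if proto == "tcp":  # full three-way handshake
                pkts += [Packet(client, srv, "tcp", sport, port, "S"),
                         Packet(srv, client, "tcp", port, sport, "SA"),
                         Packet(client, srv, "tcp", sport, port, "A")]
            else:               # DNS query and answer
                pkts += [Packet(client, srv, "udp", sport, port, ""),
                         Packet(srv, client, "udp", port, sport, "")]
    return pkts

def syn_flood_window(victim="192.168.1.10", n=200, answered=50):
    """SYNs from n distinct spoofed sources; the victim keeps up with only
    the first `answered` of them before its backlog fills."""
    pkts = []
    for i in range(n):
        src = f"10.{i // 256}.{i % 256}.{i % 251 + 1}"
        pkts.append(Packet(src, victim, "tcp", 1024 + i, 80, "S"))
        if i < answered:
            pkts.append(Packet(victim, src, "tcp", 80, 1024 + i, "SA"))
    return pkts

def port_scan_window(scanner="203.0.113.7", target="192.168.1.10", open_ports=(22, 80)):
    """SYN probes to ports 1..200; open ports answer SYN/ACK, the rest RST."""
    pkts = []
    for port in range(1, 201):
        sport = 40000 + port
        pkts.append(Packet(scanner, target, "tcp", sport, port, "S"))
        pkts.append(Packet(target, scanner, "tcp", port, sport,
                           "SA" if port in open_ports else "RA"))
    return pkts

if __name__ == "__main__":
    for name, win in (("normal", normal_window()), ("flood", syn_flood_window()),
                      ("scan", port_scan_window())):
        print(name, {k: round(v, 2) for k, v in header_entropies(inbound(win)).items()},
              "half-open", syns_without_synack(win), "->", classify(win))
```

The entropy is normalized by log2 of the window size so that a 200-packet window and a 2,000-packet window are judged on the same scale; the flood window collapses destination entropy to 0 while source entropy goes to 1, the scan window does the reverse on the port field, and the mixed client traffic sits in the middle on every field. The send/receive ratio and unanswered-SYN count are the cheap per-host checks a sensor can keep as counters once an entropy shift has singled a host out.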
Abstract I
Table of Contents VI
List of Figures VIII
List of Tables X
Chapter 1 Introduction 1
 1.1 Research Background 1
 1.2 Motivation 5
Chapter 2 Denial-of-Service Attacks and Network Probing 6
 2.1 (Distributed) Denial-of-Service Attacks 6
 2.2 Classification of (Distributed) Denial-of-Service Attacks 9
 2.3 Typical Denial-of-Service Attacks 13
 2.4 Network Probing 16
 2.5 Common Network Probe Attacks 18
 2.6 Related Work 20
Chapter 3 Network Traffic Analysis 22
 3.1 Packet Formats 22
 3.2 Network Traffic Datasets 26
 3.3 Network Traffic Analysis 31
Chapter 4 System Implementation 41
 4.1 System Overview 41
 4.2 Number of Sampled Packets 43
 4.3 Distributed Addresses Detection Mechanism 45
 4.4 Send/Receive Ratio Detection Mechanism 47
 4.5 TCP Connection Detection Mechanism 53
 4.6 System Flow Design 55
Chapter 5 Experimental Results 58
 5.1 DARPA Test Set Experiments 58
 5.2 Real-time Simulation Experiments 63
Chapter 6 Conclusion 69
References 71
[1]Access Control List, http://en.wikipedia.org/wiki/Access_control_list.
[2]Ali, K., M. Zulkernine and H. Hassanein, “Packet Filtering Based on Source Router Marking and Hop-Count,” in Proceedings of Local Computer Networks, 15-18 Oct. 2007.
[3]Athanasiades, N., R. Abler, J. Levine, H. Owen and G. Riley, “Intrusion Detection Testing and Benchmarking Methodologies,” in Proceedings of First IEEE International Workshop on Information Assurance (IWIA'03), 24 Mar. 2003, pp. 63-72.
[4]Basic Security Module (BSM), http://www.sun.com/software/security/audit/.
[5]Baxter, Watt, Header Drawings, http://www.visi.com/~mjb/Drawings/.
[6]Brugger, S. and J. Chow, “An assessment of the DARPA IDS Evaluation Dataset Using Snort,” in UC Davis Technical Report CSE-2007-1, Davis, CA, 2006.
[7]Campbell, P. L., “The Denial-of-Service Dance,” IEEE Security and Privacy, vol. 3, no. 6, pp. 34-40, Nov./Dec. 2005.
[8]CERT CC, Denial of Service Attacks, http://www.cert.org/tech_tips/denial_of_service.html.
[9]Chan, E. Y. K., H. W. Chan, K. M. Chan, V. P. S. Chan, S. T. Chanson, M. M. H. Cheung, C. F. Chong, K. P. Chow, A. K. T. Hui, L. C. K. Hui, L. C. K. Lam, W. C. Lau, K. K. H. Pun, A. Y. F. Tsang, W. W. Tsang, S. C. W. Tso, D. Y. Yeung and K. Y. Yu, “IDR: an intrusion detection router for defending against distributed denial-of-service (DDoS) attacks,” in Proceedings of Parallel Architectures, Algorithms and Networks, 10-12 May 2004.
[10]Chang, R. K. C., “Defending against flooding-based distributed denial-of-service attacks: A tutorial,” IEEE Communications Magazine, vol. 40, no.10, pp. 42-51, Oct. 2002.
[11]Chen, Y., K. Hwang and W. S. Ku, “Collaborative Detection of DDoS Attacks over Multiple Network Domains,” IEEE Transactions on Parallel and Distributed Systems, vol. 18, no. 12, pp. 1649-1662, Dec. 2007.
[12]Cisco IOS NetFlow, http://www.cisco.com/en/US/products/ps6601/products_ios_protocol_group_home.html.
[13]DARPA Intrusion Detection Evaluation, http://www.ll.mit.edu/mission/communications/ist/corpora/ideval/data/index.html.
[14]Eimann, R., U. Speidel and N. Brownlee, “A T-Entropy Analysis of the Slammer Worm Outbreak,” in Proceedings of the 8th Asia-Pacific Network Operations and Management Symposium (APNOMS), 27-30 Sep. 2005, pp. 434-445.
[15]Eimann, R., U. Speidel, N. Brownlee and J. Yang, “Network Event Detection with T-entropy,” in University of Auckland CDMTCS Report 266, 2005.
[16]Expect From Wikipedia, http://en.wikipedia.org/wiki/Expect.
[17]Feinstein, L., D. Schnackenberg, R. Balupari and D. Kindred, “Statistical approaches to DDoS attack detection and response,” in Proceedings of DARPA Information Survivability Conference and Exposition, 22-24 Apr. 2003, vol. 1, pp. 303-314.
[18]Gao, Z. and N. Ansari, “Differentiating Malicious DDoS Attack Traffic from Normal TCP Flows by Proactive Tests,” IEEE Communications Letters, vol. 10, no. 11, pp. 793-795, Nov. 2006.
[19]Gordon, L. A., M. P. Loeb, W. Lucyshyn and R. Richardson, “2006 CSI/FBI Computer Crime and Security Survey,” Computer Security Institute, 2006.
[20]Green, J., D. Marchette, S. Northcutt, and B. Ralph, “Analysis techniques for detecting coordinated attacks and probes,” in Proceedings of the 1st Conference on Workshop on intrusion Detection and Network Monitoring , 9-12 Apr. 1999.
[21]Guo, X. B., D. P. Qian, M. Liu, R. Zhang and B. Xu, “Detection and protection against network scanning: IEDP,” in Proceedings of Computer Networks and Mobile Computing Conference, 16-19 Oct. 2001.
[22]Haines, J. W., R. P. Lippmann, D. J. Fried, E. Tran, S. Boswell and M. A. Zissman, “1999 DARPA Intrusion Detection System Evaluation: Design and Procedures,” in MIT Lincoln Laboratory Technical Report ESC-TR-99-061, 26 Feb. 2001.
[23]Internet Control Message Protocol, http://tools.ietf.org/html/rfc792.
[24]Internet Protocol, http://tools.ietf.org/html/rfc791.
[25]Intrusion Detection Attacks Database, http://www.ll.mit.edu/mission/communications/ist/corpora/ideval/docs/attackDB.html.
[26]Itani, S., N. Aaraj, D. Abdelahad and A. Kayssi, “Neighbor stranger discrimination: A new defense mechanism against DDoS attacks,” in Proceedings of the ACS/IEEE 2005 International Conference on Computer Systems and Applications, Jan. 2005.
[27]Kayacik, H. G., “The Challenges in Traffic and Application Modeling for Intrusion Detection System Benchmarking,” in Dalhousie University Technical Report CSTR-030600, CA, 2003.
[28]Kendall, K., “A Database of Computer Attacks for the Evaluation of Intrusion Detection Systems,” Master's Thesis, Massachusetts Institute of Technology, 1998.
[29]Kulkarni, A. and S. Bush, “Detecting Distributed Denial-of-Service Attacks Using Kolmogorov Complexity Metrics,” Journal of Network and Systems Management, vol. 14, no. 1, pp. 69-80, Mar. 2006.
[30]Lau, F., S. H. Rubin, M. H. Smith, and L. Trajkovic, “Distributed denial of service attacks,” in Proceedings of the 2000 IEEE International Conference on Systems, Man, and Cybernetics, 8-11 Oct. 2000, vol. 3, pp. 2275-2280.
[31]Lee, F. Y. and S. P. Shieh, “Defending against spoofed DDoS attacks with path fingerprint,” Computers & Security, vol. 24, no. 7, pp. 571-586, Oct. 2005.
[32]Lippmann, R., “A Summary of the 1998 Evaluation with a Brief Outline of Changes for the 1999 Evaluation,” http://www.ll.mit.edu/mission/communications/ist/files/1999_NewPlans.PDF, 1999.
[33]Lippmann, R., J. W. Haines, D. J. Fried, J. Korba and K. Das, “The 1999 DARPA off-line intrusion detection evaluation,” Computer Networks, vol. 34, no. 4, pp. 579-595, Oct. 2000.
[34]Mahajan, R., S. Bellovin, S. Floyd, V. Paxson and S. Shenker, “Controlling high bandwidth aggregates in the network,” ACM Computer Communications Review, vol. 32, no. 3, pp. 62-73, Jul. 2002.
[35]Mahoney, M.V. and P. K. Chan, “An Analysis of the 1999 DARPA/Lincoln Laboratory Evaluation Data for Network Anomaly Detection,” in Proceedings of the Sixth International Symposium on Recent Advances in Intrusion Detection, Sep. 2003, pp. 220-237.
[36]Maximum Transmission Unit, http://en.wikipedia.org/wiki/Maximum_transmission_unit.
[37]McClure, S., J. Scambray and G. Kurtz, “Hacking Exposed – Network Security Secrets & Solutions,” McGraw-Hill, 2005, ISBN 0072260815.
[38]McHugh, J., “Testing Intrusion Detection Systems: A Critique of the 1998 and 1999 DARPA Intrusion Detection System Evaluations as Performed by Lincoln Laboratory,” ACM Transactions on Information and System Security (TISSEC), vol. 3, no. 4, pp. 262-294, Nov. 2000.
[39]Mirkovic, J. and P. Reiher, “A Taxonomy of DDoS Attack and DDoS Defense Mechanisms,” ACM SIGCOMM Computer Communications Review, vol. 34, no. 2, pp. 39-54, Apr. 2004.
[40]NetFlow, http://en.wikipedia.org/wiki/Netflow.
[41]Nychis, G., “An Empirical Evaluation of Entropy-based Anomaly Detection,” in Carnegie Mellon University Thesis, PA, USA, May 2007.
[42]Park, K. and H. Lee, “On the Effectiveness of Route-Based Packet Filtering for Distributed DoS Attack Prevention in Power-Law Internets,” in Proceedings of ACM SIGCOMM, Aug. 2001, pp. 15-26.
[43]Paxson, V., “An analysis of using reflectors for distributed denial-of-service attacks,” Computer Communications Review, vol. 31, no. 3, pp. 38-47, 2001.
[44]Shannon, C. E., “A Mathematical Theory of Communication,” Bell System Technical Journal, vol. 27, pp. 379-423 and 623-656, Jul. and Oct. 1948.
[45]Speidel, U., R. Eimann and N. Brownlee, “Detecting network events via T-entropy,” in Proceedings of the 2007 6th International Conference on Information, Communications & Signal Processing, 10-13 Dec. 2007, pp. 1-5.
[46]SNORT Official Website, http://www.snort.org/.
[47]Snort Preprocessors Development Kickstart, http://afrodita.unicauca.edu.co/~cbedon/snort/spp_kickstart.html.
[48]SQL Slammer, http://en.wikipedia.org/wiki/SQL_slammer_worm.
[49]Sun, H., J. C. S. Lui and D. K. Y. Yau, “Defending Against Low-rate TCP Attacks: Dynamic Detection and Protection,” in Proceedings of IEEE Conference on Network Protocols (ICNP2004), 5-8 Oct. 2004, pp. 196-205.
[50]Switched Port Analyzer (SPAN), http://www.cisco.com/warp/public/473/41.html.
[51]Symantec corp., “Symantec Global Internet Security Threat Report, Trends for July - December 07”, vol. XIII, Apr. 2008.
[52]Symantec corp., “Symantec Internet Security Threat Report, Trends for January 06 - June 06”, vol. X, Sep. 2006.
[53]Tcpdump, http://www.tcpdump.org/.
[54]Tcpreplay Official Website, http://tcpreplay.synfin.net/.
[55]The 1998 Intrusion Detection Off-line Evaluation Plan, http://www.ll.mit.edu/mission/communications/ist/files/id98-eval-ll.txt.
[56]The Expect Home Page, http://expect.nist.gov/.
[57]Transmission Control Protocol, http://tools.ietf.org/html/rfc793.
[58]User Datagram Protocol, http://tools.ietf.org/html/rfc768.
[59]Wagner, A. and B. Plattner, “Entropy based worm and anomaly detection in fast IP networks,” in Proceedings of 14th IEEE International Workshops on Enabling Technologies: Infrastructures for Collaborative Enterprises (WET ICE 2005), 13-15 Jun. 2005, pp. 172-177.
[60]Wan, K. K. K. and R. K. C. Chang, “Engineering of a global defense infrastructure for DDoS attacks,” in Proceedings of the 10th IEEE International Conference on Networks (ICON 2002), 2002, pp. 419-427.
[61]Wu, N. and J. Zhang, “Factor Analysis Based Anomaly Detection,” in Proceedings of the IEEE Systems, Man and Cybernetics Society Information Assurance Workshop, 18-20 Jun. 2003.
[62]Xu, K., Z. Zhang and S. Bhattacharyya, “Profiling internet backbone traffic: behavior models and applications,” in Proceedings of the 2005 Conference on Applications, Technologies, Architectures, and Protocols for Computer Communications (SIGCOMM '05), 22-26 Aug. 2005, pp. 169-180.
[63]Yaar, A., A. Perrig, and D. Song, “Stackpi: New packet marking and filtering mechanisms for ddos and ip spoofing defense,” IEEE Journal on Selected Areas in Communications, vol. 24, no. 10, pp. 1853-1863, Oct. 2006.