
National Digital Library of Theses and Dissertations in Taiwan

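Graduate student: 黃卓揚
Graduate student (English name): Cho-yang Huang
Thesis title: A Design and Implementation of Hybrid Web Application IDS Built with Netkeeper and Anomaly Detection
Advisor: 賴溪松
Advisor (English name): Chi-sung Laih
Degree: Master's
Institution: National Cheng Kung University
Department: Institute of Computer and Communication Engineering
Discipline: Engineering
Field: Electrical Engineering and Computer Science
Thesis type: Academic thesis
Year of publication: 2009
Graduation academic year: 97
Language: English
Number of pages: 74
Keywords (translated from Chinese): intrusion detection system; web application
Keywords (English): Web application; IDS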
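Internet applications have become increasingly common in our lives, bringing new conveniences and services. However, these web applications may harbor vulnerabilities and come under attack. To detect such attacks, intrusion detection systems apply signature-matching methods. In addition, the diversity of website architectures and web applications has given rise to a wide variety of attack techniques. A signature-based intrusion detection system can detect known attacks but cannot detect new ones. To make up for this shortcoming, we use an anomaly detection method that is trained on the system's normal behavior and can therefore quickly discover new attack behavior. Combining the two detection methods not only identifies the type of attack accurately but also allows detected anomalous behavior to be analyzed.
Therefore, we developed a hybrid web intrusion detection system to detect attacks on web applications. According to the OWASP Top 10 survey, XSS and injection flaws are currently the most serious web application vulnerabilities; attacks on these vulnerabilities pass malicious strings through the parameters of the HTTP request URL in order to exploit the web application. This thesis therefore uses request URL parameters as the features for detection. At present there is no intrusion detection system that effectively combines signature detection with anomaly detection, so we combine the two methods, implement them in the system we designed, and produce experimental results. We evaluate the system's detection performance by computing its false positive rate and detection rate, and the experimental results show that the proposed method effectively detects attacks on web applications.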
The Internet and its applications have pervaded our lives, bringing us new conveniences and services. However, these web applications can also harbor highly vulnerable attack avenues. To detect web-based attacks, intrusion detection systems are configured with a number of signatures. Because of the diversity of websites and web applications, there is a great variety of attack techniques. Though a signature-based IDS can detect known attacks, one major drawback is that it cannot detect new attacks. To remedy this shortcoming, we can use it in conjunction with an anomaly-based IDS that learns the normal behavior of the system, so that new attacks can also be detected. Combining these two detection systems not only detects attack types accurately, but also provides the detected anomalous behavior for analysis.
For the reasons above, we develop a Hybrid Web Application Intrusion Detection System (HWAIDS) to detect web-based attacks. According to the OWASP Top Ten Project, Cross Site Scripting (XSS) and injection flaws are the most critical web application vulnerabilities. These kinds of attacks inject malicious strings through attributes in HTTP request URLs in order to exploit the vulnerabilities of the web applications. In this thesis, we consider features of attributes in HTTP request URLs. Currently, there is no effective system that combines signature-based and anomaly-based IDS, so we combine these two types of IDS and implement the result. We assess the detection effectiveness of our approaches by computing the false positive and detection rates of the system.
Contents
List of Tables
List of Figures
Chapter 1 Introduction
1.1 Motivation
1.2 Contribution
1.3 Thesis Organization
Chapter 2 Background Knowledge
2.1 Web Application
2.2 Intrusion Detection System
2.3 Netkeeper
2.4 Critical Web Attacks
2.5 HTTP Request
2.6 Related Work
Chapter 3 Hybrid Web Application Intrusion Detection System
3.1 System Architecture
3.2 Features of our HWAIDS
3.3 System Configurations
3.4 System User Interface
Chapter 4 Signature-based IDS Analysis and Implementation
4.1 Signature-based IDS Analysis
4.1.1 Netkeeper
4.1.2 Netkeeper Rules
4.1.3 Our Enhanced Rules
4.2 Signature-based IDS Implementation
4.2.1 Web Vulnerability Checking Phase
4.2.2 Enhancing Rules Phase
4.2.3 Detection Phase
Chapter 5 Anomaly-based IDS Analysis and Implementation
5.1 Anomaly Algorithms Analysis
5.1.1 String Length
5.1.2 Character Distribution
5.1.3 Structural Inference
5.1.4 Token Finder
5.1.5 Attribute Order
5.1.6 Combined Model
5.2 Anomaly-based IDS Implementation
5.2.1 Training Phase
5.2.2 Detection Phase
Chapter 6 Experiments
6.1 Experimental Environment
6.2 Experimental Results
6.2.1 Signature Detection Results
6.2.2 Anomaly Detection Results
6.2.3 Hybrid Detection Results
6.3 Experimental Discussion
Chapter 7 Conclusions and Future work
References