National Digital Library of Theses and Dissertations in Taiwan
Author: Ssu-Yuan Cheng (鄭思源)
Title: A Design and Implementation of Hybrid Web Application IDS Built with Snort and Anomaly Detection
Title (Chinese): 以Snort與異常行為偵測建立的混合型網站應用程式入侵偵測系統之設計與實作
Advisor: Chi-Sung Laih (賴溪松)
Degree: Master's
Institution: National Cheng Kung University
Department: Institute of Computer and Communication Engineering
Discipline: Engineering
Subfield: Electrical and Computer Engineering
Thesis type: Academic thesis
Year of publication: 2009
Academic year of graduation: 97 (ROC calendar)
Language: English
Pages: 84
Keywords (Chinese): intrusion detection system; web application
Keywords (English): IDS; Web Application
Abstract (Chinese, translated):
In recent years, the rapid growth of the Internet and of dynamic web page technologies has made the services offered by web applications increasingly diverse. However, as the use of web applications has risen, so has the number of attacks that target vulnerabilities in web servers and web applications. According to the Security Threat Report published by Symantec in 2008, roughly 63% of website vulnerabilities are related to web applications, which shows that web applications have become the primary target of attackers. Because websites are publicly accessible and anyone can reach them through the HTTP port, traditional security devices such as firewalls cannot effectively defend against web application attacks. Although a web application firewall (WAF) can detect and block common web application attacks immediately and so reduce the chance of intrusion, an intrusion detection system is still needed to detect more sophisticated attack techniques and achieve more comprehensive protection.
This thesis designs a hybrid web application intrusion detection system (HWAIDS) that combines signature matching with anomaly-based behaviour analysis to protect a specific website. The signature-matching part adopts the well-known intrusion detection system Snort, supplemented with attack signatures written as regular expressions to improve detection of XSS and SQL injection. The anomaly analysis part combines six anomaly detection algorithms to detect unknown attacks. According to the OWASP Top Ten 2007 project, the most serious web application vulnerabilities at present are XSS and injection flaws; attackers usually probe for and exploit web application weaknesses by inserting malicious strings into HTTP request URLs. The experimental results show that our system can effectively detect this class of application attacks.
Abstract (English):
Recent years have seen the rapid development of World Wide Web (WWW) technologies, and the functions of web applications have become more and more diverse. Through the WWW, users can obtain the latest information, share information, conduct e-commerce and so on. Along with the rising popularity of web applications, the number of web application attacks has also increased. The 2008 Symantec Security Threat Report shows that 63% of all web vulnerabilities are related to web applications, and according to the 2007 OWASP Top Ten project, the most critical web application vulnerabilities are XSS and injection flaws.
Websites are open to public access through the HTTP port, so traditional security appliances such as firewalls cannot effectively filter attacks. A web application firewall (WAF) can defend against some common web application attacks but fails to detect sophisticated ones. An IDS can be deployed to achieve more comprehensive protection against hackers who attempt to exploit flaws in web applications by sending malicious HTTP request URLs.
To detect web application attacks more efficiently, this thesis proposes a hybrid web application intrusion detection system (HWAIDS) composed of signature-based and anomaly-based detection techniques to protect a website. We employ Snort as the signature-based detection engine, with customized regular expression rules to improve the detection capability for XSS and SQL injection. The anomaly-based detection module uses 6 anomaly detection algorithms. Finally, we perform an experiment to verify that the proposed system can detect the most critical attacks efficiently.
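The anomaly-based module's training and detection phases, as an added illustration that is not the thesis's code: three of the six models the table of contents names (string length with a Chebyshev-style bound on overlong values, attribute presence, and attribute order) are trained on constructed forum-style request URLs and then run over new requests. Class and function names, the threshold and the sample traffic are assumptions made for this example.

```python
# Added example (not the thesis's code): a minimal anomaly-based module in the spirit of its
# string-length, attribute-presence and attribute-order models; names and thresholds are assumptions.
from urllib.parse import urlsplit, parse_qsl

class PathModel:
    def __init__(self):
        self.lengths = {}       # attribute -> observed value lengths (string-length model)
        self.attr_sets = set()  # observed attribute-name sets (attribute-presence model)
        self.orders = set()     # observed (a, b) pairs, a before b (attribute-order model)
    def train(self, params):
        names = [n for n, _ in params]
        self.attr_sets.add(frozenset(names))
        self.orders.update((a, b) for i, a in enumerate(names) for b in names[i + 1:])
        for n, v in params:
            self.lengths.setdefault(n, []).append(len(v))
    def length_score(self, name, value):
        """Chebyshev-style score in [0, 1]: 1 - var/(len-mu)^2 for values longer than usual."""
        xs = self.lengths.get(name, [])
        if len(xs) < 2:
            return 0.0
        mu = sum(xs) / len(xs)
        var = sum((x - mu) ** 2 for x in xs) / len(xs)
        return 0.0 if (d := len(value) - mu) <= 0 else 1.0 - min(1.0, var / (d * d))
    def detect(self, params, threshold=0.9):
        """Detection phase: list of (model, detail) findings; an empty list means normal."""
        names = [n for n, _ in params]
        findings = []
        if frozenset(names) not in self.attr_sets:
            findings.append(("attribute_presence", names))
        for i, a in enumerate(names):
            for b in names[i + 1:]:
                if (a, b) not in self.orders and (b, a) in self.orders:
                    findings.append(("attribute_order", (a, b)))
        findings += [("string_length", n) for n, v in params if self.length_score(n, v) > threshold]
        return findings

def split_url(url):
    u = urlsplit(url)
    return u.path, parse_qsl(u.query, keep_blank_values=True)

def detect(models, url):
    path, params = split_url(url)
    return [("unknown_path", path)] if path not in models else models[path].detect(params)

def build_models():
    models = {}  # trained below on constructed forum-style traffic (sample data, not the thesis's dataset)
    for url in ("/viewtopic.php?f=%d&t=%d" % (f, t) for f in range(1, 6) for t in range(100, 140)):
        path, params = split_url(url)
        models.setdefault(path, PathModel()).train(params)
    return models
```

A real deployment would add the character-distribution, structural-inference and token-finder models and combine the per-model scores, as chapter 4 of the thesis describes.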
Table of contents:
Chapter 1 Introduction 1
1.1 Motivation and Objective 2
1.2 Contribution 3
1.3 Thesis Organization 5
Chapter 2 Background Knowledge 6
2.1 Introduction to Intrusion Detection and Snort 6
2.1.1 What is Intrusion Detection 6
2.1.2 What is Snort 7
2.2 Hypertext Transfer Protocol 8
2.2.1 Request Message Format 8
2.2.2 Response Message Format 12
2.3 Input Validation Attacks 16
2.4 Regular Expression 17
2.5 Related Research 19
Chapter 3 System Analysis and Design 22
3.1 Customized Hybrid Web Application Intrusion Detection System 22
3.1.1 System Design Configurations 23
3.1.2 System Architecture 25
3.1.3 System Features 27
3.2 User Request Analysis 28
3.3 Anomaly Detection Algorithms 29
3.3.1 String Length 29
3.3.2 Character Distribution 30
3.3.3 Structural Inference 30
3.3.4 Token Finder 31
3.3.5 Attribute Presence 31
3.3.6 Attribute Order 33
3.4 Signature-based Detection 33
3.4.1 VRT Certified Rules 34
3.4.2 Snort Rules Enhancement 35
Chapter 4 System Implementation 37
4.1 Anomaly-based Detection Module 37
4.1.1 Training Phase 37
4.1.2 Detection Phase 42
4.2 Implementation of Anomaly Detection Algorithms 44
4.2.1 Attribute Presence 45
4.2.2 Combined Model 47
4.3 Signature-based Detection Module 50
4.3.1 Snort Configuration 50
4.3.2 Snort Rule Development Process 50
4.3.3 Writing Enhanced Snort Rules 52
4.4 User Interface 55
Chapter 5 Experiments 59
5.1 Experimental Environment 59
5.2 Experimental Results 62
5.2.1 Anomaly Detection Results 62
5.2.2 Signature Detection Results 69
5.2.3 Hybrid Detection Results 73
5.3 Discussion 76
Chapter 6 Conclusions and Future Work 77
References 79
References:
[1] M. Almgren, H. Debar and M. Dacier, "A Lightweight Tool for Detecting Web Server Attacks," Proceedings of the Network and Distributed System Security Symposium (NDSS), February 2000, pp. 157–170.
[2] J. Beale and B. Caswell, "Snort 2.1 Intrusion Detection (Second Edition)," Syngress, May 2004.
[3] H. B. Chen, "Identifying Critical Web Application Attacks Using Risk Assessment Based on Fuzzy Algorithm," Master's thesis, Institute of Computer and Communication, National Cheng Kung University, Tainan, Taiwan, R.O.C., July 2008.
[4] R. Fielding, J. Gettys, J. Mogul, H. Frystyk, L. Masinter, P. Leach and T. Berners-Lee, "Hypertext Transfer Protocol -- HTTP/1.1," Request for Comments 2616, Internet Engineering Task Force (IETF), June 1999.
[5] M. Fossi, E. Johnson, T. Mack, D. Turner, J. Blackbird, M. K. Low, T. Adams, D. Mckinney, S. Entwisle, M. P. Laucht, C. Wueest, P. Wood, D. Bleaken, G. Ahmad, D. Kemp and A. Samnani, "Symantec Global Internet Security Threat Report: Trends for 2008," Technical Report, Symantec Corporation, April 2009.
[6] J. E. F. Friedl, "Mastering Regular Expressions (Second Edition)," O'Reilly, 2002.
[7] R. Heady, G. Luger, A. Maccabe and M. Servilla, "The Architecture of a Network Level Intrusion Detection System," Technical Report CS90-20, Department of Computer Science, University of New Mexico, August 1990.
[8] C. Y. Huang, "A Design and Implementation of Hybrid Web Application IDS Built with Snort and Anomaly Detection," Master's thesis, Institute of Computer and Communication, National Cheng Kung University, Tainan, Taiwan, R.O.C., July 2009.
[9] K. Ingham, A. Somayaji, S. Forrest and J. Burge, "Learning DFA Representations of HTTP for Protecting Web Applications," Computer Networks, Vol. 51, No. 5, April 2007, pp. 1239–1255.
[10] H. S. Javits and A. Valdes, "The NIDES Statistical Component: Description and Justification," Technical Report, SRI Computer Science Laboratory, March 1993.
[11] J. Y. Juang, "A Design and Implementation of Web Application IDS Based on Modeling User Requests," Master's thesis, Institute of Computer and Communication, National Cheng Kung University, Tainan, Taiwan, R.O.C., July 2008.
[12] C. Kruegel and G. Vigna, "Anomaly Detection of Web-based Attacks," Proceedings of the 10th ACM Conference on Computer and Communications Security (CCS), October 2003, pp. 251–261.
[13] C. Kruegel, G. Vigna and W. Robertson, "A Multi-model Approach to the Detection of Web-based Attacks," Computer Networks, Vol. 48, No. 5, August 2005, pp. 717–738.
[14] M. Mahoney and P. Chan, "Learning Nonstationary Models of Normal Network Traffic for Detecting Novel Attacks," Proceedings of the 8th ACM SIGKDD International Conference on Knowledge Discovery and Data Mining, July 2002, pp. 376–385.
[15] M. V. Mahoney and P. K. Chan, "PHAD: Packet Header Anomaly Detection for Identifying Hostile Network Traffic," Technical Report, Florida Institute of Technology, April 2001.
[16] A. Patcha and J. M. Park, "An Overview of Anomaly Detection Techniques: Existing Solutions and Latest Technological Trends," Computer Networks, Vol. 51, No. 12, August 2007, pp. 3448–3470.
[17] V. Paxson, "Bro: A System for Detecting Network Intruders in Real-time," Computer Networks, Vol. 31, No. 23–24, December 1999, pp. 2435–2463.
[18] M. Roesch, "Snort - Lightweight Intrusion Detection for Networks," Proceedings of the 13th Systems Administration Conference, November 1999, pp. 229–238.
[19] W. Robertson, G. Vigna, C. Kruegel and R. A. Kemmerer, "Using Generalization and Characterization Techniques in the Anomaly Based Detection of Web Attacks," Proceedings of the Network and Distributed System Security Symposium (NDSS), February 2006.
[20] G. I. Saktion, "A Design and Implementation of Web Application IDS Based on Client-Server Response Correlation," Master's thesis, Institute of Computer and Communication, National Cheng Kung University, Tainan, Taiwan, R.O.C., July 2008.
[21] J. Scambray and M. Shema, "Hacking Exposed: Web Applications (Second Edition)," McGraw-Hill, June 2006.
[22] D. Scott and R. Sharp, "Abstracting Application-Level Web Security," Proceedings of the 11th ACM International World Wide Web Conference, May 2002, pp. 396–407.
[23] A. van der Stock, J. Williams and D. Wichers, "The Ten Most Critical Web Application Security Vulnerabilities (2007 Update)," Technical Report, OWASP Foundation, 2007.
[24] G. Vigna and R. A. Kemmerer, "NetSTAT: A Network-based Intrusion Detection Approach," Proceedings of the 14th Annual Computer Security Applications Conference, 1998, p. 25.
[25] K. Wang and S. J. Stolfo, "Anomalous Payload-based Network Intrusion Detection," Proceedings of the 7th International Symposium on Recent Advances in Intrusion Detection (RAID), September 2004, pp. 203–222.
[26] Acunetix Web Vulnerability Scanner, http://www.acunetix.com.
[27] Bro, http://bro-ids.org.
[28] BugTraq, http://www.securityfocus.com/archive/1.
[29] CVE, http://cve.mitre.org.
[30] HTML URL Encoding Reference, http://www.w3schools.com/TAGS/ref_urlencode.asp.
[31] Information Security Service Center for Local Governments, http://www.sss.org.tw.
[32] Open Web Application Security Project (OWASP), http://www.owasp.org/index.php/Category:OWASP_Project.
[33] Paros proxy, http://www.parosproxy.org.
[34] Perl regular expressions main page, http://perldoc.perl.org/perlre.html.
[35] phpBB, http://www.phpbb.com.
[36] Netkeeper, http://www.broadweb.com.
[37] Nessus, http://www.nessus.org/nessus.
[38] N-Stalker, http://www.nstalker.com.
[39] Perl-compatible Regular Expressions, http://www.pcre.org.
[40] Scrawlr, http://www.communities.hp.com/securitysoftware/blogs/spilabs/archive/2008/06/23/finding-sql-injection-with-scrawlr.aspx.
[41] Snort, http://www.snort.org.
[42] Sourcefire, http://www.sourcefire.com/.
[43] SPADE - Silicon Defense, http://www.silicondefense.com/software/spice.
[44] Tcpdump, http://www.tcpdump.org.
[45] TShark, http://www.wireshark.org/docs/man-pages/tshark.html.
[46] VRT Certified Rules, http://www.snort.org/vrt/.
[47] Wireshark, http://www.wireshark.org.
[48] WordPress, http://wordpress.org.