National Digital Library of Theses and Dissertations in Taiwan (臺灣博碩士論文加值系統)
Author: 蘇漢君
Author (English): Han-jyun Su
Title: 小型資通安全營運中心聯防系統之研究與應用 (Research and Application of a Mini Security Operation Center Joint-Defense System)
Title (English): Study of a Mini-Security Operation Center
Advisor: 蕭裕弘
Advisor (English): Yu-Hung Hsiao
Degree: Master
Institution: National United University (國立聯合大學)
Department: Master's Program, Department of Electronic Engineering
Discipline: Engineering
Field: Electrical and Information Engineering
Thesis type: Academic thesis
Year of publication: 2009
Graduation academic year (ROC calendar): 97
Language: Chinese
Pages: 110
Keywords (Chinese): 資通安全營運中心, 階段性攻擊, 異質設備, 警訊融合, 警訊關聯
Keywords (English): security operation center, staged attacks, heterogeneous equipment, alert fusion, alert correlation
Statistics:
  • Cited by: 1
  • Views: 409
  • Rating: none
  • Downloads: 123
  • Bookmarked: 0
The rapid spread of the Internet and the rise of e-commerce have brought much convenience and efficiency to people's lives, but they have been accompanied by all kinds of network attacks and intrusions, along with the serious information security threats and losses from leaked confidential data that these cause. Although awareness of information security has risen in many organizations in recent years and investment in security equipment keeps growing, most information security equipment on the market tends to produce only isolated, low-level attack alerts. The number of these low-level alerts grows substantially as network bandwidth and network service applications increase. If they cannot be further organized and analyzed automatically, then once a large-scale or staged network attack occurs, information security staff will be unable to analyze the content and importance of the alerts efficiently, and so cannot draw up countermeasures to keep the network secure, causing the organization losses of information or property.
In this study we use several heterogeneous information security monitoring devices to build a mini security operation center (SOC) that automatically collects and consolidates the low-level alerts produced by the security equipment in use. After alert fusion and merging, redundant alerts are greatly reduced, and, by building attack scenario templates, multi-stage network attacks can be blocked automatically. Based on the scenario risk values supplied by the administrator, the system automatically computes the average risk value of each attack and uses it to execute the corresponding countermeasures promptly and automatically, reducing the damage caused by attack events. In addition, the mini SOC provides historical attack event queries and attack trend analysis, which further helps security staff maintain and build attack scenarios so that later alert analysis achieves an early-warning effect, greatly improving the security of the organization's internal network.
Chapter 1 of this thesis explains our research motivation and the structure of the thesis. Chapter 2 introduces common types of malware, system vulnerabilities, and the methods and types of network attacks. We also introduce the basic architecture of a security operation center and the network equipment and software tools used to build one. In Chapter 3, taking the five-module architecture of a basic security operation center as reference, we build a mini SOC from open-source software, self-developed applications and existing network equipment, and describe its operating workflow and data flow diagrams.
Chapter 4 introduces three techniques for establishing alert correlation and the method and process used in this study to build attack scenario templates. So that the SOC can decide automatically whether to block an attack, the administrator must assign each attack scenario template a risk value representing the degree of information security harm that scenario may cause. The system then derives the risk value of each attack stage in a scenario from the scenario's assigned risk value, and from these computes the average risk value of each attack that appears in more than one scenario in the system. During alert analysis, if the average risk value of the attack correlated with an alert is greater than or equal to the attack risk threshold set by the administrator, the system automatically notifies the firewall subsystem to block it.
In Chapter 5, we use four network attack cases to test the system and build attack scenario templates, verifying the correctness of all the system's data tables and confirming that the mini SOC operates normally. In addition, to address cases where an attack scenario cannot be built in time, and to account for independent network attacks, the system also lets the administrator manually set a direct-block option on attack alerts. Chapter 6 gives the conclusions of this thesis and directions for future research.
In this study, we used several personal computers, network equipment, open-source software and self-developed applications to build a mini SOC that integrates and manages heterogeneous information security equipment. In tests with real network attack cases, all of the SOC's functions operated normally and produced appropriate connection-blocking commands to the firewall subsystem. The SOC is still a prototype, however, with considerable room for development, and it remains a direction for our continued research.
The rapid popularization of the Internet and the growth of e-commerce have brought people convenience and efficiency in daily life. However, a variety of network attacks and intrusions occur frequently and cause serious threats to information security and the loss of confidential data. In recent years, awareness of information security has improved in many organizations, and investment in security equipment has also increased. However, most information security equipment on the market tends to produce only low-level attack alerts. The volume of low-level alerts grows quickly with increases in network bandwidth and network service applications. If these alerts cannot be further processed and analyzed, it is very difficult for information security managers to analyze the content and importance of the alerts efficiently. When a large-scale or staged attack occurs, the manager cannot draw up measures to ensure network security in time, resulting in the loss of the organization's information or property.
In this study, we use several heterogeneous information security devices to construct a mini-security operation center that can automatically collect and analyze the low-level alerts generated by the security equipment in use. After alert fusion and merging, the center substantially reduces redundant alerts. Moreover, the center can automatically block multi-stage network attacks using the information stored in attack scenario templates. Once the system manager has assigned a risk value to each attack scenario when building its template, the center automatically calculates the average risk value of each attack. Using these average risk values, the center can defend against network attacks automatically and in time, reducing the harm caused by attacks. In addition, the mini-security operation center provides a historical attack profile that helps security managers maintain and build attack scenarios, achieving an early-warning effect and enhancing the organization's internal network security.
In this thesis, Chapter 1 describes the research motivation and the organization of the thesis. Chapter 2 introduces common types of malicious software, system vulnerabilities, and the types of attacks on network security. In the same chapter we also introduce the basic structure of a security operation center and the related network equipment and tools. In Chapter 3, we use the five-module security operation center introduced in Chapter 2 as a base to build a mini-security operation center from open-source software, self-developed applications, and several existing network devices. The operation and data flow diagrams of the operation center are introduced as well.
In Chapter 4, we introduce three types of correlation techniques and explain the process of building the attack scenario templates used in our study. In order to block network attacks automatically, the system manager of the mini-security operation center must first assign a risk value to each attack scenario template, representing the level of information security damage the attack can cause. The system then calculates the risk values of the attacks listed in each scenario template and the average risk value of each attack across all templates. During alert analysis, if the average risk value of the attack associated with a generated alert is greater than or equal to the risk threshold set by the manager, the system automatically notifies the firewall subsystem to block the network connection.
In Chapter 5, we use four network attack cases to build attack scenario templates and verify the accuracy of the data tables created in the system, thereby showing that the center operates correctly. To address the problem that an attack scenario cannot always be built in time, and to take independent network attacks into account, we also give the manager an option to block, manually, the network connection that generated an alert. Chapter 6 presents the conclusions and future work.
In this thesis, we use a number of personal computers, network devices, open-source software and self-developed applications to construct a mini-security operation center that can integrate and manage several heterogeneous information security devices. Testing with several network attacks shows that the mini-security operation center operates correctly and generates blocking commands to the firewall subsystem in a suitable manner. However, the mini-security operation center constructed is still a prototype, and more research and development effort will be needed in the future.
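The Chapter 4 decision logic summarized above (administrator-assigned scenario risk values, a per-attack average across templates, a threshold that triggers a firewall block, and a manual direct-block option from Chapter 5), modelled as a small Python program. This is an added illustration, not code from the thesis; the page gives no formulas, so the rule that each stage inherits its scenario's risk value, the merging of repeated alerts by (source, destination, attack) within a time window, the attack names, addresses, risk values and the firewall command format are all constructed assumptions.

```python
"""Toy model of the alert-handling flow described in the abstract (added example).

Assumptions, since the thesis's formulas are not on the page:
  - each stage of a scenario template inherits that template's risk value;
  - an attack's average risk is the mean over every template listing it;
  - merging collapses alerts with the same (src, dst, attack) within a window.
All sample data is constructed.
"""
from dataclasses import dataclass
from statistics import mean
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass
class ScenarioTemplate:
    name: str
    stages: List[str]   # ordered attack names making up the multi-stage scenario
    risk: float         # risk value the administrator assigns to the whole scenario


@dataclass
class Alert:
    ts: int             # seconds since an arbitrary epoch (constructed)
    src_ip: str
    dst_ip: str
    attack: str         # attack name after fusion across heterogeneous sensors
    count: int = 1      # raw alerts merged into this one
    last_ts: Optional[int] = None

    def __post_init__(self) -> None:
        if self.last_ts is None:
            self.last_ts = self.ts


def merge_alerts(raw: List[Alert], window: int = 60) -> List[Alert]:
    """Collapse repeated alerts for one (src, dst, attack) arriving within `window` seconds."""
    merged: List[Alert] = []
    open_by_key: Dict[Tuple[str, str, str], Alert] = {}
    for a in sorted(raw, key=lambda x: x.ts):
        key = (a.src_ip, a.dst_ip, a.attack)
        cur = open_by_key.get(key)
        if cur is not None and a.ts - cur.last_ts <= window:
            cur.count += 1
            cur.last_ts = a.ts
        else:
            cur = Alert(a.ts, a.src_ip, a.dst_ip, a.attack)
            merged.append(cur)
            open_by_key[key] = cur
    return merged


def average_risks(templates: List[ScenarioTemplate]) -> Dict[str, float]:
    """Average risk per attack over every template whose stages include it."""
    per_attack: Dict[str, List[float]] = {}
    for t in templates:
        for attack in t.stages:
            per_attack.setdefault(attack, []).append(t.risk)  # assumed: stage inherits scenario risk
    return {attack: mean(values) for attack, values in per_attack.items()}


def decide(alert: Alert, avg: Dict[str, float], threshold: float,
           manual_block: FrozenSet[str] = frozenset()) -> Tuple[str, str]:
    """Return ("block", reason) or ("log", reason) for one merged alert."""
    if alert.attack in manual_block:
        return "block", "administrator set the direct-block option for this attack"
    risk = avg.get(alert.attack)
    if risk is None:
        return "log", "no scenario template lists this attack"
    if risk >= threshold:
        return "block", f"average risk {risk:.1f} >= threshold {threshold:.1f}"
    return "log", f"average risk {risk:.1f} < threshold {threshold:.1f}"


def firewall_command(alert: Alert) -> str:
    """Placeholder for the command sent to the firewall subsystem (format is constructed)."""
    return f"BLOCK src={alert.src_ip} dst={alert.dst_ip} reason={alert.attack!r}"


# Constructed scenario templates with illustrative risk values.
TEMPLATES = [
    ScenarioTemplate("recon then web compromise", ["port scan", "web exploit", "reverse shell"], 8.0),
    ScenarioTemplate("scan only", ["port scan"], 2.0),
    ScenarioTemplate("flood", ["syn flood"], 6.0),
]

# Constructed raw alerts, already normalized to attack names by the collectors.
RAW_ALERTS = [
    Alert(0, "10.0.0.5", "10.0.0.20", "port scan"),
    Alert(5, "10.0.0.5", "10.0.0.20", "port scan"),
    Alert(9, "10.0.0.5", "10.0.0.20", "port scan"),
    Alert(120, "10.0.0.5", "10.0.0.20", "web exploit"),
    Alert(130, "10.0.0.7", "10.0.0.20", "syn flood"),
    Alert(140, "10.0.0.9", "10.0.0.20", "icmp echo"),
]


def run(raw: List[Alert], templates: List[ScenarioTemplate], threshold: float,
        manual_block: FrozenSet[str] = frozenset()) -> List[Tuple[str, str, Optional[str]]]:
    """Merge, score and decide; returns (attack, decision, firewall command or None) per merged alert."""
    avg = average_risks(templates)
    out = []
    for a in merge_alerts(raw):
        decision, _reason = decide(a, avg, threshold, manual_block)
        out.append((a.attack, decision, firewall_command(a) if decision == "block" else None))
    return out


if __name__ == "__main__":
    for attack, decision, cmd in run(RAW_ALERTS, TEMPLATES, threshold=6.0):
        print(f"{attack:12s} -> {decision:5s} {cmd or ''}")
```

With a threshold of 6.0 the three port-scan alerts merge into one alert whose average risk (5.0, the mean of 8.0 and 2.0) stays below the threshold and is only logged, while the web exploit (8.0) and the SYN flood (exactly 6.0) reach the threshold and produce block commands; the ICMP echo alert matches no template and is logged unless the administrator lists it in `manual_block`. Note that the averaging rule means a low-risk "scan only" template pulls down the score of a stage shared with a high-risk scenario, which is the trade-off an administrator has to keep in mind when choosing scenario risk values and the threshold.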
Acknowledgements
Abstract (Chinese)
Abstract
Table of Contents
List of Figures
List of Tables
Chapter 1 Introduction
1.1 Research Background
1.2 Research Motivation and Objectives
1.3 Thesis Organization
Chapter 2 Related Techniques and Research
2.1 Malware and System Vulnerabilities
2.2 Common Attack Methods
2.3 Security Operation Center
2.4 Introduction to Firewalls and Intrusion Detection and Prevention Systems
2.5 Connected-Host Information and Vulnerability Scanning
Chapter 3 System Design and Implementation
3.1 System Architecture
3.2 System Operating Environment
3.3 System Workflow
3.4 Mini-SOC Data Flow Diagrams
Chapter 4 Attack Scenario Modeling
4.1 Introduction to Alert Correlation Techniques
4.2 Method for Building Attack Scenario Templates
4.3 Attack Risk Value Calculation
Chapter 5 Case Simulation and Analysis
5.1 Test Data
5.2 Attack Cases
5.3 Average Attack Risk Values
5.4 Other Attacks
Chapter 6 Conclusions
6.1 Research Conclusions
6.2 Future Research Directions
References
Appendix A Description of Data Tables
A.1 Subsystem Information Database
A.2 Alert Database
A.3 Main Mini-SOC Database Server
Appendix B Data Table Relationship Diagram