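Graduate student: 洪吉祥 (Chi-Hsiang Hung)
Thesis title: 網路防禦技術之研究
Thesis title (English): A Study of Network Security Technologies
Advisor: 伍麗樵 (Lih-Chayu Wuu)
Degree: Doctoral
Institution: National Yunlin University of Science and Technology
Department: Graduate School of Engineering Science and Technology, Doctoral Program
Discipline: Engineering
Field: General Engineering
Thesis type: Academic thesis
Year of publication: 2013
Academic year of graduation: 101
Language: English
Number of pages: 97
Keywords (translated from Chinese): Secret Sharing; Key Management; Chinese Remainder Theorem; Intrusion Detection; Data Mining; IP Traceback
Keywords (English): Secret Sharing; Group Key Management; Chinese Remainder Theorem; IP Traceback; Data Mining; Intrusion Detection System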
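With the rapid development of network technology, people can communicate over networks more efficiently and easily. However, network availability is easily damaged by malicious behavior, so network security has become an important research topic. In general, adopting a single security technology alone is far from sufficient to protect a network. In this dissertation we design several related network security technologies to protect the network, including a network-based intrusion detection system, IP traceback, and group key management.
In recent years many enterprises and organizations have deployed intrusion detection systems to detect known network attacks. This dissertation uses data mining techniques to extract the behavioral features of attack packets and designs an intrusion behavior detector that analyzes packets on the network in real time to determine whether they carry intrusion behavior. However, because IP addresses can be forged, the source IP address that the intrusion detector sees on an attack packet is not necessarily the real sender of that packet. We therefore use the Chinese Remainder Theorem to design a probabilistic packet marking algorithm in which a router, before forwarding a user's packet into the network, stamps the packet with a mark representing itself with a certain probability, so that the victim can collect the marks on the attack packets, reconstruct the attack path, and find the source of the attack packets.
In addition, as more and more group applications based on IP multicast (for example video on demand and video conferencing) come into wide use, a secure mechanism is needed to protect group data in transit and to guarantee that only legitimate group members can obtain the content of the group communication. Here I use (2, 2) threshold secret sharing to develop a group key management mechanism that satisfies the security requirements of group communication and also prevents many network attacks.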
With the rapid progress of network technology, people can communicate efficiently and easily via the Internet. However, various malicious activities sabotage network usage, which makes network security a serious concern. It is well known that applying only one network security technology to protect a system is inadequate. In this dissertation, we focus on designing three network security technologies: network intrusion detection, an IP traceback scheme, and group key management.
Today most enterprises and organizations deploy an intrusion detection system (IDS) to detect known attacks. We apply data mining techniques to extract intrusion patterns, and design an intrusion behavior detection engine that analyzes packets in real time to detect possible attacks. Because IP spoofing is easy, it is difficult to find the real source of an attack. We therefore also design an IP traceback scheme based on the Chinese Remainder Theorem (CRT) that requires routers to probabilistically mark packets with partial path information as the packets traverse the Internet. After an attack is detected, our scheme reconstructs the attack paths from the marked packets to trace the real source of the attack.
In addition, group key generation and management is becoming increasingly important, since more and more applications transmit their data by IP multicast to reduce network bandwidth consumption. Many group applications require security mechanisms that protect the integrity of group traffic against modification, guard the confidentiality of data against eavesdropping, and validate the authenticity of both messages and users. To provide these services, we design an authenticated group key management protocol based on a (2, 2) secret sharing scheme that offers confidentiality, integrity, forward secrecy, backward secrecy, and mutual authentication. The proposed group key management protocol also resists the replay attack, the impersonation attack, the group key disclosure attack, and the malicious insider attack.
Chinese Abstract
Abstract
Acknowledgements
Table of Contents
List of Tables
List of Figures
Chapter 1. Introduction
1.1. Motivation
1.2. Intrusion Detection System
1.3. IP Traceback
1.4. Group Key Management
1.5. Organization of Dissertation
Chapter 2. Background
2.1. Snort
2.1.1. Snort’s Architecture
2.1.2. Snort Rules
2.2. IP Traceback Schemes based on Packet Marking
2.2.1. Fragment Marking Scheme (FMS)
2.2.2. Advance Marking Scheme (AMS)
2.2.3. Fast Internet Traceback (FIT)
2.3. Group Key Management Schemes
2.3.1. Authenticated Group Key Transfer Protocol (AGKTP)
2.3.2. A Suite of Algorithms for Key Distribution and Authentication (SAKDA)
Chapter 3. Network Intrusion Detection System
3.1. The Proposed Scheme
3.1.1. System Architecture
3.1.2. Single Intrusion Pattern Miner
3.1.3. Sequential Intrusion Pattern Miner
3.1.4. Intrusion Behavior Detection Engine
3.2. Experiment
3.2.1. Mining Experiments
3.2.2. Comparison of Correctness
3.2.3. Comparison of Performance
Chapter 4. CRT-based IP Traceback
4.1. The Proposed Scheme
4.1.1. Marking Information
4.1.2. Marking Procedure
4.1.3. Attack Paths Reconstruction
4.2. Simulation Results
Chapter 5. Authenticated Group Key Management based on (2, 2) Secret Sharing
5.1. The Proposed Scheme
5.1.1. System Initialization
5.1.2. Group Creation
5.1.3. Member Join
5.1.4. Member Leave
5.2. Security Analysis
5.3. Performance Analysis
5.3.1. The Number of Rekeying Messages
5.3.2. The Size of Rekeying Messages
5.3.3. The Number of Stored Keys
5.3.4. Computation Overhead
Chapter 6. Conclusion and Future Works
6.1. Conclusion
6.2. Future Works
References