National Digital Library of Theses and Dissertations in Taiwan

Detailed record
Author: 林子紘
Author (English): Lin, Zih-Hong
Title: 採用MITRE Engage框架並應用於SSH蜜罐的主動式防禦系統
Title (English): An Active Defense System Based on SSH Honeypot in Accordance with MITRE Engage
Advisor: 黃仁竑
Advisor (English): Hwang, Ren-Hung
Committee: 林柏青, 黃俊穎, 黃仁竑
Committee (English): Lin, Po-Ching; Huang, Chun-Ying; Hwang, Ren-Hung
Defense date: 2024-07-24
Degree: Master
Institution: National Yang Ming Chiao Tung University
Department: Institute of Intelligent Systems and Applications
Discipline: Engineering
Field: Electrical Engineering and Computer Science
Document type: Academic thesis
Year of publication: 2024
Graduation academic year: 112 (ROC calendar, i.e. 2023-2024)
Language: Chinese
Pages: 39
Keywords: Active defense; Honeypot; Deception techniques; MITRE Engage; SSH; Reinforcement learning (RL); Threat intelligence
Abstract:
This thesis addresses the shortcomings of existing honeypots by proposing an active defense system based on the MITRE Engage framework, tailored for SSH services.
Unlike traditional honeypots that passively observe attacks, the proposed system actively engages adversaries using deception and denial strategies derived from MITRE Engage activities.
Its key components are a Wazuh module for real-time behavior analysis and MITRE ATT&CK mapping, an attack-defense mapping module that selects the Engage strategy, and an Engage handler module that uses reinforcement learning (RL) to respond dynamically to the adversary.
The RL decisions are guided by a reward function that incorporates the recommended Engage activities, so that the generated responses are both reasonable and strategic.
The thesis also designs an attack module that simulates real-world attacks to train and evaluate the system, demonstrating its effect on the diversity of adversary interaction.
Experiments comparing the proposed system with Cowrie and with QRASSH, an earlier SSH honeypot, show significant improvements in session diversity, highlighting the system's improved capability in adversary engagement and intelligence collection.
The thesis thus contributes a new framework for active defense in cybersecurity, leveraging RL and MITRE Engage to improve the effectiveness of SSH honeypots in threat intelligence gathering.
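To make the RL-driven Engage handler described in the abstract concrete, the following is an added illustration, not the thesis's code: a tabular Q-learning loop in which the state is the ATT&CK technique tagged on the latest SSH session event (the role the Wazuh module plays), the actions are one denial response plus several deception responses, and the reward grants a bonus when the chosen response is among the Engage activities recommended for that technique, plus credit for keeping the adversary on the session. The technique IDs are real ATT&CK identifiers; the activity names, the technique-to-activity recommendation table, the attacker simulator and the reward weights are constructed assumptions, and the session-diversity metric is a simplified stand-in for the thesis's evaluation.

```python
"""Tabular Q-learning for an Engage-style SSH honeypot response policy.

Added illustration, not the thesis's code. The ATT&CK technique IDs are
real; the Engage activity names, the recommendation table, the attacker
simulator and the reward weights are constructed assumptions."""
import random
from collections import defaultdict

# State: the ATT&CK technique a Wazuh-style rule tagged on the last SSH
# session event. Value: Engage-style activities assumed to be recommended
# for that technique (assumption, not the thesis's mapping table).
RECOMMENDED = {
    "T1110": {"decoy_credentials", "lure"},   # Brute Force
    "T1082": {"fake_system_info"},            # System Information Discovery
    "T1105": {"lure", "fake_system_info"},    # Ingress Tool Transfer
}
# Engage handler actions: one denial ("deny") plus deception responses.
ACTIONS = ["allow", "deny", "decoy_credentials", "fake_system_info", "lure"]
STATES = list(RECOMMENDED)

ALPHA, GAMMA, EPSILON = 0.1, 0.9, 0.2  # learning rate, discount, exploration


def simulate_attacker(rng, state, action):
    """Constructed attacker model (assumption): a recommended deception keeps
    the attacker on the session with p=0.9, an unaligned response with p=0.5,
    and 'deny' ends it. Returns the next technique, or None if the session ends."""
    if action == "deny":
        return None
    p_stay = 0.9 if action in RECOMMENDED[state] else 0.5
    if rng.random() > p_stay:
        return None
    return rng.choice(STATES)


def reward(state, action, next_state):
    """Reward shaped after the abstract's idea: bonus when the response matches
    a recommended Engage activity, plus credit for keeping the adversary
    engaged (or a penalty when the session ends). Weights are assumptions."""
    r = 2.0 if action in RECOMMENDED[state] else 0.0
    r += 1.0 if next_state is not None else -1.0
    return r


def train(episodes=3000, seed=7, max_steps=20):
    """Epsilon-greedy Q-learning over simulated SSH sessions; returns the Q-table."""
    rng = random.Random(seed)
    q = defaultdict(lambda: {a: 0.0 for a in ACTIONS})
    for _ in range(episodes):
        state = rng.choice(STATES)
        for _ in range(max_steps):
            if rng.random() < EPSILON:
                action = rng.choice(ACTIONS)
            else:
                action = max(ACTIONS, key=lambda a: q[state][a])
            next_state = simulate_attacker(rng, state, action)
            r = reward(state, action, next_state)
            target = r if next_state is None else r + GAMMA * max(q[next_state].values())
            q[state][action] += ALPHA * (target - q[state][action])
            if next_state is None:
                break
            state = next_state
    return q


def greedy_policy(q):
    """Map each observed technique to the response with the highest Q value."""
    return {s: max(ACTIONS, key=lambda a: q[s][a]) for s in STATES}


def session_diversity(seed, policy, sessions=200, max_steps=20):
    """Simplified evaluation metric: mean number of distinct techniques observed
    per simulated session under a fixed policy (constructed data)."""
    rng = random.Random(seed)
    total = 0
    for _ in range(sessions):
        state = rng.choice(STATES)
        seen = {state}
        for _ in range(max_steps):
            state = simulate_attacker(rng, state, policy[state])
            if state is None:
                break
            seen.add(state)
        total += len(seen)
    return total / sessions


if __name__ == "__main__":
    learned = greedy_policy(train())
    deny_all = {s: "deny" for s in STATES}
    print("learned policy:", learned)
    print("diversity (learned):", session_diversity(1, learned))
    print("diversity (deny all):", session_diversity(1, deny_all))
```

The deny-all baseline stands in for a purely blocking defense: every session ends after its first event, so diversity stays at one technique per session, while the learned policy keeps choosing responses that sit in the recommended set for each technique and keeps the adversary interacting longer.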
Table of contents:
Chinese Abstract
English Abstract
Contents
List of Figures
List of Tables
1 Introduction
2 Background
3 System Model and Problem Formulation
  3.1 Notations
  3.2 Problem Statement
4 MITRE Engage-Based Honeypot for SSH Service
  4.1 Module Interaction
  4.2 Wazuh Module
  4.3 Attack-Defense Mapping Module
  4.4 Engage Handler Module
    4.4.1 Reinforcement Learning
    4.4.2 State of RL
    4.4.3 Action of RL
    4.4.4 Reward Function of RL
    4.4.5 Q Value of RL
    4.4.6 Conclusion for RL
  4.5 Attack Module
5 Evaluation
  5.1 Experimental Design
  5.2 Training Result
  5.3 Comparison with QRASSH and Cowrie
    5.3.1 Comparison with QRASSH
    5.3.2 Comparison with Cowrie
6 Conclusions
References
Electronic full text: publicly available online from 2027-07-30.