National Digital Library of Theses and Dissertations in Taiwan (臺灣博碩士論文加值系統)
Author: 柯盈圳
Author (English): Ying-Jiun Ko
Title (Chinese): 以系統呼叫為基礎之程式行為異常偵測
Title (English): The Study of Program Behavior Anomaly Detection Based on System Calls
Advisor: 王智弘博士
Advisor (English): Chih-Hung Wang, Ph.D.
Degree: Master's
Institution: 國立嘉義大學 (National Chiayi University)
Department: 資訊工程學系研究所 (Graduate Institute of Computer Science and Information Engineering)
Discipline: Engineering
Field: Electrical and Computer Engineering
Document type: Academic thesis
Graduation academic year: 96 (ROC calendar)
Language: Chinese
Keywords (Chinese): 入侵偵測, 異常偵測, 系統呼叫, 程式行為, 隱藏式馬可夫模型
Keywords (English): Intrusion detection, anomaly detection, system call, program behavior, hidden Markov model
Abstract (translated from the Chinese):
Threats to network security have been raised constantly in recent years; the convenience of the network has made network security a subject that cannot go unstudied. Intrusion detection systems were born in response to this situation: they analyze information from network traffic or system calls to study user behavior, build a behavior model, and use that model to develop a detection system aimed at attack behavior. In anomaly detection research, most work uses network packets as the data source for model building. Because the normal-behavior model of anomaly detection must be produced by training, the data source must be attack-free normal packet data that has already been analyzed, and obtaining such data is not easy. This thesis therefore uses system calls as the basis of the normal-behavior model. System calls are produced while a process runs, so a system call sequence can be regarded as one form of the process's execution behavior, and through this behavior we can build a stricter normal-behavior model.
We propose two anomaly detection models built on system calls. The first method uses a hidden Markov model with a reduced state set. The second combines address differences with system call paths into an anomaly detection system: the system call paths ensure the normal execution behavior of a process, and the address differences keep the process from executing at memory addresses it is not permitted to use. In addition, the system call paths of attack behaviors that have already been analyzed are collected into a database, so that the anomaly detection system can recognize known attack behaviors and issue a further warning.

Abstract (English):
Because of the convenience of the Internet, many applications and services on it have developed rapidly, and for this reason security issues on the Internet have become more and more important. Intrusion detection systems were born of an open and lawless network environment; they help an administrator analyze information from Internet traffic or system calls in order to create a normal behavior model for detecting attacks. Most anomaly detection research adopts network traffic for training and builds the normal behavior model from normal datasets that are clean and free of attacks, but such normal datasets are hard to obtain. The system call sequences produced by executing processes can be considered the normal behavior of those processes; therefore, we employ system call analysis to build the model.
In this thesis, we propose two schemes of anomaly detection on system calls. In the first scheme, we use a reduced-state hidden Markov model for anomaly detection on system calls. In the second, we combine the differences of addresses between system calls with the executing paths of system call sequences to create a normal behavior model. The executing paths of system call sequences ensure the normal behavior of processes, and recording the differences of addresses between system calls can prevent an unauthorized address from being used by system call services. Moreover, we collect the executing paths of system call sequences of known attacks as a database for detection.
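As an added illustration of the second scheme, written for this page and not the thesis's own implementation: a normal-behaviour model built from sliding windows of (system call, address delta) tokens, plus a small database of known-attack system call paths checked at detection time. The training traces, addresses, the `execve` attack trace and the known-attack path are all constructed for the example; the score is the fraction of windows never seen in training.

```python
# Constructed training traces: (system call, return address at the call site).
# Addresses and traces are invented for this example, not taken from the thesis.
NORMAL_TRACES = [
    [("open", 0x4005a0), ("read", 0x4005c8), ("write", 0x4005f0), ("close", 0x400610)],
    [("open", 0x4005a0), ("read", 0x4005c8), ("read", 0x4005c8),
     ("write", 0x4005f0), ("close", 0x400610)],
]

# Constructed database of known-attack system call paths (names only),
# mirroring the idea of storing analysed attack paths for recognition.
KNOWN_ATTACK_PATHS = {("read", "execve"): "shellcode after stack overflow"}


def tokens(trace):
    """Map a trace to (system call, address delta from the previous call) tokens.
    Deltas rather than absolute addresses are modelled so that a relocated
    binary still matches its own training data."""
    out, prev = [], None
    for name, addr in trace:
        out.append((name, 0 if prev is None else addr - prev))
        prev = addr
    return out


def windows(seq, k):
    """All length-k sliding windows of seq (the 'system call path' unit)."""
    return [tuple(seq[i:i + k]) for i in range(len(seq) - k + 1)]


def train(traces, k=2):
    """Normal-behaviour model: the set of every length-k window seen in training."""
    model = set()
    for trace in traces:
        model.update(windows(tokens(trace), k))
    return model


def detect(model, trace, k=2):
    """Return (anomaly score, known-attack label or None) for one trace.
    Score = fraction of windows whose (call, delta) pattern was never trained, so
    a call issued from an unexpected address is flagged even when the sequence of
    call names alone looks normal."""
    ws = windows(tokens(trace), k)
    score = sum(1 for w in ws if w not in model) / len(ws) if ws else 0.0
    names = tuple(name for name, _ in trace)
    for path, label in KNOWN_ATTACK_PATHS.items():
        if any(names[i:i + len(path)] == path for i in range(len(names) - len(path) + 1)):
            return score, label
    return score, None


if __name__ == "__main__":
    model = train(NORMAL_TRACES)
    print(detect(model, NORMAL_TRACES[0]))                                   # (0.0, None)
    print(detect(model, [("open", 0x4005a0), ("read", 0x4005c8), ("execve", 0xbffff7a0)]))
```

A trace that repeats the normal call names but issues `write` from a different address scores above zero, which is what the address-difference part of the model adds over a names-only path model.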

Table of contents
Abstract (Chinese) ... i
Abstract (English) ... ii
Acknowledgements ... iii
Chapter 1 Introduction ... 1
1.1 Research motivation ... 1
1.2 Research objectives ... 3
1.3 Thesis organization ... 3
Chapter 2 Related work ... 4
2.1 Intrusion detection systems ... 4
2.2 Misuse detection ... 5
2.3 Anomaly detection ... 6
2.4 Intrusion detection systems using system calls ... 7
2.5 Datasets ... 10
Chapter 3 Method architecture ... 11
3.1 Anomaly detection on system calls using a reduced-state hidden Markov model ... 11
3.1.1 Hidden Markov model ... 11
3.1.2 Method architecture ... 13
3.2 Anomaly detection using address differences and system call paths ... 16
3.2.1 System call paths ... 16
3.2.2 Address differences ... 18
3.2.3 Method architecture ... 18
Chapter 4 Experiments and analysis ... 21
4.1 Method 1 (reduced-state hidden Markov model) ... 21
4.2 Method 2 (model based on address differences and system call paths) ... 24
4.2.1 DoS attacks ... 24
4.2.1 Buffer overflow attacks ... 27
Chapter 5 Conclusions and future work ... 33
References ... 34
