
National Digital Library of Theses and Dissertations in Taiwan

Student: 邱業宸
Student (English): Ye-Chen Chiou
Title (Chinese): 使用動態特徵權重自動化提取攻擊策略之警報關聯系統研究
Title (English): Study of Alert Correlation System with Automatic Extraction of Attack Strategies by Using Dynamic Feature Weights
Advisor: 王智弘
Advisor (English): Chih-Hung Wang
Degree: Master's
Institution: National Chiayi University
Department: Graduate Institute of Computer Science and Information Engineering
Discipline: Engineering
Field: Electrical and Computer Engineering
Thesis type: Academic thesis
Graduation academic year: 103 (ROC calendar)
Language: English
Pages: 45
Keywords: alert correlation, attack graph, intrusion detection, cloud computing, network security
Statistics:
  • Cited: 0
  • Views: 135
  • Rating: (none)
  • Downloads: 0
  • Bookmarked: 0
Abstract (translated from Chinese): As networks evolve day by day, network security has become especially important. People use Intrusion Detection Systems (IDS) to monitor the network environment of a system; when an IDS detects suspicious behaviour on the network, it issues a large volume of alerts to the network security administrator. Alert correlation techniques can extract useful information from these large volumes of alerts, so alert correlation has become an important topic. However, with the rapid development of technology, new vulnerabilities spring up like mushrooms after rain, and many attacks that exploit these new vulnerabilities must be faced as well. Some alert correlation methods rely on the known vulnerabilities of a system or on a knowledge base built in advance, and cannot achieve good detection results for attacks that exploit unknown vulnerabilities. Moreover, finding all the vulnerabilities in a system environment is not easy. Therefore, for alert correlation, automatically extracting the attack scenarios contained in the alerts is very important.
This thesis proposes an alert correlation method that automatically extracts attack scenarios. It evaluates Equality Constraints Sets (ECS) to dynamically adjust the feature weights used to compute the degree of correlation between two alerts, and records the results in an Alert Correlation Matrix (ACM). The method needs neither a pre-built knowledge base nor training data, and its modules do not have to be rebuilt for different environments. By observing the connectivity and the ordering relationships among alerts, it extracts the attack scenarios carried out by the attacker, so that precautions can be taken in advance and attacks that exploit unknown vulnerabilities can be detected.
Abstract (English): With the growth of network technology, network security has become important. Intrusion Detection Systems (IDS) monitor the network environment of a system. When an IDS detects suspicious behaviour in the network, it raises a large number of alerts to the network administrator. Alert correlation can extract useful information from these many alerts. With the growing popularity of computer technology, new system vulnerabilities and unknown risks continuously increase. Some methods built on a knowledge base have been unable to deal with attacks that exploit unknown vulnerabilities. Moreover, it is hard to find the potential vulnerabilities of the whole system environment. Therefore, it is very important to automatically extract attack strategies in an alert correlation system.
In this thesis, we propose an alert correlation system with automatic extraction of attack strategies. The proposed system estimates all correlation cell values of peer alerts by using Equality Constraints Sets (ECS) and records them in the Alert Correlation Matrix (ACM). Our system does not need to create a predefined knowledge base or prepare training data. Moreover, our system does not need to re-establish its modules for different environments. We extract the attack scenarios of attackers by observing the connectivity and relationships among the received alerts.
Chinese Abstract
Abstract
Acknowledgements
CONTENTS
LIST OF FIGURES
LIST OF TABLES
Chapter 1. Introduction
1.1 Overview
1.2 Motivation
1.3 Contribution
1.4 Organization of This Thesis
Chapter 2. Related Works
2.1 Alert Correlation with Knowledge Base
2.2 Alert Correlation Based on Neural Network
2.3 Alert Correlation Based on Bayesian Networks
Chapter 3. Proposed Alert Correlation Method
3.1 Alert Filter
3.2 Equality Constraint Sets Table
3.3 Feature Extractor
3.4 Correlation Engine
3.5 Correlation Strength Processor
3.6 Improved Alert Correlation Matrix with Attenuation
Chapter 4. Experiment Results
4.1 DARPA 2000 Intrusion Dataset
4.2 Improved Method with Attenuation
4.3 Comparison and Analysis
Chapter 5. Conclusions
Reference