National Digital Library of Theses and Dissertations in Taiwan

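Graduate student: 劉醇瑞 (Chun-rui Liu)
Thesis title: 基於行為探測法之惡意流量隔離機制
Thesis title (English): A Study of Containment Malicious Traffic Flows with Behavioral Probing Method
Advisor: 廖鴻圖 (Horng-Twu Liaw)
Degree: Master's
Institution: Shih Hsin University
Department: Graduate Institute of Information Management (including the in-service master's program)
Discipline: Computer Science
Field: General Computer Science
Thesis type: Academic thesis
Year of publication: 2006
Graduation academic year: 94
Language: Chinese
Number of pages: 72
Keywords (translated from Chinese): network worms; signature comparison; containment mechanism
Keywords (English): Signature Comparison; Network Worms; Worm Containment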
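With the widespread connectivity and use of the Internet and the steady growth in bandwidth, threats from malicious programs keep emerging, and the dominant form has gradually shifted from early computer viruses to network worms. By propagating rapidly and in large volume, network worms cause serious security threats and waste bandwidth.
Existing security defense mechanisms mostly rely on signature comparison: researchers analyze samples and periodically publish virus definition information. Although this method is highly accurate, it cannot defend at the outset against zero-day attacks and continually mutating viruses.
This study proposes a containment mechanism that does not rely on signature information. It uses the abnormal scanning behavior of malicious programs, together with a baseline built from name resolution, to detect known or unknown network worms in real time and isolate the attack source, thereby keeping the network secure.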
With the increase in bandwidth and the widespread use of Internet applications, malicious programs have infected hundreds and thousands of computers. The early form of computer viruses has gradually given way to network worms. Through fast and massive spread, viruses and worms have caused severe damage and have become a serious threat to Internet security.
Most engineers use the signature comparison method to prevent Internet security threats. Analysts and researchers announce a worm signature as soon as they discover a new type of worm. Although signature comparison has better accuracy than other prevention methods, it is not able to prevent zero-day attacks and polymorphic worms in the first place.
In order to avoid the first attack of a worm or virus, our containment approach uses network address resolution and the characteristics of the abnormal scanning activity of malicious programs to prevent Internet attacks. With this method, we do not have to depend on signatures; we only need to focus on the known or unknown network worms, find the spreading sources and block them. Thus, this thesis can ensure the safety of the network before damage takes place.
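Abstract (Chinese)
Abstract
Table of Contents
List of Figures
List of Tables
Chapter 1 Introduction
1.1 Research Motivation
1.2 Research Objectives
1.3 Research Scope
1.4 Thesis Organization
Chapter 2 Literature Review
2.1 Malicious Programs
2.2 Network Worms
2.2.1 History of Network Worms
2.2.2 Characteristics of Network Worms
2.2.3 Trends in the Development of Malicious Attack Programs
2.3 Network Worm Prevention
2.3.1 Key Factors in Suppressing Network Worms
2.3.2 System Vulnerabilities and Patching
2.3.3 Existing Network Worm Defense Mechanisms
Chapter 3 Related Work
3.1 The Honeyd Mechanism
3.2 The Honeycomb Mechanism
3.3 The Autograph Mechanism
3.4 The Earlybird Mechanism
3.5 Weaver's Mechanism
Chapter 4 The Proposed Network Worm Detection Mechanism
4.1 System Architecture and Detection Scope
4.2 System Design
4.2.1 Parallel Multistage Hashing
4.2.2 Detection Table Design
4.3 Operational Flow of the Mechanism
4.3.1 Inbound Detection
4.3.2 Outbound Detection
4.3.3 Response Mechanism
4.3.4 Exception Handling
Chapter 5 Experimental Method and Results
5.1 System Development and Parameters
5.1.1 System Development
5.1.2 System Parameters
5.2 Experiments and Analysis
5.2.1 Inbound Detection
5.2.2 Outbound Detection
5.2.3 Response Mechanism and Exception Handling
5.3 Comparison with Other Mechanisms
Chapter 6 Conclusions and Future Research
6.1 Conclusions
6.2 Suggestions for Future Research
References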