National Digital Library of Theses and Dissertations in Taiwan

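Graduate student: 張思揚 (Ssu-Yang Chang)
Thesis title: 以網路流量偵測ARP欺騙攻擊之研究 (Detecting ARP Spoofing Attack by Mining Network Traffic Data)
Advisor: 蕭漢威 (Han-Wei Hsiao)
Degree: Master's
Institution: National University of Kaohsiung
Department: Master's Program, Department of Information Management
Discipline: Computer Science
Field: General Computer Science
Thesis type: Academic thesis
Year of publication: 2009
Graduation academic year: 97
Language: Chinese
Number of pages: 41
Keywords (translated from the Chinese): ARP spoofing attack; network security; attack detection; data mining; SNMP protocol
Keywords (English): ARP Spoofing; Data mining; Network security; Attack Detection; SNMP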
Usage counts:
  • Cited by: 7
  • Views: 726
  • Downloads: 146
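Abstract (translated from the Chinese):
With the advance and spread of Ethernet transmission technology, most local area networks today use switches as their connecting devices. This has effectively mitigated the network security problem of data packets being sniffed within the local area network, which existed when hubs were used. In its place, however, design flaws in the ARP protocol are exploited to carry out ARP spoofing attacks and so achieve the goal of eavesdropping. This study proposes a system architecture that collects SNMP traffic information from network devices and uses classification analysis techniques from data mining research to detect ARP spoofing attacks.
In our system architecture, three data mining techniques in common use today, namely Bayesian classification, decision trees and support vector machines, serve as the classification algorithms of the classification prediction module, and we evaluate which is the most suitable. In addition, this study collected network traffic data at one-minute, three-minute and five-minute intervals as three sampling intervals for the training data, in order to examine how strongly the sampling interval affects the performance of the proposed ARP spoofing classification prediction module. The experimental results show that the accuracy of the classification prediction module rises as the sampling interval lengthens. Among the three classifiers, the decision tree reached an accuracy above 99% at each of the three data collection intervals, and its miss rate and false alarm rate were also good. This shows that, on our experimental data, the classification accuracy of the decision tree algorithm is stable and less affected by differences in the sampling interval.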
Abstract (English):
As Ethernet switches have replaced hubs on local networks, the threat of network sniffing attacks has been reduced. Today, however, another sniffing technique has come into popular use: the ARP (Address Resolution Protocol) spoofing attack. This kind of attack uses the vulnerability of the ARP protocol to eavesdrop on data on a local area network. In this research, we propose a detection system, built by mining SNMP network traffic data, to detect ARP spoofing attacks in an Internet environment.
This research evaluates three popular classification techniques for the detection module: Naïve Bayesian Classification, Decision Tree and Support Vector Machine. The empirical experiments show that the detection module performs well at detecting ARP spoofing attacks. Furthermore, this research gathers network traffic data for constructing the prediction module at different time intervals, namely 1, 3 and 5 minutes, to evaluate their influence on prediction accuracy. The results show that the performance of attack event prediction improves with longer data collection intervals. Moreover, the accuracy of the Decision Tree at all three time intervals is above 99%, and the missing rate and the false alarm rate are acceptable. This shows that the Decision Tree is a suitable classification technique for constructing an ARP spoofing attack detection module.
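Chapter 1 Introduction
Chapter 2 Literature Review
2.1 Introduction to the ARP Protocol
2.2 ARP Spoofing Attack Techniques
2.3 Related Research on Detecting ARP Spoofing Attacks
Chapter 3 Research Framework
3.1 SNMP and Experimental Variables
3.2 Classification Prediction Module
3.2.1 Naïve Bayesian Classification
3.2.2 Decision Tree
3.2.3 Support Vector Machine
Chapter 4 Empirical Evaluation
4.1 Experimental Data Collection
4.2 Performance Evaluation Metrics
4.3 Experimental Results
Chapter 5 Conclusions and Future Research
References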