Please use this Handle URI to cite this item:
http://tdr.lib.ntu.edu.tw/jspui/handle/123456789/25057

Full metadata record
| DC field | Value | Language |
|---|---|---|
| dc.contributor.advisor | 孫雅麗(Yeali S. Sun) | |
| dc.contributor.author | Ting-Sheng Lo | en |
| dc.contributor.author | 羅鼎盛 | zh_TW |
| dc.date.accessioned | 2021-06-08T06:01:15Z | - |
| dc.date.copyright | 2007-07-30 | |
| dc.date.issued | 2007 | |
| dc.date.submitted | 2007-07-30 | |
| dc.identifier.uri | http://tdr.lib.ntu.edu.tw/jspui/handle/123456789/25057 | - |
| dc.description.abstract | In recent years, as the Internet has become ever more widespread, knowledge of system vulnerabilities has become easier than ever to obtain online, leading to a constant stream of new and changing network attacks; to this day there is still no complete mechanism that improves the current network security architecture. Existing signature-based intrusion detection systems and firewalls, which inspect each packet independently in a stateless manner, can no longer block network worm attacks in time. As hacking techniques become easier to obtain, network worms will inevitably become more sophisticated, their attack steps more complex, and they will be even harder to detect with current stateless methods. Polymorphic techniques are also becoming more common on the Internet; if future network worms are all improved with polymorphism, packet contents will no longer contain an invariant signature, and the stateless string-matching approach of traditional intrusion detection systems, which treats each packet as an independent unit, will be unable to detect such attacks. We previously proposed Security Monitor (SecMon), a cross-layer, stateful, behavior-based detection system, which uses finite state machines (FSMs) to describe the important behaviors of possible attacks at the protocol layer, the service layer, and the level of attack symptoms. It uses stateful inspection to fully track the state and content of network packet flows and to detect suspicious, complex attack steps, with the goal of detecting network anomalies early and effectively. This approach is better able than signature-based intrusion detection systems to detect polymorphic network worm attacks as well as unknown, new network attacks. Based on this approach, this thesis designs and implements a network packet capture and logging architecture that efficiently captures and records all important packet-flow evidence during suspicious network attack events, for use in post-mortem network forensic analysis. From the captured records, the cross-layer stateful SecMon system can then fully reconstruct what happened during the event. | zh_TW |
| dc.description.abstract | In today's world, exploit code is created more easily and faster than ever. As a result, more and more attack events happen on the Internet. Unfortunately, the current Internet security architecture cannot efficiently control these malicious activities. Traditional intrusion detection systems use a stateless approach in which network traffic is inspected packet by packet. Because stateless approaches cannot monitor the behavior of the network, they fail to detect a sequence of complicated attack steps. In addition, because more and more exploit programs are available in the public domain, attackers are now capable of launching more sophisticated attacks such as stealthy worms. The attack procedures of stealthy worms will become more complicated in order to evade detection. Furthermore, some attacks, such as polymorphic worms, can mutate themselves and have no clear signature. The stateless approach with simple pattern-matching techniques is not sufficient to detect sophisticated attacks and polymorphic worms. In previous work, we proposed Security Monitor (SecMon), a cross-layer stateful intrusion detection system, to detect sophisticated attacks. In SecMon, we use finite state machines to track the transitions of protocols at different layers and thereby understand the evolution of connections. SecMon is able to detect polymorphic worms and unknown attacks at an early stage, which signature-based intrusion detection systems cannot. In this thesis, we propose a sufficient logging mechanism based on SecMon to log malicious activities and preserve the evidence needed for post-mortem analysis. With the logged events and the cross-layer stateful SecMon intrusion detection system, the system administrator can reconstruct the attack procedure to understand what happened in the network. | en |
| dc.description.provenance | Made available in DSpace on 2021-06-08T06:01:15Z (GMT). No. of bitstreams: 1 ntu-96-R94725029-1.pdf: 990204 bytes, checksum: 33df4fa5889bf4ba9aa3ce262142523b (MD5) Previous issue date: 2007 | en |
| dc.description.tableofcontents | Oral examination committee approval; Thesis abstract III; Acknowledgements IV; Chinese abstract V; English abstract VI; Chapter 1 Introduction 1; 1.1 Research background and motivation 1; 1.2 Research objectives 3; 1.3 Thesis organization 6; Chapter 2 Literature review 7; Chapter 3 System design 10; 3.1 System architecture 10; 3.1.1 Stateful inspection module 10; 3.1.2 Protocol Module 11; 3.1.3 Vulnerable service module 12; 3.1.4 Attack Symptom Module 14; 3.1.5 Trigger Matrix 15; Chapter 4 Logging technique 18; 4.1 Schema 18; 4.2 Reconstruction process 25; Chapter 5 Performance evaluation 27; 5.1 System setup 27; 5.2 Experiment 1 32; 5.2.1 Objective 32; 5.2.2 Traffic Trace 32; 5.2.3 Attack Scenario 33; 5.2.4 Experimental results 38; 5.3 Experiment 2 44; 5.3.1 Objective 44; 5.3.2 Traffic Trace 45; 5.3.3 Polymorphic technique 46; 5.3.4 Attack scenario 47; 5.3.5 Experimental results 52; Chapter 6 Conclusion 59; References 60 | |
| dc.language.iso | zh-TW | |
| dc.subject | Network worm | zh_TW |
| dc.subject | Intrusion detection | zh_TW |
| dc.subject | Network forensics | zh_TW |
| dc.subject | network forensics | en |
| dc.subject | worm | en |
| dc.subject | intrusion detection system | en |
| dc.title | Design and implementation of cross-layer stateful packet capture and logging for network forensic analysis | zh_TW |
| dc.title | Cross-Layer stateful traffic logging for network forensic analysis | en |
| dc.type | Thesis | |
| dc.date.schoolyear | 95-2 | |
| dc.description.degree | Master's | |
| dc.contributor.oralexamcommittee | 陳孟彰(Meng Chang Chen),林永松(F.Y.S. Lin),蔡志宏(Zsehong Tsai),李程輝(T. H. Lee) | |
| dc.subject.keyword | network worm, intrusion detection, network forensics | zh_TW |
| dc.subject.keyword | worm, intrusion detection system, network forensics | en |
| dc.relation.page | 62 | |
| dc.rights.note | Not authorized | |
| dc.date.accepted | 2007-07-30 | |
| dc.contributor.author-college | College of Management | zh_TW |
| dc.contributor.author-dept | Graduate Institute of Information Management | zh_TW |
| Appears in collections: | Department of Information Management | |
Files in this item:
| File | Size | Format |
|---|---|---|
| ntu-96-1.pdf (not authorized for public access) | 967 kB | Adobe PDF |
Items in this system are protected by copyright, with all rights reserved, unless otherwise indicated.
