Please use this Handle URI to cite this item:
http://tdr.lib.ntu.edu.tw/jspui/handle/123456789/32528
Title: Design and Implementation of a Stateful High Speed Intrusion Detection System (設計與實作狀態化高速入侵偵測系統)
Author: Chia-Fang Chung (鍾佳芳)
Advisor: Yeali S. Sun (孫雅麗)
Keywords: Stateful, IDS (Intrusion Detection), Event Correlation, Multi-stage Attack
Year of publication: 2006
Degree: Master
Abstract:

With the spread of the Internet, much of personal life and business operation is closely tied to the network. However, exploitation of system vulnerabilities and attack activity have both increased in recent years, and network security has therefore received growing attention.

Intrusion detection systems (IDS) are highly important in network security because they can detect attacks in real time and take appropriate countermeasures. Among existing systems, rule-based techniques are the most common. Traditional rule-based IDSs, however, treat each packet as an independent unit and match it against every rule to detect attacks. This stateless, memoryless detection approach can no longer detect today's increasingly complex attacks. We therefore designed a stateful high speed intrusion detection system. For the increasingly common stateful application protocols, we propose application layer stateful inspection to fully understand network behavior and detect complex attacks. We also observe that most attacks today proceed in multiple steps. To understand the behavior pattern of such attacks and detect them effectively, we designed Multi-staged Event Correlation. We implemented this prototype system on a System-on-a-Chip (SoC), using a hardware-accelerated string matching module to raise overall system performance. Experimental evaluation shows that our system outperforms Snort in both processing speed and detection capability.

As technologies have greatly advanced, more and more individuals and companies rely on the Internet for communication and business. However, with the continuous disclosure of vulnerabilities in computers and network systems, network security has become an increasingly important issue. An Intrusion Detection System (IDS) plays an important role in addressing these security problems by providing timely identification of potential attacks and effective responses. Among the IDSs currently available, the rule-based technique is the most popular because rules for newly discovered intrusions can be inserted or modified incrementally. However, traditional IDSs use a stateless approach in which network traffic is inspected packet by packet and compared against numerous rules to identify possible attacks. With the growing number and variety of intrusions, these simple pattern-matching techniques may not be sufficient to detect sophisticated attacks. We therefore see a need for a stateful IDS for high speed networks. We adopt the idea of stateful inspection, which continuously inspects packet content with memory of related packets and maintains the current "state" information, to detect and analyze intrusions in an integrated way. Besides stateful TCP inspection, we also provide application layer stateful inspection to understand the complete network behavior.

Moreover, we thoroughly study multi-staged event correlation and propose an approach to fully understand and effectively detect multi-stage attacks. Furthermore, we implement the prototype system on a System-on-a-Chip (SoC) and offload the CPU-intensive string matching function to an FPGA-based hardware component to boost performance. Intensive evaluation shows that our IDS outperforms Snort in both effectiveness and efficiency.
URI: http://tdr.lib.ntu.edu.tw/jspui/handle/123456789/32528
Full-text license: licensed for a fee
Appears in collections: Department of Information Management
Files in this item:

File | Size | Format
---|---|---
ntu-95-1.pdf (currently not authorized for public access) | 2.33 MB | Adobe PDF
Items in this repository are protected by copyright, with all rights reserved, unless otherwise indicated.