Please use this Handle URI to cite this item:
http://tdr.lib.ntu.edu.tw/jspui/handle/123456789/60536
Full metadata record
DC Field | Value | Language |
---|---|---|
dc.contributor.advisor | 廖婉君(Wanjiun Liao) | |
dc.contributor.author | Li-Ming Chen | en |
dc.contributor.author | 陳力銘 | zh_TW |
dc.date.accessioned | 2021-06-16T10:20:55Z | - |
dc.date.available | 2013-12-31 | |
dc.date.copyright | 2013-08-26 | |
dc.date.issued | 2013 | |
dc.date.submitted | 2013-08-16 | |
dc.identifier.uri | http://tdr.lib.ntu.edu.tw/jspui/handle/123456789/60536 | - |
dc.description.abstract | A slow-paced attack, such as a slow worm or bot, can remain undetectable indefinitely by slowing down the pace of its movement. Detecting slow attacks with traditional anomaly detection techniques may yield high false alarm rates. Moreover, the long lifespan of a slow-paced attack also challenges forensic investigation, because it is hard to obtain a high-quality dataset for the analysis. In this dissertation, we study the detection and forensics problems of slow-paced attacks through temporal and spatial analysis of network activities. We first discuss the problem and feasibility of back-tracking the origin of a self-propagating stealth attack, given a network traffic trace covering a sufficiently long period of time. We propose a network forensics mechanism that is scalable in computation time and space while maintaining high accuracy in identifying the attack origin. We further develop a contact-based data reduction method that filters out attack-irrelevant data and retains only evidence relevant to potential attacks for postmortem investigation. Using real-world trace-driven experiments, we evaluate the performance of the proposed mechanism and show that it can trim down up to 97% of attack-irrelevant network traffic and still successfully identify the attack origin. We then track the outbound connections of hosts using a time series. Our assumption is that, since attacks are usually controlled by pre-programmed code, their behavior exhibits regularity. Although the correlation among a slow attack's connections is temporally weak, the regularity of these connections remains preserved in the time series. Accordingly, we focus on time series spectrum analysis and propose a detection method that identifies peculiar spectral patterns representing the occurrence of a recurring and persistent activity in the time domain. We use both synthesized traffic and real-world traffic to evaluate our method. The results show that our method is efficient and effective in detecting slow-paced persistent activities even in a noisy environment with legitimate traffic. Future attacks are anticipated to be more sophisticated and stealthy in order to evade intrusion detection techniques, which aggravates the security risks. In this dissertation, we try to understand and defend against the potential threat of a slow-paced stealthy attack from the perspectives of malware detection and forensics. We find that although the attack behavior blends in with a huge number of legitimate events, we can still identify evidence of the attack and enhance the security of the monitored network environment. | en |
dc.description.provenance | Made available in DSpace on 2021-06-16T10:20:55Z (GMT). No. of bitstreams: 1 ntu-102-D95921021-1.pdf: 5756156 bytes, checksum: 398fc271979155f16cd932863c8cb94b (MD5) Previous issue date: 2013 | en |
dc.description.tableofcontents | Front matter: Oral Examination Committee Approval Form (p. i); Acknowledgements (p. ii); Abstract in Chinese (p. iii); Abstract (p. v); Contents (p. vii); List of Figures (p. x); List of Tables (p. xi).
1 Introduction (p. 1): 1.1 Computer Malware (p. 2); 1.2 Intrusion Detection (p. 5); 1.2.1 Misuse Detection (p. 7); 1.2.2 Anomaly Detection (p. 8); 1.3 Forensic Investigation (p. 9); 1.4 Problems of Slow-Paced Attacks (p. 10); 1.5 Dissertation Organization (p. 11).
2 A Scalable Long-term Network Forensics Mechanism (p. 13): 2.1 Background (p. 15); 2.1.1 Overview of the RMW Algorithm (p. 15); 2.1.2 The Challenge of RMW in Long-term Forensics (p. 16); 2.1.3 Related Work (p. 17); 2.2 Our Approach (p. 19); 2.2.1 Motivation (p. 20); 2.2.2 Approach (p. 20); 2.2.3 System Architecture (p. 21); 2.3 Data Reduction in Detail (p. 22); 2.3.1 The Concept of Data Reduction (p. 23); 2.3.2 Building a Normal Behavior Profile (p. 23); 2.3.3 Normal Traffic Filter (Φ) (p. 26); 2.3.4 Background Noise Filter (Ψ) (p. 27); 2.4 Experiment Methodology (p. 28); 2.4.1 Dataset (p. 28); 2.4.2 Metrics (p. 32); 2.4.3 Methodology (p. 33); 2.4.4 Threshold Selection (p. 36); 2.5 Evaluation Results (p. 36); 2.5.1 Sensitivity Tests for Data Reduction (p. 36); 2.5.2 Specificity Tests for Data Reduction (p. 38); 2.5.3 Long-term Attacks (p. 39); 2.5.4 Precision and DRR (p. 40); 2.5.5 Forensic Investigation (p. 41); 2.5.6 Summary of Experiment Evaluations (p. 44); 2.6 Discussion and Conclusion (p. 45).
3 Spectrum Analysis for Detecting Slow-Paced Persistent Activities (p. 47): 3.1 Introduction (p. 48); 3.2 Background (p. 50); 3.2.1 Related Work (p. 50); 3.2.2 Discrete Fourier Transform (p. 51); 3.2.3 Impulse Train (p. 53); 3.2.4 Connection Arrivals (p. 53); 3.3 Problem Formulation and Spectrum Analysis (p. 55); 3.3.1 Problem Formulation (p. 55); 3.3.2 Attack Time Series Modeling and Analysis (p. 56); 3.3.3 Legitimate Time Series Modeling and Analysis (p. 59); 3.3.4 The Effects of Using Time Bins (p. 63); 3.3.5 Summary (p. 66); 3.4 Detecting Slow-Paced Persistent Activities in the Frequency Domain (p. 66); 3.4.1 Detection Concept (p. 66); 3.4.2 Detection Algorithm (p. 68); 3.4.3 Practical Issues (p. 70); 3.5 Evaluation Results (p. 70); 3.5.1 Datasets (p. 70); 3.5.2 Simulation Results for i.i.d. Time Series (p. 72); 3.5.3 Simulation Results for non-i.i.d. Time Series (p. 74); 3.5.4 Real-World Trace Results (p. 75); 3.6 Conclusion (p. 76).
4 Conclusion and Future Directions (p. 77); Bibliography (p. 78); Appendix A (p. 84). | |
dc.language.iso | en | |
dc.title | 鑑識分析之針對慢速攻擊之偵測與來源鑑定 | zh_TW |
dc.title | On the Detection and Origin Identification of Slow-Paced Attacks in Forensic Investigation | en |
dc.type | Thesis | |
dc.date.schoolyear | 101-2 | |
dc.description.degree | Doctoral (PhD) | |
dc.contributor.coadvisor | 陳孟彰(Meng-Chang Chen) | |
dc.contributor.oralexamcommittee | 楊竹星(Chu-Sing Yang),吳曉光(Hsiao-kuang Wu),周立德(Li-Der Chou),林宗男(Tsungnan Lin),周承復(Cheng-Fu Chou) | |
dc.subject.keyword | 入侵偵測,網路鑑識,資料縮減,自動散佈攻擊,慢速攻擊,時間序列頻譜分析, | zh_TW |
dc.subject.keyword | Intrusion detection,Network forensics,Data reduction, Self-propagating attack,Slow-paced attack,Time series spectrum analysis, | en |
dc.relation.page | 85 | |
dc.rights.note | Licensed for a fee | |
dc.date.accepted | 2013-08-16 | |
dc.contributor.author-college | College of Electrical Engineering and Computer Science | zh_TW |
dc.contributor.author-dept | Graduate Institute of Electrical Engineering | zh_TW |
Appears in Collections: Department of Electrical Engineering
Files in This Item:
File | Size | Format | |
---|---|---|---|
ntu-102-1.pdf (currently not authorized for public access) | 5.62 MB | Adobe PDF | |
Items in this system are protected by copyright, with all rights reserved, unless otherwise indicated in their own license terms.