Please use this Handle URI to cite this item: http://tdr.lib.ntu.edu.tw/jspui/handle/123456789/45489

Full metadata record
| DC field | Value | Language |
|---|---|---|
| dc.contributor.advisor | 孫雅麗(Yeali S. Sun) | |
| dc.contributor.author | Chang-Huan Wu | en |
| dc.contributor.author | 吳昌桓 | zh_TW |
| dc.date.accessioned | 2021-06-15T04:23:03Z | - |
| dc.date.available | 2009-10-05 | |
| dc.date.copyright | 2009-10-05 | |
| dc.date.issued | 2009 | |
| dc.date.submitted | 2009-09-30 | |
| dc.identifier.uri | http://tdr.lib.ntu.edu.tw/jspui/handle/123456789/45489 | - |
| dc.description.abstract | As the Internet has become widespread, it has made people's lives more diverse and convenient; at the same time, many network attacks have appeared, such as computer worm attacks, which often cause enormous impact and losses. Moreover, as attack techniques become increasingly sophisticated, traditional detection methods, such as matching signatures in packet payloads or observing changes in network traffic patterns, can no longer detect network attacks effectively.<br>Computer worms can cause such great damage and impact mainly because of their automatic attacking and spreading characteristics. Worms usually attack vulnerable programs that provide network services; after a successful attack, the program often fails with a serious error and can no longer provide normal service. Therefore, we believe that network attacks can be detected by monitoring the execution behavior of network protocols. We first use traffic traces from a real network to derive a model describing the normal execution behavior of the protocol; with this model we can distinguish which behaviors differ from normal behavior. The system monitors every execution of the protocol and compares it with the model of normal execution behavior; if the behavior differs from normal behavior, it is judged to be a network attack. Finally, based on our experimental results, we believe this mechanism can effectively detect network attacks that target vulnerabilities in programs providing network services. | zh_TW |
| dc.description.abstract | As the Internet becomes more and more popular, it makes our lives more colorful and convenient. On the other hand, more and more attacks happen on the Internet. Attacks by computer worms often cause enormous impact and damage. Moreover, as attacks become more sophisticated, traditional intrusion detection approaches, such as payload signature matching and network traffic pattern monitoring, are not sufficient to detect new attacks.<br>Computer worms cause huge impact and damage because of their auto-attacking and spreading characteristics. Worms often attack vulnerable network service programs. After a successful attack, the program usually becomes erroneous and can no longer provide its service. Therefore, we believe that we can detect network intrusions by monitoring network protocol execution behaviors. We construct a model that describes the normal execution behaviors of the protocol, with which we can tell whether a behavior deviates from normal behavior. We then analyze the reason for those deviating behaviors and determine whether they are anomalies. Our system monitors every protocol execution behavior and uses the normal model to decide whether it deviates. If a behavior deviates, it is marked as an intrusion. Based on our experimental results, we believe that our system can effectively detect network intrusions that exploit vulnerabilities in network service programs. | en |
| dc.description.provenance | Made available in DSpace on 2021-06-15T04:23:03Z (GMT). No. of bitstreams: 1 ntu-98-R96725022-1.pdf: 790845 bytes, checksum: 8d07143e3974733e7edeb0b9ad45e6e5 (MD5) Previous issue date: 2009 | en |
| dc.description.tableofcontents | Thesis Abstract (Chinese) III<br>Thesis Abstract IV<br>1 Introduction 1<br>1.1 Research Background and Motivation 1<br>1.2 Research Objectives 2<br>1.3 Overview of the Method 2<br>1.4 Thesis Organization 4<br>2 Literature Review 5<br>3 Building a Model Describing the Normal Execution Behavior of a Protocol 8<br>3.1 Definitions 8<br>3.2 Building the Protocol FSM 9<br>3.3 Building the Normal Execution Behavior Patterns of the Protocol 15<br>3.3.1 Selecting Normal Behaviors 16<br>3.3.2 Clustering Normal Behaviors 17<br>3.3.3 Finding the Representative Behavior of Each Cluster 18<br>4 System Architecture 22<br>4.1 Identification module 23<br>4.2 Protocol model module 23<br>4.3 Flow / connection status module 23<br>5 Experimental Results 25<br>5.1 Experiment 1 25<br>5.1.1 Datasets Used 26<br>5.1.2 Normal Execution Behavior Patterns of TCP 26<br>5.1.3 Normal Execution Behavior Patterns of RPC 30<br>5.1.4 Normal Execution Behavior Patterns of HTTP 33<br>5.1.5 Blaster 38<br>5.1.6 CodeRed 39<br>5.1.7 CodeRed II 40<br>5.1.8 Sasser 41<br>5.1.9 Blaster (using polymorphism) 42<br>5.1.10 Blaster (stealthy) 42<br>5.1.11 Discussion 43<br>5.2 Experiment 2 43<br>6 Conclusion 45<br>References 46<br>Appendix 1 Brief Description of the PCA Procedure 48<br>Appendix 2 TCP State Vector Variable Mapping 49<br>Appendix 3 List of State Vectors in DTCP,normal 50<br>Appendix 4 RPC State Vector Variable Mapping 51<br>Appendix 5 HTTP State Vector Variable Mapping 52<br>Appendix 6 List of State Vectors in DHTTP,normal 53 | |
| dc.language.iso | zh-TW | |
| dc.subject | Model | zh_TW |
| dc.subject | Computer worm | zh_TW |
| dc.subject | Intrusion detection | zh_TW |
| dc.subject | Protocol | zh_TW |
| dc.subject | Finite state machine | zh_TW |
| dc.subject | protocol | en |
| dc.subject | model | en |
| dc.subject | Finite State Machine | en |
| dc.subject | Computer worm | en |
| dc.subject | intrusion detection | en |
| dc.title | An Intrusion Detection System Based on Monitoring Network Protocol Execution Behavior | zh_TW |
| dc.title | An Intrusion Detection System Based On Network Protocol Behavior Monitoring | en |
| dc.type | Thesis | |
| dc.date.schoolyear | 98-1 | |
| dc.description.degree | Master's | |
| dc.contributor.oralexamcommittee | 陳孟彰(Meng-Chang Chen), 林盈達(Ying-Dar Lin) | |
| dc.subject.keyword | Computer worm, intrusion detection, protocol, finite state machine, model | zh_TW |
| dc.subject.keyword | Computer worm, intrusion detection, protocol, Finite State Machine, model | en |
| dc.relation.page | 53 | |
| dc.rights.note | Licensed for a fee | |
| dc.date.accepted | 2009-09-30 | |
| dc.contributor.author-college | College of Management | zh_TW |
| dc.contributor.author-dept | Graduate Institute of Information Management | zh_TW |
| Appears in collections | Department of Information Management | |
Files in this item:
| File | Size | Format |
|---|---|---|
| ntu-98-1.pdf (restricted access, not publicly available) | 772.31 kB | Adobe PDF |
Items in the system are protected by copyright, with all rights reserved, unless otherwise indicated.
