一個基於監測網路通訊協定執行行為的入侵偵測系統

Abstract

網際網路(Internet)的普及，一方面使得人們的生活更加多元及便利，另一方面則出現了不少網路攻擊，如電腦蠕蟲的攻擊，常常造成巨大的影響及損失。此外，隨著網路攻擊的手法愈來愈複雜，傳統的偵測方法，如比對封包內容的特徵或是觀察網路traffic pattern的變化，已經無法有效地偵測網路攻擊。 電腦蠕蟲之所以能夠造成如此大的破壞及影響，主要是因為其自動攻擊以及散布的特性，蠕蟲通常會攻擊帶有弱點的提供網路服務的程式，在攻擊成功後，該程式往往會產生嚴重錯誤，並且無法繼續提供正常的服務，因此，我們認為藉由監測網路通訊協定的執行行為，可以偵測是否有網路攻擊發生。 我們先藉由真實網路中的traffic trace找出描述該通訊協定正常執行行為的model，利用該model可以區分出哪些行為與正常行為有所差異。本系統會監控每個使用通訊協定的行為，並且與代表正常執行行為的model作比較，若該行為與正常行為有所差異，則判斷該行為為網路攻擊。 最後，根據我們的實驗結果，我們相信這樣的機制可以有效的偵測以提供網路服務程式的弱點為目標的網路攻擊。

As Internet becomes more and more popular, it makes our life more colorful and convenient. In the other hand, more and more attacks happened on the Internet. Attacks by computer worms often make enormous impacts and damages. Besides, as attacks become more sophisticated, traditional intrusion detection approaches, like payload signature matching and network traffic pattern monitoring are not sufficient to detect new attacks. Computer worms made huge impact and damage due to its auto-attacking and spreading characteristic. Worms often attack vulnerable programs of network services. After the success of attack, it usually makes the program erroneous and cannot provide service anymore. Therefore, we believe that we can detect network intrusions by monitoring network protocol execution behaviors. We construct a model which describes normal execution behaviors of the protocol, and we can distinguish that if a behavior deviates from normal behaviors. Then, we analyze the reason of those deviated behaviors, and determine if they are anomaly. Our system will monitor every protocol execution behaviors and use the normal model to distinguish if they are deviated. If a behavior is deviated, it will be marked as an intrusion. Based on our experiment results, we believe that our system can effectively detect network intrusions that exploit vulnerabilities of network service programs.