於雲端環境下考量誘捕系統抵禦協同攻擊以最大化網路存活度之研究

I-Tang Chang; 張怡棠

請用此 Handle URI 來引用此文件： http://tdr.lib.ntu.edu.tw/jspui/handle/123456789/55974

完整後設資料紀錄

DC 欄位	值	語言
dc.contributor.advisor	林永松(Yeong-Sung Lin)
dc.contributor.author	I-Tang Chang	en
dc.contributor.author	張怡棠	zh_TW
dc.date.accessioned	2021-06-16T05:12:03Z	-
dc.date.available	2014-08-25
dc.date.copyright	2014-08-25
dc.date.issued	2014
dc.date.submitted	2014-08-18
dc.identifier.citation	[1] Symantec (2013). Internet Security Threat Report, 2012 Trends, Volume 18. California. [2] IBM Internet Security Systems X-Force research and development team (2013, March). IBM X-Force 2012 Trend and Risk Report. New York. [3] Australia’s National Computer Emergency Response Team (2012). CYBER CRIME & SECURITY SURVEY REPORT 2012. Australia. [4] Yu, S., Doss, R., Zhou, W., & Guo, S. (2013, June). A general cloud firewall framework with dynamic resource allocation. In Communications (ICC), 2013 IEEE International Conference on, pp. 1941-1945. [5] Xing, T., Huang, D., Xu, L., Chung, C. J., & Khatkar, P. (2013, March). SnortFlow: A OpenFlow-Based Intrusion Prevention System in Cloud Environment. In Research and Educational Experiment Workshop (GREE), 2013 Second GENI (pp. 89-92). [6] Yang, L., Zhang, T., Song, J., Wang, J. S., & Chen, P. (2012, May). Defense of DDoS attack for cloud computing. In Computer Science and Automation Engineering (CSAE), 2012 IEEE International Conference on (Vol. 2, pp. 626-629). [7] Kumar, N., & Sharma, S. (2013, July). Study of intrusion detection system for DDoS attacks in cloud computing. In Wireless and Optical Communications Networks (WOCN), 2013 Tenth International Conference on (pp. 1-5). [8] Deutsch, M. S., & Willis, R. R. (1988). Software quality engineering: a total technical and management approach. Prentice-Hall, Inc.. [9] Zolfaghari, A., & Kaudel, F. J. (1994). Framework for network survivability performance. Selected Areas in Communications, IEEE Journal on, 12(1), 46-51. [10] Shi, J., & Fonseka, J. P. (1995, November). Traffic-based survivability analysis of telecommunications networks. In Global Telecommunications Conference, 1995. GLOBECOM'95., IEEE (Vol. 2, pp. 936-940). [11] Wilson, M. R. (1998). The quantitative impact of survivable network architectures on service availability. Communications Magazine, IEEE, 36(5), 122-126. [12] Moitra, S. D., & Konda, S. L. (2000). A simulation model for managing survivability of networked information systems (No. CMU/SEI-2000-TR-021). CARNEGIE-MELLON UNIV PITTSBURGH PA SOFTWARE ENGINEERING INST. [13] Westmark, V. R. (2004, January). A definition for information system survivability. In System Sciences, 2004. Proceedings of the 37th Annual Hawaii International Conference on (pp. 10-pp). [14] Al-Zahrani, F. A. (2006, April). Survivability performance evaluation of slotted multi-fiber optical packet switching networks with and without wavelength conversion. In Information and Communication Technologies, 2006. ICTTA'06. 2nd (Vol. 2, pp. 2242-2247). [15] Zhang, L. J., Wang, W., Guo, L., Yang, W., & Yang, Y. T. (2007, August). A survivability quantitative analysis model for network system based on attack graph. In Machine Learning and Cybernetics, 2007 International Conference on (Vol. 6, pp. 3211-3216). [16] Qian, Y., Lu, K., & Tipper, D. (2007). A design for secure and survivable wireless sensor networks. Wireless Communications, IEEE, 14(5), 30-37. [17] Ma, Z. (2008, March). Survival analysis approach to reliability, survivability and prognostics and health management (phm). In Aerospace Conference, 2008 IEEE (pp. 1-20). [18] Xu, S. (2009). Collaborative attack vs. collaborative defense. In Collaborative Computing: Networking, Applications and Worksharing (pp. 217-228). Springer Berlin Heidelberg. [19] Braynov, S., & Jadliwala, M. (2003, October). Representation and analysis of coordinated attacks. In Proceedings of the 2003 ACM workshop on Formal methods in security engineering (pp. 43-51). [20] Wood, T., Gerber, A., Ramakrishnan, K. K., Shenoy, P., & Van der Merwe, J. (2009). The case for enterprise-ready virtual private clouds. Usenix HotCloud. [21] Wu, X., & Wang, D. (2012, June). On-Demand VPC Topology Construction for Virtual Perimeter Defense in Public Clouds. In Distributed Computing Systems Workshops (ICDCSW), 2012 32nd International Conference on (pp. 427-435). [22] Spitzner, L. (2003). Honeypots: tracking hackers (Vol. 1). Reading: Addison-Wesley. [23] Provos, N. (2004, August). A Virtual Honeypot Framework. In USENIX Security Symposium (Vol. 173). [24] Kuwatly, I., Sraj, M., Al Masri, Z., & Artail, H. (2004, July). A dynamic honeypot design for intrusion detection. In Pervasive Services, 2004. ICPS 2004. IEEE/ACS International Conference on (pp. 95-104). [25] Sardana, A., & Joshi, R. C. (2008, December). Autonomous dynamic honeypot routing mechanism for mitigating DDoS attacks in DMZ. In Networks, 2008. ICON 2008. 16th IEEE International Conference on (pp. 1-7). [26] Carr, J. (2011). Inside cyber warfare: Mapping the cyber underworld. O'Reilly. [27] Fan, G., Yu, H., Chen, L., & Liu, D. (2013, June). A Game Theoretic Method to Model and Evaluate Attack-Defense Strategy in Cloud Computing. In Services Computing (SCC), 2013 IEEE International Conference on (pp. 659-666). [28] Wang, Q., & Jin, H. (2011, June). Data leakage mitigation for discretionary access control in collaboration clouds. In Proceedings of the 16th ACM symposium on Access control models and technologies (pp. 103-112). [29] Grobauer, B., Walloschek, T., & Stocker, E. (2011). Understanding cloud computing vulnerabilities. Security & Privacy, IEEE, 9(2), 50-57. [30] Subashini, S., & Kavitha, V. (2011). A survey on security issues in service delivery models of cloud computing. Journal of Network and Computer Applications, 34(1), 1-11. [31] Biedermann, S., Mink, M., & Katzenbeisser, S. (2012, October). Fast dynamic extracted honeypots in cloud computing. In Proceedings of the 2012 ACM Workshop on Cloud computing security workshop (pp. 13-18). [32] Fandel, G., Giese, A., & Mohn, B. (2012). Measuring synergy effects of a Public Social Private Partnership (PSPP) project. International Journal of Production Economics, 140(2), 815-824. [33] Cohen, R., Katzir, L., & Raz, D. (2006). An efficient approximation for the generalized assignment problem. Information Processing Letters, 100(4), 162-166. [34]Dantzig, G. B. (1957). Discrete-variable extremum problems. Operations research, 5(2), 266-288. [35] Hwang, F. K., Richards, D. S., & Winter, P. (1992). The Steiner tree problem. Elsevier. [36] Kou, L., Markowsky, G., & Berman, L. (1981). A fast algorithm for Steiner trees. Acta informatica, 15(2), 141-145 [37] Tannous, O., Xing, L., Rui, P., Xie, M., & Ng, S. H. (2011, December). Redundancy allocation for series-parallel warm-standby systems. In Industrial Engineering and Engineering Management (IEEM), 2011 IEEE International Conference on (pp. 1261-1265). [38] Skaperdas, S. (1996). Contest success functions. Economic Theory, 7(2), 283-290. [39] Peng, R., Levitin, G., Xie, M., & Ng, S. H. (2010). Optimal defence of single object with imperfect false targets. Journal of the Operational Research Society,62(1), 134-141. [40] Hausken, K., & Levitin, G. (2008). Efficiency of even separation of parallel elements with variable contest intensity. Risk Analysis, 28(5), 1477-1486. [41] Cobb, C. W., & Douglas, P. H. (1928). A theory of production. The American Economic Review, 18(1), 139-165.
dc.identifier.uri	http://tdr.lib.ntu.edu.tw/jspui/handle/123456789/55974	-
dc.description.abstract	近年來，由於許多資訊技術例如光纖網路、虛擬化技術與分散式運算等之快速發展，許多概念相繼被提出，雲端運算便是其中之一。因為雲端環境的特色，使用者可以依自己所需使用各式各樣不同且有彈性的服務，此特色省去了使用者在IT設備採購與維護的費用，同時吸引了許多企業選擇將其服務架構建置在雲端基礎建設之上。然而，仍然存在著一些惡意的駭客想要透過攻擊這些企業提供的服務來獲取非法的利益。除此之外，他們通常會集結成群發動所謂的協同攻擊。因此像是資料外洩以及網路服務中斷之類的資安事故層出不窮，同時也變成了服務提供商的夢靨。所幸網路防禦的工具發展至今也相當的成熟，這也代表著防禦者有更多的防禦措施可供選擇以保護服務不受外在威脅，誘捕系統便是其中之一。顧名思義，誘捕系統是一種佈署在網路上的防禦機制，其創造一個誘餌來吸引、偵測、誘導、監控、捕捉攻擊者，它能夠作為真正提供服務的實體之替身，並不含任何重要資訊。特別在雲端環境之下，誘捕系統能夠被更加有效率且更動態的應用。在本研究中，我們將會著重在幫助防禦方以最有效率的方式分配像是誘捕系統等防禦資源來抵抗外在的攻擊。研究問題會以數學模型呈現。此外由於我們問題中攻防策略內含有高度的不確定性，我們使用Monte Carlo simulation 來模擬出結果。最後我們會找出在攻方使用最佳策略下防禦者最好的防禦資源配置方式。	zh_TW
dc.description.abstract	Due to the flourish development of information technologies such as fiber-network, virtualization technologies and distributed computing in recent years, lots of new concepts are proposed, and one of them is cloud computing. According to the features of the cloud environment, users can subscribe different kinds of flexible and scalable services on demand without IT infrastructure establishing expenses as well as maintenance expenses, which attracts many enterprises to build their IT environment through the cloud platform. However, there are always some malicious hackers trying to get illegal profits from compromising services provided by enterprises; moreover, they usually group together to launch such a wave of collaborative attack. Hence, such as data breach and service disruption incidents take place frequently and become the nightmare of the service provider. On the other hand, the development of network defense tools also gets fully-fledged nowadays, which represents that the defender have more defense alternatives to protect the network from external threats. The honeypot is a representative one. As the name suggests, the honeypot is a defense mechanism used to create a decoy to attract, detect, deflect, monitor, and trap attackers, which can serve as a body stunt of the real service without important information. Especially in the cloud environment, honeypots can be leveraged more dynamically and efficiently. In this thesis, we focus on helping the defender to allocate defense resource such as honeypots in the most efficient way against external attacks. Our scenario is depicted by mathematical programming, and Monte Carlo simulation is applied to solve the problem because of the non-deterministic property of attack-defense strategies in our problem. The ultimate goal is to figure out the optimal defense strategy against the best attack strategy, which is also the defender’s worst case.	en
dc.description.provenance	Made available in DSpace on 2021-06-16T05:12:03Z (GMT). No. of bitstreams: 1 ntu-103-R01725047-1.pdf: 6079107 bytes, checksum: a4aff51b45a34e8f3bd08f273a976044 (MD5) Previous issue date: 2014	en
dc.description.tableofcontents	Table of Contents 致謝 I Thesis Abstract II 論文摘要 IV List of Figures VIII List of Tables IX Chapter 1 Introduction 1 1.1 Background 1 1.2 Motivation 5 1.3 Literature Survey 7 1.3.1 Survivability 7 1.3.2 Collaborative Attack 9 1.3.3 Topology Oriented Virtual Private Cloud 10 1.3.4 Honeypots 11 1.3.5 Cloud Warfare 13 1.4 Thesis Organization 14 Chapter 2 Problem Formulation 15 2.1 Problem Description 15 2.1.1 Honeypots 15 2.1.2 Attacker Perspective 16 2.1.3 Attack Algorithm 24 2.1.4 Attacker Optimization 28 2.1.5 Defender Perspective 33 2.2 Attack-Defense Scenarios 39 2.2.1 Contest Success Function 39 2.2.2 The View of the Network 41 2.3 Mathematical Formulation 50 Chapter 3 Solution Approach 57 3.1 Mathematical Programming 57 3.2 Monte Carlo Simulation 57 3.3 Problem Evaluation Process 58 3.4 Policy Enhancement 62 3.4.1 Commander Enhancement 62 3.4.2 Defender Enhancement 63 Chapter 4 Computational Experiment 69 4.1 Experiment environment 69 4.2 Simulation Result 71 4.2.1 Convergence Evaluation Times 71 4.2.2 Topology robustness 72 4.2.3 Attack strategy analysis 73 4.3 Enhancement results 76 Chapter 5 Conclusion and Future Work 79 Reference 81
dc.language.iso	en
dc.subject	協同攻擊	zh_TW
dc.subject	網路存活度	zh_TW
dc.subject	雲端運算	zh_TW
dc.subject	誘捕系統	zh_TW
dc.subject	最佳化	zh_TW
dc.subject	資源分配	zh_TW
dc.subject	數學規劃法	zh_TW
dc.subject	蒙地卡羅法	zh_TW
dc.subject	Honeypots	en
dc.subject	Mathematical Programming	en
dc.subject	Resource Allocation	en
dc.subject	Collaborative Attack	en
dc.subject	Network Survivability	en
dc.subject	Optimization	en
dc.subject	Cloud Computing	en
dc.subject	Monte Carlo Simulation	en
dc.title	於雲端環境下考量誘捕系統抵禦協同攻擊以最大化網路存活度之研究	zh_TW
dc.title	Maximization of Network Survivability with Honeypots against Collaborative Attacks in Cloud Environments	en
dc.type	Thesis
dc.date.schoolyear	102-2
dc.description.degree	碩士
dc.contributor.oralexamcommittee	鍾順平,林盈達,呂俊賢
dc.subject.keyword	協同攻擊,網路存活度,雲端運算,誘捕系統,最佳化,資源分配,數學規劃法,蒙地卡羅法,	zh_TW
dc.subject.keyword	Collaborative Attack,Network Survivability,Cloud Computing,Honeypots,Optimization,Resource Allocation,Mathematical Programming,Monte Carlo Simulation,	en
dc.relation.page	86
dc.rights.note	有償授權
dc.date.accepted	2014-08-19
dc.contributor.author-college	管理學院	zh_TW
dc.contributor.author-dept	資訊管理學研究所	zh_TW
顯示於系所單位：	資訊管理學系

文件中的檔案：

檔案	大小	格式
ntu-103-1.pdf 未授權公開取用	5.94 MB	Adobe PDF

顯示文件簡單紀錄

系統中的文件，除了特別指名其著作權條款之外，均受到著作權保護，並且保留所有的權利。