Please use this Handle URI to cite this item:
http://tdr.lib.ntu.edu.tw/jspui/handle/123456789/63611
Full metadata record
DC field | Value | Language |
---|---|---|
dc.contributor.advisor | 王勝德(Sheng-De Wang) | |
dc.contributor.author | Hao-Tsung Lin | en |
dc.contributor.author | 林顥宗 | zh_TW |
dc.date.accessioned | 2021-06-16T17:14:47Z | - |
dc.date.available | 2014-08-20 | |
dc.date.copyright | 2012-08-20 | |
dc.date.issued | 2012 | |
dc.date.submitted | 2012-08-20 | |
dc.identifier.citation | [1] V. Paxson, "Bro: a system for detecting network intruders in real-time," Computer Networks, pp. 2435-2463, 1999.
[2] M. Roesch, "Snort – lightweight intrusion detection for networks," in Proceedings of the 13th Systems Administration Conference (LISA 1999), Seattle, Washington, USA, 1999.
[3] "NetworkMiner," http://networkminer.wiki.sourceforge.net/NetworkMiner
[4] "Wireshark," http://www.wireshark.org
[5] W. Ren and H. Jin, "Distributed Agent-based Real-time Network Intrusion Forensics System Architecture Design," in Proceedings of the 19th International Conference on Advanced Information Networking and Applications, New York, 2005, pp. 177-182.
[6] L. Chen, Z. Li, C. Gao, and L. Liu, "Dynamic Forensics based on Intrusion Tolerance," in Proceedings of the IEEE International Symposium on Parallel and Distributed Processing with Applications, 2009, pp. 469-473.
[7] J. O. Nehinbe, "Log analyzer for network forensics and incident reporting," in 2010 International Conference on Intelligent Systems, Modeling and Simulation, 2010, pp. 356-361.
[8] F. Raynal, Y. Berthier, P. Biondi, and D. Kaminsky, "Honeypot forensics part 1: analyzing the network," IEEE Security & Privacy, vol. 2, pp. 72-78, August 2004.
[9] T. Bass, "Intrusion detection systems and multisensor data fusion," Communications of the ACM, vol. 43, pp. 99-105, April 2000.
[10] F. Cuppens, "Managing alerts in a multi-intrusion detection environment," in Proceedings of the 17th Annual Computer Security Applications Conference (ACSAC), New Orleans, 2001.
[11] A. Valdes and K. Skinner, "Probabilistic Alert Correlation," in Proceedings of the 4th International Symposium on Recent Advances in Intrusion Detection (RAID 2001), 2001, pp. 54-68.
[12] H. Debar and A. Wespi, "Aggregation and correlation of intrusion-detection alerts," in Proceedings of the 4th International Symposium on Recent Advances in Intrusion Detection (RAID 2001), 2001, pp. 85-103.
[13] B. Morin and H. Debar, "Correlation of intrusion symptoms: an application of chronicles," in Proceedings of the 6th International Conference on Recent Advances in Intrusion Detection (RAID 2003), 2003.
[14] B. Morin, L. Mé, H. Debar, and M. Ducassé, "M2D2: A Formal Data Model for IDS Alert Correlation," in Proceedings of the 5th International Symposium on Recent Advances in Intrusion Detection (RAID 2002), Zurich, Switzerland, 2002, pp. 115-137.
[15] F. Cuppens and A. Miège, "Alert correlation in a cooperative intrusion detection framework," in Proceedings of the 2002 IEEE Symposium on Security and Privacy, Berkeley, California, USA, 2002.
[16] P. Ning and D. Xu, "Learning Attack Strategies from Intrusion Alerts," in Proceedings of the 10th ACM Conference on Computer and Communications Security, New York, 2003, pp. 200-209.
[17] S. R. Snapp, J. Brentano, G. V. Dias, T. L. Goan, L. T. Heberlein, C.-L. Ho, K. N. Levitt, B. Mukherjee, S. E. Smaha, T. Grance, D. M. Teal, and D. Mansur, "DIDS (Distributed Intrusion Detection System) - Motivation, Architecture, and an Early Prototype," in Proceedings of the 14th National Computer Security Conference, 1991, pp. 167-176.
[18] D. L. Hancock and G. Lamont, "Multi agent system for network attack classification using flow-based intrusion detection," in Proceedings of the 2011 IEEE Congress on Evolutionary Computation (CEC), 2011, pp. 1535-1542.
[19] Y. Zhu, "Attack Pattern Discovery in Forensic Investigation of Network Attacks," IEEE Journal on Selected Areas in Communications, vol. 29, August 2011.
[20] B. Kordy, S. Mauw, S. Radomirović, and P. Schweitzer, "Foundations of attack-defense trees," in Proceedings of the 7th Workshop on Formal Aspects in Security and Trust, Springer, Heidelberg, 2010, pp. 80-95.
[21] E. S. Pilli, R. C. Joshi, and R. Niyogi, "Data reduction by identification and correlation of TCP/IP attack attributes for network forensics," in Proceedings of the International Conference & Workshop on Emerging Trends in Technology (ICWET), 2011.
[22] A. Li, L. Gu, and K. Xu, "Fast anomaly detection for large data centers," in Proceedings of the IEEE Global Communications Conference (GLOBECOM 2010), 2010.
[23] Yahoo! Research and Academic Relations, "G4: Yahoo! network flows data 1.0," http://research.yahoo.com/Academic_Relations
[24] MIT Lincoln Laboratory, "2000 DARPA intrusion detection scenario specific datasets," http://www.ll.mit.edu/IST/ideval/data/2000/2000_data_index.html
[25] Forensics Challenge Network Trace, jhuisi-capture-1.pcap.bz2, DFRWS 2009, http://www.dfrws.org/2009/challenge/imgs/
[26] W. S. van Dongen and A. van Hoof, "Digital Forensics Research Workshop Challenge 2009," 2009. Available: http://www.dfrws.org/2009/challenge/vandongen_vanhoof.pdf | |
dc.identifier.uri | http://tdr.lib.ntu.edu.tw/jspui/handle/123456789/63611 | - |
dc.description.abstract | To obtain evidence of network crimes, the discipline of network forensics has received growing attention. Most current network forensic methods rely on manual post-mortem analysis, which is especially time-consuming in cloud environments carrying massive network traffic; automating network forensics is therefore an essential task. In this thesis we propose a dynamic network forensics system for cloud environments that, when an attack occurs, collects as much evidence as possible in the shortest time. We use the signature-based intrusion detection system Snort as the tool that monitors network activity, and we propose a two-phase analysis method that analyses the network data according to the intrusion alerts. The goals of the thesis include collecting relevant evidence dynamically, attempting to find attacks that a signature-based IDS does not detect, and reducing the data volume to save storage space. In the experiments we test the system with well-known data sets and show how the analysis results differ under different IDS configurations. The results show that our analysis method extracts relevant evidence efficiently and, compared with related work, saves more storage space. | zh_TW |
dc.description.abstract | To obtain evidence against network criminals, network forensics techniques have become increasingly important. Current network forensic approaches are primarily static, post-mortem investigations, which are time-consuming with massive network traffic, especially in cloud environments. The automation of network forensics is therefore an essential task. In this thesis we propose a dynamic network forensics system for cloud environments that gathers evidence as soon as possible after an attack. We use the popular signature-based Intrusion Detection System (IDS) Snort as the network forensic tool that monitors network activity, and we propose a two-phase analysis approach that automatically analyses the network data based on the intrusion alerts. In brief, the objectives of our approach are to collect relevant evidence dynamically, to try to discover the attacks missed by the signature-based IDS, and to reduce the storage required to keep the evidence. In experiments with well-known data sets, we also analyse and present the performance of our approach under different IDS configurations. The experimental results show that our analysis approach can automatically extract relevant evidence and save more storage space. | en |
dc.description.provenance | Made available in DSpace on 2021-06-16T17:14:47Z (GMT). No. of bitstreams: 1 ntu-101-R99921071-1.pdf: 1290550 bytes, checksum: d0c23d4191940ac78a9dcf16de869db8 (MD5) Previous issue date: 2012 | en |
dc.description.tableofcontents | Thesis Committee Approval i
Acknowledgements ii
Abstract (Chinese) iii
Abstract iv
Chapter 1 Introduction 1
1.1 Network Forensics 1
1.2 Distributed Agent-based Framework for Cloud 3
1.3 Contributions 4
1.4 Thesis Organization 5
Chapter 2 Related Work 6
2.1 Dynamic Forensics 6
2.2 IDS and Alert Correlation 7
2.3 Distributed Agent-based Framework 8
Chapter 3 System Architecture 10
3.1 Client-VM 10
3.2 Forensic Server 11
Chapter 4 Design of Forensics 13
4.1 First Phase of Analysis 13
4.1.1 Attack-Defense Graph 13
4.1.2 Classification and Correlation 17
4.2 Second Phase of Analysis 20
4.2.1 Single-event Analysis 20
4.2.2 Threshold Analysis 23
Chapter 5 Experiments 27
5.1 Experiment with DARPA 2000 27
5.1.1 Scenarios 27
5.1.2 Experimental Results 30
5.2 Experiment with DFRWS 2009 Forensics Challenge 37
5.2.1 Scenarios 37
5.2.2 Experimental Results 38
Chapter 6 Conclusions & Future Work 41
References 43 | |
dc.language.iso | en | |
dc.title | A Dynamic Network Forensic Analysis System Based on Intrusion Alert Correlation for Cloud Environments | zh_TW |
dc.title | A Dynamic Network Forensic Analysis System based on Intrusion Alert Correlation for Cloud Environments | en |
dc.type | Thesis | |
dc.date.schoolyear | 100-2 | |
dc.description.degree | Master's | |
dc.contributor.oralexamcommittee | 雷欽隆(Chin-Laung Lei),羅乃維(Nai-Wei Lo) | |
dc.subject.keyword | Network Forensics, Intrusion Detection, Alert Correlation | zh_TW |
dc.subject.keyword | Network Forensics, Intrusion Detection, Alert Correlation | en |
dc.relation.page | 44 | |
dc.rights.note | Licensed (fee-based) | |
dc.date.accepted | 2012-08-20 | |
dc.contributor.author-college | College of Electrical Engineering and Computer Science | zh_TW |
dc.contributor.author-dept | Graduate Institute of Electrical Engineering | zh_TW |
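The two-phase, alert-driven analysis summarized in the abstract (correlate Snort alerts first, then keep only the network data tied to a correlated incident) can be illustrated with the following Python. This is an added example and not code from the thesis: it parses Snort's fast-format alert lines, groups alerts that share attacker and victim within a time window into incidents, then filters a set of flow records down to those that join an incident's endpoints inside its time span, and reports how much storage the cut saves. The alert lines, the flow records, the 300 s correlation window, the 60 s evidence margin and the priority cut-off are all constructed for the example; the thesis's own correlation rules and thresholds may differ.

```python
"""Alert-driven evidence selection: correlate Snort alerts, keep only related flows.

Added example (not the thesis's own code). Alert lines, flow records and all
thresholds below are constructed for illustration.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed Snort "fast" alert output: one attacker probing, then exploiting,
# one victim, plus an unrelated low-priority ICMP alert.
SNORT_FAST_ALERTS = """\
08/20-10:00:01.000000  [**] [1:1000001:1] SCAN probe [**] [Priority: 3] {TCP} 10.0.0.5:40000 -> 192.168.1.10:22
08/20-10:00:02.500000  [**] [1:1000001:1] SCAN probe [**] [Priority: 3] {TCP} 10.0.0.5:40001 -> 192.168.1.10:80
08/20-10:00:40.000000  [**] [1:1000002:1] EXPLOIT attempt [**] [Classification: Attempted Admin] [Priority: 1] {TCP} 10.0.0.5:40100 -> 192.168.1.10:80
08/20-10:30:00.000000  [**] [1:1000003:1] POLICY ping [**] [Priority: 3] {ICMP} 10.0.0.9 -> 192.168.1.20
"""

# Snort fast format: MM/DD-HH:MM:SS.ffffff [**] [gid:sid:rev] msg [**] [Classification: ...] [Priority: n] {PROTO} src[:port] -> dst[:port]
FAST_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+\[(?P<sid>[\d:]+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r"(?:\s+\[Classification: [^\]]*\])?\s+\[Priority: (?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::\d+)?\s+->\s+(?P<dst>[\d.]+)(?::\d+)?$"
)
# The fast format carries no year; every stamp parses to year 1900, which is
# fine for ordering and time differences within one log.
TS_FMT = "%m/%d-%H:%M:%S.%f"


@dataclass
class Alert:
    ts: datetime
    sid: str
    msg: str
    prio: int      # Snort priority: 1 is the most severe
    proto: str
    src: str
    dst: str


def parse_fast_alerts(text):
    """Parse Snort fast-format lines; lines that do not match are skipped, not guessed."""
    alerts = []
    for line in text.splitlines():
        m = FAST_RE.match(line.strip())
        if m:
            alerts.append(Alert(datetime.strptime(m["ts"], TS_FMT), m["sid"], m["msg"],
                                int(m["prio"]), m["proto"], m["src"], m["dst"]))
    return alerts


@dataclass
class Incident:
    src: str
    dst: str
    alerts: list

    @property
    def start(self): return min(a.ts for a in self.alerts)
    @property
    def end(self): return max(a.ts for a in self.alerts)
    @property
    def priority(self): return min(a.prio for a in self.alerts)   # most severe alert wins


def correlate(alerts, window_s=300):
    """Phase 1: merge alerts with the same attacker and victim into one incident
    when each arrives within window_s of the incident's latest alert."""
    incidents = []
    for a in sorted(alerts, key=lambda x: x.ts):
        for inc in incidents:
            if (inc.src, inc.dst) == (a.src, a.dst) and (a.ts - inc.end).total_seconds() <= window_s:
                inc.alerts.append(a)
                break
        else:
            incidents.append(Incident(a.src, a.dst, [a]))
    return incidents


# Constructed flow records: (timestamp, proto, src, dst, bytes)
FLOWS = [
    ("08/20-09:59:30.000000", "TCP", "10.0.0.5", "192.168.1.10", 120),    # shortly before the first alert
    ("08/20-10:00:01.000000", "TCP", "10.0.0.5", "192.168.1.10", 60),
    ("08/20-10:00:40.000000", "TCP", "10.0.0.5", "192.168.1.10", 8000),   # the exploit itself
    ("08/20-10:01:00.000000", "TCP", "192.168.1.10", "10.0.0.5", 4000),   # victim's reply traffic
    ("08/20-10:05:00.000000", "TCP", "10.0.0.7", "192.168.1.10", 500),    # unrelated host
    ("08/20-12:00:00.000000", "TCP", "10.0.0.5", "192.168.1.10", 300),    # same pair, hours later
    ("08/20-10:30:00.000000", "ICMP", "10.0.0.9", "192.168.1.20", 64),    # matches the low-priority ping
]


def select_evidence(flows, incidents, margin_s=60, max_priority=3):
    """Phase 2: keep a flow only if it joins the endpoints of an incident at least as
    severe as max_priority (numerically <=) and lies within [start - margin, end + margin].
    Direction is ignored so the victim's replies are retained too."""
    margin = timedelta(seconds=margin_s)
    kept = []
    for rec in flows:
        ts, _proto, src, dst, _nbytes = rec
        t = datetime.strptime(ts, TS_FMT)
        for inc in incidents:
            if inc.priority > max_priority:
                continue
            if {src, dst} == {inc.src, inc.dst} and inc.start - margin <= t <= inc.end + margin:
                kept.append(rec)
                break
    return kept


def storage_saving(flows, kept):
    """Fraction of flow bytes that need not be stored as evidence."""
    total = sum(f[4] for f in flows)
    return 1 - sum(f[4] for f in kept) / total


if __name__ == "__main__":
    incs = correlate(parse_fast_alerts(SNORT_FAST_ALERTS))
    for inc in incs:
        print(f"{inc.src} -> {inc.dst}: {len(inc.alerts)} alerts, priority {inc.priority}, "
              f"{inc.start.time()}..{inc.end.time()}")
    kept = select_evidence(FLOWS, incs)
    print(f"kept {len(kept)}/{len(FLOWS)} flows, saving {storage_saving(FLOWS, kept):.1%} of bytes")
```

With the constructed input the three alerts from 10.0.0.5 collapse into one priority-1 incident and the ICMP alert forms a second, priority-3 one; five of the seven flows are retained. Raising the bar to `max_priority=1` drops the ping incident and its flow, which is the knob the abstract's "different IDS configurations" comparison turns: a stricter alert set keeps less, at the risk of discarding evidence of attacks the signatures never flagged.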
Appears in Collections: | Department of Electrical Engineering |
Files in this item:
File | Size | Format | |
---|---|---|---|
ntu-101-1.pdf (currently not authorized for public access) | 1.26 MB | Adobe PDF |
All items in the repository are protected by copyright, with all rights reserved, unless otherwise indicated.