Degree thesis

Intrusion Forecast and Identification for Multi-stage Attacks

Advisor: 鄭伯炤

Abstract


Current intrusion detection systems (IDS) can only detect single-step attacks; they cannot respond to the more complex multi-stage attack patterns. Whether a security administrator can find specific correlation patterns among security alerts and infer a multi-stage attack from them is therefore both important and highly challenging. This thesis proposes two algorithms, JEAN and GREENER, which together form an intrusion countermeasure strategy for multi-stage attacks. The first method, JEAN, takes the IDS security alerts already collected by existing network management and the attack session graphs (ASG) of various multi-stage attacks stored in a database, projects the observed alerts onto the stored graphs, and uses the resulting difference as the basis for forecasting the multi-stage attack. The algorithm is named "Judge Evaluation of Attack intensioN" (JEAN), that is, the judgement and evaluation of attack intention. The experiments use the DARPA 2000 and DARPA GCP (Grand Challenge Problem) benchmark datasets, and the results show that JEAN forecasts with better accuracy than the longest common subsequence (LCS) algorithm.

Hardening network services and network architecture is one way to reduce intrusion incidents. However, there is currently no effective solution that correlates all vulnerabilities, the connectivity between networks, and intrusion alerts, so network administrators habitually handle alerts one at a time, treating a single surface symptom without analysing the data, which cannot determine or remove the root cause of the security incident. This thesis therefore also proposes the "GReat Evil ENcroachments ERadicator" (GREENER), which analyses in depth the relationship between network attack alerts and the network's overall vulnerabilities and builds an intrusion path graph showing how the attacker got in and how far the attack can spread. The intrusion path graph presents the key points of the intrusion and the related vulnerability information, helping the system administrator learn the details of the incident, quickly locate the problem, and draft protective measures, so that the incident is handled faster, the network is hardened, and the same intrusion cannot succeed again.

In summary, this thesis uses JEAN to classify the observed network attack behaviour by inferring the attack type in the database most similar to it, and GREENER to generate the intrusion path graph and find the vulnerability relationships among the network devices. From these two outputs, the network administrator can handle the incident, prioritise and fix the vulnerabilities that matter most, remediate those already exploited, and harden the network against multi-stage attacks.

Abstract (parallel English version)


Current intrusion detection systems (IDSs) can only discover single-step attacks, not complicated multi-stage attacks. It is therefore not only important but also challenging for security managers to correlate security alerts with specific patterns in order to predict a multi-stage attack. This thesis proposes two algorithms, JEAN and GREENER, which together perform intrusion countermeasures for multi-stage attacks. First, the proposed "Judge Evaluation of Attack intensioN" (JEAN) algorithm inspects the security alerts in the network and provides a probabilistic approach for projecting the multi-stage attack by measuring the difference between the stored and the actual multi-stage attack session graphs (ASG). The experimental results show that JEAN projects possible attacks with higher accuracy than Longest Common Subsequence (LCS) based approaches on the DARPA 2000 and DARPA GCP (Grand Challenge Problem) attack scenario datasets.

Furthermore, hardening network services and network architecture is one of the most effective and least costly ways to reduce security risks. However, there is no effective solution that correlates all weaknesses, the network topology with its connectivity, and the intrusion alerts. As a result, it can be difficult for network administrators to determine the root cause of a security incident. Second, this thesis also proposes the "GReat Evil ENcroachments ERadicator" (GREENER), which analyses the above network information in depth and builds an intrusion path graph that displays comprehensive information about the security breach. With the help of GREENER, system administrators can discover detailed information about an incident and, as part of the hardening process, rapidly remove the intrusion issues it exposes, so that the same type of intrusion cannot happen again. GREENER meets the requirements for mitigating security threats and provides a practical security incident response solution.

In conclusion, JEAN identifies the stored attack model most similar to the observed alerts and uses it for forecasting, and GREENER builds the Intrusion Path Graph (IPG) to find the relationships between vulnerabilities. Network administrators can then decide which vulnerabilities have the highest priority for improving network security, fix the vulnerabilities found on the intrusion path, and strengthen the network against multi-stage attacks.
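The abstract compares JEAN against LCS-based matching of alert sequences, and JEAN's own projection rule is not given on this page. What follows is an added example, not code from the thesis, of that LCS baseline: an observed sequence of IDS alert types is aligned against a library of stored multi-stage scenarios, each scenario is scored by the fraction of its stages seen in order, and the stages after the last matched one are reported as the forecast of what comes next. The scenario library, the alert type names and the observed sequence are constructed for illustration (the first scenario is loosely modelled on the DARPA 2000 LLDOS 1.0 stages: IP sweep, sadmind probe and overflow, DDoS tool installation, DDoS launch); they are not the thesis's ASG database.

```python
"""LCS baseline for matching an observed IDS alert sequence against stored
multi-stage attack scenarios and forecasting the remaining stages.

Constructed illustration; it is not the thesis's JEAN algorithm.
"""
from typing import Dict, List, Sequence, Tuple

# Constructed scenario library: each entry is the ordered stage list of one
# multi-stage attack, written as IDS alert types. The first is loosely
# modelled on DARPA 2000 LLDOS 1.0; the other two are invented.
SCENARIOS: Dict[str, List[str]] = {
    "ddos_via_sadmind": ["ICMP_SWEEP", "RPC_SADMIND_PROBE", "SADMIND_OVERFLOW",
                         "RSH_LOGIN", "DDOS_TOOL_INSTALL", "DDOS_LAUNCH"],
    "web_defacement": ["PORT_SCAN", "HTTP_CGI_PROBE", "HTTP_CGI_EXPLOIT",
                       "SHELL_UPLOAD", "WEB_ROOT_WRITE"],
    "worm_propagation": ["PORT_SCAN", "SMB_NULL_SESSION", "SMB_OVERFLOW",
                         "WORM_PAYLOAD_DOWNLOAD", "PORT_SCAN"],
}

# Constructed observation: three LLDOS-like stages with an unrelated
# HTTP_CGI_PROBE alert interleaved as noise.
OBSERVED = ["ICMP_SWEEP", "RPC_SADMIND_PROBE", "HTTP_CGI_PROBE", "SADMIND_OVERFLOW"]


def lcs_pairs(observed: Sequence[str], scenario: Sequence[str]) -> List[Tuple[int, int]]:
    """Return the (observed index, scenario index) pairs of one longest
    common subsequence, in increasing order."""
    n, m = len(observed), len(scenario)
    dp = [[0] * (m + 1) for _ in range(n + 1)]
    for i in range(n):
        for j in range(m):
            if observed[i] == scenario[j]:
                dp[i + 1][j + 1] = dp[i][j] + 1
            else:
                dp[i + 1][j + 1] = max(dp[i][j + 1], dp[i + 1][j])
    # Backtrack from the bottom-right corner to recover the matched pairs.
    pairs: List[Tuple[int, int]] = []
    i, j = n, m
    while i and j:
        if observed[i - 1] == scenario[j - 1]:
            pairs.append((i - 1, j - 1))
            i -= 1
            j -= 1
        elif dp[i - 1][j] >= dp[i][j - 1]:
            i -= 1
        else:
            j -= 1
    return pairs[::-1]


def forecast(observed: Sequence[str],
             scenarios: Dict[str, List[str]] = SCENARIOS) -> List[Tuple[str, float, List[str]]]:
    """Rank scenarios by the fraction of their stages seen in order and, for
    each, list the stages still expected after the last matched stage.
    Ties are broken by scenario name so ambiguous prefixes rank equally."""
    ranked = []
    for name, stages in scenarios.items():
        pairs = lcs_pairs(observed, stages)
        score = len(pairs) / len(stages)
        last_matched = pairs[-1][1] if pairs else -1
        ranked.append((name, score, stages[last_matched + 1:]))
    ranked.sort(key=lambda r: (-r[1], r[0]))
    return ranked


if __name__ == "__main__":
    for name, score, remaining in forecast(OBSERVED):
        print(f"{name:18s} score={score:.2f} next={remaining}")
```

LCS tolerates the interleaved HTTP_CGI_PROBE false positive but ignores timing and host identity, so two scenarios sharing a prefix (PORT_SCAN here) get the same score until a distinguishing stage is seen; the caller should treat a tie at the top of the ranking as "undecided" rather than act on the first entry.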
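The intrusion path graph above correlates three inputs: IDS alerts, network connectivity and per-host vulnerabilities. As an added example that is not the thesis's GREENER implementation, the following builds such a graph from constructed inputs. Alerts whose target service carries a known vulnerability become confirmed edges and mark the target as compromised; from the compromised hosts a breadth-first walk over the allowed connectivity adds potential edges wherever a reachable service is vulnerable, which gives the propagation scope; alerts with no matching vulnerability are kept aside as unverified instead of being treated as intrusions. Vulnerabilities are then ranked for remediation: those on confirmed edges first, then by how many hosts within the attacker's reach can connect to them. Host names, service names, vulnerability identifiers and the alerts are all constructed placeholders.

```python
"""Intrusion path graph from IDS alerts, connectivity and host vulnerabilities,
with a remediation ranking. Constructed illustration; not GREENER itself."""
from collections import deque
from typing import Dict, List, Set, Tuple

Edge = Tuple[str, str, str, str]  # (source host, target host, service, vulnerability id)

# Constructed connectivity: host -> (reachable host, service) pairs that the
# topology and firewall rules allow.
CONNECTIVITY: Dict[str, Set[Tuple[str, str]]] = {
    "attacker": {("web1", "http"), ("web1", "ssh")},
    "web1": {("app1", "rpc"), ("db1", "mysql")},
    "app1": {("db1", "mysql"), ("fs1", "nfs")},
    "db1": set(),
    "fs1": {("app1", "rpc")},
}

# Constructed vulnerability inventory: (host, service) -> placeholder id
# (not real CVE numbers).
VULNS: Dict[Tuple[str, str], str] = {
    ("web1", "http"): "VULN-WEB-CGI",
    ("app1", "rpc"): "VULN-RPC-OVERFLOW",
    ("db1", "mysql"): "VULN-DB-AUTH-BYPASS",
    ("fs1", "nfs"): "VULN-NFS-EXPORT",
}

# Constructed IDS alerts: (source host, target host, service, signature).
ALERTS = [
    ("attacker", "web1", "ssh", "SSH brute force"),  # web1:ssh has no known vulnerability
    ("attacker", "web1", "http", "CGI exploit"),
    ("web1", "app1", "rpc", "RPC buffer overflow"),
]


def build_intrusion_path_graph(alerts, connectivity, vulns, entry: str = "attacker") -> Dict:
    """Confirmed edges come from alerts that hit a vulnerable service; potential
    edges are found by walking connectivity from every compromised host."""
    confirmed: List[Edge] = []
    unverified: List[Tuple[str, str, str, str]] = []
    compromised: Set[str] = {entry}
    for src, dst, svc, sig in alerts:
        vuln = vulns.get((dst, svc))
        if vuln is None:
            unverified.append((src, dst, svc, sig))  # alert without a matching weakness
            continue
        confirmed.append((src, dst, svc, vuln))
        compromised.add(dst)

    potential: List[Edge] = []
    reached: Set[str] = set()
    visited = set(compromised)
    queue = deque(sorted(compromised))  # sorted for a deterministic edge order
    while queue:
        host = queue.popleft()
        for nxt, svc in sorted(connectivity.get(host, ())):
            vuln = vulns.get((nxt, svc))
            if vuln is None or nxt in compromised:
                continue  # no weakness to exploit, or already confirmed compromised
            potential.append((host, nxt, svc, vuln))
            if nxt not in visited:
                visited.add(nxt)
                reached.add(nxt)
                queue.append(nxt)
    return {"confirmed": confirmed, "potential": potential, "unverified": unverified,
            "compromised": compromised, "reached": reached}


def prioritize(graph: Dict, connectivity, vulns) -> List[str]:
    """Rank vulnerability ids: confirmed-exploited first, then by the number of
    hosts inside the attacker's reach that can connect to the vulnerable service."""
    confirmed_ids = {edge[3] for edge in graph["confirmed"]}
    in_reach = graph["compromised"] | graph["reached"]
    exposure: Dict[str, int] = {}
    for (host, svc), vuln in vulns.items():
        sources = [h for h in in_reach if (host, svc) in connectivity.get(h, ())]
        exposure[vuln] = exposure.get(vuln, 0) + len(sources)
    return sorted(exposure, key=lambda v: (v not in confirmed_ids, -exposure[v], v))


if __name__ == "__main__":
    graph = build_intrusion_path_graph(ALERTS, CONNECTIVITY, VULNS)
    for kind in ("confirmed", "potential"):
        for src, dst, svc, vuln in graph[kind]:
            print(f"{kind:9s} {src} -> {dst}:{svc} via {vuln}")
    print("unverified alerts:", graph["unverified"])
    print("fix order:", prioritize(graph, CONNECTIVITY, VULNS))
```

The walk only follows edges to services with a recorded weakness, so the propagation scope is only as complete as the vulnerability inventory; an alert that matches nothing in the inventory (the SSH brute force here) is surfaced for a human rather than silently dropped or silently counted as a break-in.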
