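Chinese Abstract In recent years many network intrusions have occurred on the Internet, mostly aimed at stealing customer or enterprise information, and information theft has become the most serious threat in network security. Because stealing personal data and other important information lets attackers profit, the techniques of malware that steals confidential personal data are constantly renewed; even a vendor's freshly published patch notification can be turned into a tool for malware, leading to zero-day attacks. How to protect the network and keep it from being attacked is therefore the most important issue facing most network administrators today. In recent years, the threat of ARP spoofing attacks, which grew out of the Address Resolution Protocol (ARP) and are used to steal user passwords or confidential information, has become more and more serious. From the perspective of the network administrator, this thesis proposes an ARP attack detection mechanism based on the SNMP network management protocol. In the managed switched network environment, the mechanism uses SNMP together with the address configuration information of the network routers, the DHCP server and the switches to detect man-in-the-middle attacks and denial-of-service attacks that use ARP spoofing within the managed local area network, finds the network port where the attacker is located, and then uses SNMP to disconnect the attacker from the network to stop the attack from continuing. Field tests show that the proposed ARP attack detection mechanism can indeed detect ARP attacks effectively.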
Abstract In recent years, many network intrusion attacks have been performed to steal the confidential information of customers or enterprises. Information stealing has become one of the most serious security threats to networks. Because obtaining personal information may bring benefits to attackers, a lot of new malware is being developed. As vulnerability reports or system patches are announced, hackers may develop corresponding viruses/worms and launch zero-day attacks. Therefore, how to effectively protect the security of networks has become the most important issue for network managers. In recent years, ARP spoofing attacks, which exploit the vulnerability of the Address Resolution Protocol (ARP), have been developed to steal passwords or confidential information of users. In this thesis, from the perspective of network managers, we propose an SNMP-based scheme for detecting ARP attacks. The proposed scheme correlates the address configuration information in routers, switches, and the DHCP server to detect ARP attacks, including man-in-the-middle and denial of service attacks, to identify the location of the attacker, and to isolate the attack. Experiments show that ARP attacks can be effectively detected by the proposed scheme.
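The correlation the abstract describes, sketched as an added Python example that is not the thesis's own code: the router's ARP cache is checked against DHCP leases, and the offending MAC is looked up in the switch forwarding table to find its port. The function names, the sample tables, the MIB objects mentioned in the comments and the MITM/DoS heuristic are all assumptions made for illustration.

```python
# Added illustration, not the thesis's code. All table contents are constructed.
# Assumption: the three tables were already collected over SNMP (for example
# ipNetToMediaTable on the router, dot1dTpFdbTable on the switches); the
# abstract does not name the MIB objects it uses.

def normalize_mac(mac):
    """Canonical lower-case colon form so differently formatted MACs compare equal."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def detect_arp_anomalies(router_arp, dhcp_leases, switch_fdb):
    """router_arp, dhcp_leases: ip -> mac; switch_fdb: mac -> (switch, port)."""
    leases = {ip: normalize_mac(m) for ip, m in dhcp_leases.items()}
    fdb = {normalize_mac(m): loc for m, loc in switch_fdb.items()}
    findings = []
    for ip, mac in sorted(router_arp.items()):
        observed, expected = normalize_mac(mac), leases.get(ip)
        if expected is None or expected == observed:
            continue  # no lease to compare against, or the binding is consistent
        port = fdb.get(observed)
        # Heuristic (assumption): a MAC that is live on a switch port and answers
        # for another host's IP suggests interception; a MAC no switch has
        # learned suggests a bogus binding that black-holes the victim's traffic.
        findings.append({"ip": ip, "expected_mac": expected, "observed_mac": observed,
                         "kind": "mitm-suspect" if port else "dos-suspect",
                         "attacker_port": port})
    return findings

# Constructed sample data (documentation address range, made-up MACs).
ROUTER_ARP = {
    "192.0.2.1": "00:11:22:33:44:01",   # statically addressed, no lease
    "192.0.2.10": "00:11:22:33:44:0a",  # matches its lease
    "192.0.2.11": "00-11-22-33-44-EE",  # leased to ...:0b, claimed by ...:ee
    "192.0.2.12": "02:de:ad:be:ef:01",  # leased to ...:0c, MAC unknown to switches
}
DHCP_LEASES = {
    "192.0.2.10": "00:11:22:33:44:0a", "192.0.2.11": "00:11:22:33:44:0b",
    "192.0.2.12": "00:11:22:33:44:0c", "192.0.2.14": "00:11:22:33:44:ee",
}
SWITCH_FDB = {
    "00:11:22:33:44:0a": ("sw1", 3), "00:11:22:33:44:0b": ("sw1", 4),
    "00:11:22:33:44:0c": ("sw2", 7), "0011.2233.44ee": ("sw2", 9),
}

if __name__ == "__main__":
    for finding in detect_arp_anomalies(ROUTER_ARP, DHCP_LEASES, SWITCH_FDB):
        print(finding)
```

The `attacker_port` value is what the isolation step in the abstract would act on; hosts without a DHCP lease are skipped here and would need a separate static-binding list.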