
A Network Anomaly Detection Method Based on Network Service Behavior Profiling and Probabilistic Inference Models

Service Behavior Profiling and Probabilistic Inference for Anomaly Detection

Advisor: 孫雅麗

Abstract


In recent years, attacks that exploit network service vulnerabilities have occurred one after another. An attacker can remotely send packets carrying malicious messages to a host running a vulnerable network service, exploit the vulnerability, and obtain execution rights on the victim host. Most of today's Internet worms and some botnets use this kind of attack. Because the attacker gains execution rights on the remote computer, this type of exploitation attack often causes severe damage to computers and network systems.

A normal network service carries out a normal communication procedure through predefined software and network protocols, cooperating with a remote server to complete a task. Network malware contacts remote servers in a similar way, but malicious behavior cannot be exactly the same as normal behavior. In this thesis we therefore design a novel anomaly detection framework to detect such network attacks; the framework is designed specifically for attacks that exploit network service vulnerabilities.

The key hypothesis of anomaly detection is as follows: taking "normal" as the baseline, unknown and suspicious behavior can be regarded as "anomalous". This thesis therefore focuses on defining the concept of "normal" and detects anomalous events on the basis of network services. Once the "normal" behavior of a network service is defined, network behavior that does not conform to it is defined as anomalous. In past observations we found that certain unusual and abnormal communication steps can be used to describe anomalies and attacks. When an attacker and a victim are covertly carrying out a sequence of actions related to vulnerability exploitation, the abnormal communication behavior exposed in the process can be treated by our detection system as an attack symptom, on which it raises an alert and infers whether an attack is taking place.

Past modeling methods for describing "normal" usually have two shortcomings: they lack a verification method, and they use only a single model. To reduce the impact of the first shortcoming, we use both static analysis and dynamic analysis to build normal models of network protocols, ensuring their correctness and accuracy. For the second, we combine multiple network protocol or service models into a composite behavior model, so that the model can describe complex network behavior and the relationships between different protocols in greater detail and precision. Interactions and correlations between network protocols are taken into account when the composite model is built.

In the dynamic analysis we apply Principal Component Analysis (PCA) to network behavior and extract the significant communication states, which are used to build the normal model of the protocol. PCA is applied to real-world network behavior to separate the different communication behaviors within a single protocol. Normal and significant behavior states are selected to rebuild the normal model, which is presented in the form of a finite state machine.

Our prototype system captures and monitors network protocols statefully. With our multi-level and cross-level behavior tracking architecture, together with the normal models built beforehand, we can actively detect anomalous states or related attack symptoms at different communication levels.

To raise the confidence level when assessing attacks during detection, we also develop a probability-based attack inference model. From the attack symptoms currently observed, the inference model computes and infers a detection confidence score at that moment. We observed that each attack symptom carries a different weight (that is, a different degree of importance), so using probability as the mathematical tool to express these weights and perform inference is an appropriate direction.

In the final experiments we collected several different network attacks and built normal behavior models for their underlying protocols. Our system detects their anomalous behavior and attack symptoms whether the attacks are known, unknown or variants, and even when the attacks exploit different vulnerabilities.

This thesis takes network protocols and services, which previous literature has not examined in this way, as the basis for detection; adopts both static and dynamic model construction; and builds composite models and a cross-level detection system. These are the novel contributions of this thesis, and they complement the shortcomings of current intrusion detection systems.

Abstract (English)


Network attacks that exploit network service vulnerabilities have become common in recent years. An attacker can remotely send malicious messages to a vulnerable service and gain the right to execute code on the victim. Most Internet worms and part of the botnet population fall into this attack category, and such attacks often cause severe damage to computers and network systems. Benign software performs a normal procedure, communicating with a server over predefined network protocols to accomplish a network task collaboratively. Although malware takes similar actions to communicate with the server it intends to compromise, its behavior is not exactly the same as normal behavior. In this work we design a novel anomaly detection framework that targets the attack vector of vulnerability exploitation on network services. The key hypothesis of anomaly detection is that anomalous behavior is suspicious from the point of view of normality. We focus on defining the notion of normality from a new perspective, the network service, in order to detect anomalies. Once the definition of normality is specified, its violation (i.e., an anomaly) is determined. We found that certain abnormal communication procedures can be used to profile anomalous behavior; they are treated as the sign of an attack (an attack symptom) when the attacker and the victim go through a sequence of compromising actions. Past models often lack verification of the normality they model, and they focus on individual models only. To address the first issue, we show how to construct the underlying protocol models by static and dynamic approaches that guarantee normality. For the second, we combine multiple protocol and service models into a composite model for complex network services, and propose a method to construct the composite service model that accounts for protocol interaction and correlation.

To build the normal protocol models for anomaly detection, we adopt Principal Component Analysis (PCA) to analyze the normal behavior of a network protocol and extract its significant communication states. PCA analyzes real-world network traffic traces and performs data classification to cluster the different communication behaviors. Normal and significant behavior is chosen to build the normal behavior model, which takes the form of a finite state machine. Our prototype system can statefully capture and monitor activities between hosts, and it progressively assesses possible network anomalies through multi-level behavior tracking, cross-level behavior triggering, and correlation of different network protocols and services. To increase the confidence level when assessing attacks, we develop a probabilistic inference model that infers and computes a belief score for possible attacks from the observed attack symptoms. In our observation, each attack symptom has a different degree of significance in the evaluation of an attack, so probability is an appropriate mathematical tool for attack inference. We collected several real-world attacks and built normal models for the protocols they use. Our system detects several anomalies and attack symptoms regardless of whether the attack is known, unknown, or a variant, and even when the attacks do not exploit the same vulnerability. The work contributes several novel research concepts: we use the network protocol and service as the basis for detecting anomalies; we adopt both static and dynamic approaches to build normal models; using PCA to build a normal model has not been done before; and the cross-level monitoring system and composite service model are also new to this research field. The results show that our system can detect anomalies and is a good solution for intrusion detection.

Keywords: anomaly detection, network service, behavior profiling, principal component analysis, inference model, finite state machine.
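The detection pipeline both abstracts describe (a finite-state normal model of a protocol, symptom collection at the message and protocol levels, and probabilistic weighting of the symptoms into a confidence score) reduced to a runnable toy. This is an added example, not the thesis's own code or its inference model: the protocol, its state table, the payload limits, the likelihood-ratio weights and the sample traces are all constructed assumptions, and the log-odds combination is one simple way to give symptoms different weights, not necessarily the formulation the thesis uses.

```python
"""Toy normal-behavior model for a constructed request/response protocol,
expressed as a finite state machine, plus log-odds inference that turns the
attack symptoms it reports into a belief score. Added example; the protocol,
its states, the symptom weights and the sample traces are all assumptions."""
import math

# Normal model (assumed protocol): allowed (state, event) -> next state.
# Any (state, event) pair absent from this table is a violation of normality.
NORMAL_FSM = {
    ("INIT", "C_HELLO"): "HELLO",
    ("HELLO", "S_ACK"): "READY",
    ("READY", "C_AUTH"): "AUTH",
    ("AUTH", "S_AUTH_OK"): "SESSION",
    ("SESSION", "C_REQ"): "PENDING",
    ("PENDING", "S_RESP"): "SESSION",
    ("SESSION", "C_BYE"): "CLOSED",
}

# Message-level profile (constructed): largest payload seen in normal traffic.
MAX_PAYLOAD = {"C_HELLO": 64, "C_AUTH": 128, "C_REQ": 512}

# Symptom weights as likelihood ratios P(symptom | attack) / P(symptom | normal).
# The values are assumptions chosen to show that symptoms carry different weight.
SYMPTOM_LR = {
    "invalid_transition": 8.0,   # message not allowed in the current state
    "oversized_message": 20.0,   # payload far beyond the normal profile
    "repeated_auth": 4.0,        # authentication attempted more than once
}
PRIOR_ATTACK = 0.01  # assumed base rate of attacks per connection


def track(trace):
    """Replay one connection against the normal FSM.

    trace: list of (event, payload_length) in wire order.
    Returns (final_state, symptoms); symptoms is a list in the order observed.
    """
    state = "INIT"
    symptoms = []
    auth_attempts = 0
    for event, length in trace:
        # Message level: compare the payload with the normal profile.
        if length > MAX_PAYLOAD.get(event, float("inf")):
            symptoms.append("oversized_message")
        # Protocol level: count authentication attempts within one connection.
        if event == "C_AUTH":
            auth_attempts += 1
            if auth_attempts > 1:
                symptoms.append("repeated_auth")
        # Protocol level: is this event allowed in the current state?
        next_state = NORMAL_FSM.get((state, event))
        if next_state is None:
            symptoms.append("invalid_transition")
            # Keep the current state so one unexpected message cannot
            # steer the model into an arbitrary state.
        else:
            state = next_state
    return state, symptoms


def belief(symptoms, prior=PRIOR_ATTACK):
    """Posterior probability of attack given the observed symptom set.

    Weights combine additively in log-odds space; each symptom type is
    counted once so a noisy repeated symptom cannot dominate the score.
    """
    logit = math.log(prior / (1.0 - prior))
    for symptom in set(symptoms):
        logit += math.log(SYMPTOM_LR[symptom])
    return 1.0 / (1.0 + math.exp(-logit))


def analyze(trace):
    """Convenience wrapper: returns (final_state, symptoms, belief_score)."""
    state, symptoms = track(trace)
    return state, symptoms, belief(symptoms)


if __name__ == "__main__":
    # Constructed traces: one normal session and one with exploitation-like symptoms.
    normal = [("C_HELLO", 12), ("S_ACK", 0), ("C_AUTH", 40), ("S_AUTH_OK", 0),
              ("C_REQ", 100), ("S_RESP", 0), ("C_BYE", 0)]
    suspicious = [("C_HELLO", 12), ("S_ACK", 0), ("C_AUTH", 40), ("S_AUTH_OK", 0),
                  ("C_AUTH", 40), ("C_REQ", 4096), ("S_RESP", 0)]
    for name, trace in (("normal", normal), ("suspicious", suspicious)):
        state, symptoms, score = analyze(trace)
        print(f"{name}: state={state} symptoms={symptoms} belief={score:.3f}")
```

With no symptoms the score stays at the prior; a single oversized request raises it to roughly 0.17, and the suspicious trace above, which trips all three symptom types, reaches about 0.87. Keeping the state unchanged on an invalid transition is a deliberate choice: it lets the monitor keep evaluating later messages against the last state it could justify instead of following the unexpected message into an arbitrary part of the model.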

