An Intrusion Detection System Based on Network Protocol Behavior Monitoring

Original title: 一個基於監測網路通訊協定執行行為的入侵偵測系統

Advisor: 孫雅麗

Abstract

The spread of the Internet has made people's lives more varied and convenient, but it has also brought a growing number of network attacks, such as computer worm attacks, which often cause enormous impact and loss. Moreover, as attack techniques become more sophisticated, traditional detection methods, such as matching signatures in packet payloads or observing changes in network traffic patterns, can no longer detect network attacks effectively.

Computer worms cause such damage and impact mainly because of their automatic attacking and spreading characteristics. Worms usually attack vulnerable programs that provide network services; after a successful attack, the program typically suffers a severe error and can no longer provide normal service. We therefore believe that network attacks can be detected by monitoring the execution behavior of network protocols.

We first use traffic traces from a real network to derive a model describing the normal execution behavior of the protocol; with this model we can distinguish which behaviors deviate from normal behavior. The system monitors every protocol execution and compares it against the model of normal execution behavior; if the behavior deviates from normal behavior, it is judged to be a network attack.

Finally, based on our experimental results, we believe this mechanism can effectively detect network attacks that target vulnerabilities in programs providing network services.

Abstract (English)

As the Internet has become more and more popular, it has made our lives more colorful and convenient. On the other hand, more and more attacks happen on the Internet. Attacks by computer worms often cause enormous impact and damage. Besides, as attacks become more sophisticated, traditional intrusion detection approaches, like payload signature matching and network traffic pattern monitoring, are not sufficient to detect new attacks.

Computer worms cause huge impact and damage because of their automatic attacking and spreading characteristics. Worms often attack vulnerable programs of network services. After a successful attack, the program usually becomes erroneous and cannot provide service anymore. Therefore, we believe that we can detect network intrusions by monitoring network protocol execution behaviors.

We construct a model that describes the normal execution behaviors of the protocol, with which we can determine whether a behavior deviates from normal behavior. Then we analyze the reasons for those deviating behaviors and determine whether they are anomalous. Our system monitors every protocol execution and uses the normal model to decide whether it deviates. If a behavior deviates, it is marked as an intrusion.

Based on our experimental results, we believe that our system can effectively detect network intrusions that exploit vulnerabilities of network service programs.
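The detection approach described in the abstract, as an added illustration that is not the thesis's own implementation: learn which protocol state transitions occur in sessions assumed to be normal, then flag any session whose execution leaves that learned model. The simplified SMTP-like command vocabulary, the training traces and the test sessions below are constructed for this example. Besides unknown or out-of-order commands, the monitor treats a session that ends at a point where normal sessions never end as a deviation, which corresponds to the symptom the abstract associates with a successful exploit: the service program errors out and stops responding.

```python
"""Protocol-execution-behavior monitor (added illustration, not the thesis's code).

A state-transition model of normal protocol execution is learned from traces,
and each observed session is compared against it. Transitions the model never
saw in normal traffic are reported as deviations.
"""
from collections import defaultdict

# Sentinel states marking session start and end.
START, END = "<START>", "<END>"

# Constructed training data: simplified SMTP-like command sequences from
# sessions assumed to be normal. Vocabulary and traces are assumptions made
# for this example, not data from the thesis.
NORMAL_SESSIONS = [
    ["HELO", "MAIL", "RCPT", "DATA", "QUIT"],
    ["EHLO", "MAIL", "RCPT", "RCPT", "DATA", "QUIT"],
    ["HELO", "MAIL", "RCPT", "DATA", "MAIL", "RCPT", "DATA", "QUIT"],
    ["EHLO", "NOOP", "MAIL", "RCPT", "DATA", "QUIT"],
    ["HELO", "RSET", "MAIL", "RCPT", "DATA", "QUIT"],
]


class ProtocolBehaviorModel:
    """State-transition model of normal protocol execution."""

    def __init__(self):
        # state -> set of states observed to follow it in normal traffic
        self.transitions = defaultdict(set)

    def train(self, sessions):
        for session in sessions:
            seq = [START, *session, END]
            for cur, nxt in zip(seq, seq[1:]):
                self.transitions[cur].add(nxt)
        return self

    def deviations(self, session):
        """Describe every transition in the session that the model never saw."""
        found = []
        seq = [START, *session, END]
        for step, (cur, nxt) in enumerate(zip(seq, seq[1:])):
            if nxt not in self.transitions.get(cur, ()):
                kind = "abnormal termination" if nxt == END else "unexpected transition"
                found.append(f"step {step}: {kind} {cur} -> {nxt}")
        return found

    def is_intrusion(self, session):
        """Any deviation from the normal model marks the session as an intrusion."""
        return bool(self.deviations(session))


def build_model():
    return ProtocolBehaviorModel().train(NORMAL_SESSIONS)


def parse_session(raw):
    """Extract the command verb from each non-empty client line of a captured session."""
    return [line.split(None, 1)[0].upper() for line in raw.splitlines() if line.strip()]


# Constructed test sessions: one normal, one truncated after DATA (the server
# went silent), one issuing a command never seen in training.
SAMPLE_SESSIONS = {
    "normal": "EHLO client.example\nMAIL FROM:<a@example>\nRCPT TO:<b@example>\nDATA\nQUIT",
    "truncated": "HELO client.example\nMAIL FROM:<a@example>\nRCPT TO:<b@example>\nDATA",
    "unknown_cmd": "HELO client.example\nMAIL FROM:<a@example>\nXZZZ aaaa\nQUIT",
}


def classify_samples():
    """Return {session name: flagged as intrusion?} for the constructed samples."""
    model = build_model()
    return {name: model.is_intrusion(parse_session(raw)) for name, raw in SAMPLE_SESSIONS.items()}


if __name__ == "__main__":
    model = build_model()
    for name, raw in SAMPLE_SESSIONS.items():
        print(name, model.deviations(parse_session(raw)) or "normal")
```

The model is deliberately strict: a single unseen transition is enough to raise an alert, so the quality of the detector depends entirely on how representative the training traces are. In practice the training set has to cover every legitimate command ordering the service supports, or the monitor will report ordinary but rare sessions as intrusions.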
