| Field | Value |
|---|---|
| Graduate student: | 陳俊佑 Chun-yu Chen |
| Thesis title: | A Mechanism for Defending Against Backdoor Programs Based on TCP Connection Behavior (English title: A Novel Behavior-Based Solution to Backdoors) |
| Advisor: | 許富皓 Fu-hau Hsu |
| Oral examination committee: | |
| Degree: | Master |
| Department: | College of Electrical Engineering and Computer Science - Department of Computer Science & Information Engineering |
| Graduation academic year: | 96 (Republic of China calendar) |
| Language: | Chinese |
| Number of pages: | 46 |
| Chinese keywords: | intrusion detection, behavior-based, backdoor program |
| Foreign-language keywords: | Backdoor, Behavior-Based, Intrusion Detection |
Chinese abstract (translated):

The development of malicious programs, from the early viruses, worms, Trojan horses and backdoor programs to today's rootkits, spyware and spamware, shows continually changing techniques, increasingly diverse means of penetration, and ever-larger losses. These malicious programs spread through the network's many propagation paths and pose an enormous threat to the security of the network and of the hosts on it.

Among the many attack methods, opening a backdoor is the most important step for an attacker who wants to control the victim host. Common Trojan horses and backdoor programs mostly disguise themselves as ordinary legitimate programs, for example by taking the same name as a legitimate program, so that the user does not notice them. Once the attacker obtains a backdoor process with system administrator (root) privileges, the attacker can do anything to the victim computer.

In this thesis we propose a new defence mechanism that distinguishes legitimate programs from backdoor programs on the basis of a process's network-usage behavior (behavior-based), so as to effectively protect the system from being controlled by backdoor programs. We detect the possible presence of an attack before system information is abnormally sent out over the network, and terminate the suspicious process before the damage spreads; this prevents the attacker from using the backdoor for subsequent malicious activity and raises the security of the system and of network servers.
English abstract:

With the popularity of computers and the Internet, more information security problems are being taken into consideration. From the old-time virus to the new-fashioned worm, Trojan horse and backdoor, attackers nowadays develop a variety of malware to gain personal benefit. Malware such as rootkits, spyware and spamware spreads via all kinds of network applications and is a huge threat to Internet and system security.

In order to control victim computers, opening a backdoor is the most important step among all attack methods. Conventional Trojan horses and backdoors may mask themselves as normal programs, for example by having the same name as a normal program, in order to deceive users. Once attackers obtain a backdoor process with root privilege, they can do anything to the victim.

In this thesis, we propose a new behavior-based defensive mechanism to detect whether a program is a backdoor or not. This mechanism can protect the system from being controlled by a backdoor. We can find the backdoor before system information is sent out over the Internet abnormally; before the attack succeeds, we terminate the suspicious process and stop the follow-up malicious activities in advance. This mechanism can raise the security level of systems and network servers.