| Graduate student: | 黃志豪 Chih-Hao Huang |
|---|---|
| Thesis title: | A Modular Approach to Reconstructing Multi-step Attack Scenarios |
| Advisor: | 陳奕明 Yi-Ming Chen |
| Committee members: | |
| Degree: | Master |
| Department: | College of Management - Department of Information Management |
| Graduation academic year: | 93 (ROC calendar) |
| Language: | Chinese |
| Pages: | 78 |
| Chinese keywords: | Coloured Petri net, multi-template, generic template, alert correlation, multi-step attack |
| Foreign keywords: | Generic template, CPN, Multi-template |
Most of the security alerts produced by today's intrusion detection systems are low-level information and do not let administrators quickly grasp the whole picture of an intrusion. To address this, the development of intrusion detection systems has in recent years gradually shifted from improving the efficiency and accuracy of individual alerts toward correlating alerts so as to provide a more complete overview of an attack. In other words, how to correlate low-level alert data into information and knowledge that is useful to security administrators has become one of the main topics of network security research. However, a multi-step attack scenario can reach the same final goal through different techniques: a single attack step can be replaced by another, equivalent intrusion technique without affecting whether the final goal is achieved. From the perspective of a security operations center, this thesis explains how, with the Colored Petri Net (CPN) as the theoretical basis, a modular approach can be used to develop a method for defining multi-step attack templates. We propose the concepts of the generic template and the multi-template for correlating alerts. A generic template can, in a modular way, accommodate more attack scenarios that follow different attack paths, so that the system, through multi-template processing, automatically assembles the single-step attack alerts scattered across the network into one complete attack scenario and thereby restores the full picture of the intrusion. We also ran system experiments on the DARPA 2000 data set and the DEFCON 8 data set provided by MIT Lincoln Laboratory, as well as on alerts we recorded ourselves on a campus network. The results show that, with these modular attack templates, attack scenarios that use different intrusion techniques to reach the same result can be detected automatically.
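To make the mechanism described in the abstract concrete, the following is an added illustration written for this page; it is not code from the thesis. It models each scenario step as a place/transition pair of a small coloured-Petri-net style correlator: a step is a "generic template" that fires on any of several equivalent IDS signatures, the token colour is the target host so that alerts from different victims are not mixed, and several scenario templates ("multi-template") are matched at the same time over one interleaved alert stream. The template names, signature names and the alert stream are all constructed for the example.

```python
"""Added example (not the thesis's code): a toy CPN-style alert correlator.

Each scenario template is a chain of steps.  Place i of a template holds
tokens, each token being the partial chain of alerts that completed steps
0..i-1.  A step is a *generic template*: any of its equivalent signatures
satisfies it, so scenarios taking different attack paths are still recognised.
All signature names, hosts and timestamps below are constructed sample data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Alert:
    ts: int          # arrival time (constructed)
    sig: str         # IDS signature name (constructed)
    target: str      # monitored host the alert concerns; used as the token colour


@dataclass(frozen=True)
class Step:
    name: str
    accepts: frozenset   # equivalent signatures that satisfy this step


@dataclass(frozen=True)
class Template:
    name: str
    steps: tuple


def step(name, *sigs):
    return Step(name, frozenset(sigs))


# Two constructed scenario templates matched concurrently (multi-template).
TEMPLATES = (
    Template("remote-compromise", (
        step("recon", "TCP_PORT_SCAN", "ICMP_SWEEP"),
        step("service-probe", "RPC_PORTMAP_QUERY", "SERVICE_VERSION_PROBE"),
        step("exploit", "BUFFER_OVERFLOW_ATTEMPT", "FORMAT_STRING_ATTEMPT"),
        step("persist", "BACKDOOR_INSTALL", "ROOTKIT_DOWNLOAD"),
    )),
    Template("credential-abuse", (
        step("guess", "SSH_PASSWORD_GUESS", "TELNET_PASSWORD_GUESS"),
        step("login", "SSH_LOGIN_SUCCESS", "TELNET_LOGIN_SUCCESS"),
        step("c2", "OUTBOUND_IRC_C2", "OUTBOUND_TUNNEL"),
    )),
)


class Correlator:
    def __init__(self, templates):
        self.templates = templates
        # Marking: one empty chain (token) sits at the start place of every template.
        self.marking = {t.name: {0: [()]} for t in templates}
        self.scenarios = []   # completed (template name, alert chain) pairs

    def feed(self, alert):
        for t in self.templates:
            places = self.marking[t.name]
            # Walk steps last-to-first so a token produced by this alert is not
            # consumed again by the same alert at the next step.
            for i in reversed(range(len(t.steps))):
                if alert.sig not in t.steps[i].accepts:
                    continue
                for chain in places.get(i, ()):
                    # Colour guard: stay on the same target host, non-decreasing time.
                    if chain and (chain[-1].target != alert.target or alert.ts < chain[-1].ts):
                        continue
                    new_chain = chain + (alert,)
                    if i + 1 == len(t.steps):
                        self.scenarios.append((t.name, new_chain))
                    else:
                        # Tokens are copied, not consumed, so alternative
                        # continuations of the same prefix can still match.
                        places.setdefault(i + 1, []).append(new_chain)


def reconstruct(alerts, templates=TEMPLATES):
    """Replay alerts in time order and return the completed scenarios."""
    c = Correlator(templates)
    for a in sorted(alerts, key=lambda a: a.ts):
        c.feed(a)
    return c.scenarios


def uncorrelated(alerts, scenarios):
    """Alerts that ended up in no completed scenario (left for manual review)."""
    used = {a for _, chain in scenarios for a in chain}
    return [a for a in alerts if a not in used]


# Constructed alert stream: two victims attacked along *different* paths of the
# same template, one credential scenario, and one isolated exploit alert.
ALERTS = [
    Alert(1, "TCP_PORT_SCAN", "192.168.1.10"),
    Alert(2, "ICMP_SWEEP", "192.168.1.20"),
    Alert(3, "SSH_PASSWORD_GUESS", "192.168.1.30"),
    Alert(4, "RPC_PORTMAP_QUERY", "192.168.1.10"),
    Alert(5, "SERVICE_VERSION_PROBE", "192.168.1.20"),
    Alert(6, "BUFFER_OVERFLOW_ATTEMPT", "192.168.1.10"),
    Alert(7, "SSH_LOGIN_SUCCESS", "192.168.1.30"),
    Alert(8, "FORMAT_STRING_ATTEMPT", "192.168.1.20"),
    Alert(9, "BACKDOOR_INSTALL", "192.168.1.10"),
    Alert(10, "BUFFER_OVERFLOW_ATTEMPT", "192.168.1.40"),   # no prior steps: stays loose
    Alert(11, "ROOTKIT_DOWNLOAD", "192.168.1.20"),
    Alert(12, "OUTBOUND_IRC_C2", "192.168.1.30"),
]

if __name__ == "__main__":
    found = reconstruct(ALERTS)
    for name, chain in found:
        print(name, chain[0].target, [a.sig for a in chain])
    print("uncorrelated:", [(a.ts, a.sig, a.target) for a in uncorrelated(ALERTS, found)])
```

Running it reconstructs three scenarios: two instances of `remote-compromise` whose four steps are satisfied by different signatures on each victim, and one `credential-abuse` instance, while the lone overflow alert against the fourth host is reported as uncorrelated. A production correlator would additionally age out tokens and bound the number of open chains per template, which this illustration omits.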