Responsive image
博碩士論文 etd-0110112-183807 詳細資訊
Title page for etd-0110112-183807
論文名稱
Title
多節點異常警告之關聯研究
Mutilple Sensor Anomaly Correlation
系所名稱
Department
畢業學年期
Year, semester
語文別
Language
學位類別
Degree
頁數
Number of pages
45
研究生
Author
指導教授
Advisor
召集委員
Convenor
口試委員
Advisory Committee
口試日期
Date of Exam
2011-12-28
繳交日期
Date of Submission
2012-01-10
關鍵字
Keywords
日誌過濾、警告關聯
meta-log filtering, Alert correlation
統計
Statistics
本論文已被瀏覽 5887 次,被下載 392
The thesis/dissertation has been browsed 5887 times, has been downloaded 392 times.
中文摘要
IDS偵測入侵,並產生警告通知管理者,隨著網路的廣泛使用,許多重要服務透過網路提供,因此攻擊事件增多,警告數量大量增多,管理者需花費大量時間分析方能得知網路狀況。許多服務透過網路提供,服務日誌大量增加,管理者同樣要花費大量時間分析才能得知服務提供狀況。 為了解決IDS警告數量太多、誤判率太高,以及無法偵測所有攻擊的缺點,警告關聯使用屬性相似度、事先定義攻擊架構、定義兩兩攻擊類型間的關係,與利用驗證過濾誤判的警告等方法,解決這些問題。 網路攻擊由許多步驟組成,攻擊過程會留下紀錄在各種警告與日誌中,日誌中詳細記載服務細節,正常使用行為與攻擊行為皆混雜其中。本研究使用屬性相似度,將日誌與警告合併成meta-log與meta-alert,利用兩個特徵過濾meta-log,並利用日誌裡詳細記載的服務狀況,對每一筆meta-log給予不同的valid值,標明其危險層級,接著將meta-log與meta-alert進行關聯,得出報告給管理者。
Abstract
IDS (Intrusion Detection System) detect intrusions and generate alerts to administrator. With Internet more and more popular, IDS products a lot of alerts make administrators spend much time to analyze to understand the network situation. Many online services record services details on the log, as the same administrators spend much time to analyze logs. IDS suffer from several limitations : amount of alerts, most of the alerts are false positive, certain attacks may not be detected by IDS. To solve limitations of IDS, four alert correlation techniques : alert attributions similarity, predefined attack scenarios, multi-stage approaches, verification to filter positive alerts. Network attack consist of multiple steps, each step may leave evidences on log or detected by IDS. Service logs record normal and abnormal detail behaviors, IDS alerts record single attack step. Alerts and logs first merge into meta-alert and meta-log. Second, we use two features to filter meta-log. Then, correlate meta-alert and filtered meta-log to produce report to administrators.
目次 Table of Contents
第一章 緒論 .................................. 1
第一節 研究背景 .............................................................................................................................................. 1
第二節 問題描述及目的 .................................................................................................................................. 3
第二章 相關研究 .............................. 4
第一節 聚合 ...................................................................................................................................................... 4
第二節 警告關聯相關文獻 .............................................................................................................................. 5
第三章 系統設計 ............................. 11
第一節 TYPE II資料聚合 ............................................................................................................................... 12
第二節 TYPE I 資料聚合................................................................................................................................ 14
第三節 META-LOG FILTERING ........................................................................................................................ 15
第四節 META-LOG與META-ALERT關聯 ........................................................................................................ 17
第四章 實驗與分析 ........................... 18
第一節 實驗一 ................................................................................................................................................ 19
第二節 實驗二 ................................................................................................................................................ 22
第三節 實驗三 ................................................................................................................................................ 26
第四節 實驗補充 ............................................................................................................................................ 31
第五章 結論 ................................. 34
第六章 參考文獻 ............................. 35
參考文獻 References
[1] H. Elshoush and I. Osman, ─Alert Correlation in Collaborative Intelligent Intrusion Detection systems—A survey,∥ In Soft Computing for Information System Security, Volume 11, Issue 7, October 2011, pp. 4349-4365
[2] D. Xu, P. Ning, ─Correlation analysis of intrusion alerts,∥ In R. Di Pietro, L.V.
Mancini (Eds.), Intrusion Detection Systems, Advances in Information Security,
vol. 38, Springer, 2008, pp. 65–92.
[3] H. T. Elshousha and I. M. Osmanb, ─Alert correlation in collaborative intelligent intrusion detection systems—A survey,∥ In Elsevier‘s Journal of Applied Soft Computing, vol. 11, issue 7 , October 2011, pp 4349-4365.
[4] P.Kabiri and A. Ghorbani, ─A Rule Based Temporal Alert Correlation System,∥ International journal of network security, 2007
[5] S. H. Ahmadinejad and S. Jalili, ─Alert Correlation Using Correlation Probability Estimation and Time Windows,∥ In 2009 International Conference on Computer Technology and Development
[6] F. Cuppens and A. Miege, ─Alert Correlation in a Cooperative Intrusion Detection Framework,∥ In Proceedings of the 2002 IEEE Symposium on Security and Privacy, pp.202-215
[7] F. Cuppens, ─Managing Alerts in a Multi-Intrusion Detection Environment,∥ In Proc. 17th Ann. Computer Security Applications Conf. (ACSAC ’01), pp. 22-31, 2001.
[8] F. Autrel and F. Cuppens, ─Using an Intrusion Detection Alert Similarity Operator to Aggregate and Fuse Alerts,∥ In Proc. Fourth Conf. Security and Network Architectures, pp. 312-322, 2005.
[9] A. Valdes and K. Skinner, ─Probabilistic Alert Correlation,∥ Recent Advances in Intrusion Detection, W. Lee, L. Me, and A. Wespi, eds. pp. 54-68, Springer, 2001.
[10] F. Valeur, G. Vigna, C. Kruegel and R.A. Kemmerer, ─A Comprehensive Approach to Intrusion Detection Alert Correlation,∥ In IEEE TRANSACTIONS ON DEPENDABLE AND SECURE COMPUTING, VOL. 1, NO. 3, JULY-SEPTEMBER 2004
[11] Bin Zhu and Ali A. Ghorbani, ─Alert Correlation for Extracting Attack Strategies,∥ In International Journal of Network Security, Vol.3, No.3, PP.244–258, Nov. 2006
[12] Keisuke Takemori*, Yutaka Miyake*, Chie Ishida**, and Iwao Sasase** , ─A SOC Framework for ISP Federation and Attack Forecast by Learning Propagation Patterns,∥ Intelligence and Security Informatics, 2007 IEEE, pp. 172 – 179
[13] H. Ren, N. Stakhanova, and A. A. Ghorbani, ─An Online Adaptive Approach to Alert Correlation,∥ In Proceedings of the 7th international conference on Detection of intrusions and malware, and vulnerability assessment, DIMVA’10, pages 153–172, Berlin, Heidelberg, 2010. Springer-Verlag
[14] C. Kruegel, W. Robertson and G. Vigna, ─Using Alert Verification to Identify Successful Intrusion Attempts,∥ In Practice in Information Processing and Communication (PIK), Vol.27, No.4 , 2004 , pp. 219-227
[15] PhpMyAdmin, http://www.phpmyadmin.net/home_page/index.php
[16] Status Code Definitions, http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html
[17] NESSUS, http://www.tenable.com/products/nessus
[18]PMASA-2009-3, http://www.phpmyadmin.net/home_page/security/PMASA-2010-4.php
[19]PMASA-2009-4, http://www.phpmyadmin.net/home_page/security/PMASA-2010-5.php
[20] ISC Diary, ─w00tw00t,∥ http://isc.Zans.edu/diary.html?storyid=900
[21] J.M. Kizza, ─System Intrusion Detection and Prevention, ∥ A Guide to Computer Network Security, pp.273-293
[22] IDMEF, ─The Intrusion Detection Message Exchange Format,∥ http://www.ietf.org/rfc/rfc4765.txt
電子全文 Fulltext
本電子全文僅授權使用者為學術研究之目的,進行個人非營利性質之檢索、閱讀、列印。請遵守中華民國著作權法之相關規定,切勿任意重製、散佈、改作、轉貼、播送,以免觸法。
論文使用權限 Thesis access permission:自定論文開放時間 user define
開放時間 Available:
校內 Campus: 已公開 available
校外 Off-campus: 已公開 available


紙本論文 Printed copies
紙本論文的公開資訊在102學年度以後相對較為完整。如果需要查詢101學年度以前的紙本論文公開資訊,請聯繫圖資處紙本論文服務櫃台。如有不便之處敬請見諒。
開放時間 available 已公開 available

QR Code