Responsive image
博碩士論文 etd-0726115-160447 詳細資訊
Title page for etd-0726115-160447
論文名稱
Title
以社交網路分析整合貝氏網路偵測網路入侵
Detecting Intrusions Using Social Network Analysis And Bayesian Network
系所名稱
Department
畢業學年期
Year, semester
語文別
Language
學位類別
Degree
頁數
Number of pages
61
研究生
Author
指導教授
Advisor
召集委員
Convenor
口試委員
Advisory Committee
口試日期
Date of Exam
2015-08-04
繳交日期
Date of Submission
2015-08-26
關鍵字
Keywords
貝氏網路模型、入侵偵測系統、目標式攻擊
Bayesian Network Model, Intrusion Detection System, Targeted Attack
統計
Statistics
本論文已被瀏覽 5935 次,被下載 114
The thesis/dissertation has been browsed 5935 times, has been downloaded 114 times.
中文摘要
近幾年來攻擊型態開始逐漸轉變,在網路戰爭當中,明槍易躲,暗箭難防,不同以往傳統隨機的攻擊手法,現在多數攻擊型態是以針對特定攻擊目標的攻擊模式,也漸漸形成一種新的趨勢。目標式攻擊(Targeted Attack)是一種策略性型態的攻擊手法,由於目標明確且攻擊模式以滲透性的方式進行,加上潛伏期長,讓現行的偵測系統難以防範,當發現此攻擊時多數已經為時已晚。即便大部分能夠在偵測系統及垃圾郵件偵測系統中被發現,但是仍有使用者會無意間點擊打開經過設計的信件與連結,這是網路入侵防禦系統以及傳統火牆等傳統網路偵測技術無法應對的客製化攻擊,更別說要遏止使用者擅自或執意要瀏覽網站或打開文件,造成惡意程式植入並接著後續的資料竊取。雖然現今的偵測系統可以將外來的攻擊加以阻擋,但卻無法防範內部人員不慎點開連結以及檔案所造成的感染,加上目標式攻擊常伴隨著新型的攻擊手法或零時攻擊,入侵偵測系統無法即時檢測出導致內部被入侵的風險,而且一般目標式攻擊在初期都是低調潛伏,更加劇了偵測的困難度,因此無法依靠一般的資安解決方案來完全解決目標式攻擊問題。
透過本研究針對目標式攻擊第一階段偵測搜查的部分強化,從駭客最常使用也是使用者最無防備的社交網站以及電子郵件著手,模擬仿效駭客進行情資蒐查的前置動作,像是會透過信件以及社交網站傳送檔案或訊息,接著再利用貝氏網路的學習能力與架構圖表示出各階段事件或行為的發生機率,並結合以特徵值為基礎之風險評估預測入侵行為的發生,除了找出目前可能已經成為攻擊目標的名單,更能依其風險值評估預測受害目標。對於容易受到攻擊的重要主機以及人員,能夠及時發出警報,並找出可疑的IP提供給資訊安全人員進行鑑識,減少受到攻擊的機會,並在最短的時間做出應對措施,提早預防以達到將傷害減至最低的目標,並斷絕未來可能發生之攻擊,達到協助入侵偵測系統提高偵測率以及降低誤報率目標。
Abstract
The type of attack has been change from random attack to non-random attack which called Targeted Attack. This means the attack has an obvious target and this kind of attack need more time and skills to break in to target. Most hackers possess high knowledge and rich resource about attacked target such as important department of government or companies, and the major object is steal sensitive information. Such attack type usually accompanies social engineering or zero-day exploits attacks, and the intrude period may arrive several years.
In order to detect Targeted Attack, this paper proposed a conceptual framework for observing the steps of Targeted Attack and through these steps constructed a Bayesian Network detection model which combined risk assessment. Risk assessment including compute each steps of risk of Targeted Attack in order to be prepared for attack. Most of the Targeted Attack uses social engineering breaking into the target successfully. So in this paper, we collected social network and e-mail records from Intrusion Detection System (IDS) to enhance the accuracy of detection. In this paper, we detected Targeted Attack and provide the suspicious IP to be ready for future attack and reduce the chances of data theft.
目次 Table of Contents
目錄
論文審訂書 i
致謝 ii
摘要 iii
Abstract iv
第一章 緒論 1
第一節 研究背景 1
第二節 研究動機目的 7
第二章 文獻探討 10
第一節 社交網路分析(Social Network Analysis) 10
第二節 目標式攻擊(Target Attack) 11
第三節 入侵偵測系統(Intrusion Detection System) 13
第四節 貝氏網路模型(Bayesian Network Model) 14
第三章 研究方法 19
第一節 系統流程 19
第二節 貝氏網路偵測模型 24
第三節 風險評估 27
第四章 系統評估 30
第一節 模擬實驗 31
第二節 測試實驗 35
第三節 預測目標式攻擊 40
第四節 系統比較 42
第五章 未來展望 48
參考文獻 49
參考文獻 References
[1] Trend Micro, "Trend_Micro_APT_Whitepaper_2013". Trend Micro Incorporated. Retrieved August 1, 2015, from
http://www.trend.com.tw/apt/whitepaper/trend_micro_apt_whitepaper_2013.pdf
[2] A. Lai, B. Wu and J. Chiu. (2011, July). "2011HIT 台灣駭客年會 APT的秘密(奧義)", 第七屆台灣駭客年會(HIT: Hacks in Taiwan). Xecure Lab. Retrieved August 1, 2015, from
http://hitcon.org/hit2011/downloads/06_APT_Secrets_In_Asia.pdf
[3] TREND LABS. "2012 技術通報:神不知鬼不覺的APT -- APT 案件分享". Trend Micro Incorporated. Retrieved August 1, 2015, from http://esupport.trendmicro.com/zh-tw/business/topic_knowledgedownload/topic_techsupportboard/20120430133619.aspx
[4] Wikipedia, "Operation Aurora". Wikipedia. Retrieved August 1, 2015, from http://en.wikipedia.org/wiki/operation_aurora.
[5] Mr. D-Day. "從日本三菱重工事件回顧今年的資安事件與個人防護". MMDays. Retrieved August 1, 2015, from http://mmdays.com/2011/12/20/security-news-2011/
[6] TREND LABS. "駭客跟你一樣關心「二代健保補充保險費扣繳辦法說明」–假冒健保局名義信件夾毒發送中! ". Trend Micro Incorporated. Retrieved August 1, 2015, from http://blog.trendmicro.com.tw/?p=4973
[7] J. Leopando. "Targeted Attacks Hit Asian, European Government Agencies". Trend Micro Incorporated. Retrieved August 1, 2015, from
http://blog.trendmicro.com/trendlabs-security-intelligence/targeted-attacks-hit-asian-european-government-agencies/
[8] TREND LABS. "How Tough Is It to Deal with APTs?". Trend Micro Incorporated. Retrieved August 1, 2015, from
http://www.trendmicro.com/cloud-content/us/pdfs/business/white-papers/wp_apt-primer.pdf
[9] E. Protalinski. "Facebook: Over 955 Million Users, 543 Million Mobile Users". CNET. Retrieved August 1, 2015, from
http://news.cnet.com/8301-1023_3-57480950-93/facebook-over-955-million-users-543-million-mobile-users/
[10] A. Pichel. "[INFOGRAPHIC] Public or Private? The Risks of Posting in Social Networks". Trend Micro Incorporated. Retrieved August 1, 2015, from
http://blog.trendmicro.com/trendlabs-security-intelligence/infographic-public-Or-Private-The-Risks-Of-Posting-In-Social-Networks/
[11] N. N. A. Molok, S. Chang, and A. Ahmad. " Information Leakage through Online Social Networking: Opening the Doorway for Advanced Persistence Threats". Journal of the Australian Institute of Professional Intelligence Officers (AIPIO), Vol.19(2), pp.38-55, 2011.
[12] J. C. Chen. "Banking Trojan Targets South Korean Banks; Uses Pinterest As C&C Channel". Trend Micro Incorporated. Retrieved August 1, 2015, from http://blog.trendmicro.com/trendlabs-security-intelligence/malware-campaign-targets-south-korean-banks-uses-pinterest-as-cc-channel/
[13] Fireeye Labs. "Operation Russiandoll: Adobe & Windows Zero-Day Exploits Likely Leveraged By Russia’s APT28 In Highly-Targeted Attack". Fireeye Labs. Retrieved August 1, 2015, from https://www.fireeye.com/blog/threat-research/2015/04/probable_apt28_useo.html
[14] Wikipedia, "Social Network". Wikipedia. Retrieved August 1, 2015, from http://en.wikipedia.org/wiki/social_network
[15] Mbalib. "Social Network Analysis". Mbalib. Retrieved August 1, 2015, from http://wiki.mbalib.com/wiki/社会网络分析
[16] R. Brendel and H. Krawczyk. "Detection of Roles of Actors in Social Networks Using the Properties of Actors' Neighborhood Structure". Third International Conference on Dependability of Computer Systems DepCoS-RELCOMEX. IEEE, pp.163 -170, 2008.
[17] I. Esslimani, A. Brun and A. Boyer. "Detecting Leaders in Behavioral Networks". International Conference on Advances in Social Networks Analysis and Mining, pp. 281-285, 2010.
[18] F. Bodendorf and C. Kaiser "Detecting Opinion Leaders and Trends in Online Communities". 2010 Fourth International Conference on Digital Society, pp.124-129, 2010.
[19] A. Sood and R. J. Enbody. "Targeted Cyberattacks: A Superset of Advanced Persistent Threats". IEEE security & privacy, Vol.11(1), pp.54-61, 2013.
[20] Trend Micro Incorporated . "對抗APT目標式攻擊". Trend Micro Incorporated. Retrieved August 1, 2015, from http://www.trendmicro.tw/tw/enterprise/challenges/advance-targeted-attacks/#understand-the-apt-lifecycle
[21] A. Juels and T. F. Yen. " Sherlock Holmes and The Case of the Advanced Persistent Threat ". The 5th USENIX conference on Large-Scale Exploits and Emergent Threats, 2012.
[22] Fortinet. "Threats On The Horizon:The Rise Of The Advanced Persistent Threat ". Fortinet. Retrieved August 1, 2015, from http://www.fortinet.com/sites/default/files/solutionbrief/threats-on-the-horizon-rise-of-advanced-persistent-threats.pdf
[23] Birdman. "南韓大顆首爾( Darkseoul) 大規模APT攻擊事件". Xecure Lab. Retrieved August 1, 2015, from
http://blog.xecure-lab.com/2013/03/darkseoul-apt.html
[24] T. Branigan. "South Korea On Alert For Cyber-Attacks After Major Network Goes Down ". theguardian. Retrieved August 1, 2015, from
http://www.theguardian.com/world/2013/mar/20/south-korea-under-cyber-attack
[25] 黃彥棻. "索尼影業遭駭事件始末大剖析". iThome . Retrieved August 1, 2015, from http://www.ithome.com.tw/news/93457
[26] 陳烱勳. "進階持續性滲透(APT)攻擊之認識與防禦". Twnic. Retrieved August 1, 2015, from http://security.twnic.tw/201303/tech2_1.html
[27] K. Scarfone and P. Mell. "Guide to Intrusion Detection and Prevention Systems (IDPS) ". NIST special publication, 2007.
[28] B. E. Binde, R. McRee and T. J. O’Connor. "Assessing Outbound Traffic to Uncover Advanced Persistent Threat". SANS Institute. Whitepaper, 2011.
[29] D. Heckerman and M. Wellman. "Bayesian Networks". Communication of the ACM, Vol.38(3), pp.27-30, 1995
[30] S. Sun, C. Zhang, and G. Yu. "A Bayesian Network Approach to Traffic Flow Forecasting ". Intelligent Transportation Systems, IEEE Transactions, Vol.7(1), pp.124-132, 2006.
[31] M. Sahami, S. Dumais, D. Heckerman and E. Horvitz. "A Bayesian Approach to Filtering Junk E-mail". Learning for Text Categorization: Papers from the 1998 workshop Vol.62, pp.98-105, 1998.
[32] Y. S. Lin. "A Bayesian-Network Risk Assessment Incorporating Human Factors Based On Continuous Fuzzy Set Theory". Journal of Taiwan Maritime Safety and Security Studies Vol.3(3), 2012.
[33] J. Pearl. "Probabilistic reasoning in intelligent systems: networks of plausible inference". Morgan Kaufmann, 1988.
[34] C. Starr and P. Shi. "An Introduction To Bayesian Belief Networks And Their Applications To Land Operations", DSTO Systems Sciences Laboratory, 2004.
[35] I. Ben-Gal. "Bayesian networks". Encyclopedia of statistics in quality & reliability. Oxford: Wiley & Sons, 2007.
[36] F.V. Jensen, and T.D. Nielsen. "Bayesian Networks and Decision Graphs". Springer Science and Business Media, 2007.
[37] E. Castillo, J. M. Gutierrez, and A. S. Hadi. "Expert systems and Probabilistic Network
Models". Springer, 1997.
[38] S. L. Lauritzen, B. Thiesson and D. J. Spiegelhalter. "Diagnostic systems by model selection: a case study ". Springer, pp.143-152, 1994.
[39] P. Truccoa, E. Cagnoa, F. Ruggerib and O. Grandea. "A Bayesian Belief Network modelling of organisational factors in risk analysis: A case study in maritime transportation ". Reliability Engineering & System Safety, Vol.93(6), pp.845-856, 2008.
[40] S. Timmer, J. J. Meyer, H. Prakken, S. Renooij, B. Verheij. "Inference and Attack in Bayesian Networks". The 25th Benelux conference on artificial intelligence, pp. 199-206, 2013.
[41] S. Axelsson. "The base-rate fallacy and its implications for the difficulty of intrusion detection". The 6th ACM Conference on Computer and Communications Security pp.1-7, 1999.
[42] K. Johansen and S. Lee. "CS424 network security: Bayesian Network Intrusion Detection (BINDS) ", 2003. Retrieved August 1, 2015, from http://www.cs.jhu.edu/~fabian/courses/CS600.424/course-papers/samples/Bayesian.pdf
[43] F. Jemili, M. Zaghdoud and M. B. Ahmed. "A Framework for an Adaptive Intrusion Detection System using Bayesian Network". Intelligence and Security Informatics, IEEE pp. 66-70, 2007.
[44] S. Zhang, S. Song. "A Novel Attack Graph Posterior Inference Model Based on Bayesian Network ". Journal of Information Security, Vol.2(1), pp.8-27, 2011.
[45] J. Ren, I. Jenkinson, J. Wang, D. L. Xu and J. B. Yang. "An offshore risk analysis method using fuzzy Bayesian network ". Journal of Offshore Mechanics and Arctic Engineering, Vol.131(4), 2009.
電子全文 Fulltext
本電子全文僅授權使用者為學術研究之目的,進行個人非營利性質之檢索、閱讀、列印。請遵守中華民國著作權法之相關規定,切勿任意重製、散佈、改作、轉貼、播送,以免觸法。
論文使用權限 Thesis access permission:自定論文開放時間 user define
開放時間 Available:
校內 Campus: 已公開 available
校外 Off-campus: 已公開 available


紙本論文 Printed copies
紙本論文的公開資訊在102學年度以後相對較為完整。如果需要查詢101學年度以前的紙本論文公開資訊,請聯繫圖資處紙本論文服務櫃台。如有不便之處敬請見諒。
開放時間 available 已公開 available

QR Code