應用於網路安全情境察覺系統之警訊衝突解析模型

以作者查詢圖書館館藏

、以作者查詢臺灣博碩士

、以作者查詢全國書目

、勘誤回報

、線上人數：64

、訪客IP：18.117.162.107

姓名

游靖芬(Ching-fen Yu) 查詢紙本館藏

畢業系所

資訊管理學系

論文名稱

應用於網路安全情境察覺系統之警訊衝突解析模型
(Alert Conflict Resolution Model in Network Security Situation Awareness System)

相關論文

★ 應用數位版權管理機制於數位影音光碟內容保護之研究	★ 以應用程式虛擬化技術達成企業軟體版權管理之研究
★ 以IAX2為基礎之網頁電話架構設計	★ 應用機器學習技術協助警察偵辦詐騙案件之研究
★ 擴充防止詐欺及保護隱私功能之帳戶式票務系統研究-以大眾運輸為例	★ 網際網路半結構化資料之蒐集與整合研究
★ 電子商務環境下網路購物幫手之研究	★ 網路安全縱深防護機制之研究
★ 國家寬頻實驗網路上資源預先保留與資源衝突之研究	★ 以樹狀關聯式架構偵測電子郵件病毒之研究
★ 考量地區差異性之隨選視訊系統影片配置研究	★ 不信任區域網路中數位證據保留之研究
★ 入侵偵測系統事件說明暨自動增加偵測規則之整合性輔助系統研發	★ 利用程序追蹤方法關聯分散式入侵偵測系統之入侵警示研究
★ 一種網頁資訊擷取程式之自動化產生技術研發	★ 應用XML/XACML於工作流程管理系統之授權管制研究

檔案

[Endnote RIS 格式]

[Bibtex 格式]

[相關文章]

[文章引用]

[完整記錄]

[館藏目錄]

[檢視]

[下載]

本電子論文使用權限為同意立即開放。
已達開放權限電子全文僅授權使用者為學術研究之目的，進行個人非營利性質之檢索、閱讀、列印。
請遵守中華民國著作權法之相關規定，切勿任意重製、散佈、改作、轉貼、播送，以免觸法。

摘要(中)

情境察覺(Situation Awareness, SA)簡單來說就是知道現在發生什麼事並能知道如何回應，而其觀念由最初之飛航安全領域被引申於其他動態的、複雜的及需要人力介入之情境中，近年來也在資訊安全研究的領域中興起，即網路安全情境察覺(Network Security Situation Awareness)。然而，在情境察覺概念中使用多種警訊系統來確保對外在環境的瞭解並予以回應，其中所牽涉的問題可能包括發生資訊超載(Alert Overload)以擾亂管理人員，或儘管各系統回報之狀況並沒有錯誤，但資訊依然可能發生衝突(Alert Conflict)使管理人員不知所措等，所衍生之問題同樣的也將在網路安全防護資安監控中心(Security Operation Center, SOC)中發生。因此我們提出了異質網路感應器管理服務(HNSMS)，目的則是為了解析警訊的衝突。首先利用各異質網路感應器所回報警訊之可信度及其權重之衡量進行警訊融合(Alert Fusion)，此外也考慮經由單一時間點之警訊融合後尚可能造成的偵測漏報問題，進一步配合安全政策，利用其它輔佐資訊再次進行警訊融合，最後以模擬案例的方式進行系統的推演，期望藉由最終警訊以了解系統/網路整體之安全狀態，舒緩警訊衝突所帶來之風險。

摘要(英)

SA is simply “knowing what is going on so you can figure out what to do”. The term was first used by U.S. Air Force (USAF) fighter aircrew and was considered to be essential for those who are responsible for being in control of complex, dynamic systems and high-risk situations. In recent years, Network Security Situation Awareness is a hot research in the domain of information security. However, these different types of sensor for better situation awareness could result in two problems. First is the “Alert Overload”, and it could disturb the security administrators. Second is the “Alert Conflict”. Though each of these sensors did not report the wrong message, it could be happened. Therefore, these problems could occur in SOC as well. This thesis addresses these problems in SOC using a Heterogeneous Network Sensors Management Service (HNSMS) in order to solve the alert conflict. We use Alert Confidence Fusion method at first to fuse the alerts from different sensors and consider the confidence and weight of alerts in the fusion technique. Moreover, we also consider that some attack cannot be detected in a single time, so we use Fuzzy Cognitive Maps (FCM) and policy to fuse the multiple inputs. Finally, the final alerts help to improve the understanding of whole system security and allow security administrators to take appropriate responses. To summarize, HNSMS refine the alert from different sensors by means of two data fusion techniques and relieve the risk from alert conflict.

關鍵字(中)

★ 警訊衝突
★ 權重評估
★ 安全政策
★ 可信度
★ 情境察覺
★ 安全營運中心
★ 警訊/資料融合

關鍵字(英)

★ Alert Weight
★ Alert Confidence
★ Situation Awareness
★ Security Policy
★ Alert Conflict
★ Alert/Data Fusion
★ Security Operation Center

論文目次

中文摘要..................................................i
英文摘要.................................................ii
目錄....................................................iii
圖目錄....................................................v
表目錄..................................................vii
一、緒論.................................................1
1-1 研究背景.............................................1
1-2 研究動機與目的.......................................6
1-3 研究假設、研究流程及主要成果.........................7
1-4 章節架構.............................................8
二、相關研究.............................................9
2-1 情境察覺(Situational Awareness)......................9
2-2 資料融合(Data Fusion)...............................11
2-2-1 警訊信度融合(Alert Confidence Fusion)...........13
2-2-2 模糊認知圖 (Fuzzy Cognitive Maps, FCM)模型......15
2-3 警訊衝突(Alert Conflict)............................17
三、解析警訊衝突之模型..................................19
3-1 系統設計考量.........................................19
3-2 系統架構.............................................20
3-2-1 權重設定(Weight Assign)...........................23
3-2-2 安全政策定義(Policy Definition)...................25
3-2-3 知識庫及回饋(Knowledge Base and Feedback)..........27
3-3 模型比較.............................................32
四、案例模擬分析........................................37
4-1 案例一：遠端入侵.....................................38
4-2 案例二：病毒入侵.....................................41
4-3 案例分析之比較.......................................43
五、結論................................................44
5-1 研究結論.............................................44
5-2 研究貢獻.............................................44
5-3 未來研究方向.........................................45
參考文獻.................................................47

參考文獻

中文參考文獻
[1] 劉美君，一種利用彩色派翠網關聯警訊以重建多步驟攻擊的方法，國立中央大學資訊管理學系碩士論文，6 月2004。
[2] 官炳宏，結合隱藏式馬可夫模型與彩色派翠網以關聯多步驟攻擊警訊之方法，國立中央大學資訊管理學系碩士論文，6 月2005。
[3] 黃志豪，一個使用模組化方式來重建多步驟攻擊情境的方法，國立中央大學資訊管理學系碩士論文，6 月2006。
[4] Seednet教室-企業縱深防禦的最佳資安保鑣，HTUhttp://eservice.seed.net.tw/class/class97.htmlUTH，Accessed on March 28, 2007.。
[5] 樊國楨、林樹國及歐崇明，資安監控中心之終極目標：資訊分享與分析中心初探，資通安全專論T95002，HTUhttp://ics.stpi.org.tw/Treatise/doc/17.pdfUTH，Accessed on April 1, 2007.。
[6] 台灣電腦網路危機處理暨協調中心，保護及強化企業內部網路的安全，HUhttp://www.cert.org.tw/document/column/show.php?key=72UH，Accessed on April 20, 2007.。。
[7] 台灣賽門鐵克，管理企業內的資安事端(Security Incidents)，HTUhttp://www.symantec.com/region/tw/enterprise/article/security_incidents.html#what_if_notUTH，Accessed on Jan 1, 2007.。
[8] 凌羣電腦蔡坤家，SYSCOM SIM(Security Information Management)，HTUhttp://download.microsoft.com/download/5/3/7/5372d49c-fbee-4cb4-84b0-03a7b93b262f/6-2004MgmtDay_Syscom-SIM.pptUTH，Accessed on Jan 10, 2007.。。
[9] 網路聯防技術，HTUhttp://www.broadweb.com.tw/rdshow/3-2-2.phpUTH，Accessed on Jan 9, 2007.。。
[10] 聯合Juniper / Fortinet / McAfee等設備，縱深聯防，鎖住內敵！，HTUhttp://www.l7-networks.com/L7_2005/products.IL_features.b5.phpUTH，Accessed on Jan 9, 2007.。。
[11] 梁日誠，自建型資通安全防護中心—mini SOC簡介，2004/11/13，
HTUhttp://www.informationsecurity.com.tw/feature/view.asp?fid=285UTH，Accessed on March 3, 2007.。
英文參考文獻
[12] Adam L. Berger, Stephen A. Della Pietra, and Vincent J. Della Pietra, “A Maximum Entropy Approach to Natural Language Processing,” Computational Linguistics, Volume 22, Number 1, 1996.
[13] Adam Berger, “A Brief Maxent Tutorial,” Hhttp://www.cs.cmu.edu/afs/cs/user/aberger/www/html/tutorial/tutorial.htmlH, 1996.
[14] Adam Berger, Stephen Della Pietra, and Vincent Della Pietra, “A maximum entropy approach to natural language processing,” Computational Linguistics, March 1996.
[15] Andy Franz, Radek Mista, David Bakken, Curtis Dyreson, and Murali Medidi, “Mr. Fusion: A Programmable Data Fusion Middleware Subsystem with a Tunable Statistical Profiling Service,” In Proceedings of the International Conference on Dependable Systems and Networks (DSN-2002), IEEE/IFIP, 23-26 June, 2002, Washington, DC.
[16] Ambareen Siraj, “A Unified Alert Fusion Model for Intelligent Analysis of Sensor Data in an Intrusion Detection Environment,” A Dissertation Submitted to the Faculty of Mississippi State University, Mississippi, August 2006.
[17] Ambareen Siraj, Rayford B. Vaughm, and Susan M. Bridges, “Intrusion Sensor Data Fusion in an Intelligent Intrusion Detection System Architecture," In Proceedings of the 37th Hawaii International Conference on System Sciences, IEEE, 5-8 Jan, 2004.
[18] Ambareen Siraj, Susan M. Bridges, and Rayford B. Vaughn, “Fuzzy Cognitive Maps for Decision Support in an Intelligent Intrusion Detection System,” In IFSA World Congress and 20th NAFIPS International Conference, 25-28 July, 2001.
[19] Amy R. Pritchett and R. John Hansman, “Pilot Non-Conformance to Alerting System Commands During Closely Spaced Parallel Approaches,” MIT Aeronautical Systems Lab. Rep., ASL-97-2, Cambridge, MA, Jan. 1997.
[20] Andy Franz, Radek Mista, David Bakken, Curtis Dyreson, and Murali Medidi, “Mr. Fusion: A Programmable Data Fusion Middleware Subsystem with a Tunable Statistical Profiling Service,” In Proceedings of the International Conference on Dependable Systems and Networks, IEEE/IFIP, June 23-26, 2002, Washington, DC.
[21] Bart Kosko, “Fuzzy cognitive maps,” International Journal Man-Machine Studies, Vol24, 1986.
[22] CERT/CC Statistics 1988-2006, Hhttp://www.cert.org/stats/H, Accessed on March 16, 2007.
[23] David L. Hall, “Mathematical Techniques in Multisensor Data Fusion,” 1992, Atrech House, Boston, MA.
[24] Dong Yu and Deborah Frincke, “Alert Confidence Fusion in Intrusion Detection Systems with Extended Dempster-Shafer Theory,” 43rd ACM Southeast Conference, March 18-20, 2005, Kennesaw, GA, USA.
[25] Heeseo Ghae, Tae Yon Kim, Dong-hyun Lee, and Hoh Peter, “Conflict Resolution Model Based on Weight in Situation Aware Collaboration System,” In Proceedings of the 11th IEEE International Workshop on Future Trends of Distributed Computing Systems(FTDCS’07), 2007.
[26] Jason Hill, Robert Szewczyk, Alec Woo, Seth Hollar, David Culler, and Kristofer Pister, “System Architecture Directions for Networked Sensors,” In Proceedings of the Ninth International Conference on Architectural Support for Programming Languages and Operating Systems (ASPLOS IX), pp. 93-104, ACM SIGPLAN, November 2000.
[27] Lai Jibao, Wang Huiqiang, and Zhu Liang, “Study of Network Security Situation Awareness Model Based on Simple Additive Weight and Grey Theory,” 2006.
[28] Lixia Song and James K. Kuchar, “Dissonance Between Multiple Alerting Systems Part I: Modeling and Analysis,” Systems, Man and Cybernetics, Part A, Volume 33, Issue 3, May 2003 Page(s): 366 – 375.
[29] John Harrald and Theresa Jefferson, “Shared Situational Awareness in Emergency Management Mitigation and Response,” In Proceedings of the 40th Hawaii International Conference on System Sciences, 2007.
[30] Maximilian Reiss, Bernhard Sick, and Markus Strassberger, “Collaborative Situation-Awareness in Vehicles by Means of Spatio-Temporal Information Fusion With Probabilistic Networks,” Adaptive and Learning Systems, 2006 IEEE Mountain Workshop on, 2006.
[31] Mica Endsley, “Design and evaluation for situation awareness enhancement,” In Proceedings of the Human Factors Society 32nd Annual Meeting, Human Factors Society, 1988, pp. 97-101.
[32] Mike Gilger, “Addressing Information Display Weaknesses for Situational Awareness,” In Military Communications Conference, 2006.
[33] Renaud Bidou, “Security Operation Center Concepts & Implementation,” Hhttp://www.iv2-technologies.com/images/Iv2-WP-SOCConcept.pdfH , Accessed on March 16, 2007.
[34] Shilad Sen, Werner Geyer, Michael Muller, Marty Moore, Beth Brownholtz, Eric Wilcox, and David R. Millen, “FeedMe: A Collaborative Alert Filtering System,”In Proceedings of the 2006 20th anniversary conference on Computer supported cooperative work, 2006.
[35] Situational awareness, from Wikipedia, the free encyclopedia, HTUhttp://en.wikipedia.org/wiki/Situational_awarenessUTH, Accessed on April 15, 2007.。.
[36] Soojin Lee, Byungchun Chung, Heeyoul Kim, Yunho Lee, Chanil Park, and Hyunsoo Yoon, “Real-time analysis of intrusion detection alerts via correlation,” Computers & Security (2006) 25, p169-183.
[37] Stephen G.Batsell, Nageswara S.Rao, and Mallikarjun Shankar, “Distributed Intrusion Detection and Attack Containment for Organizational Cyber Security,” http://www.ioc.oml.gov/projects/documents/containment.pdf, 2005.
[38] Tim Bass, “Intrusion Detection Systems and Multisensor Data Fusion,” Communications of the ACM, April 2000, Vol. 43, No. 4.
[39] Theodor Jandeweith, “The use of an Expert System to expand a Multi Sensor Fire Detector to a Robust Fire Detector,” Security Technology, 1995. Proceedings. Institute of Electrical and Electronics Engineers 29th Annual 1995 International Carnahan Conference, Oct. 1995.
[40] Veronique Clement, Gerard Giraudon, Stephane Houzelle, and Fadi Sandakly, “Interpretation of Remotely Sensed Images in a Context of Multisensor Fusion Using a Multispecialist Architecture,” IEEE Transactions on Geoscience and Remote Sensing, VOL. 31, No. 4, JULY 1993.
[41] Xiaoxin Yin, William Yurcik, and Adam Slagell, “The Design of VisFlowConnect-IP: a Link Analysis System for IP Security Situational Awareness,” The third IEEE International Workshop on Information Assurance (IWIA), 2005, pp.141-153.

指導教授

陳奕明(Yi-Ming Chen)

審核日期

2007-7-14

推文