保護家用IoT 網路的安全機制

以作者查詢圖書館館藏

、以作者查詢臺灣博碩士

、以作者查詢全國書目

、勘誤回報

、線上人數：77

、訪客IP：52.14.61.160

姓名

史君仲(Chun-Chung Shih) 查詢紙本館藏

畢業系所

資訊工程學系

論文名稱

保護家用IoT 網路的安全機制
(MechAnism for household IoT Security Enhancement)

相關論文

★ 基於OP-TEE的可信應用程式軟體生態系統	★ 在低軌道衛星無線通訊中的CSI預測方法
★ 為多流量低軌道衛星系統提出的動態換手策略	★ 基於Trustzone的智慧型設備語音隱私保護系統
★ 一種減輕LEO衛星網路干擾的方案	★ TruzGPS:基於TrustZone的位置隱私權保護系統
★ 衛星地面整合網路之隨機接入前導訊號設計與偵測	★ SatPolicy: 基於Trustzone的衛星政策執行系統
★ TruzMalloc: 基於TrustZone 的隱私資料保護系統	★ 衛星地面網路中基於物理層安全的CSI保護方法
★ 低軌道衛星地面整合網路之安全非正交多重存取傳輸	★ 低軌道衛星地面網路中的DRX機制設計
★ 衛星地面整合網路之基於集合系統的前導訊號設計	★ 基於省電的低軌衛星網路路由演算法
★ 衛星上可重組化計算之安全FPGA動態部分可重組架構	★ 衛星網路之基於空間多樣性的前導訊號設計

檔案

[Endnote RIS 格式]

[Bibtex 格式]

[相關文章]

[文章引用]

[完整記錄]

[館藏目錄]

[檢視]

[下載]

本電子論文使用權限為同意立即開放。
已達開放權限電子全文僅授權使用者為學術研究之目的，進行個人非營利性質之檢索、閱讀、列印。
請遵守中華民國著作權法之相關規定，切勿任意重製、散佈、改作、轉貼、播送，以免觸法。

摘要(中)

隨著網路頻寬、無線網路與其他各種通訊科技的技術結合，任何
在無線通訊範圍內的惡意攻擊者都很容易去攻擊網路內部的其他無
線IoT 的裝置。本論文所設計的系統會有sensor 代理人(sensor agent)
與影子主機(shadow host)。Sensor 代理人(sensor agent) 主要是負責蒐
集與傳送sensor 裝置的資料到網路當中，而影子主機(shadow host) 是
當作sensor 代理人(sensor agent) 的虛擬替身。本論文所提出的安全機
制/系統會利用sensor 代理人與影子主機的身分交換方式來避免sensor
代理人受到攻擊。也因為sensor 代理人與影子主機的特徵不容易被攻
擊者給詳細記錄，因此攻擊者很容易會被我們的影子主機給欺騙與困
住。除此之外，因為成本效益，攻擊者不會花費太多的資源來攻擊一
個sensor 代理人。攻擊者在入侵到我們真正的sensor agent 之前，需要
對這些sensor 代理人與影子主機做簡略的掃描與探索，並按照入侵的
順序來探索這些影子主機。這樣的方式彷彿是將攻擊者困在一個” 迷
宮”，使攻擊者在達到他攻擊的目標之前(攻擊sensor 代理人)，必須先
經過我們一系列的影子主機。在效能分析當中，我們呈現本篇所提的
方法/系統是有能力可以在便宜的樹梅派3 去做到一般攻擊的行為的偵
測與處理。

摘要(英)

With the advent of broadband, wireless networking, and convergence of
different communication technologies being adopted by HANs, these insiderattack
incidents have further increased because anyone could breakthrough
the network and penetrate other insider devices if they are located within
the wireless communication range. Our proposed security system/mechanism
uses identity exchange of sensor agents and shadow hosts to redirect the attack.
Since all the detail and characteristics of every sensor agents and shadow
hosts cannot not be easily recognized,the attacker may be easily fooled and
trapped into our shadow hosts. Moreover, it is not cost-effective to assign
much computing resource to just penetrate one specific sensor agent. This
forces the attacker to roughly scan and inspect all these shadow hosts one
by one before reaching to our sensor agents, which resembles a MAZE for
entrapping the attacker. In our performance analysis, we show that our proposed
security system/mechanism can even detect and handle general insider
attacks/intrusion with the limited hardware resources of a Raspberry Pi 3.

關鍵字(中)

★ 樹梅派3
★ 入侵偵測
★ 入侵防患
★ IoT 安全

關鍵字(英)

★ Raspberry Pi 3
★ Intrusion detection
★ Intrusion response
★ IoT security

論文目次

中文摘要i
Abstract ii
致謝iii
Contents iv
List of Figures vi
List of Tables vii
1 Introduction 1
1.1 IoT security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
2 Related work 4
2.1 Preliminary: difference between virtual machine and sandbox . . . . . . 4
2.2 Different types of sandbox implementation . . . . . . . . . . . . . . . . . 5
2.2.1 Sandboxing by jail . . . . . . . . . . . . . . . . . . . . . . . . . 5
2.2.2 Sandboxing by rule-based execution . . . . . . . . . . . . . . . . 6
2.2.3 Sandboxing by virtual machine . . . . . . . . . . . . . . . . . . 7
2.2.4 Sandboxing by Docker engine . . . . . . . . . . . . . . . . . . . 7
2.3 Open source intrusion detection system (IDS) . . . . . . . . . . . . . . . 8
2.3.1 SNORT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
2.3.2 BRO . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
iv
2.4 Intrusion response system (IRS) . . . . . . . . . . . . . . . . . . . . . . 9
2.4.1 Notification system . . . . . . . . . . . . . . . . . . . . . . . . . 10
2.4.2 Manual response system . . . . . . . . . . . . . . . . . . . . . . 10
2.4.3 Automated response system . . . . . . . . . . . . . . . . . . . . 10
3 Low cost sandboxing scheme for household IoT networks 11
3.1 Main idea . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
3.2 Intrusion detection system (IDS) . . . . . . . . . . . . . . . . . . . . . . 11
3.3 Intrusion Response System (IRS) . . . . . . . . . . . . . . . . . . . . . . 12
3.4 The detail of MASE (Shadow Host recycling) . . . . . . . . . . . . . . . 13
4 Performance analysis and evaluation 18
4.1 IDS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
4.2 IRS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
4.3 Attacks/Intrusions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
4.3.1 Port scanning attack . . . . . . . . . . . . . . . . . . . . . . . . 20
4.3.2 Attack: ping flood (ICMP flood) . . . . . . . . . . . . . . . . . . 20
4.4 Performance evaluation . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
5 Implementation 24
5.1 System overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
5.2 SNORT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
5.3 Intrusion detection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
5.4 IRS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
5.5 Identity/Characteristics transfer and checking–IP and MAC addresses setup 29
6 Discussion and conclusion 32
Bibliography 33
Raspberry Pi 3 35

參考文獻

[1] Gartner 4.9 billion connected ”things” will be in use in 2015, 2014. http://www.
gartner.com/newsroom/id/2905717.
[2] Wired News the internet of things is wildly insecure - and often unpatchable,
2014. http://www.wired.com/2014/01/theres-no-good-way-topatchthe-
internet-of-things-and-thats-a- olerance9999\r emergencystretch3emhfuzz.5p@vfuzzhfuzzhuge-problem/.
[3] The Gaurdian will giving the internet eyes and ears mean the end of privacy?,
2013. http://www.theguardian.com/technology/2013/may/16/
internet-of-things-privacy-google.
[4] BBC News fridge sends spam emails as attack hits smart gadgets, 2014. http:
//www.bbc.com/news/technology-25780908.
[5] Security Week hackers attack shipping and logistics firms using malware laden
handheld scanners, 2016. http://www.securityweek.com/hackersattackshipping-
and-logistics-firms olerance9999\r emergencystretch3emhfuzz.5p@vfuzzhfuzz-usingmalware-
ladenhandheld-scanners.
[6] Natalia Stakhanova, Samik Basu, and Johnny Wong. A taxonomy of intrusion
response systems. International Journal of Information and Computer Security,
1:169–184, 2007.
33
[7] Paul Michael Martini and Peter Anthony Martini. Selectively introducing security
issues in a sandbox environment to elicit malicious application behavior, July 28
2015. US Patent App. 14/811,797.
[8] Wikipedia sandbox (computer security), 2017. https://en.wikipedia.
org/wiki/Sandbox_(computer_security).
[9] Check Point the sandbox evolved: An advanced solution to defeat the unknown,
2015. http://blog.checkpoint.com/2015/09/09/thesandbox-
evolved-an-advanced-solution-to-defeat-the-
olerance9999emergencystretch3emhfuzz.5p@vfuzz\r hfuzzunknown/.
[10] Steven M Silva, Yadong Zhang, Eric Winsborrow, Johnson L Wu, and Craig A
Schultz. Network infrastructure obfuscation, April 28 2015. a US Patent 9,021,092.
[11] Hadi Nahari and Ronald L Krutz. Web commerce security: design and development.
2011.
[12] Docker platform, 2017. https://docs.docker.com/engine/docker-overview/.
[13] Surendra Mahajan, Akshay Mhasku Adagale, and Chetna Sahare. Intrusion detection
system using raspberry pi honeypot in network security. International Journal of
Engineering Science, 2792, 2016.
[14] Ar Kar Kyaw, Yuzhu Chen, and Justin Joseph. Pi-ids: evaluation of open-source
intrusion detection systems on raspberry pi 2. pages 165–170, 2015.
[15] Richard Lippmann and Andrew Clark. Recent Advances in Intrusion Detection.
2008.
[16] TechTarget defense in depth, 2007. http://searchsecurity.
techtarget.com/definition/defense-in-depth.
[17] Official snort website, 2017. https://www.snort.org/.

指導教授

張貴雲(Guey-Yun Chang)

審核日期

2017-8-2

推文