以系統呼叫為基礎改良式迴圈簡化演算法之異常入侵偵測系統理論與實作

以作者查詢圖書館館藏

、以作者查詢臺灣博碩士

、以作者查詢全國書目

、勘誤回報

、線上人數：34

、訪客IP：18.118.137.243

姓名

邱建宏(Jian-Hung Chiou) 查詢紙本館藏

畢業系所

通訊工程學系

論文名稱

以系統呼叫為基礎改良式迴圈簡化演算法之異常入侵偵測系統理論與實作

相關論文

★ 應用MSPP至DWDM都會光纖網路的設計	★ 光網路與WiMAX整合架構研究及其簡化雛型實驗
★ 以Linux系統為基礎之NAT效能優化研究及其實作	★ 光波長劃分多工網路之路徑保護機制研究
★ 標籤交換網路下具有服務品質路由安排之研究	★ 以訊務相關性為基礎的整合性服務可調整QoS排程器之研究
★ 以群體播送支援IPv6環境下移動式網路連結更新之研究	★ 無線區域網路資源動態分配之效能研究
★ 在微觀移動環境下有效資源保留之路徑管理研究	★ 無線網路交握程序之預先認證方法分析與比較
★ 無線區域網路虛擬允入控制之研究	★ IPv6環境下移動網路之連結更新程序及其效能之研究
★ 具有限數量波長轉換節點的分波多工網路之群播波長分配與容量計算研究	★ 階層化行動式IPv6移動錨點選擇機制研究
★ 具高能量移動節點之叢集式感測網路效能研究	★ 預先註冊之快速換手階層化行動式IPv6研究

檔案

[Endnote RIS 格式]

[Bibtex 格式]

[相關文章]

[文章引用]

[完整記錄]

[館藏目錄]

[檢視]

[下載]

本電子論文使用權限為同意立即開放。
已達開放權限電子全文僅授權使用者為學術研究之目的，進行個人非營利性質之檢索、閱讀、列印。
請遵守中華民國著作權法之相關規定，切勿任意重製、散佈、改作、轉貼、播送，以免觸法。

摘要(中)

近年來，網路安全事件頻傳，使用誤用入侵偵測技術可以有效偵測出已知攻擊，然而對於新型態的攻擊便無法偵測出。此時，異常入侵偵測正好提供了另外一個思考觀點，亦即對應用程式建立正常行為的資料庫，若有異於正常的行為則視為攻擊。Forrest (1996)發現程式所產生的系統呼叫可用來表示程式的行為，之後，陸陸續續有許多相關研究發表，本論文基於迴圈簡化演算法所造成的缺點來進行改良，且進一步可以判斷是否為攻擊者的偽造系統呼叫。此外，針對系統呼叫截取所造成的效能下降，亦提供了一項核心修改解決方案。透過本論文所提出的方式可以更具體地描述程式的行為，且為作業系統本身提供一個更加安全的防護。

摘要(英)

In recent years, network security events have undergone a major renaissance. Using misuse intrusion detection technology can detect attacks effectively, however, it cannot detect new kind of attacks. At this time, anomaly intrusion detection techniques provide another viewpoint that the database of normal behavior can be constructed according to application program, and it will detect deviations from this norm as attacks. Forrest (1996) shows the novel idea that system calls derived from application program can describe the behavior of program. Afterwards, a body of research has been published continually. In this paper, we modify the main drawbacks of loop reduction algorithm and determine whether the faked system calls made by attackers or not. Furthermore, we also put up a modified kernel approach to improve the declined effectiveness caused by system call interception. Therefore, in this paper we provide a method to describe the program behavior concretely, and afford a safer protection to operating systems.

關鍵字(中)

★ 異常入侵偵測
★ 系統呼叫
★ 迴圈簡化演算法
★ Linux核心

關鍵字(英)

★ system call
★ anomaly intrusion detection
★ and Linux kernel
★ loop reduction algorithm

論文目次

中文/英文摘要………………………………………………………………i
致謝 ………………………………………………………………………………ii
目錄 ………………………………………………………………………………iii
圖目錄 ……………………………………………………………………………v
表目錄 ……………………………………………………………………………vi
第一章序論………………………………………………………………………1
1-1研究背景
1-2研究目的與動機
1-3研究範圍與限制
1-4章節結構
第二章相關研究…………………………………………………………………4
2-1攻擊對系統呼叫的影響
2-2以系統呼叫為基礎的異常入侵偵測技術
2-2-1系統呼叫序列分析(N-gram method)
2-2-2系統呼叫靜態分析(Static analysis method)
2-2-3有限狀態機(FSA method)
2-2-4函式呼叫堆疊(VtPath method)
2-2-5系統呼叫參數資料流(Data-flow method)
2-2-6 其他
2-2-7 評比
2-3資料來源的探討
2-4迴圈簡化演算法
第三章改良式迴圈簡化演算法…………………………………………………22
3-1系統呼叫簡介
3-2改良式迴圈簡化演算法
第四章系統架構與設計…………………………………………………………29
4-1核心修改
4-2資料收集平台
第五章實驗與討論………………………………………………………………34
5-1實驗一
5-2實驗二
第六章結論………………………………………………………………………38
6-1貢獻
6-2總結
6-3未來方向
參考文獻…………………………………………………………………………39
附錄A……………………………………………………………………………42
附錄B……………………………………………………………………………43
附錄C……………………………………………………………………………44
附錄D……………………………………………………………………………48

參考文獻

[ASF BULLETIN 20020620] apache 安全漏洞公告http://httpd.apache.org/info/security_bulletin_20020617.txt
[CBS 2006] Abhishek Chaturvedi, Sandeep Bhatkar and R. Sekar, “Improving Attack Detection in Host-Based IDS by Learning Properties of System Call Arguments,” In IEEE Symposium on Security and Privacy, May 2006
[CVE-2004-0488] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0488
[DEKLST 2002] Paul Dokas, Levent Ertoz, Vipin Kumar, Aleksandar Lazarevic, Jaideep Srivastava, and Pang-Ning Tan, “Data Mining for Network Intrusion Detection,” In Proceedings of NSF Workshop on Next Generation Data Mining, 2002.
[ELS 2001] E. Eskin, W. Lee, and S. J. Stolfo, “Modeling system calls or intrusion detection with dynamic window size,” In Proceedings of DARPA Information Survivability Conference & Exposition II, 2001(DISCEX '01), Anaheim, CA, June 2001.
[FHSL 1996] S. Forrest, S. A. Hofmeyr, A. Somayaji, and T. A. Longstaff , “A sense of self for unix processes,” In Proceedings of the 1996 IEEE Symposium on Security and Privacy, Los Alamitos, CA, 1996.
[FKFLG 2003] Henry Hanping Feng, Oleg M. Kolesnikov, Prahlad Fogla, Wenke Lee, and Weibo Gong, “Anomaly Detection Using Call Stack Information,” In Proceedings of the 2003 IEEE Symposium on Security and Privacy.
[GJM 2002] Jonathon T. Giffin Somesh Jha Barton P. Miller, “Detecting Manipulated Remote Call Streams,” In the 11 th USENIX Security Symposium, 2002.
[gobbles-own-linux.c]
http://members.lycos.co.uk/r34ct/main/PRIVATE/spl0it/gobbles-own-linux.c
[HF 2000] S. A. Hofmeyr, S.Forrest, “Intrusion detection using sequences of system calls,” (http://www.cs.virginia.edu/~jones/cs851sig/slides/forrest-signature.ppt)
[HFS 1998] S. A. Hofmeyr, S. Forrest, and A. Somayaji , “Intrusion detection using sequences of system calls,” In Journal of Computer Security, Volume 6, pages 151-180, 1998.
[KMVV 2003] C Kruegel, D Mutz, F Valeur, G Vigna – Springer, “On the detection of anomalous system call arguments,” In the 8th European Symposium on Research in Computer Security, 2003.
[LC 2004] L.C. Lam and T.C. Chiueh, “Automatic Extraction of Accurate Application-Specific Sandboxing Policy,” In RAID 2004 , pages 1-20
[LM 2005] Alexander Liu, Cheryl Martin, “A Comparison of System Call Feature
Representations for Insider Threat Detection,” In Proceedings of the 2005 IEEE
Workshop on Information Assurance and Security.
[LSSP 2005] Jidong Long, Daniel G. Schwartz, Sara Stoecklin, and Mahesh K. Patel
, “Application of Loop Reduction to Learning Program Behaviors for Anomaly Detection,” In the Conference of Information Technology Coding and Computing, 2005.
[LV 2002] Yihua Liao, V. Rao Vemuri, “Using Text Categorization Techniques for Intrusion Detection,” In the 11 th USENIX Security Symposium, 2002.
[openssl-too-open.c] http://bismark.extracon.it/exploits/archivio/files/SSL_ETC/APACHEOPENSSL_2.C
[RHSA-2004:245-14] “Moderate: apache, mod_ssl security update,” In http://rhn.redhat.com/errata/RHSA-2004-245.html
[SBDB 2001] R. Sekar M. Bendre D. Dhurjati P. Bollineni, “A Fast Automaton-Based Method for Detecting Anomalous Program Behaviors,” In Proceedings of the 2001 IEEE Symposium on Security and Privacy.
[SecurityFocus 1] “Apache Mod_SSL SSL_Util_UUEncode_Binary Stack Buffer Overflow Vulnerability,” In http://www.securityfocus.com/bid/10355
[SecurityFocus 2] “Apache Chunked-Encoding Memory Corruption Vulnerability,” In http://www.securityfocus.com/bid/5033
[WD 2001] D. Wagner and D. Dean, “Intrusion detection via static analysis,” In Proceedings of the 2001 IEEE Symposium on Security and Privacy, Oakland, California, 2001.
[WDD 2000] A. Wespi, M. Dacier, and H. Debar, “Intrusion detection using variable-length audit trail patterns,” In Proceedings of the 3rd symposium on Recent Advances in Intrusion Detection (RAID 2000), Toulouse, France, October 2000.
[YA 2004] M.M. Yasin and A.A.Awan, “A Study of Host-Based IDS using System Calls,” In IEEE Networking and Communication, 2004, June 2004.

指導教授

許富皓、陳彥文
(Fu-Hau Hsu、Y. W. Chen)

審核日期

2006-7-18

推文