Thesis record 106522033: details




Author: Wei-Yu Chen (陳韋佑)    Department: Computer Science and Information Engineering
Title: Machine Learning-based DDoS Attacks Detection for Moving Target Defense Networks
(在移動目標防禦下基於機器學習之DDoS攻擊偵測機制)
Related theses
★ A Study of Stable QoS Routing Mechanisms in Wireless Mobile Ad Hoc Networks
★ A Network Management System Using Multiple Mobile Agents
★ A Cooperative Network Defense System Using Mobile Agents
★ A Study of QoS Routing under Uncertain Link-State Information
★ Improving Path Setup Performance in Optical Burst Switching by Traffic Observation
★ Applying Sensor Networks and Game Theory to Comfort-oriented Air Conditioning
★ A Search-Tree-based Routing Algorithm for Wireless Sensor Networks
★ A Lightweight Mobile-Device Positioning System Based on Wireless Sensor Networks
★ A Multimedia Guided Toy Car
★ A Smart Floor-based Guided Toy Car
★ A Mobile Social Network Service Management System for Families of Children with Developmental Delays
★ A Location-aware Wearable Mobile Advertising System
★ Adaptive Vehicular Broadcasting
★ An Early-Warning Vehicle Collision Avoidance Mechanism for Vehicular Networks
★ A Cooperative Traffic Information Dissemination Mechanism for Wireless Vehicular Networks to Relieve Congestion
★ Adaptive Virtual Traffic Signals Using Vehicular Networks to Relieve Congestion in Smart Cities
Full text: not available online (never released)
Abstract (Chinese, translated) In recent years, Internet of Things (IoT) technology has developed rapidly; by 2020 the number of Internet-connected IoT devices was estimated to reach tens of billions. Because most IoT devices have little computing power, they generally lack sound security mechanisms, which has driven rapid growth in IoT-based botnets. Advances in networking technology and the spread of the IoT industry have diversified attackers' techniques, and botnets built from insecure IoT devices are commonly used to launch Distributed Denial-of-Service (DDoS) attacks that disrupt network equipment and exhaust server resources. This thesis therefore applies machine learning, training an intelligent traffic classifier on the CIDDS-001 dataset to detect DDoS attacks and identify clients. To address the fact that traditional network defense is easy to attack and hard to defend, it adopts new network architectures and defense strategies: Software-defined Networking (SDN), whose centralized control plane makes the network easy to manage and flexible, and Moving Target Defense (MTD), which changes the information about the protected target in order to confuse attackers and divert attack traffic.
The proposed ATBM is an MTD mechanism for an SDN environment. Using the intelligent traffic classifier to detect malicious traffic and analyze client behavior, it can effectively detect DDoS attacks and distinguish legitimate from malicious clients. To verify the robustness of the classifier, 20% of the CIDDS-001 dataset is held out as testing data, on which the classifier reaches an F1-score of 99.1%. In addition, a security system based on the ATBM mechanism was implemented, and Docker was used to simulate multiple zombie devices launching DDoS attacks against the system's Master Server. The experimental results show that 98.11% of TCP SYN flooding traffic and 96.44% of UDP flooding traffic is blocked from entering the system: moving target defense keeps malicious traffic from reaching the Master Server, so legitimate clients can access its resources unaffected by the DDoS attack.
Abstract (English) In recent years, Internet of Things (IoT) technology has developed rapidly; by 2020, more than ten billion IoT devices were expected to be connected to the Internet. Because IoT devices have low processing capability, weaknesses in their security mechanisms have caused rapid growth of IoT-based botnets such as Mirai and Torii. Botnets are often used to carry out Distributed Denial-of-Service (DDoS) attacks (TCP flooding, UDP flooding, HTTP flooding, etc.), and advances in Internet technology have made it easy for attackers to control large numbers of zombie devices. How to effectively detect and defend against DDoS attacks is therefore an important research topic.
To address this network defense problem, new network architectures and defense strategies are adopted: Software-defined Networking (SDN), whose centralized control plane makes the network architecture easy to manage and flexible, and Moving Target Defense (MTD), which confuses attackers and redirects abnormal traffic by changing the information about the target being defended.
The proposed ATBM is an MTD-based mechanism for an SDN environment. It performs abnormal-traffic detection and behavior analysis on network traffic with an abnormal traffic classifier, which detects DDoS attacks and identifies legitimate and malicious clients. To verify the stability of the classifier, 20% of the CIDDS-001 dataset is used as testing data; the classifier's F1-score is 99.1%. In addition, an ATBM-based security system was implemented, and 100 zombie devices were simulated performing DDoS attacks against the Master Server of the ATBM system. With the MTD approach, the proposed mechanism effectively protects legitimate clients and the Master Server from DDoS attacks: according to the experimental results, it prevents 98.11% of abnormal traffic from TCP SYN flooding attacks and 96.44% of abnormal traffic from UDP flooding attacks from reaching the ATBM system.
Keywords (Chinese and English)
★ Distributed Denial-of-Service
★ Software-defined Networking
★ Moving Target Defense
★ Machine Learning
★ NetFlow
Table of contents
Abstract (Chinese)
Abstract (English)
Acknowledgements
Contents
List of Figures
List of Tables
Chapter 1 Introduction
1.1 Overview
1.2 Motivation
1.3 Objectives
1.4 Organization
Chapter 2 Background and Related Work
2.1 Distributed Denial-of-Service Attacks
2.2 Moving Target Defense
2.3 Software-defined Networking
2.4 NetFlow
2.5 Machine Learning
2.6 Comparison of Related Work
Chapter 3 Methodology
3.1 System Architecture and Design
3.1.1 Dataset Handler module
3.1.2 Feature Selection module
3.1.3 ML Algorithm module
3.1.4 Traffic Collector module
3.1.5 NetFlow Handler module
3.1.6 NetFlow Classification module
3.1.7 Classification Collector module
3.1.8 Abnormal Traffic Detection module
3.1.9 Behavior Analysis module
3.1.10 DstServer Selection module
3.1.11 DDoS Decision module
3.1.12 Flow Rule Manager module
3.2 System Operation and Mechanisms
3.2.1 System Definitions and Assumptions
3.2.2 System Notation Table
3.2.3 System Workflow
3.2.4 Training Modules Workflow
3.2.5 Classification Modules Workflow
3.2.6 Attack Detection Modules Workflow
3.2.7 SDN MTD Modules Workflow
3.3 System Implementation
Chapter 4 Experiments and Discussion
4.1 Scenario 1: Evaluation and Testing of the SDN Moving Target Defense System
4.1.1 Experiment 1: Functional Verification of the DNS Service
4.1.2 Experiment 2: Functional Verification of the SDN Moving Target Defense System
4.1.3 Experiment 3: Network Performance Analysis of the SDN Moving Target Defense System
4.2 Scenario 2: Analysis and Evaluation of the Machine-Learning Traffic Classifier
4.2.1 Experiment 4: Analysis and Comparison of Multi-Layer Perceptrons
4.2.2 Experiment 5: Analysis and Comparison of Supervised Machine Learning
4.2.3 Experiment 6: Analysis and Comparison of Recursive Feature Elimination
4.3 Scenario 3: Evaluation and Discussion of the ATBM Mechanism
4.3.1 Experiment 7: Distinguishing Legitimate and Malicious Clients
4.3.2 Experiment 8: DDoS Attack Mitigation and Discussion
4.3.3 Experiment 9: Preventing Server Discovery Attacks and Discussion
Chapter 5 Conclusion and Future Work
5.1 Conclusion
5.2 Limitations
5.3 Future Work
References
References [1] Wikipedia, Denial of Service attack [Online]. Available: https://en.wikipedia.org/wiki/Denial_of_Service_attack.
[2] Wikipedia, Intrusion detection system [Online]. Available: https://en.wikipedia.org/wiki/Intrusion_detection_system.
[3] Botnet - Definition - Trend Micro USA [Online]. Available: https://www.trendmicro.com/vinfo/us/security/definition/botnet.
[4] Introduction DDoS Attacks [Online]. Available: http://www.cc.ntu.edu.tw/chinese/epaper/0026/20130920_2606.html.
[5] GitHub survived the biggest DDoS attack ever recorded [Online]. Available: https://www.wired.com/story/github-ddos-memcached/.
[6] R. Zhuang, S. Zhang, A. Bardas, S. A. DeLoach, X. Ou, and A. Singhal, "Investigating the application of moving target defenses to network security," in 2013 6th International Symposium on Resilient Control Systems (ISRCS), 2013: IEEE, pp. 162-169.
[7] R. Zhuang, A. G. Bardas, S. A. DeLoach, and X. Ou, "A theory of cyber attacks: A step towards analyzing MTD systems," in Proceedings of the Second ACM Workshop on Moving Target Defense, 2015: ACM, pp. 11-20.
[8] C. Guilin, W. Baosheng, W. Tianzuo, L. Yuebin, W. Xiaofeng, and C. Xinwu, "Research and development of moving target defense technology," Journal of Computer Research and Development, vol. 53, no. 5, pp. 968-987, 2016.
[9] S. Jajodia, A. K. Ghosh, V. Swarup, C. Wang, and X. S. Wang, Moving target defense: creating asymmetric uncertainty for cyber threats. Springer Science & Business Media, 2011.
[10] M. Azab, R. Hassan, and M. Eltoweissy, "ChameleonSoft: a moving target defense system," in 7th International Conference on Collaborative Computing: Networking, Applications and Worksharing (CollaborateCom), 2011: IEEE, pp. 241-250.
[11] Address space layout randomization [Online]. Available: https://en.wikipedia.org/wiki/Address_space_layout_randomization.
[12] A. K. Bangalore and A. K. Sood, "Securing web servers using self cleansing intrusion tolerance (scit)," in 2009 Second International Conference on Dependability, 2009: IEEE, pp. 60-65.
[13] H. Okhravi, A. Comella, E. Robinson, and J. Haines, "Creating a cyber moving target for critical infrastructure applications using platform diversity," International Journal of Critical Infrastructure Protection, vol. 5, no. 1, pp. 30-39, 2012.
[14] P. Wood, C. Gutierrez, and S. Bagchi, "Denial of service elusion (DoSE): Keeping clients connected for less," in 2015 IEEE 34th Symposium on Reliable Distributed Systems (SRDS), 2015: IEEE, pp. 94-103.
[15] Wikipedia, Content Delivery Network [Online]. Available: https://en.wikipedia.org/wiki/Content_delivery_network.
[16] Wikipedia, Internet Engineering Task Force [Online]. Available: https://en.wikipedia.org/wiki/Internet_Engineering_Task_Force.
[17] Wikipedia, Software-defined networking [Online]. Available: https://en.wikipedia.org/wiki/Software-defined_networking.
[18] Wikipedia, Open Networking Foundation [Online]. Available: https://en.wikipedia.org/wiki/Open_Networking_Foundation.
[19] N. McKeown et al., "OpenFlow: enabling innovation in campus networks," ACM SIGCOMM Computer Communication Review, vol. 38, no. 2, pp. 69-74, 2008.
[20] Ryu component-based software defined networking framework [Online]. Available: https://github.com/osrg/ryu.
[21] J. H. Jafarian, E. Al-Shaer, and Q. Duan, "Openflow random host mutation: transparent moving target defense using software defined networking," in Proceedings of the first workshop on Hot topics in software defined networks, 2012: ACM, pp. 127-132.
[22] 黃柏勝, "A DDoS Attack Defense Mechanism Based on SDN, NFV and Moving Target Defense," M.S. thesis, Dept. of Computer Science and Information Engineering, National Central University, Taoyuan, Taiwan, 2017.
[23] Wikipedia, NetFlow [Online]. Available: https://en.wikipedia.org/wiki/NetFlow.
[24] H. Benaddi, K. Ibrahimi, and A. Benslimane, "Improving the Intrusion Detection System for NSL-KDD Dataset based on PCA-Fuzzy Clustering-KNN," in 2018 6th International Conference on Wireless Networks and Mobile Communications (WINCOM), 2018: IEEE, pp. 1-6.
[25] M. Ring, S. Wunderlich, D. Grüdl, D. Landes, and A. Hotho, "Flow-based benchmark data sets for intrusion detection," in Proceedings of the 16th European Conference on Cyber Warfare and Security. ACPI, 2017, pp. 361-369.
[26] OpenStack [Online]. Available: https://www.openstack.org/.
[27] KDD Cup 1999 Dataset [Online]. Available: http://kdd.ics.uci.edu/databases/kddcup99/.
[28] NSL-KDD dataset [Online]. Available: https://www.unb.ca/cic/datasets/nsl.html.
[29] The CTU-13 Dataset. A Labeled Dataset with Botnet, Normal and Background traffic [Online]. Available: https://www.stratosphereips.org/datasets-ctu13.
[30] V. Jyothi, X. Wang, S. K. Addepalli, and R. Karri, "Brain: Behavior based adaptive intrusion detection in networks: Using hardware performance counters to detect ddos attacks," in 2016 29th International Conference on VLSI Design and 2016 15th International Conference on Embedded Systems (VLSID), 2016: IEEE, pp. 587-588.
[31] M. Zekri, S. El Kafhali, N. Aboutabit, and Y. Saadi, "DDoS attack detection using machine learning techniques in cloud computing environments," in 2017 3rd International Conference of Cloud Computing Technologies and Applications (CloudTech), 2017: IEEE, pp. 1-7.
[32] Snort - Network Intrusion Detection & Prevention System [Online]. Available: https://www.snort.org.
[33] Technical Report CIDDS-001 data set [Online]. Available: https://www.hs-coburg.de/fileadmin/hscoburg/Forschung/WISENT_cidds_Technical_Report.pdf.
[34] Wikipedia, Activation function [Online]. Available: https://en.wikipedia.org/wiki/Activation_function.
[35] Ryu SDN Framework [Online]. Available: https://osrg.github.io/ryu/.
[36] Open vSwitch [Online]. Available: https://www.openvswitch.org/.
[37] Docker: Enterprise Application Container Platform [Online]. Available: https://www.docker.com/.
[38] NGINX | High Performance Load Balancer, Web Server, & Reverse Proxy [Online]. Available: https://www.nginx.com/.
[39] Bmon: bandwidth monitor and rate estimator [Online]. Available: https://github.com/tgraf/bmon.
[40] Softflowd: A flow-based network traffic analyser capable of Cisco NetFlow data export software [Online]. Available: https://github.com/irino/softflowd.
[41] iPerf - Download iPerf3 and original iPerf pre-compiled binaries [Online]. Available: https://iperf.fr/iperf-download.php.
[42] hping3 | Penetration Testing Tools [Online]. Available: https://tools.kali.org/information-gathering/hping3.
[43] cURL [Online]. Available: https://en.wikipedia.org/wiki/CURL.
[44] Tcpreplay - Pcap editing and replaying utilities [Online]. Available: https://tcpreplay.appneta.com/.
[45] Hydra: Penetration testing tool [Online]. Available: https://github.com/vanhauser-thc/thc-hydra.
Advisor: Li-Der Chou (周立德)    Approval date: 2019-08-15
