基於Router轉送紀錄的洪流訊務檢測系統

以作者查詢圖書館館藏

、以作者查詢臺灣博碩士

、以作者查詢全國書目

、勘誤回報

、線上人數：147

、訪客IP：3.137.161.222

姓名

楊素秋(Su-Chiu Yang) 查詢紙本館藏

畢業系所

資訊工程學系

論文名稱

基於Router轉送紀錄的洪流訊務檢測系統
(Flow-based Flooding Detection System)

相關論文

★ 整合多樣配置組態下的藍芽射頻驗證系統	★ 具檔案敘述相關語查詢之智慧型檔案搜尋系統
★ 具遲到者支援功能之網際網路簡報系統	★ 以快速廣播法建構熱門視訊隨選服務伺服器
★ 具事件同步再現特性之遠程電傳展示伺服器	★ 無線網路環境下之廣播資訊快速下載
★ 中文網站繁簡互訪協助系統	★ 支援時光平移播放之調適性現場直播演算法
★ 用於互動式廣播之段落對齊法	★ 熱門影片廣播法之影片區段復原機制
★ 配合熱門影片廣播的本地伺服器高效快取法	★ 一個增進SIP在防火牆環境中應用的協同模組
★ 考量網頁熱門度之一致性雜湊法解決網頁代理伺服器之負載平衡	★ 以網域名稱伺服器為基礎之色情網站過濾系統
★ 使用熱門廣播法及支援點對點傳輸之影音內容傳遞網路	★ 變動頻寬平滑化之熱門廣播演算法

檔案

[Endnote RIS 格式]

[Bibtex 格式]

[相關文章]

[文章引用]

[完整記錄]

[館藏目錄]

[檢視]

[下載]

本電子論文使用權限為同意立即開放。
已達開放權限電子全文僅授權使用者為學術研究之目的，進行個人非營利性質之檢索、閱讀、列印。
請遵守中華民國著作權法之相關規定，切勿任意重製、散佈、改作、轉貼、播送，以免觸法。

摘要(中)

論文提要
本論文陳述兩項主要的研究成果:洪流訊務檢測系統(FDS)與非內容查驗式的P2P訊務量測系統. FDS系統的第一要務是依據各類洪流攻擊特性選定傳訊特性項,作為訊務量測的基礎. 當轉送訊務紀錄被饋入系統時, 量測模組便能高效率地統計top-N的flooding訊務,例如:ICMP/UDP等即時性 packet flooding、 scanning/SYN flooding、 SMTP flooding.並提供檢測模組定期加總各時段的flooding訊務,比對packet size, packet rate或flow rate等訊務臨界值,篩選異常的攻擊訊務並自動通告用戶,或限制嚴重攻擊源的通訊.
本研究也依據P2P網路的高頻次連接特性,實做非內容查驗式的P2P訊務量測系統,協助網路用戶與管理者掌握大傳訊量的P2P節點, P2P應用阜的訊務分布. Flow-based FDS與P2P量測系統已成功地裝設於一個TANet骨幹節點網路,持續執行flooding訊務量測與檢測,自動發送電子郵件通知用戶或管理者修補感染的系統,也自動設定骨幹router限流嚴重的異常flooding訊務. 統計的通告abuse 訊務與flooding檢測結果間的相關數據也顯示: 相當高比率的被通告abuse主機 (包括: scanning/SYN flooding、 spam 、違反智財權) 可由自動檢測的異常訊務列中檢得.

摘要(英)

Abstract
In this thesis, we present two specific contributions, the flow-based flooding detection system (FDS) and P2P traffic measurement system. The key idea of FDS is constructing the set of features and corresponding criteria according to the interested flooding behaviors, and aggregating the flooding traffic based on the constructed features. Then, the detection module accumulates the interested statistical variables, and compares those traffic variables with the thresholds. Once all the variables exceeded the estimated quantifiers, the detector alarms the anomalies and trigs response module to notify owners of the anomalous systems, and limit the significant real-time flooding traffic.
The flow-based P2P traffic measurement system is developed based on the connection-intensive feature of P2P network for providing network users grasp the P2P traffic and the aggressive participants. FDS and P2P traffic measurement systems have been deployed over an aggregate network of TANet backbone for effectively detecting and limiting the significant flooding anomalies. The detection result shows that a high proportion of the notified abuse traffic, including port scanning, spam, and copyright infringement, could be picked up from the detected anomalies and the measured aggressive P2P peers.

關鍵字(中)

★ 廣告電子郵件
★ 洪流訊務檢測系統
★ P2P訊務量測
★ 安全弱點掃描

關鍵字(英)

★ Flow-based flooding detection system (FDS)
★ spam
★ P2P traffic measurement
★ scanning flooding

論文目次

Table of Contents
論文提要 ii
Abstract iii
誌謝 iv
Table of Contents v
List of Figures vii
List of Tables viii
Acronyms ix
Chapter 1 Introduction 1
1.1 Problem Statement 1
1.1.1 Distributed Flooding Attack 2
1.1.2 SMTP Flooding 3
1.1.3 Rapid Growth of P2P Traffic 3
1.2 The Approaches 4
1.3 Organization of the Dissertation 5
Chapter 2 Preliminary and Related Work 8
2.1 Packet-Based Traffic Measurement 8
2.2 Flow-based Traffic Measurement 10
2.3 Intrusion Detection System 12
2.3.1 Misuse Detection 12
2.3.2 Anomaly Detection 13
2.3.3 Response Option for IDSs 14
2.4 Minnesota Intrusion Detection System 15
2.4.1 Data Mining Approach 15
2.4.2 MINDS 16
Chapter 3 Flooding Detection System 18
3.1 System Design 18
3.2 Flow Data Capture 19
3.3 Feature Construct 20
3.3.1 Feature of Real-Time Packet Flood 21
3.3.2 Feature of Scanning/SYN Flood 22
3.3.3 Feature of SMTP Flood 24
3.4 Feature-based Traffic Aggregation 25
3.5 Flooding Traffic Detection 27
3.6 Automatic Response 32
3.6.1 Automatic Notification 33
3.6.2 Automatic Traffic Limitation 34
Chapter 4 Evaluation of FDS 36
4.1 Real-Time Packet Flooding 36
4.2 Scanning/SYN Flooding 42
4.3 Anomalous SMTP Flooding 45
4.4 Link between the Flooding Traffic and the Notified Abuses 46
4.5 Comparison of FDS and MINDS 48
Chapter 5 Flow-based P2P Traffic Measurement 51
5.1 Feature of the Distributed P2P Network 51
5.2 P2P Traffic Measurement 52
5.2.1 Figuring out Connection-intensive Stubs 52
5.2.2 P2P Traffic Aggregation 54
5.3 Monitoring the Aggressive P2P Traffic 56
5.4 Relation between the Aggressive P2P Peers and the Notifies Infringement 59
Chapter 6 Conclusion and Future Work 61
References 63

參考文獻

References
[1] Darrell M.; Kienzle; Matthew C.; Recent Worms: A Survey and Trends, Proceedings of the 2003 ACM workshop on Rapid Malcode, Oct 2003, pages: 1-10.
[2] Levenhagen R., Trends, Codes and Virus Attack- 2003 year in review, Network Security, Vol. 2004 Issue 1, Jan 2004, Pages: 13-15.
[3] Clark J., The Consumer Desktop – The Weak Link in Internet Security and Why ISP’s Are Uniquely Positioned to Help”, Systems Administrators And Security Managers (SANS) Technique Reports, Feb 2003. Pages: 1-32.
[4] Houle K.J.; Weaver G.M., Trends in Denial of Service Attack Technology, CERT Coordination Center, Oct 2001, Pages: 1-20.
[5] Chang, R.K.C.; Defending against Flooding-based Distributed Denial-of-Service Attacks, Communications Magazine, IEEE, Volume: 40, Issue: 10, Oct 2002, Pages: 42 – 51.
[6] Harris D., Drowning in Sewage- SPAM, Asia Pacific Regional Internet Conference on Operational Technologies (APRICOT) Conference, Feb 2004.
[7] Cranor L.F.; LaMacchia B.A.; Spam; Communications of the ACM, Volume 41, Issue 8, Aug 1998, Pages: 74 – 83.
[8] Soonthornphisaj N.; Chaikulseriwat K.; Piyanan Tang-On; Anti-spam filtering: a centroid-based classification approach, 2002 6th International Conference on Signal Processing, Volume: 2, 26-30 Aug. 2002, Pages: 1096 – 1099.
[9] Request for Comments: 2821, Simple Mail Transfer Protocol, Apr 2001.
[10] Request for Comments: 2505, Anti-Spam Recommendations for SMTP MTAs, Feb 1999.
[11] Geer D., Will new standards help curb spam, Computer, Volume: 37, Issue: 2, Feb. 2004, Pages: 14 – 16.
[12] Levy, E.; The making of a spam zombie army. Dissecting the Sobig worms, Security & Privacy Magazine, IEEE, Volume: 1, Issue: 4, July-Aug. 2003, Pages: 58 – 59.
[13] Bass, T.; Watt, G., A simple framework for filtering queued SMTP mail, MILCOM 97 Proceedings, Vol 3, Nov 1997, Pages: 1140 - 1144.
[14] Vaughan-Nichols S.J., Saving private e-mail, IEEE Spectrum, Volume: 40, Issue: 8, Aug. 2003, Pages: 40 – 44.
[15] Sen A.; Spatscheck O.; Wang D.; Accurate, Scalable In-Network Identification of P2P Traffic Using Application Signatures; The 13th World Wide Web Conference, May 2004, Pages: 512- 521.
[16] Mahoney M.V., Network Traffic Anomaly Detection Based on Packet Bytes, Proceedings of the 2003 ACM symposium on Applied computing, Mar 2003, Pages: 346-350.
[17] Williamson C., Internet traffic Measurement, IEEE Internet Computing, Nov 2001, Pages: 70-74.
[18] Kushida T., The traffic measurement and the empirical studies for the Internet, GLOBECOM, Volume 2, 1998, Pages: 1142-1147.
[19] Luca D.; Finsiel S.A., Effective Traffic Measurement Using Ntop, IEEE Communications Magazine, May 2000, Pages: 138-143.
[20] Wang H.; Zhang D.; Shin K. G.; Detecting SYN flooding attacks, twenty-First Annual Joint Conference of the IEEE Computer and Communications Societies (INFOCOM 2002), Volume: 3, Jun 2002, Pages: 1530 – 1539.
[21] Wang H.; Zhang D.; Shin, K.G.; SYN-dog: sniffing SYN flooding sources. Proceedings. 22nd International Conference on Distributed Computing Systems, Jul 2002, Pages: 421 – 428.
[22] Zhang Y.; Paxson V., Detecting Backdoors, Proceedings of 9th USENIX Security Symposium, 2000.
[23] Roesch M., Snort - Lightweight Intrusion Detection for Networks, Proceedings of 13th Systems Administration Conference (LISA '99), Nov 1999, Pages: 229 – 235.
[24] Huston G., Measuring IP Network Performance, The Internet Protocol Journal, Mar 2003, Pages: 2-9.
[25] Duffield N.; Lund C., Predicting Resource Usage and Estimation Accuracy in an IP Flow Measurement Collection Infrastructure, Proceedings of the 2003 ACM SIGCOMM conference on Internet measurement, Oct 2003, Pages: 179-191.
[26] Fullmer M., The OSU Flow-tools Package and Cisco Netflow Logs, Proceedings of 14th Systems Administration Conference (LISA 2000), Dec 2000, Pages: 291 – 303.
[27] Plonka D., FlowScan: A network traffic flow reporting and visualization tool, Proceedings of 14th Systems Administration Conference (LISA 2000), Dec 2000, Pages: 305 – 317.
[28] Barford P.; Plonka D., Characteristics of network traffic flow anomalies, Proceedings of the First ACM SIGCOMM Workshop on Internet Measurement, Nov 2001, Pages: 69 –73.
[29] Liu D.; Huebner F., Application Profiling of IP Traffic, Proceedings of the 27th Annual IEEE Conference on Local Computer Networks (LCN’02), Nov 2002, Pages: 220 – 229.
[30] Base R.; Mell P., Intrusion Detection Systems, National Institute of Standards and Technology (NIST) Special Publication on IDS. Pages: 74 – 83.
[31] Porras P. A.; Valdes A.; Live Traffic Analysis of TCP/IP Gateways, Networks and Distributed Systems Security Symposium, Mar 1998.
[32] Urupoj K.; Surasak S.; Wipa J., A Rule-based Approach for Port Scanning Detection, Electrical Engineering Conference (EECON-23), Nov 2000.
[33] Kruegel C.; Mutz D.; Robertsom W.; Valeur F.; Bayesian Event Classification for Intrusion Detection, 19th Annual Computer Security Applications Conference, Dec 2003.
[34] Sebyala A. A.; Olukemi T.; Sacks L., Active Platform Security through Intrusion Detection Using Naïve Bayesian Network for Anomaly Detection, in London Communications Symposium (LCS 2002).
[35] Mirkovic J.; Reiher P., A taxonomy of DDoS attack and DDoS defense mechanisms, ACM SIGCOMM Computer Communication Review, Vol 34, Issue 2, Apr 2004, Pages: 39-53.
[36] Breunig M.; Kriegel H.P.; Sander J; LOF: Identifying Density-Based Local Outliers, Proceedings of the ACM SIGMOD Conference on Management of Data, 2000. Pages: 1-12.
[37] Han H.; Lu X.L.; Lu J.; Bo C.; Yong R.L., Data mining aided signature discovery in network-based intrusion detection system, ACM SIGOPS Operating Systems Review, Vol. 36, Issue 4, Oct 2002, Pages: 7-13.
[38] PATRICIU V.V.; Rusu L.; Priescu I., Data Mining Approaches for Intrusion Detection in Email System Internet-Based, RoEduNet (Romanian Education Network) Conference 2003, Jun 2003, Pages: 144-147.
[39] Lee W.; Stolfo S. J.; A Framework for Constructing Features and Models for Intrusion Detection System, ACM Transactions on Information and System Security, Vol. 3, No. 4, Nov 2000, Pages: 227 – 261.
[40] Dokas P.; Eilertson E.; Ertoz L.; Kim Y.; Lazarevic A.; Svastava J.; Kumar P.; Tan P.N.; Zhang Z., Data Mining for Network Intrusion Detection, Digital Technology Center, University of Minnesota, Mar 2003. Pages: 1 – 21.
[41] Ertoz, L., Lazarevic, A.;Eilertson, E.;Lazarevic, A., Tan, P.; Dokas P. ; Kumar, V.; Srivastava, J.; Protecting Against Cyber Threats in Networked Information Systems, SPIE Annual Symposium on AeroSense, Battlespace Digitization and Network Centric Systems III, April, 2003.
[42] Kanamaru A.; Ohtak K.; Kato N.; Mansfield G.; Nemoto Y., A simple packet aggregation technique for fault detection, International Journal of Network Management, Volume 10 Issue 4, July 2000, Pages: 215-228.
[43] Vivo M.; Carrasco E.; Isern G. Vivo G. O., A Review of Port Scanning Techniques, ACM SIGCOMM Computer Review, Vol 29, Issue 2, Apr 1999, Pages: 41-48.
[44] Steven W.R.; TCP/IP Illustrated, Volume 1, Addison-Wesley Publishing Company, Inc, 1994.
[45] Costales Bryan; Allman E., Sendmail, O’Reilly & Associates, Inc.2003.
[46] Bass, T.; Watt, G.; A simple framework for filtering queued SMTP mail (cyberwar countermeasures), MILCOM 97 Proceedings, Volume: 3, 2-5 Nov. 1997, Pages: 1140 – 1144.
[47] Request for Comments 2167; Referral Whois (RWhois) Protocol V1.5. S. Williamson, M. Kosters, D. Blacka, J. Singh, K. Zeilstra. June 1997.
[48] Yang S. C.; Tseng L. M., Automatic Detect and Notice Abnormal SMTP Traffic and Email Spammer, Proceedings of Cross-Strait Information Technology Conference (CSIT 2003) Conference, Nov 2003.
[49] Request for Comments: 1354, IP Forwarding Table MIB, July 1992.
[50] Huitema C., Routing in the Internet, Prentice Hall, Inc. 1995, Pages: 27-64.
[51] Request for Comments: 1213, Management Information Base for Network Management　of TCP/IP-based internets: MIB-II, 1991.
[52] Yang S. C.; Tseng L. M., Monitoring X-Attack Traffic over Aggregate Network, National Computer Symposium (NCS-2003), Dec 2003, Pages: 406 - 413.
[53] Saroiu S.; Krishna P.; Gribble S.D.; A Measurement Study of Peer-to-Peer File Sharing Systems, in Proceedings of Multimedia Computing and Networking (MNCN), Jan 2002.
[54] Ripeanu, M.; Peer-to-peer architecture case study: Gnutella network, First International Conference on Peer-to-Peer Computing Proceedings, Aug. 2001.
[55] Clifford, M.; Faigin, D.; Bishop, M.; Brutch, T.; Miracle cures and toner cartridges: finding solutions to the spam problem, 19th Annual Computer Security Applications Conference, 2003, Pages: 428 – 429.
[56] Sen, S.; Jia Wang; Analyzing peer-to-peer traffic across large networks, IEEE/ACM Transactions on Networking, Volume: 12, Issue: 2, April 2004, Pages: 219 – 232.
[57] Sion R.; Atallah M.; Prabhakar S.; On-the-fly intrusion detection for Web portals, Information Technology, International Conference on Coding and Computing Proceedings. ITCC 2003, April 2003, Pages: 325 – 330.
[58] Cho K.; Kaizaki R.; Kato A.; An Aggregation Technique for Traffic Monitoring, Proceedings of the 2002 Symposium on Applications and the Internet (SAINT’02w), 2002.
[59] Beyah, R.A.; Holloway, M.C.; Copeland, J.A.; Invisible Trojan: an architecture, the implementation and detection method, the 2002 45th Midwest Symposium on Circuits and Systems (MWSCAS-2002), Volume 3, Aug. 2002, Pages: III-500 - III-504.

指導教授

曾黎明(Li-Ming Tseng)

審核日期

2004-7-15

推文