Thesis/Dissertation 88522029 Detailed Record




Author Ming-Shu Peng (彭銘樹)   Department Graduate Institute of Computer Science and Information Engineering
Thesis title Mobile Agent-Based Network Cooperated Defense Systems (應用移動式代理人之網路協同防衛系統)
Files Full text in the system: never open to access
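Abstract (translated from Chinese) Web servers that carry the weight of business operations often suffer severely reduced service availability, or even a complete halt of service, when facing network denial-of-service (DoS) attacks. Since such attacks still cannot be completely eliminated, this thesis proposes a mobile agent-based network cooperative defense system. Its goals are to reduce the damage that DoS attacks cause to web server systems and to raise the probability that most users connect successfully, so that the service remains accessible to the majority of users.
In the defense system, multiple cooperating network nodes monitor traffic, collecting the TCP connection-request traffic that passes through each node toward the web server. This traffic serves as the node's reference traffic pattern and as the basis for judging whether attack traffic is present. The defense limits the connection-request traffic allowed through, so that all connection-request traffic from that area is partially dropped. If the judgment that the traffic is an attack is correct, the damage to the server is reduced and, compared with no defense, users entering from other routing directions have a greater chance of obtaining service. If the sudden influx is instead connection requests from legitimate users, packet retransmissions lengthen connection setup time or cause timeouts; because the system is still serving normally, users should obtain service after several attempts as long as there are not too many of them. If, however, the amount of attack traffic converging on a cooperating network node is small, the attack cannot be detected; overall, though, the server's capacity should tolerate these small volumes of attack packets, so the server system should still be able to keep providing service.
The system applies mobile agent technology so that the server side and the cooperating defense side carry out program dispatch and traffic collection through mobile agents, which makes management more flexible. It also proposes a monitoring agent, a server agent and a commander agent built on the mobile agent concept, making the system's operation more flexible and better matched to its operating model. The monitoring agent has been implemented so far, and its function has been verified through experimental tests.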
Abstract (English) When under Denial of Service (DoS) attack, an enterprise's mission-critical systems often provide only a low service rate to users or even stop service altogether. Since the DoS threat seems unlikely ever to disappear, this paper proposes a mobile agent-based network cooperated defense system to reduce the damage the network server suffers and to increase the number of users who can successfully access the service.
The server gains more defensive ability from multiple cooperating network nodes, which collect the TCP connection request traffic and treat it as the traffic pattern of that network node. When the traffic departs from the safe pattern, the system issues a command to the network node to restrict SYN packet forwarding. If the judgment is correct, the damage to the server is reduced. Compared with the case without the cooperating network nodes' defense, the number of users who successfully gain access through other network nodes increases. If the large amount of SYN traffic comes from legitimate users, the restriction causes packet retransmissions and longer connection establishment times, or simply timeouts. Because the server is not under attack, if the number of users is not too large, the connection will be set up after a few retries. If the attack traffic is small, it will not be treated as an attack and will harm the server, but since the attack traffic is not large, the server should still be able to provide service continually.
The system is implemented with mobile agent technology, so code is dispatched from the management system side to the network node side, which makes system management more flexible. This paper also proposes a mobile agent-based monitoring agent, server agent and commander agent so that the system can operate with agility under real-world conditions. At the present phase, the monitoring agent has been implemented, and experimental tests have been carried out to verify its function.
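Keywords (Chinese) ★ SYN flooding attack
★  distributed denial-of-service attack
★  cooperative defense
★  mobile agent
★  traffic pattern
★  denial-of-service attack
Keywords (English) ★ cooperated defense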
★  DDoS
★  DoS
★  mobile agent
★  SYN flooding
★  traffic pattern
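Table of contents
Chapter 1 Introduction
1.1 Network security
1.2 Research objectives
1.3 Thesis organization
Chapter 2 Related work
2.1 DoS/DDoS attacks
2.1.1 Weaknesses of TCP/IP
2.1.2 Types of DoS attacks
2.1.3 DDoS network attacks
2.2 Defense strategies against DoS/DDoS attacks
2.2.1 Web server defensive measures
2.2.2 Traffic reduction
2.2.3 Firewall denial-of-service defense features
2.2.4 A secure network environment
2.2.5 The concept of survivability
2.3 Introduction to mobile agents
2.3.1 Advantages of mobile agents
2.3.2 Mobile agent system operation diagram
2.3.3 Mobile agent applications and development
2.3.4 Overview of mobile agent systems
Chapter 3 Design and implementation of the mobile agent-based network cooperative defense system
3.1 Functional requirements and network environment assumptions
3.2 Design of the server agent
3.3 Design of the monitoring agent
3.4 Design of the commander agent
3.5 System defense capability
3.6 System implementation environment
Chapter 4 System testing
4.1 System test environment
4.2 System test results
4.2.1 List of test cases
4.2.2 Case 1: Performance record with all users accessing normally
4.2.3 Case 2: Performance record with a denial-of-service attacker present but no defensive measures taken
4.2.4 Case 3: Performance record with cooperative defense measures taken
4.2.5 Case 4: Performance record with a denial-of-service attacker present but no defensive measures taken
4.2.6 Case 5: Performance record with defense based on a strict network-node traffic pattern
4.3 System test conclusions
Chapter 5 Conclusions and future directions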
Advisor Li-Der Chou (周立德)   Review date 2001-7-20