Thesis/Dissertation 955302005: Detailed Record




Name: 鄭宇弘 (YU-Hong Cheng)   Department: In-service Master Program, Department of Computer Science and Information Engineering
Thesis title: Anti-Phishing with Client-Server Cooperation -- Example by Online Transaction Website
(透過Server協同之網路釣魚防禦研究—以交易網站為例)
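  1. The access permission for this electronic thesis is: open access immediately.
  2. Electronic full texts that have reached their open-access date are licensed to users only for personal, non-profit searching, reading and printing for the purpose of academic research.
  3. Please comply with the Copyright Act of the Republic of China; do not reproduce, distribute, adapt, repost or broadcast the work without authorization, to avoid breaking the law.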

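Abstract (Chinese) What is a phishing attack? A phisher sends phishing mail to a victim; the victim clicks a malicious hyperlink in a message they mistake for one from a legitimate website and is led to a phishing page, where they disclose confidential personal information to the attacker, such as credit card numbers, account names and passwords. The phisher then redirects the victim to the legitimate page, so the victim can hardly notice what has just happened and falls into the phisher's trap.
This thesis therefore proposes a method in which the client side and the server side cooperate to prevent phishing attacks, and uses this cooperation to strengthen online transaction websites, in the hope of blocking phishing attacks more tightly. Under this cooperative defense, the client can supply a fake account name and password in place of the user's real ones to help report and trace a suspected attacker. This fake credential pair is agreed with the server in advance for countering phishers, so a phisher who obtains it has in effect been marked. When the phisher uses the agreed credentials to log in to the legitimate server, the server can identify the phisher by this mark. On detecting the anomalous credentials, the server can redirect the phisher to a Trap Server so that the phisher cannot attack the victim. Because the Trap Server imitates the legitimate website, all of the phisher's activity can be monitored there, and it is even possible to collect the account data of other, unaware victims and freeze those accounts. In this way the server side of the transaction website becomes another line of defense against phishing and reduces the threat of phishing attacks. Past anti-phishing approaches have mostly concentrated on the client side, but the server side should also take on more responsibility for blocking phishing: it has that responsibility and obligation, and it also has more resources with which to prevent phishing attacks.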
Abstract (English) As online transactions become increasingly popular, many users encounter phishing attacks. Phishers usually use phishing mail and web spoofing to lure victims. Victims who do not notice the phisher's trick leak their secret information to the phisher. Victims often carelessly fall into the trap through lack of attention.
In this thesis, we propose a Client-Server Cooperated Anti-Phishing method to detect phishing attacks. We use this method to strengthen the anti-phishing ability of an online transaction web site. The goals of the Client-Server Cooperated Anti-Phishing method are to detect the phisher, notify the client, report to the server, and trace back the phisher. Beyond client-side anti-phishing, having the server side put more effort into anti-phishing makes the online transaction environment safer, because the server side has more resources for anti-phishing.
Keywords (Chinese) ★ Network security
★ Internet fraud
★ Phishing
Keywords (English) ★ Phishing
★ Web spoofing
★ Internet Security
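Table of contents
Abstract (Chinese)
Abstract
Contents
List of figures
List of tables
Chapter 1 Introduction
1-1 Research background
1-2 Research motivation
1-3 Thesis organization
Chapter 2 Related work
2-1 Client-side defenses
2-1-1 Browser toolbar plug-ins
2-1-2 Application software
2-2 Server-side defenses
2-2-1 Blacklists
2-2-2 Yahoo security seal
2-3 Comparison of toolbars
Chapter 3 System design
3-1 Client-side toolbar detection flow
3-2 Client-server cooperative countermeasure flow
3-3 Trap Server countermeasure flow
Chapter 4 Experiments
4-1 Experimental environment
4-2 Client-side browser toolbar experiments
4-2-1 Experiment 1: Blacklist
4-2-2 Experiment 2: Phishing page redirection
4-3 Client & server cooperation experiment
4-4 Trap Server counter-phisher experiment
4-5 Experimental conclusions
Chapter 5 Discussion
Chapter 6 Conclusion and future work
References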
Advisor: 曾黎明 (Li-Ming Tseng)   Approval date: 2009-1-20