Thesis/Dissertation 955202076: Detailed Record




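Name: Chun-yu Chen (陳俊佑)   Department: Computer Science and Information Engineering
Thesis title: A Mechanism for Defending Against Backdoor Programs Based on TCP Connection Behavior
(A Novel Behavior-Based Solution to Backdoors)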
Related theses
★ USB WORM KILLER: Cure USB Flash Worms Through a USB Flash Worm
★ Discoverer: A Real-Time Rootkit Detection System
★ A Detection and Defense Mechanism for Fraudulent SMS Messages on Android Phones
★ The SRA System: Defending Against ARP-Spoofing Router Hijacking
★ A Solution for Detecting and Defending ARP Spoofing on Virtual Machines
★ An Automated Real-Time Counterattack System Against Remote Buffer Overflow Attacks
★ Real-Time Serum System: An Automated Worm-Curing System with an Offensive Barrier
★ DNSPD: Entrap Botnets Through DNS Cache Poisoning Detection
★ TransSQL: A Translation and Validation-based Solution for SQL-Injection Attacks
★ A Spam Mail-based Solution for Botnet Detection and Network Bandwidth Protection
★ Shark: Phishing Information Recycling from Spam Mails
★ FFRTD: Beat Fast-Flux by Response Time Differences
★ Antivirus Software Shield against Antivirus Terminators
★ MAC-YURI : My ACcount, YoUr ResponsIbility
★ KKBB: Kernel Keylogger Bye-Bye
★ CIDP Treatment: An Innovative Mobile Botnet Covert Channel based on Caller IDs with P8 Treatment
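  1. Access permission for this electronic thesis: approved for immediate open access.
  2. The open-access electronic full text is licensed to users only for personal, non-profit searching, reading and printing for academic research purposes.
  3. Please comply with the relevant provisions of the Copyright Act of the Republic of China; do not reproduce, distribute, adapt, repost or broadcast it without authorization, to avoid breaking the law.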

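Abstract (Chinese) Malware has evolved from early viruses, worms, Trojan horses and backdoor programs to today's rootkits, spyware and spamware. The techniques it uses keep changing, its means of infiltration are increasingly diverse, and the losses it causes grow larger by the day. This malware spreads through the many propagation channels that networks offer, posing a huge threat to the security of networks and of the hosts on them.
Among the many attack methods, opening a backdoor is the most important step for an attacker who wants to control a victim host. Common Trojan horses and backdoor programs mostly disguise themselves as ordinary legitimate programs, for example by taking the same name as a legitimate program, to avoid being noticed by users. Once an attacker obtains a backdoor process with system administrator (root) privilege, the attacker can do whatever they want to the victim computer.
In this thesis, we propose a new defense mechanism that distinguishes normal programs from backdoor programs based on how a process uses the network (behavior-based), effectively protecting the system from being controlled by backdoor programs. We detect the possibility of an attack before system information is abnormally sent out over the network and terminate the suspicious process before the damage spreads. This prevents the attacker from using the backdoor program for follow-up malicious activity and improves the security of systems and network servers.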
Abstract (English) With the growing popularity of computers and the Internet, more information security problems have to be taken into consideration. From old-time viruses to newer worms, Trojan horses and backdoors, attackers today develop a variety of malware for personal gain. Malware such as rootkits, spyware and spamware spreads through all kinds of network applications, and it poses a huge threat to Internet and system security.
To control victim computers, opening a backdoor is the most important step among all attack methods. Conventional Trojan horses and backdoors may disguise themselves as normal programs, for example by using the same name as a normal program, in order to deceive users. Once attackers obtain a backdoor process with root privilege, they can do anything to the victim.
In this thesis, we propose a new behavior-based defensive mechanism to detect whether a program is a backdoor. This mechanism protects the system from being controlled by a backdoor. We can detect the backdoor before system information is abnormally sent out over the Internet. Before the attack succeeds, we can terminate the suspicious process and stop follow-up malicious activities in advance. This mechanism raises the security level of systems and network servers.
Keywords (Chinese) ★ Intrusion Detection
★ Behavior-Based
★ Backdoor Program
Keywords (English) ★ Backdoor
★ Behavior-Based
★ Intrusion Detection
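Table of contents
Abstract (Chinese)
Abstract
Acknowledgments
Table of Contents
List of Figures
List of Tables
Chapter 1 Introduction
1-1 Research Background
1-2 Research Motivation and Objectives
1-3 Chapter Organization
Chapter 2 Attack Principles
2-1 Native Backdoors: Disguising Themselves or Tricking Users into Running Them
2-2 Vulnerability-Based Backdoors: Exploiting System or Application Vulnerabilities
2-3 Hardware Core Backdoors
Chapter 3 System Design
3-1 System Kernel Layer
3-2 Network Hardware Devices
Chapter 4 Experiments and Analysis
4-1 Native Backdoor Defense Test
4-2 Vulnerability-Based Backdoor Defense Test
4-3 Hardware Inspection
4-4 Performance Tests
4-4-1 System Call Test
4-4-2 Overall Performance Test
Chapter 5 Related Work
5-1 Intrusion Detection Mechanisms
5-2 Network Intrusion Detection Systems
5-3 Host Intrusion Detection Systems
Chapter 6 Conclusions and Future Research Directions
6-1 Contributions
6-2 Future Work
6-1-1 Spamware Detection
6-1-2 Attacking String Collection
References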
Advisor: Fu-hau Hsu (許富皓)   Approval date: 2008-7-23