隨著網路環境愈來愈複雜,傳統單點式入侵偵測系統已不足以偵測日益精進的入侵手法。為偵測各種複雜的攻擊手法,分散式入侵偵測系統逐漸成為入侵偵測研究的主流。但目前分散式入侵偵測系統的關聯分析能力仍有許多限制,這主要導因於過去分散式入侵偵測系統,所用以進行關聯分析之資訊過於貧乏,且未能分別處理不同型態之警示資訊所致。因此本研究的目的在利用程序追蹤方法(process tracking)來補足關聯分散式入侵偵測系統之警示所需的資訊,並提出新的關聯分析模型,以解決過去分散式入侵偵測系統關聯分析方法所遭遇之問題。 在本研究中,我們首先整理歸納過去分散式入侵偵測系統研究其關聯分析方法所隱含之缺點、問題及造成此問題之原因,並提出相關解決方法。接著我們由程序的層次來思考整個網路與資訊系統的運作,進而提出一個以程序關係為基礎之關聯分析模型 --- 程序關聯模型。根據此模型,我們設計一分散式入侵測系統雛形PRIDS (Process Relationship based distributed Intrusion Detection System)。 最後我們利用於Windows 2000上實作出的PRIDS系統雛形,進行三個網路模擬攻擊,我們的實驗結果證明,對於過去分散式入侵偵測系統難以偵測的攻擊手法, 如Relay Attack式攻擊、時間關係為非決定性之攻擊類型與入侵偵測系統躲避式攻擊等複雜攻擊手法,採用程序追蹤方法進行關聯分析的PRIDS都能有效地偵測出來。 As network environments become complex, it is difficult for traditional intrusion detection systems (IDS) to detect the ingenious intrusion methods successfully. As a result, distributed intrusion detection systems (DIDS) become the main stream of the IDS researches. However, the correlation abilities of DIDS are still limited by (1) the inaccurate information that IDS uses for correlation and (2) the inability to discriminating between the heterogeneous information. To solve these shortcomings, this study uses the technology of process tracking to assist DIDS in correlating alerts and proposes a novel correlation model to solve the flaws of alert correlation that the previous DIDS have. In this study, we first sum up the flaws and the causes that lead to them in previous researches. Then we propose a novel Process Relationship Correlation Model (PRCM) to model the operations of network information system in the view of processes. Next, we present the design of a prototype intrusion system named PRIDS (Process Relationship based distributed Intrusion Detection System) based on PRCM. We have implemented PRIDS on Microsoft Win2000 System and used three artificial attacks to evaluate its detection abilities. The results of these experiments revealed that PRIDS could efficiently detect those attack methods including relay attacks, the attacks with nondeterministic temporal relationship and IDS evasion attacks that could evade detecting of other DIDS.
