中大機構典藏-NCU Institutional Repository-提供博碩士論文、考古題、期刊論文、研究計畫等下載:Item 987654321/54424
English  |  正體中文  |  简体中文  |  Items with full text/Total items : 80990/80990 (100%)
Visitors : 41657700      Online Users : 1640
RC Version 7.0 © Powered By DSPACE, MIT. Enhanced by NTU Library IR team.
Scope Tips:
  • please add "double quotation mark" for query phrases to get precise results
  • please goto advance search for comprehansive author search
    •  Adv. Search
    HomeLoginUploadHelpAboutAdminister Goto mobile version


    Please use this identifier to cite or link to this item: http://ir.lib.ncu.edu.tw/handle/987654321/54424


    Title: DEH:Dynamic Extensible Two-way Honeypot;DEH:Dynamic Extensible Two-way Honeypot
    Authors: 趙亞略;Jhao,Ya-Lyue
    Contributors: 資訊工程研究所
    Keywords: 蜜罐;Honeypot
    Date: 2012-07-23
    Issue Date: 2012-09-11 18:50:28 (UTC+8)
    Publisher: 國立中央大學
    Abstract: 電腦與網路的普及,使得電腦與網路的攻擊手法也日新月異,為了蒐集與了解層出不窮的攻擊手法,資訊安全人員發展出各式各樣方法來收集與分析各種攻擊程式與行為,以期及時找出防禦之道。Honeypot是最常被使用的方法之一,Honeypot需要讓攻擊者能夠入侵且避免被偵測才能發揮它的效果。由於Honeypot要讓攻擊者能夠入侵,因此目前的Honeypot大多無法對外連線以避免攻擊者利用Honeypot做為跳板攻擊其他電腦,雖然本意是好的,但這也使得攻擊者很容易藉由測試對外連線是否被管制,了解他是否是陷入在Honeypot中,以決定他是否需停止其攻擊行為以避免被觀察、分析。本篇論文在此提出了一個新的Honeypot架構—DEH (Dynamic Extensible Two-way Honeypot) 來解決Honeypot容易被偵測的嚴重問題,DEH允許對內及對外的網路連線,但對外的連線內含攻擊外部主機的shellcode時,DEH會先暫緩傳送該攻擊字串至目標主機並複製包含該shellcode的攻擊字串,但將shellcode以DEH的code取代,DEH接着循著攻擊者原定的攻擊方式將DEH的code注入至攻擊者原定的目標主機上被鎖定的有漏洞的程式以保護及監測該程式,因此當上述步驟完成,DEH讓原先的攻擊字串攻擊該目標主機的漏洞程式並使得攻擊者的shellcode被執行時,該shellcode是在DEH注入的code的控制及觀察下執行的。當攻擊者要從該受害者再對外攻擊其他的主機時,DEH可重複上述的機制擴充Honeypot的觀察範圍或將攻擊導回原Honeypot,因此DEH不僅降低了Honeypot被發現的機會,也可以收集到更多攻擊者的資訊。Honeypot is very powerful for security analysts to collect malicious data for a long time. We need to let attacker intrudes into honeypot, so that we can analyze the malicious data we get, and find a method to prevent the attack. Because we have to prevent attackers to attack another computer through honeypot, almost all of the honeypots block the outgoing traffic. This is a serious problem. Some assailants would test whether the computer they attack is a honeypot by sending some simple connections out. If they know the computer they are attacking is a honeypot, they will not do the further malicious behavior. If honeypot cannot collect the attack pattern anymore, it becomes useless. In this thesis, we introduce a new design of honeypot, DEH (Dynamic Extensible Two-way Honeypot), to fix this serious problem. DEH allows not only incoming traffic but outgoing traffic. If the outgoing traffic includes malicious shellcode, we can hold this traffic and copy the shellcode, and then DEH replace it with our own code to set the protective mechanism on the computer that the attacker wants to intrude into. After we set the mechanism, we let the attacker intrude in, and he is monitored by our protective mechanism. When attacker wants to send traffic out from the victim, DEH can extend the protective mechanism to other computers or redirected the connections back to honeypot. We can efficiently protect honeypot from being detected and prevent the attack being spread, in the same time we could also get more information from attackers.
    Appears in Collections:[Graduate Institute of Computer Science and Information Engineering] Electronic Thesis & Dissertation

    Files in This Item:

    File Description SizeFormat
    index.html0KbHTML415View/Open


    All items in NCUIR are protected by copyright, with all rights reserved.

    社群 sharing

    ::: Copyright National Central University. | 國立中央大學圖書館版權所有 | 收藏本站 | 設為首頁 | 最佳瀏覽畫面: 1024*768 | 建站日期:8-24-2009 :::
    DSpace Software Copyright © 2002-2004  MIT &  Hewlett-Packard  /   Enhanced by   NTU Library IR team Copyright ©   - 隱私權政策聲明