Abstract: In recent years, Internet of Things (IoT) technology has developed rapidly; it is estimated that by 2020 the number of network-connected IoT devices will reach tens of billions. Because most IoT devices have limited computing power, they generally lack sound security mechanisms, which has led to rapid growth in IoT-based botnets. Advances in network technology and the spread of the IoT industry have diversified attackers' techniques, and botnets built from insecure IoT devices are frequently used to launch Distributed Denial-of-Service (DDoS) attacks that disrupt network equipment and exhaust server resources. This thesis therefore applies machine learning, training an intelligent traffic classifier on the CIDDS-001 dataset to detect DDoS attacks and identify clients. To effectively address the problem that traditional network defence is easy to attack and hard to defend, it adopts new network architectures and defence strategies: Software-defined Networking (SDN), whose centralized control layer makes the network architecture easy to manage and flexible, and Moving Target Defense (MTD), which confuses attackers and diverts attack traffic by changing the information of the target being defended. The ATBM proposed in this thesis is an MTD mechanism for SDN environments; its intelligent traffic classifier performs malicious-traffic detection and behaviour analysis on client traffic, effectively detecting DDoS attacks and distinguishing legitimate from malicious clients. To verify the robustness of the intelligent traffic classifier, 20% of the CIDDS-001 dataset is used as testing data, on which the classifier reaches an F1-score of 99.1%. In addition, a security system based on the ATBM mechanism is implemented, and Docker is used to simulate multiple zombie devices launching DDoS attacks against the system's Master Server. Experimental results show that 98.11% of TCP SYN Flooding attack traffic and 96.44% of UDP Flooding attack traffic is blocked from entering the system; moving target defence keeps malicious traffic from reaching the Master Server, so legitimate clients can access its resources without being affected by the DDoS attack.

In recent years, Internet of Things (IoT) technology has developed rapidly. By 2020, more than ten billion IoT devices are expected to be connected to the Internet. Because IoT devices have low processing capability, weaknesses in their security mechanisms have caused the rapid growth of IoT-based botnets such as Mirai and Torii. Botnets are often used to launch Distributed Denial-of-Service (DDoS) attacks (TCP Flooding, UDP Flooding, HTTP Flooding, etc.), and advances in Internet technology have made it easy for attackers to control a large number of zombie devices. How to effectively detect and defend against DDoS attacks is therefore an important research topic.

To address this network-defence problem, new network architectures and defence strategies are adopted: in a software-defined network (SDN), centralized management of the control layer makes the network architecture easy to manage and flexible, while Moving Target Defense (MTD) confuses attackers and redirects abnormal traffic by transforming the information of the target being defended. The proposed ATBM is an MTD-based mechanism for SDN environments. It performs abnormal-traffic detection and behaviour analysis of network traffic with an abnormal traffic classifier, which detects DDoS attacks and identifies legitimate and malicious clients. To verify the stability of the abnormal traffic classifier, this paper uses 20% of the CIDDS-001 dataset as testing data; the classifier's F1-score is 99.1%. In addition, this paper implemented an ATBM-based security system and simulated 100 zombie devices performing DDoS attacks against the Master Server of the ATBM system. The proposed mechanism effectively protects legitimate clients and the Master Server from DDoS attacks with the MTD approach. Experimental results show that the proposed mechanism prevents 98.11% of abnormal traffic from TCP SYN Flooding attacks and 96.44% of abnormal traffic from UDP Flooding attacks from reaching the ATBM system.
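The per-client detection and redirection pipeline the abstract describes, as an added illustration that is not the thesis's own code: flow records in a CIDDS-001-like NetFlow shape (field names and values are constructed assumptions) are aggregated per source, a rule-based stand-in replaces the trained classifier, suspected zombies are steered to a decoy instead of the Master Server, and the verdicts are scored with the F1 measure the thesis reports.

```python
from collections import defaultdict

# Constructed flow records in a CIDDS-001-like NetFlow shape. Field names and
# values are assumptions for this example, not taken from the dataset:
# (proto, src_ip, dst_port, packets, bytes, tcp_flags)
FLOWS = [
    # legitimate client: completed TCP handshakes with payload in both directions
    ("TCP", "10.0.0.5", 443, 14, 6200, ".AP.SF"),
    ("TCP", "10.0.0.5", 443, 9, 3100, ".AP.SF"),
    ("UDP", "10.0.0.5", 53, 2, 180, "......"),
    # zombie A: TCP SYN flooding, every flow is a lone SYN that is never completed
    *[("TCP", "10.0.0.77", 80, 1, 60, "....S.") for _ in range(8)],
    # zombie B: UDP flooding, many tiny one-packet datagrams
    *[("UDP", "10.0.0.91", 80, 1, 40, "......") for _ in range(8)],
]
LABELS = {"10.0.0.5": "legit", "10.0.0.77": "malicious", "10.0.0.91": "malicious"}

def client_features(flows):
    """Aggregate flows per source IP into the behaviour features we score on."""
    per_src = defaultdict(lambda: {"tcp": 0, "syn_only": 0, "udp": 0, "udp_bytes": 0})
    for proto, src, _, _, nbytes, flags in flows:
        f = per_src[src]
        if proto == "TCP":
            f["tcp"] += 1
            f["syn_only"] += flags == "....S."  # SYN set, no ACK/FIN ever seen
        elif proto == "UDP":
            f["udp"] += 1
            f["udp_bytes"] += nbytes
    return per_src

def classify(f, min_flows=5):
    """Rule-based stand-in for the trained classifier: flag flood-like clients."""
    if f["tcp"] >= min_flows and f["syn_only"] / f["tcp"] > 0.8:
        return "malicious"  # half-open connection pattern of SYN flooding
    if f["udp"] >= min_flows and f["udp_bytes"] / f["udp"] < 64:
        return "malicious"  # bursts of tiny datagrams typical of UDP flooding
    return "legit"

def dispatch(flows):
    """MTD step (decoy target is an assumption): only clients judged legitimate
    are steered to the Master Server; suspected zombies go to a decoy."""
    verdicts = {src: classify(f) for src, f in client_features(flows).items()}
    routes = {src: ("master" if v == "legit" else "decoy") for src, v in verdicts.items()}
    return routes, verdicts

def f1_score(verdicts, labels, positive="malicious"):
    """F1 of the 'malicious' class against ground-truth labels."""
    tp = sum(verdicts[s] == positive == labels[s] for s in labels)
    fp = sum(verdicts[s] == positive != labels[s] for s in labels)
    fn = sum(verdicts[s] != positive == labels[s] for s in labels)
    return 2 * tp / (2 * tp + fp + fn) if tp else 0.0
```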