Master's/Doctoral Thesis 109522101: Detailed Record




Name Chao-Chih Chang (張晁誌)   Department Department of Computer Science and Information Engineering
Thesis title Detection and Mitigation of IoT Attacks Based on Intrusion Detection System in P4 Networks
(P4環境中運用入侵偵測系統針對物聯網攻擊之偵防機制)
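Abstract (Chinese) With the rapid development of networks, the concept of Software Defined Networking (SDN) has been widely applied in many fields. By separating the control plane from the data plane and managing the control plane centrally, SDN lets network administrators control the whole network more easily. However, as the number of networked devices such as Internet of Things devices grows sharply, the load on the SDN controller becomes heavier and heavier. Meanwhile, Programming Protocol-independent Packet Processors (P4) was proposed. P4 is a concept entirely different from SDN: a P4 switch can operate on the data plane of network transmission through P4-specific programs and, by defining new protocols and the like, can achieve many goals that SDN alone cannot. Combining the two lets network administrators manage the network more easily and at a finer granularity. An Intrusion Detection System (IDS) captures network packets and analyzes their behavior as the basis for judging whether they constitute a malicious attack.
The method proposed in this thesis is named the Dynamic-time-wArping based Service LEvel Regulating Algorithm (DASLERA) and aims to defend against Denial of Service (DoS) attacks and Address Resolution Protocol spoofing (ARP Spoofing) attacks. By combining an intrusion detection system with a P4 network, it reduces the load on the SDN controller, and its service-level settings let network administrators manage the network more flexibly. DASLERA identifies malicious attackers with 93.6% accuracy while keeping the controller's average CPU usage below 20%.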
Abstract (English) With the rapid growth of the Internet, the concept of Software Defined Networking (SDN) is widely used in various fields. By separating the control plane from the data plane of the traditional network and centralizing the control plane, network administrators can more easily control the overall network. However, with the rapid increase in the number of network devices such as Internet of Things devices, the load on SDN controllers has become heavier and heavier. P4 is a very different concept from SDN: P4 switches can operate on the data plane of network transport through P4-specific programs and, by defining new protocols and the like, can achieve many goals that cannot be achieved by SDN alone. Through the combination of the two, network administrators can manage their networks with greater ease and sophistication. An Intrusion Detection System (IDS) is a system that captures network packets and analyzes their behavior to determine whether they are malicious attacks.
The method proposed in this thesis, called the Dynamic-time-wArping based Service LEvel Regulating Algorithm (DASLERA), aims to defend against Denial of Service (DoS) and Address Resolution Protocol Spoofing (ARP Spoofing) attacks. Through the integration of an intrusion detection system and a P4 network, the load on the SDN controller is reduced, and the service level setting allows network administrators to manage the network more flexibly. DASLERA has 93.6% accuracy in determining malicious attackers while keeping the average CPU usage of the controller below 20%.
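Keywords (Chinese) ★ Software Defined Networking
★ Intrusion Detection System
★ P4
★ Denial of Service attack
★ Address Resolution Protocol spoofing attack
★ Dynamic Time Warping
Keywords (English) ★ Software Defined Networking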
★ Intrusion-Detection System
★ Programming Protocol-independent Packet Processors
★ DoS
★ ARP Spoofing
★ Dynamic Time Warping
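Table of contents Abstract (Chinese)
Abstract
Acknowledgements
Table of Contents
List of Figures
List of Tables
Chapter 1 Introduction
1.1. Overview
1.2. Research Motivation
1.3. Research Objectives
1.4. Chapter Organization
Chapter 2 Background and Related Work
2.1. Software Defined Networking
2.2. Intrusion Detection System
2.3. IoT Attacks
2.3.1. Denial of Service Attacks
2.3.2. Man-in-the-Middle Attacks
2.4. P4: Programming Protocol-Independent Packet Processor
2.5. Related Work
Chapter 3 Methodology
3.1. System Architecture and Design
3.1.1. Intrusion Detection System Module
3.1.2. Judgement Module
3.1.3. P4 Runtime Module
3.1.4. P4 Switch Module
3.2. System Implementation
Chapter 4 Experiments and Discussion
4.1. Verification of the Detection and Defense Mechanism and the P4 Environment
4.1.1. Experiment 1: Verification of Service-Level-Based Forwarding on the P4 Switch
4.1.2. Experiment 2: Verification of the IDS Threshold Adjustment Mechanism
4.1.3. Experiment 3: Threshold Setting and Verification for DASLERA
4.2. Verification of the Defense Mechanisms against ARP Spoofing and DoS Attacks
4.2.1. Experiment 4: Verification of the Detection and Defense Mechanism for ARP Spoofing Attacks
4.2.2. Experiment 5: Verification of the Detection and Defense Mechanism for DoS Attacks
4.3. Performance Analysis of the P4 Network Environment and Comparison with Other Mechanisms
4.3.1. Experiment 6: Impact of Using Sluice on Packet RTT and Throughput
4.3.2. Experiment 7: Comparison with Other Mechanisms
4.3.3. Experiment 8: Effectiveness of Reducing the Controller Load
Chapter 5 Conclusions and Future Work
5.1. Conclusions
5.2. Research Limitations
5.3. Future Work
References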
Advisor Li-Der Chou (周立德)   Approval date 2022-8-10