近年來隨著網際網路的快速普及,網路攻擊與入侵日益增加。為了防治這多且複雜的網路攻擊,大範圍防禦概念越來越受重視。在此架構下,資訊分享者會將自己收集到的資安警訊或封包資訊分享給各方的資安系統,去進行分析、判斷,了解目前有哪些網路威脅,快速有效的防範網路攻擊。無論如何,封包酬載中會有許多資訊分享者的個人隱私資訊,若此資料被不法人士取得,後果將不堪設想,因此需要對封包酬載做隱私防護。目前對封包酬載做隱私防護之研究主要為哥倫比亞大學提出的Anagram,系統產生的酬載特徵具有惡意碼特徵比對之能力,但此方法缺點是對於短的惡意酬載碼,其特徵比對效果不佳,且系統的門檻值設定也會影響偵測結果。 本研究提出一套封包酬載轉換機制: G-D酬載轉換法。此方法以酬載碼所對應的群組與碼間的差值去對封包酬載進行編碼轉換,其產生的編碼酬載具不可逆的特性,所以不法者無法從編碼酬載中得知分享者原始酬載資訊,且編碼後的酬載也保有原始酬載特徵,能比對找出惡意酬載。最後本研究提出一隱私防護指標去衡量G-D酬載轉換法,讓分享者了解所設定的編碼參數是否為最佳化。 The emergence of the internet has provided convenient way to exchange information, but many cybercrime incidents and network attacks has been discovered. In order to prevent from numerous and complicated network attacks, defending against a large scale attacks become more popular. In this architecture, individual organizations from anywhere would collect alerts or packets to share with SOC. However, packet payload has a lot of privacy information about corporations, we need to protect payload content. Anagram enables privacy-preserving payload sharing by using Bloom Filters. Generated payload signature still keep malicious signature, researcher can find anomalous payload, but Anagram has a poor detection rate when it detects short malicious signature and adjusting threshold is very difficult. We propose a payload transformative method: Group-Difference payload transformation. It would calculate groups and differences of payload character to encode the payload. Produced code is irreversible, attackers cannot get the original payload content. Produced code still keep signature of original payload, researcher can find malicious payload from produced code. Finally, we propose a privacy-preserving indicator to evaluate Group-Distance payload transformation, user can understand whether encode parameters are optimization or not.
