Abstract: | Because host intrusion monitoring and security protection must process large volumes of network data, on a traditional single-core architecture they consume a great deal of processor time and degrade the overall execution performance of the system; for this reason, traditional intrusion monitoring and protection is usually handled by a separate, dedicated computer. The multi-core processor architecture offers a new direction for solving this problem: by assigning the intrusion monitoring and protection work to a dedicated core, overall system performance can be improved effectively, and at the same time every host can have its own intrusion monitoring and protection system installed on it, rather than sharing a special intrusion monitoring and protection computer with other hosts, which turns that computer into a bottleneck for intrusion monitoring and protection. A honeypot is a widely adopted intrusion monitoring device; with this tool security staff can collect the attack patterns of malicious programs or malicious behaviour, analyse the behaviour of attackers, and go on to develop defences. However, an important precondition for a honeypot to be effective is that the honeypot must actually be attacked, and whether this precondition can be met is a key factor in deciding whether a honeypot succeeds. Based on a multi-core system, this sub-project will modify the Linux operating system kernel and the kernel control threads to develop an "Attack Redirection System" (A-R), a mechanism that can safely turn a running host into a honeypot decoy, thereby addressing (1) the important issue that has long troubled honeypot designers, namely how to attract attackers to attack the honeypot, (2) protecting the security of the host on which A-R, an auxiliary intrusion monitoring system, is installed, and (3) preventing A-R from consuming large amounts of processor resources and degrading overall system performance. In addition, we will also study the security problems of digital access management (DAM) (in particular unauthorised copying of digital data) and of Android on multi-core systems. Because on a multi-core processor each core can easily obtain the execution state and the resources used by the other cores, the techniques traditionally used to prevent software piracy, such as virtual memory system and anti-debugger techniques, may well no longer provide the same protection as before under a multi-core architecture; this sub-project will therefore study the security problems that the multi-core architecture causes for digital access management, such as unauthorised copying of digital data, and the corresponding defences. Furthermore, with Google's strong promotion, Android has become a mobile operating system that is widely favoured; however, Android's open-source nature may also become a channel through which malware authors distribute malware, so this sub-project will study Android's security problems and defence methods. ; Because it has to handle colossal network traffic, intrusion monitoring and prevention usually consumes tremendous computation resources and CPU time. On a system with a single-core processor, this overhead may greatly degrade the overall performance of the system. Therefore, traditional intrusion detection and protection mechanisms are usually handled by independent computer systems. However, a multi-core processor provides a new solution for this problem. By shifting the work of an IDS or IPS to a dedicated core of a multi-core processor, the performance overhead on the corresponding computer can be reduced greatly. As a result, each host can afford to have its own intrusion monitoring and prevention system, and it does not need to share its IDS and IPS with other hosts, a shared system that may become a security bottleneck for all hosts involved. The development of the Internet provides people with a fast and convenient way to exchange information with each other.
However, some malicious people try to steal important information via the Internet for personal benefit. Mostly, attackers use buffer overflow attacks to compromise other computers. This type of attack results from a program writing data into a buffer without boundary checking. This research will focus on the actions taken after a buffer overflow attack is discovered. It only needs to modify the Linux operating system kernel, and does not change the original hardware or software. Nowadays, defenders use honeypot technology to attract attackers' attention. By setting up some unused computers as traps, attackers may believe they are compromising an important server. Therefore, we can obtain information about the attacks, such as the attacker's IP address or attack method. But there are still some restrictions on honeypots. Attackers have recently also discovered ways to tell whether a target server is a honeypot system. For this reason, this research will put the detection mechanism in the servers that contain the sensitive information that attracts attackers the most. We will redirect the network packets that are considered attack packets to another server, called the victim server, which is used to examine the packet content. Eventually, we can construct a list of suspected attackers' IP addresses. Also, from the reaction of the victim server, we are able to understand the attackers' techniques and purposes, and try to find solutions to defeat these attacks more easily. ; Research period 9708 ~ 9807 |