| DC 欄位 |
值 |
語言 |
| DC.contributor | 資訊工程學系 | zh_TW |
| DC.creator | 趙亞略 | zh_TW |
| DC.creator | Ya-Lyue Jhao | en_US |
| dc.date.accessioned | 2012-7-23T07:39:07Z | |
| dc.date.available | 2012-7-23T07:39:07Z | |
| dc.date.issued | 2012 | |
| dc.identifier.uri | http://ir.lib.ncu.edu.tw:88/thesis/view_etd.asp?URN=995202073 | |
| dc.contributor.department | 資訊工程學系 | zh_TW |
| DC.description | 國立中央大學 | zh_TW |
| DC.description | National Central University | en_US |
| dc.description.abstract | 電腦與網路的普及,使得電腦與網路的攻擊手法也日新月異,為了蒐集與了解層出不窮的攻擊手法,資訊安全人員發展出各式各樣方法來收集與分析各種攻擊程式與行為,以期及時找出防禦之道。Honeypot是最常被使用的方法之一,Honeypot需要讓攻擊者能夠入侵且避免被偵測才能發揮它的效果。由於Honeypot要讓攻擊者能夠入侵,因此目前的Honeypot大多無法對外連線以避免攻擊者利用Honeypot做為跳板攻擊其他電腦,雖然本意是好的,但這也使得攻擊者很容易藉由測試對外連線是否被管制,了解他是否是陷入在Honeypot中,以決定他是否需停止其攻擊行為以避免被觀察、分析。本篇論文在此提出了一個新的Honeypot架構—DEH (Dynamic Extensible Two-way Honeypot) 來解決Honeypot容易被偵測的嚴重問題,DEH允許對內及對外的網路連線,但對外的連線內含攻擊外部主機的shellcode時,DEH會先暫緩傳送該攻擊字串至目標主機並複製包含該shellcode的攻擊字串,但將shellcode以DEH的code取代,DEH接着循著攻擊者原定的攻擊方式將DEH的code注入至攻擊者原定的目標主機上被鎖定的有漏洞的程式以保護及監測該程式,因此當上述步驟完成,DEH讓原先的攻擊字串攻擊該目標主機的漏洞程式並使得攻擊者的shellcode被執行時,該shellcode是在DEH注入的code的控制及觀察下執行的。當攻擊者要從該受害者再對外攻擊其他的主機時,DEH可重複上述的機制擴充Honeypot的觀察範圍或將攻擊導回原Honeypot,因此DEH不僅降低了Honeypot被發現的機會,也可以收集到更多攻擊者的資訊。
| zh_TW |
| dc.description.abstract | Honeypot is very powerful for security analysts to collect malicious data for a long time. We need to let attacker intrudes into honeypot, so that we can analyze the malicious data we get, and find a method to prevent the attack. Because we have to prevent attackers to attack another computer through honeypot, almost all of the honeypots block the outgoing traffic. This is a serious problem. Some assailants would test whether the computer they attack is a honeypot by sending some simple connections out. If they know the computer they are attacking is a honeypot, they will not do the further malicious behavior. If honeypot cannot collect the attack pattern anymore, it becomes useless. In this thesis, we introduce a new design of honeypot, DEH (Dynamic Extensible Two-way Honeypot), to fix this serious problem. DEH allows not only incoming traffic but outgoing traffic. If the outgoing traffic includes malicious shellcode, we can hold this traffic and copy the shellcode, and then DEH replace it with our own code to set the protective mechanism on the computer that the attacker wants to intrude into. After we set the mechanism, we let the attacker intrude in, and he is monitored by our protective mechanism. When attacker wants to send traffic out from the victim, DEH can extend the protective mechanism to other computers or redirected the connections back to honeypot. We can efficiently protect honeypot from being detected and prevent the attack being spread, in the same time we could also get more information from attackers.
| en_US |
| DC.subject | 蜜罐 | zh_TW |
| DC.subject | Honeypot | en_US |
| DC.title | DEH:Dynamic Extensible Two-way Honeypot | zh_TW |
| dc.language.iso | zh-TW | zh-TW |
| DC.title | DEH:Dynamic Extensible Two-way Honeypot | en_US |
| DC.type | 博碩士論文 | zh_TW |
| DC.type | thesis | en_US |
| DC.publisher | National Central University | en_US |