Thesis record 954203044 (detailed record)




Author: Chang-Zhi Lin (林昶志)   Department: Information Management
Title: On Privacy-Preserving and Correlatable Security Alert Translation
(具隱私防護與關聯能力之資安警訊轉換機制研究)
Related theses (same advisor)
★ A study of applying digital rights management to the content protection of digital audio/video discs
★ A study of enterprise software license management via application virtualization
★ Design of an IAX2-based web telephony architecture
★ A study of applying machine learning to assist police in investigating fraud cases
★ A study of an account-based ticketing system extended with anti-fraud and privacy protection: the case of public transit
★ A study of collecting and integrating semi-structured data on the Internet
★ A study of an online shopping assistant for e-commerce environments
★ A study of defense-in-depth mechanisms for network security
★ A study of resource reservation and resource conflicts on the National Broadband Experimental Network
★ A study of detecting e-mail viruses with a tree-based correlation architecture
★ A study of video placement in video-on-demand systems considering regional differences
★ A study of digital evidence preservation in untrusted local area networks
★ Development of an integrated assistant system for intrusion detection event explanation and automatic addition of detection rules
★ A study of correlating alerts from distributed intrusion detection systems using process tracing
★ Development of a technique for automatically generating web information extraction programs
★ A study of applying XML/XACML to authorization control in workflow management systems
Access terms
  1. Access to this electronic thesis is granted with immediate open release.
  2. Open-access full text is licensed to users for academic research only: personal, non-commercial searching, reading and printing.
  3. Please comply with the Copyright Act of the Republic of China; do not reproduce, distribute, adapt, repost or broadcast it without authorization.

Abstract (Chinese, translated): Earlier distributed intrusion detection systems (DIDS) and the security operation centers (SOC) of recent years still face two important problems when they aggregate security alerts. 1. DIDS and SOC designs mostly assume that complete intrusion alerts can be obtained unconditionally; in fact, many companies are unwilling to share the alerts detected by their own equipment with outsiders, for fear of inadvertently disclosing confidential information about their internal networks. 2. The volume of alerts is too large and contains many false positives, so administrators struggle to keep up; moreover, alerts are usually low-level information that does not let administrators quickly grasp the attacker's intent or the full picture of the intrusion.
We therefore propose a privacy-preserving and correlatable intrusion detection alert translation method. We first achieve privacy protection with a method adapted from k-anonymity, and then use several correlation techniques to verify that the method really does keep alerts correlatable and analysable after privacy protection. Our research builds on widely used intrusion detection systems so that the method is broadly applicable. In our process, each local intrusion detection system anonymizes its alerts before sending them out for sharing, so that a malicious party intercepting the transmission cannot obtain un-anonymized alert contents; the alerts are then handed to the remote SOC for aggregation, analysis and correlation. Our final goal is to enable information sharing while keeping the alerts correlatable, so as to widen the scope of protection, without leaking the sharer's confidential data and without letting malicious users abuse the circulating alert data, thereby raising users' willingness to share security alerts.
Abstract (English): Distributed intrusion detection systems (DIDS) and security operation centers (SOC) still have to overcome two problems when they integrate alerts:
1. DIDS and SOC designs usually assume that complete alerts can be obtained unconditionally. In practice this holds only when the SOC operates inside a single company or is run by a trusted third party; otherwise most companies are unwilling to share the alerts collected by their security equipment, because they fear accidentally disclosing confidential information.
2. There are too many alerts, many of them false positives, and administrators cannot keep up with them. Alerts are also low-level information, which makes it hard for administrators to recognise the full attack scenario or the attacker's intent.
We propose a method for privacy-preserving and correlatable alert translation. First, a method adapted from k-anonymity is used to achieve privacy preservation. Then, using several kinds of correlation methods, we show that alerts keep their correlation and analysis capability after their private information has been protected. Our research builds on widely used IDSs to broaden the practicality of the method. The process first protects the private information of alerts on the local IDS and only then shares them, so unprotected alerts cannot be intercepted by attackers on their way to the SOC. The SOC then integrates, analyses and correlates the shared alerts. Our goal is to protect the private information in alerts so that users can share them without worry, while the protected alerts still support analysis and correlation. This not only prevents private information from being misused by attackers but also increases users' willingness to share.
Keywords (Chinese) ★ privacy protection (隱私防護)
★ security operation center (資訊安全營運管理中心)
★ alert correlation (警訊關聯)
★ intrusion detection (入侵偵測)
Keywords (English) ★ privacy preserving
★ intrusion detection
★ SOC
★ alerts correlation
Table of contents
Abstract (Chinese)
Abstract (English)
Contents
List of Figures
List of Tables
1. Introduction
1-1 Research Background
1-2 Motivation and Objectives
1-3 Assumptions, Research Process and Main Results
1-4 Organization of the Thesis
2. Related Work
2-1 Privacy Protection
2-2 Alert Correlation
2-3 Summary
3. A Privacy-Preserving and Correlatable Intrusion Detection Alert Model
3-1 Design Considerations
3-2 System Architecture
3-2-1 Alert Privacy Protection Method
3-2-2 Estimating the Degree of Alert Privacy Protection and Correlatability
3-2-3 Method for Verifying the Correlatability of Privacy-Protected Alerts
4. Case Study and Model Comparison
4-1 Case Analysis of Correlating Privacy-Protected Alerts
4-2 Model Comparison
5. Conclusions
5-1 Conclusions
5-2 Contributions
5-3 Future Work
References
References
Chinese references
[1] 劉美君, "A method of correlating alerts with colored Petri nets to reconstruct multi-step attacks", Master's thesis, Department of Information Management, National Central University, 2004.
[2] 官炳宏, "A method of correlating multi-step attack alerts by combining hidden Markov models with colored Petri nets", Master's thesis, Department of Information Management, National Central University, 2005.
[3] 黃志豪, "A modular approach to reconstructing multi-step attack scenarios", Master's thesis, Department of Information Management, National Central University, 2006.
[4] 梁嘉鴻, "A study of privacy-preserving association rule mining", Master's thesis, Department of Information Management, Chaoyang University of Technology, 2004.
[5] 陳肇勳, "Privacy preservation in sequential pattern mining", Master's thesis, Department of Information Management, Providence University, 2005.
[6] 王恩慈, "A new algorithm for hiding sensitive knowledge in association rule mining", Master's thesis, Department of Computer Science and Information Engineering, National Dong Hwa University, 2004.
[7] 陳威宇, "Research and implementation of alert integration and correlation presentation in a security operation center", Master's thesis, Institute of Computer and Communication Engineering, National Cheng Kung University, 2005.
[8] 翁興國, "An analysis of the fundamental problems of event correlation in security operation centers", Proceedings of the 2004 Internet Security Engineering Conference (網際網路安全工程研討會), 2004.
English references
[9] Computer Security Institute, http://www.gocsi.com
[10] Honeynet project, http://www.honeynet.org
[11] U. Flegel, Privacy-Respecting Intrusion Detection, Advances in Information Security vol. 35, Springer, New York, 2007, 325 pages, ISBN-10 0-387-34346-6, ISBN-13 978-0-387-34346-4, e-ISBN-13 978-0-387-68254.
[12] L. Sweeney. “k-anonymity: A model for protecting privacy.” International Journal on Uncertainty, Fuzziness and Knowledge-based Systems, 2002.
[13] Raymond Chi-Wing Wong et al., “(α,k)-Anonymity: An Enhanced-Anonymity Model for Privacy-Preserving Data Publishing”, KDD’06, August 20–23, 2006.
[14] Carlisle Adams, "A classification for privacy techniques", University of Ottawa Law & Technology Journal, 2006, accessed from www.uoltj.ca/articles/vol3.1/2006.3.1.uoltj.Adams.35-52.pdf.
[15] L. Sweeney, “Achieving k-anonymity privacy protection using generalization and suppression.” International Journal on Uncertainty, Fuzziness and Knowledge-based Systems, 2002.
[16] Grigorios Loukides et al., “Capturing Data Usefulness and Privacy Protection in K-Anonymisation” SAC07, March 11-15, 2007.
[17] Jian Xu et al., "Utility-Based Anonymization for Privacy Preservation with Less Information Loss", 12th ACM SIGKDD, 2006.
[18] C. C. Aggarwal, “On Privacy Preservation against Adversarial Data Mining”, conference on Knowledge discovery and data mining, 2006.
[19] Kristen LeFevre et al., “Mondrian Multidimensional K-Anonymity.”, 22nd International Conference on Data Engineering (ICDE'06), 2006.
[20] Siddharth Srivastava, "Privacy vs. Utility in Anonymized Data", 2005, accessed from www.cs.umass.edu/~siddhart/Publications/privutil_kanon.pdf.
[21] Vassilios S. Verykios et al., “State-of-the-art in Privacy Preserving Data Mining”, SIGMOD, 2004.
[22] P. Porras et al., “Large-scale collection and sanitization of network security data: risks and challenges”, Proceedings of the 2006 workshop on New security paradigms, 2006.
[23] Brent R. Waters et al., “Building an Encrypted and Searchable Audit Log”, Proceedings of 11th Annual Network and Distributed System, 2004.
[24] Joachim Biskup et al., “Transaction-Based Pseudonyms in Audit Data for Privacy Respecting Intrusion Detection”, RAID 2000.
[25] Tim Bass, “Intrusion detection systems and multisensor data fusion” Communications of the ACM, 2000.
[26] Klaus Julisch, “Clustering Intrusion Detection Alarms to Support Root Cause Analysis”, ACM Transactions on Information and System Security (TISSEC), 2003.
[27] Ambareen Siraj et al., “Multi-Level Alert Clustering for Intrusion Detection Sensor Data”, Fuzzy Information Processing Society, 2005.
[28] Mathew, S. et al., “Real-time multistage attack awareness through enhanced intrusion alert clustering”, Military Communications Conference, 2005.
[29] S.S. Chen et al., “GrIDS-A Graph based Intrusion Detection System for Large Networks”, In National Information Computer Security Conference, Baltimore, MD, 1996.
[30] F. Cuppens, “Managing alerts in a multi-intrusion detection environment”. In Proceedings of the 17th Annual Computer Security Applications Conference, December 2001.
[31] H. Debar et al., “Aggregation and correlation of intrusion-detection alerts”, RAID, 2001.
[32] Oleg Sheyner et al., “Automated Generation and Analysis of Attack Graphs”, Proceedings of the IEEE Symposium on Security and Privacy, Oakland, CA, May 2002.
[33] Yu-Sung Wu et al., “Collaborative Intrusion Detection System (CIDS): A Framework for Accurate and Efficient IDS”, 19th Annual Computer Security Applications Conference December 8-12, 2003.
[34] P. Lincoln et al., "Privacy-Preserving Sharing and Correlation of Security Alerts", in 13th USENIX Security Symposium, 2004.
[35] S. Singh et al., "The EarlyBird System for Real-time Detection of Unknown Worms", UCSD Tech Report CS2003-0761, August 2003, accessed from http://www.cs.ucsd.edu/~susingh/
[36] S.J. Stolfo, “Worm and Attack Early Warning: Piercing Stealthy Reconnaissance”, IEEE Computer and Privacy, 2004.
[37] Cooperative Association for Internet Data Analysis, http://www.caida.org/home/
[38] Symantec DeepSight Threat Management System, https://tms.symantec.com/Default.aspx
[39] Distributed Intrusion Detection System, http://www.dshield.org/
[40] SANS Internet Storm Center, http://isc.sans.org/
[41] Steven Cheung et al., “Modeling Multistep Cyber Attacks for Scenario Recognition”, DARPA Information Survivability Conference and Exposition (DISCEX III), 2003.
[42] Peng Ning et al., "Constructing Attack Scenarios through Correlation of Intrusion Alerts", in Proceedings of the 9th ACM Conference on Computer & Communications Security, pages 245--254, November 2002.
[43] P. A. Porras, "Privacy-Enabled Global Threat Monitoring", In IEEE SECURITY & PRIVACY, 2006.
[44] Dingbang Xu et al., “A Flexible Approach to Intrusion Alert Anonymization and Correlation”, Securecomm and Workshops, 2006.
[45] Dingbang Xu et al., “Privacy-Preserving Alert Correlation: A Concept Hierarchy Based Approach”, ACSAC 2005.
[46] Ke Wang et al., "Privacy-preserving payload-based correlation for accurate malicious traffic detection", In SIGCOMM Workshop on Large Scale Attack Defence , 2006.
[47] Ke Wang et al., "Anomalous Payload-based Network Intrusion Detection", In Proceedings of the Seventh International Symposium on Recent Advances in Intrusion Detection (RAID 2004), Sophia Antipolis, September 2004.
[48] Ke Wang et al., "Anomalous Payload-based Worm Detection and Signature Generation", In Proceedings of the Eighth International Symposium on Recent Advances in Intrusion Detection (RAID 2005), 2005.
[49] Ke Wang et al., "Anagram: A Content Anomaly Detector Resistant to Mimicry Attack", In Proceedings of the Ninth International Symposium on Recent Advances in Intrusion Detection (RAID 2006), 2006.
[50] F. Cuppens et al., “Alert Correlation in a Cooperative Intrusion Detection Framework”, IEEE Symposium on Research in Security and Privacy, 2002.
[51] F. Cuppens et al., "CRIM: An Approach to Correlate Alerts and Recognize Malicious Intentions", RTO IST Symposium on Real Time Intrusion Detection, Estoril, Portugal, published in RTO-MP-101, 2002.
Advisor: Yi-Ming Chen (陳奕明)   Review date: 2008-07-22

For questions about this thesis, contact the Extension Services Section of the National Central University Library, TEL (03)422-7151 ext. 57407, or by e-mail.