Abstract (English)
In recent years, with the spread of the Internet, people exchange information with each other faster and more conveniently. However, some malicious people try to steal important information over the Internet for personal gain. Most often, attackers use buffer overflow attacks to compromise other computers. This type of attack results from a program writing data into a buffer without boundary checking. This research focuses on the actions taken after a buffer overflow attack is discovered. It only requires modifying the Linux operating system kernel and does not change the existing hardware or software.
Nowadays, defenders use honeypot technology to attract attackers' attention. By using some unused computers as traps, attackers may believe they are compromising an important server, so we can obtain information about the attacks, such as the attacker's IP address or attack method. However, honeypots still have some limitations: attackers have recently found ways to determine whether a target server is a honeypot system. For this reason, this research places the detection mechanism on the servers that hold the sensitive information attackers are most interested in. Network packets judged to be attack packets are redirected to another server, called the victim server, which examines the packet content. Eventually, we can build a list of suspected attackers' IP addresses. Also, from the reaction of the victim server, we can understand the attackers' techniques and purposes, and achieve a self-protection mechanism.
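The abstract describes a three-part flow: classify incoming packets on the production server, divert the suspicious ones to a victim server for inspection, and accumulate a list of suspected attacker addresses. The following user-space model of that flow is an added illustration, not code from the thesis (which does this work inside the Linux kernel). The detection heuristic (a long run of non-printable bytes in a segment bound for a plaintext protocol port), the port allow-list, the `Packet` and `Dispatcher` names, and the sample packets are all constructed assumptions for the example.

```python
"""Toy model of detect-and-redirect-to-victim-server (constructed example)."""
from dataclasses import dataclass, field
from typing import Dict, List

# Assumption: only inspect ports where a plaintext protocol is expected;
# binary protocols (e.g. TLS on 443) would otherwise trip the heuristic.
TEXT_PROTOCOL_PORTS = {21, 25, 80, 110, 143}

# Assumption: a single segment carrying this many consecutive non-printable
# bytes is treated as suspicious for a text protocol.
NONPRINTABLE_RUN = 32


@dataclass
class Packet:
    src_ip: str
    dst_port: int
    payload: bytes


def looks_like_overflow(payload: bytes, threshold: int = NONPRINTABLE_RUN) -> bool:
    """Return True when payload contains a run of >= threshold non-printable bytes."""
    run = 0
    for b in payload:
        if 0x20 <= b <= 0x7E or b in (0x09, 0x0A, 0x0D):
            run = 0  # printable ASCII, tab, LF or CR resets the run
        else:
            run += 1
            if run >= threshold:
                return True
    return False


@dataclass
class Dispatcher:
    """Routes packets to the real service or to the victim server and keeps the suspect list."""
    suspects: Dict[str, int] = field(default_factory=dict)
    to_service: List[Packet] = field(default_factory=list)
    to_victim: List[Packet] = field(default_factory=list)

    def handle(self, pkt: Packet) -> str:
        inspect = pkt.dst_port in TEXT_PROTOCOL_PORTS
        if inspect and looks_like_overflow(pkt.payload):
            # Record the source and divert the packet for content examination.
            self.suspects[pkt.src_ip] = self.suspects.get(pkt.src_ip, 0) + 1
            self.to_victim.append(pkt)
            return "victim"
        self.to_service.append(pkt)
        return "service"

    def suspect_list(self) -> List[str]:
        """Suspected attacker IPs, most frequently flagged first."""
        return sorted(self.suspects, key=lambda ip: (-self.suspects[ip], ip))


def run_demo() -> Dispatcher:
    """Feed a few constructed packets through the dispatcher and return it."""
    d = Dispatcher()
    # Ordinary HTTP request: stays on the production service.
    d.handle(Packet("192.0.2.10", 80, b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"))
    # HTTP request whose path is a 64-byte block of non-printable bytes: diverted.
    d.handle(Packet("198.51.100.7", 80, b"GET /" + bytes(range(0x80, 0xC0)) + b" HTTP/1.1\r\n"))
    # Same bytes on a binary-protocol port: not inspected, so not flagged.
    d.handle(Packet("192.0.2.11", 443, bytes(range(0x80, 0xC0))))
    return d


if __name__ == "__main__":
    demo = run_demo()
    print("suspects:", demo.suspect_list())
    print("diverted:", len(demo.to_victim), "served:", len(demo.to_service))
```

The port allow-list is the caveat worth keeping in mind: a payload-byte heuristic only makes sense where the protocol is known to be plaintext, otherwise legitimate binary traffic is diverted and the suspect list fills with false positives.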