Thesis record 86443007: details
Author: Da-Wei Lin (林大為)    Department: Information Management
Title: A study of two intrusion detection methods: from email virus detection to web content self-integrity measurement
Related theses
★ A study of applying digital rights management to content protection of digital video discs
★ A study of achieving enterprise software license management through application virtualization
★ Design of an IAX2-based web telephony architecture
★ A study of applying machine learning to assist police in investigating fraud cases
★ A study of an account-based ticketing system extended with fraud prevention and privacy protection, using public transit as an example
★ A study of collecting and integrating semi-structured data on the Internet
★ A study of online shopping assistants in e-commerce environments
★ A study of defense-in-depth mechanisms for network security
★ A study of resource reservation and resource conflict on the National Broadband Experimental Network
★ A study of detecting email viruses with a tree-based relational architecture
★ A study of video placement in video-on-demand systems considering regional differences
★ A study of digital evidence preservation in untrusted local area networks
★ Development of an integrated assistance system for intrusion detection system event explanation and automatic addition of detection rules
★ A study of correlating intrusion alerts from distributed intrusion detection systems using process tracing
★ Development of a technique for automatic generation of web information extraction programs
★ A study of applying XML/XACML to authorization control in workflow management systems
  1. The access permission for this electronic thesis is: agreed to open immediately.
  2. Electronic full text that has reached its open-access date is licensed to users only for academic research, for personal, non-commercial retrieval, reading and printing.
  3. Please comply with the relevant provisions of the Copyright Act of the Republic of China; do not reproduce, distribute, adapt, repost or broadcast it without authorization, so as not to break the law.

Abstract (Chinese) Security assurance is the foundation for the success of every kind of network application. Email has become the main tool for interpersonal communication, and the Web provides the most widely used and most important services on the network. Because of its ubiquity, email has become the primary channel for virus propagation, and the most common anti-virus method at present is virus signature matching. Unfortunately, this method is only suited to detecting known viruses and is powerless against unknown ones. To detect the newest viruses, signatures must be updated constantly. New viruses emerge endlessly, so virus defense is always in a reactive position. We urgently need a method that can proactively detect new, unknown viruses.
This study starts from users' sending behavior and finds that senders' communication behavior has a group characteristic: it forms distinct communication communities, which differs from the random mass-mailing behavior of email viruses. Based on this characteristic, we propose a detection method for anomalous mailing behavior. The method can help detect a new, unknown virus early, at the initial stage of its appearance, and so keep losses to a minimum.
The Web is the most widely used service on today's network, and attacks against the Web also emerge endlessly; although various intrusion detection systems help, they still cannot guarantee that no intrusion will occur. This study therefore proposes a protection method different from the traditional approach: instead of detecting intrusions directly, it starts from the perspective of web content integrity verification. The method has an extremely low false-positive rate, and because it does not rely on attack-signature matching, there is no need to keep attack signatures updated. In terms of processing performance, it only needs to compute integrity values, which is better than traditional attack-signature matching.
The anomalous mail detection method proposed in this thesis still inevitably has a considerable false-positive rate, whereas web integrity verification has the advantage of an extremely low false-positive rate. In future work, we can therefore combine the integrity verification method with the design of email systems to address the email virus problem.
Abstract (English) Security assurance is the basis for success on the Internet. Viruses and worms constitute a great threat. Many countermeasures have been applied to counteract these malicious threats. A signature-based detection method works well only for a known virus or worm; it is very difficult to defend against an unknown virus or worm. Anomaly detection has the potential to detect unknown attacks. In this thesis, we propose an abnormal mail detection method based on user mailing behavior. In our observation, human communication forms many parties. This characteristic can help us differentiate human mailing behavior from that of email viruses. The proposed method can help us detect new, unknown viruses at the beginning of a virus outbreak.
Modeling user behavior is not easy, however, since user behavior may change over time. In the second part of this thesis, we propose a web content protection method which has a very low error rate. It is based on the concept of "integrity", that is, the information content can be represented by an integrity value. Integrity is a unique value for any given information content. From a different perspective, we measure the integrity of Web content instead of detecting the intrusion directly. If the integrity is violated, it means that content modification has occurred. There is no need for signature updating, which is necessary in a signature-based detection system. Besides, the computation time is better than that of traditional signature-based detection systems in the long run. In the future, we plan to construct an email system by incorporating the integrity concept into the email system design.
Keywords (Chinese) ★ grouping analysis
★ web integrity verification
★ web protection
★ mailing behavior
★ anomalous mailing behavior detection
★ email virus detection
Keywords (English) ★ Mailing behavior
★ anomalous behavior detection
★ email virus detection
★ grouping analysis
★ Web protection
★ content integrity
Table of contents Chapter 1 Introduction
1.1 Research background
1.2 Research motivation
1.3 Research objectives
1.4 Research scope and assumptions
1.5 Thesis organization
Chapter 2 Related work and literature review
2.1 Virus detection and anomaly detection
2.2 Web intrusion and protection techniques
Chapter 3 Anomalous mailing behavior detection based on user behavior
3.1 Group relationship analysis
3.2 Dependency relationships within groups
3.3 Determining whether mailing behavior is anomalous
3.4 Generating group behavior norms
3.4.1 Behavior feature summary table
3.4.2 Time threshold
3.5 Experimental design
3.5.1 Basic email data analysis
3.5.2 Tests with different time lengths
3.5.3 Time threshold tests
3.5.4 Sliding window tests
3.5.5 Email virus simulation tests
3.6 Discussion
3.7 System design and implementation
Chapter 4 Dynamic web page protection mechanism based on content integrity
4.1 Method and system architecture
4.2 Security analysis
4.3 System limitations
4.4 Performance evaluation
4.5 Discussion
Chapter 5 Conclusions and future research directions
5.1 Conclusions
5.2 Research contributions
5.3 Future research directions
References
Advisor: Yi-Ming Chen (陳奕明)    Review date: 2006-7-24