Master's/Doctoral Thesis 91423010: Detailed Record




Author 劉美君 (Mei-Chun Liu)    Department Information Management
Thesis Title A Method of Reconstructing Multi-step Attacks by Correlating Alerts with Colored Petri Nets
Related Theses
★ Applying Digital Rights Management Mechanisms to Content Protection of Digital Video Discs
★ Achieving Enterprise Software License Management with Application Virtualization Technology
★ Design of an IAX2-based Web Phone Architecture
★ Applying Machine Learning Techniques to Assist Police in Investigating Fraud Cases
★ An Account-based Ticketing System Extended with Fraud Prevention and Privacy Protection: The Case of Public Transportation
★ Collection and Integration of Semi-structured Data on the Internet
★ A Study of Online Shopping Assistants in E-commerce Environments
★ A Study of Defense-in-depth Mechanisms for Network Security
★ Resource Pre-reservation and Resource Conflict on the National Broadband Experimental Network
★ Detecting E-mail Viruses with a Tree-structured Correlation Architecture
★ Video Placement in Video-on-Demand Systems Considering Regional Differences
★ Preserving Digital Evidence in Untrusted Local Area Networks
★ An Integrated Assistant System for Explaining IDS Events and Automatically Adding Detection Rules
★ Correlating Intrusion Alerts of Distributed Intrusion Detection Systems with a Process Tracing Method
★ Automatic Generation of Web Information Extraction Programs
★ Applying XML/XACML to Authorization Control in Workflow Management Systems
Access
  1. This electronic thesis is set to immediate open access.
  2. Electronic full text that has reached its open-access date is licensed only for personal, non-profit searching, reading and printing for academic research.
  3. Please comply with the Copyright Act of the Republic of China; do not reproduce, distribute, adapt, repost or broadcast it without authorization.

Abstract (Chinese) Present-day intrusions usually consist of many steps and are more complex and varied than before, so information security administrators and security operations centers (SOCs) often face far too many security alerts, many of them false positives, which leaves security staff overwhelmed and inefficient. Moreover, most current security alerts are still low-level information and do not let administrators quickly grasp the whole picture of an intrusion. To address this problem, the development of intrusion detection systems in recent years has gradually shifted from improving the efficiency and accuracy of alerts toward correlating alerts to provide a more complete overview of an attack. In other words, how to correlate low-level alert data into information and knowledge that is useful to security administrators has become one of the focal points of current network security research. This thesis, from the perspective of a security operations center, explains how to use Colored Petri Nets (CPN) as the theoretical basis for developing a set of rules that convert known attack methods into CPN graphs, and then how to use those CPN graphs to correlate the alerts produced by intrusion detection systems and issue security notifications of multi-step attacks. We collect several multi-step attack cases and use them as examples to explain the conversion; we also show how to use the CPN Tools package together with a program we developed to correlate the Sasser attack alerts detected by Snort and obtain more complete information on the attack behaviour.
Keywords (Chinese) ★ Alert correlation
★ Multi-step attack
★ Network security
Keywords (English) ★ SOC
★ CPN
Table of Contents Contents
List of Figures
List of Tables
Chapter 1 Introduction
1.1 Research Background
1.2 Research Motivation and Objectives
1.3 Research Assumptions, Research Process and Main Results
1.4 Organization of the Thesis
Chapter 2 Related Work
2.1 Multi-step Attack Cases
2.2 Alert Aggregation
2.3 Attack Intention Recognition
2.3.1 Attack Trees
2.3.2 State Transition Analysis
2.3.3 Correlating Alerts by Matching Pre- and Post-conditions
2.3.4 Colored Petri Nets
2.3.5 Comparison
Chapter 3 Reconstructing Multi-step Attacks with Colored Petri Nets
3.1 Introduction to Colored Petri Nets
3.2 Why Colored Petri Nets
3.3 Converting Multi-step Attacks into CPN Graphs
Chapter 4 System Design and Implementation
4.1 System Architecture
4.2 System Implementation
4.2.1 Development Environment and Tools
4.2.2 Module Implementation
Chapter 5 Case Simulation and Analysis
5.1 Building Attack Patterns
5.1.1 Case 1: Illegal Root Access
5.1.2 Case 2: Sadmind Exploit for a DDoS Attack
5.1.3 Case 3: Sasser Worm Infection
5.2 Attack Case Correlation Experiments
5.2.1 Experiment 1: Sasser Worm Alert Correlation
5.2.2 Experiment 2: Sadmind Exploit for a DDoS Attack (for RealSecure)
5.2.3 Analysis and Comparison of Experiment 2
Chapter 6 Conclusions
6.1 Research Conclusions
6.2 Research Contributions
6.3 Future Work
References
Chinese References
English References
Advisor 陳奕明 (Yi-Ming Chen)    Review Date 2004-7-16
