The electronic thesis has not yet been authorized for public release; for the printed copy, consult the library catalog. (If no record is found, or the holding status shows "closed stacks, not public", the thesis is not in the stacks and cannot be accessed.)
System ID: U0026-2101201911570000
Title (Chinese): 基於事件關聯之風險評估管理系統之研究 (A Study of a Risk Assessment and Management System Based on Event Correlation)
Title (English): The Study of a Risk Assessment System based on Event Correlation
Institution: 成功大學 (National Cheng Kung University)
Department (Chinese): 電腦與通信工程研究所
Department (English): Institute of Computer & Communication
Academic year: 107 (ROC calendar, i.e. the 2018-19 academic year)
Semester: 1
Year of publication: 108 (ROC calendar, i.e. 2019)
Author (Chinese): 侯佳伶
Author (English): Chia-Ling Hou
Student ID: Q36064133
Degree: Master's
Language: English
Pages: 72
Committee: Advisor 楊竹星; members 李忠憲, 林輝堂, 陳俊良, 謝錫堃
Keywords (Chinese): 嫌疑行為, 事件關聯, 風險評估
Keywords (English): Suspicious Behavior, Event Correlation, Risk Assessment
Subject classification: (not given)
Abstract (Chinese, translated): As Internet technology keeps advancing, using the network is for modern people not only a convenience but a pleasure. It covers everything from looking up information to filing taxes online, as well as the audio and video entertainment young people enjoy most, and all of these services are available as soon as one is connected. But while enjoying this convenience, criminals also use the network to commit crimes without leaving traces. Attackers' techniques are endlessly varied and they will use any means to reach their goals; well-known cases include the 2016 First Bank (第一銀行) ATM cash-out incident and the 2017 WannaCry ransomware, which encrypted users' data to demand a ransom. As these examples show, most network attacks cannot be prevented by a single defense: attacks have moved beyond intrusions aimed at one target and escalated into multi-stage, multi-target campaigns. This thesis therefore proposes event correlation analysis to identify and consolidate related attacks while also searching for latent threats.
Given the prevalence of network attacks, uncovering attack behavior and suspicious attackers is the most important task at present, and detection and defense systems such as network-based intrusion detection systems (NIDS) and host-based intrusion detection systems (HIDS) have been developed to detect or defend in their respective environments. Some attack types, however, cannot be identified by NIDS inspection alone: web-application attacks and attacks on host vulnerabilities, such as command injection, are only noticed with the help of HIDS log inspection. This study therefore combines network-based and host-based intrusion detection into a risk assessment and management system (Risk Assessment System, RAS) that performs event correlation and risk assessment on attacks and suspicious behavior. The system collects the analysis results of the NIDS and HIDS, applies an attack event correlation algorithm to find the relations among independent attack events and to analyze latent suspicious attack behavior, and at the same time uses an attack behavior estimation algorithm and an event and vulnerability estimation algorithm to compute a risk score. Finally, the suspicious IPs are sorted by their risk coefficients so that the IPs posing the highest attack risk can be identified for subsequent defense.
Abstract (English): Network technology is advancing rapidly. Online, people search for information, pay taxes and enjoy the media entertainment young people favor; almost any need can be met once connected. But along with that convenience come a wide variety of Internet attacks, and nobody is entirely safe from them. Well-known incidents include a popular message board (PTT) being taken down by flooding traffic, the theft of over NT$80 million by installing malware on ATMs, and WannaCry encrypting users' files to demand a ransom. As these cases show, most attacks cannot be defended against by a single method. Attacks have evolved into multi-technique campaigns that no longer focus on a single aim but search for a large number of targets to compromise. The most important task is therefore to find the attackers and search for suspicious behavior in the network environment, which is what intrusion detection systems were proposed for.
Today, network-based IDS (NIDS) and host-based IDS (HIDS) can tell users whether an attack is under way, but in some cases, such as web-based attacks or exploitation of system vulnerabilities, a NIDS cannot detect the attack on its own. Our system therefore integrates NIDS and HIDS to detect suspicious behavior and to assess a risk value for the IPs involved. The research is dedicated to analyzing attackers and suspicious behavior through NIDS and HIDS output: the system finds the relations among these events with the event correlation algorithm developed in this research, and uses a behavior estimation algorithm together with an event and vulnerability estimation algorithm to calculate the risk value of events. Finally, it ranks every IP and takes steps to protect hosts and devices from the attacks.
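The pipeline both abstracts describe (collect NIDS and HIDS results, correlate independent events, score behavior and vulnerability, rank suspicious IPs), as an added Python illustration written for this page. It is not the thesis's RAS implementation and does not reproduce its correlation, behavior-estimation or IPRank algorithms; the alert formats (Snort-style fast alerts for the NIDS side, an invented key=value host log for the HIDS side), the 60-second correlation window, the category weights and the CVSS-like severities are all assumptions, and the alert lines are constructed.

```python
"""Added illustration (not the thesis's RAS code): correlate NIDS and HIDS alerts per source
IP and rank IPs by a combined risk score. Formats, weights and severities are assumptions."""
from __future__ import annotations
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
# Constructed sample input (assumed): Snort-style "fast" alerts for the NIDS side and an
# invented key=value host log for the HIDS side.
NIDS_ALERTS = """\
01/12-10:00:01.000000  [**] [1:2100001:1] SCAN nmap SYN [**] [Priority: 2] {TCP} 203.0.113.5:44321 -> 192.0.2.10:22
01/12-10:00:07.000000  [**] [1:2100002:1] WEB-ATTACK command injection attempt [**] [Priority: 1] {TCP} 203.0.113.5:44322 -> 192.0.2.10:80
01/12-10:03:00.000000  [**] [1:2100001:1] SCAN nmap SYN [**] [Priority: 2] {TCP} 198.51.100.7:51000 -> 192.0.2.10:443
01/12-11:30:00.000000  [**] [1:2100003:1] WEB-ATTACK sql injection attempt [**] [Priority: 1] {TCP} 198.51.100.7:51001 -> 192.0.2.11:80
"""
HIDS_ALERTS = """\
2019-01-12T10:00:09 host=192.0.2.10 src=203.0.113.5 rule=CMD_INJECTION detail="www-data spawned /bin/sh from php"
2019-01-12T10:00:40 host=192.0.2.10 src=203.0.113.5 rule=SSH_BRUTE detail="12 failed logins in 30s"
2019-01-12T11:30:05 host=192.0.2.11 src=198.51.100.7 rule=SQLI_LOG detail="UNION SELECT in request log"
"""
# Assumed per-category behaviour weights and CVSS-like severities (not values from the thesis).
CATEGORY_WEIGHT = {"scan": 1.0, "bruteforce": 2.0, "web_injection": 3.0, "cmd_exec": 4.0}
SEVERITY = {"scan": 2.0, "bruteforce": 5.0, "web_injection": 7.0, "cmd_exec": 9.0}
CATEGORY_RULES = (("command injection", "cmd_exec"), ("cmd_injection", "cmd_exec"),
                  ("sql", "web_injection"), ("brute", "bruteforce"), ("scan", "scan"))
WINDOW = timedelta(seconds=60)  # max gap between a NIDS alert and the HIDS alert that confirms it
NIDS_RE = re.compile(r"^(\d\d)/(\d\d)-(\d\d:\d\d:\d\d)\.\d+\s+\[\*\*\]\s+\[[\d:]+\]\s+(.*?)\s+\[\*\*\]"
                     r".*?\[Priority:\s*(\d)\].*?\{\w+\}\s+([\d.]+):\d+\s+->\s+([\d.]+):\d+")
HIDS_RE = re.compile(r"^(\S+)\s+host=(\S+)\s+src=(\S+)\s+rule=(\S+)")


@dataclass(frozen=True)
class Event:
    ts: datetime
    src: str      # suspected attacker IP
    dst: str      # victim host
    sensor: str   # "nids" or "hids"
    kind: str     # normalised attack category


def classify(msg: str) -> str:
    """Map a rule message or rule name onto one of the assumed categories."""
    m = msg.lower()
    return next((kind for needle, kind in CATEGORY_RULES if needle in m), "other")


def parse_nids(text: str, year: int = 2019) -> list[Event]:
    """Snort fast alerts carry no year; one is assumed so they align with HIDS timestamps."""
    events = []
    for line in text.splitlines():
        m = NIDS_RE.match(line)
        if m:
            mon, day, hms, msg, _prio, src, dst = m.groups()
            ts = datetime.strptime(f"{year}-{mon}-{day} {hms}", "%Y-%m-%d %H:%M:%S")
            events.append(Event(ts, src, dst, "nids", classify(msg)))
    return events


def parse_hids(text: str) -> list[Event]:
    events = []
    for line in text.splitlines():
        m = HIDS_RE.match(line)
        if m:
            ts, host, src, rule = m.groups()
            events.append(Event(datetime.fromisoformat(ts), src, host, "hids", classify(rule)))
    return events


def correlate(events: list[Event]) -> tuple[dict[str, list[Event]], dict[str, set[str]]]:
    """Group events by source IP; a category is 'confirmed' when a NIDS alert and an HIDS alert
    of that category hit the same host within WINDOW, i.e. the host view corroborates the network view."""
    by_ip: dict[str, list[Event]] = defaultdict(list)
    for e in events:
        by_ip[e.src].append(e)
    confirmed: dict[str, set[str]] = defaultdict(set)
    for ip, evs in by_ip.items():
        nids = [e for e in evs if e.sensor == "nids"]
        for h in (e for e in evs if e.sensor == "hids"):
            if any(n.dst == h.dst and n.kind == h.kind and abs(n.ts - h.ts) <= WINDOW for n in nids):
                confirmed[ip].add(h.kind)
    return by_ip, confirmed


def risk_score(evs: list[Event], confirmed_kinds: set[str]) -> float:
    """Behaviour estimate (sum of category weights) plus a vulnerability estimate: the highest
    severity seen, counted in full only for categories confirmed by both sensors, half otherwise."""
    behavior = sum(CATEGORY_WEIGHT.get(e.kind, 0.5) for e in evs)
    vuln = 0.0
    for e in evs:
        sev = SEVERITY.get(e.kind, 1.0)
        vuln = max(vuln, sev if e.kind in confirmed_kinds else sev / 2)
    return behavior + vuln


def rank_ips(nids_text: str, hids_text: str) -> list[tuple[str, float]]:
    """Return (ip, risk) pairs, highest risk first."""
    by_ip, confirmed = correlate(parse_nids(nids_text) + parse_hids(hids_text))
    scored = {ip: risk_score(evs, confirmed.get(ip, set())) for ip, evs in by_ip.items()}
    return sorted(scored.items(), key=lambda kv: kv[1], reverse=True)


if __name__ == "__main__":
    for ip, risk in rank_ips(NIDS_ALERTS, HIDS_ALERTS):
        print(f"{ip:<16} risk={risk:.1f}")
```

Running the block prints the two constructed source IPs with 203.0.113.5 ranked first. The design point is the one the abstract makes about command injection: a NIDS signature match alone is scored at half severity, and only a matching HIDS observation on the same host within the window lifts the category to full severity, so an IP whose web attack actually landed outranks one that merely triggered network signatures.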
Table of Contents
Abstract (Chinese)  I
Abstract  II
Acknowledgements  III
Contents  IV
List of Tables  VI
List of Figures  VII
1. Introduction  1
1.1 Research Background  1
1.2 Research Motivation  1
1.3 Research Goal  4
1.4 Thesis Structure  5
2. Background and Related Work  6
2.1 Intrusion Detection System / Intrusion Prevention System (IDS/IPS)  6
2.1.1 Detection of IDS  8
2.1.2 Deployment of IDS  9
2.2 Deep Packet Inspection (DPI)  10
2.3 Risk Assessment  11
2.3.1 Method of Risk Assessment  12
2.3.2 Application of Risk Assessment  14
2.4 Data Mining  15
2.4.1 Data Mining Introduction  15
2.4.2 Association Analysis  17
2.4.3 Classification and Clustering  17
2.4.4 Link Analysis  18
2.4.5 PageRank  18
3. System Design  20
3.1 System Architecture  20
3.2 Attack IP Management Module  24
3.3 Suspicious IP Management Module  27
3.3.1 Behavior Estimation  28
3.3.2 IPRank  34
3.3.3 Event and Vulnerability Estimation  36
3.4 IP Relation Visualization  42
3.5 Web Interface  42
4. Experiments and Evaluations  47
4.1 System Test  49
4.2 System Operation  51
4.3 Attack IPs Detection Result  54
4.4 Suspicious IPs Detection Result  59
5. Conclusion and Future Work  63
References  65
Full-text access rights
  • On-campus browsing/printing of the electronic full text authorized, public from 2024-01-09.
  • Off-campus browsing/printing of the electronic full text authorized, public from 2024-01-09.

