The electronic thesis has not been authorized for public release; for the paper copy, consult the library catalogue.
(Note: if no record is found, or the holdings status shows "closed stacks, not public", the thesis is not in the stacks and cannot be accessed.)
System ID U0026-2607201016185600
Title (Chinese) 應用賽局理論動態分配流量於平行入侵偵測系統
Title (English) Dynamic Allocation Mechanism Based on the Game Theory for Parallel Intrusion Detection Systems
University 成功大學
Department (Chinese) 電腦與通信工程研究所
Department (English) Institute of Computer & Communication
Academic year 98
Semester 2
Publication year 99
Author (Chinese) 沈怡伶
Author (English) Yi-Ling Shen
Student ID q3697155
Degree Master's
Language English
Pages 82
Committee: Advisor 賴溪松
Committee member 林輝堂
Committee member 陳嘉玫
Committee member 曾俊元
Committee member 劉培文
Chinese keywords: parallel-architecture intrusion detection system; load balancing; dynamic allocation; game theory
English keywords: Parallel IDS; load balancing; dynamic allocation; game theory
Subject classification
Abstract (Chinese): An intrusion detection system (IDS) is a security device for preventing intrusion attacks; it inspects packets to detect security attack events. However, with the rapid growth of the Internet, network traffic keeps increasing. A single-IDS architecture, limited by its processing capacity, cannot process large volumes of packets in real time, and packets are dropped.
This thesis proposes a Dynamic Parallel Intrusion Detection System (DPIDS), which uses multiple IDSs to inspect packets in parallel. The core of the system is a taskmaster that actively collects the state of each IDS and then, according to game theory, dynamically allocates traffic and performs load balancing, thereby avoiding packet drops caused by sudden traffic surges and handling the unexpected event of an IDS crash. Because the system is session-oriented, traffic allocation also yields the effect of stateful analysis. In addition, because the algorithm makes it easy to add new hardware and retire old hardware, and lets IDSs of different grades inspect packets in parallel, the hardware can be chosen with greater flexibility.
The experimental results show that the taskmaster mechanism can balance traffic dynamically and use overall system resources more efficiently, thus increasing performance and reducing packet drops.
Abstract (English): An intrusion detection system (IDS) is a network security tool that inspects the packets passing through it. However, with the rapid development of the Internet, network bandwidth has steadily increased, so a major issue for an IDS is an overly high volume of traffic, where the NIDS is unable to process all the data and traffic is "dropped". Scaling a NIDS to high-speed networks can be achieved by using multiple NIDSs operating in parallel.
We propose a Dynamic Parallel Intrusion Detection System (DPIDS) with a dynamic allocation and load balancing mechanism to handle the increased load. To improve the performance of multiple IDSs working together, we introduce a taskmaster, which is the core of the DPIDS. The taskmaster oversees the division and allocation of responsibility and performs packet control, pre-filtering, and state management. It uses active analysis, based on game theory, to assign work intelligently, in contrast to the passive distribution methods proposed in previous work. The active mechanism improves the division of labor by loading the slave IDSs dynamically and can account for sudden increases in traffic or slave IDS crashes. In addition, the mechanism allows IDSs of different grades to work in tandem within the DPIDS architecture.
The overall system is designed as a session-oriented, signature-based IDS, which provides stateful analysis by aggregating related events for detection by a single slave IDS. Our experimental results show that DPIDS maintains stable loading as a function of the taskmaster. This allows better performance of the overall system as a result of more efficient use of IDS capacity.
Table of contents: List of Tables VII
List of Figures VIII
Chapter 1 Introduction 1
1.1 Motivation 1
1.2 Contributions 2
1.3 Proposed Solution 2
1.4 Design Considerations 4
1.5 Thesis Organization 6
Chapter 2 Background Knowledge 9
2.1 IDS Introduction 9
2.1.1 Overview of Intrusion Detection Systems 9
2.1.2 Common IDS detection methodologies 11
2.1.3 IDS Types 15
2.1.4 IDS Limitations 19
2.2 The Game Theory 20
2.2.1 Cooperative Games 25
Chapter 3 Related Work 31
3.1 Solutions by IDS platform 31
3.1.1 Distributed IDS 32
3.1.2 Parallel IDS 33
3.2 Log aggregation method 41
3.3 IDS Improvements 42
Chapter 4 System Principles 43
4.1 SWOT analysis of Parallel IDS 43
4.2 Problem statement 47
4.3 Resource allocation using Game Theory 48
4.4 Bankruptcy Games 49
4.4.1 Bankruptcy Problem 49
4.4.2 Characteristic Function of Coalition 50
4.4.3 Core and Shapley Value 52
Chapter 5 System Architecture 53
5.1 Framework 53
5.2 Implementation 56
Chapter 6 Experiments and Evaluation 61
6.1 System performance 61
6.1.1 Variable load claims 64
6.1.2 Dynamic recovery 66
6.2 Load normalization 68
6.3 Reallocation mechanism 69
Chapter 7 Discussion 73
Chapter 8 Conclusion and Future Work 77
References 79
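The abstract describes the taskmaster allocating traffic to slave IDSs by game theory, and Chapter 4 of the table of contents lists bankruptcy games, the coalition characteristic function, the core and the Shapley value. The block below is an added illustration, not code from the thesis: it computes the exact Shapley value of a bankruptcy game under the assumed mapping that each live slave's reported capacity is its claim and the offered traffic is the estate (the thesis's own model, figures and crash handling are not on this page; the slave names and Mbps values are constructed).

```python
from fractions import Fraction
from itertools import combinations
from math import factorial


def characteristic(estate, claims, coalition):
    """Bankruptcy-game characteristic function: a coalition S is worth
    whatever is left of the estate after every player outside S has been
    paid its full claim, or nothing if that would be negative."""
    outside = sum(c for j, c in enumerate(claims) if j not in coalition)
    return max(0, estate - outside)


def shapley(estate, claims):
    """Exact Shapley value of the bankruptcy game (estate, claims),
    computed by enumerating every coalition (fine for a handful of slaves)."""
    n = len(claims)
    phi = [Fraction(0)] * n
    for i in range(n):
        others = [j for j in range(n) if j != i]
        for k in range(n):
            weight = Fraction(factorial(k) * factorial(n - k - 1), factorial(n))
            for subset in combinations(others, k):
                s = frozenset(subset)
                gain = (characteristic(estate, claims, s | {i})
                        - characteristic(estate, claims, s))
                phi[i] += weight * gain
    return phi


def allocate(traffic, capacities):
    """One taskmaster allocation step (assumed model): each live slave IDS
    claims its reported capacity and the offered traffic is the estate.
    Returns the per-slave share and the volume no slave can absorb (dropped).
    A slave reporting 0 capacity (crashed) simply leaves the game."""
    names = [name for name, cap in capacities.items() if cap > 0]
    claims = [capacities[name] for name in names]
    estate = min(traffic, sum(claims))  # bankruptcy games need sum(claims) >= estate
    dropped = traffic - estate
    shares = dict(zip(names, shapley(estate, claims)))
    return shares, dropped


if __name__ == "__main__":
    # Constructed sample: three slaves of different grades (Mbps), 400 Mbps offered
    print(allocate(400, {"ids-a": 100, "ids-b": 200, "ids-c": 300}))
    # ids-c crashes: 300 Mbps of capacity remain, so 100 Mbps must be dropped
    print(allocate(400, {"ids-a": 100, "ids-b": 200, "ids-c": 0}))
```

Because a bankruptcy game is convex, the Shapley allocation lies in the core, so no slave is ever assigned more than its claimed capacity; the second call shows the reallocation after a crash, where the shortfall is reported as dropped traffic rather than overloading the survivors.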

Full-text access rights
  • Authorized for on-campus browsing/printing of the electronic full text; publicly available from 2011-07-29.