
Author: 李耕瑋
Lee, Keng-Wei
Thesis title: 入侵偵測系統之效率提昇設計
Enhancing the Efficiency on Intrusion Detection System
Advisor: 黃宗立
Hwang, Tzonelih
Degree: 碩士
Master
Department: College of Electrical Engineering and Computer Science - Department of Computer Science and Information Engineering
Department of Computer Science and Information Engineering
Year of publication: 2006
Academic year of graduation: 94 (ROC calendar)
Language: Chinese
Number of pages: 64
Chinese keywords: 入侵偵測系統 (intrusion detection system), 網路封包 (network packet), 系統呼叫 (system call)
Foreign-language keywords: system call, network packet, intrusion detection system
Usage statistics: views: 83, downloads: 3
Chinese abstract (translated):

With the rapid development of intrusion detection systems, intrusion detection algorithms for all kinds of data types are continually being developed. However, the volume of data that must be analysed and inspected is often very large, which easily leads to excessive analysis time and excessive consumption of system resources.

In view of the above problem, this thesis takes two different types of data, network packets (Network Packet) and system calls (System Call), and, based on their own characteristics and their relationship to the intrusion detection algorithms, proposes a separate architecture for improving detection efficiency for each. In the architecture for improving network packet detection efficiency, early analysis of the packet header (Early Filtering) and a cache (Cache) are used to identify normal packets as early as possible, thereby improving the efficiency of packet detection. In the architecture for improving system call detection efficiency, filtering (Filtering) and aggregation (Aggregation) are used to reduce the number of system calls that must be analysed, thereby improving the efficiency of system call detection.

Finally, experiments are carried out on each proposed architecture. For packet analysis efficiency, with the same 50000 packets, a cache with 1000 cache frames (Cache Frame) improves efficiency by about 23% compared with no cache. For system call analysis, the space saved on the system calls of a file server and of a web server is close to 50% in both cases, and the improvement in analysis efficiency for each commonly used command is determined by the proportion by which its number of system calls is reduced. It can therefore be seen that preprocessing the data does improve the performance of intrusion detection analysis.

English abstract:

With the development of intrusion detection systems, intrusion detection systems that focus on different types of data are continually being developed. Even though many researchers have put effort into intrusion detection systems, analysing a large amount of data is still a heavy load that leads to too much time being spent on analysis and exhausts many system resources, no matter which intrusion detection system is used.

In order to solve the above-mentioned problems, this paper focuses on two kinds of data, the network packet and the system call, and proposes architectures for enhancing the efficiency of intrusion detection systems, based on the properties of the data themselves and the relationship between the data and the intrusion detection systems. In the architecture for enhancing the efficiency of network packet analysis, we use the Early Filtering mechanism and the Cache mechanism to determine as early as possible whether a network packet is normal; in the architecture for enhancing the efficiency of system call analysis, we use the Filtering mechanism and the Aggregation mechanism to decrease the number of system calls that must be analysed.

Experimental results with real data clearly demonstrate that the efficiency of packet analysis was enhanced by about 23% when the number of network packets is 50000 and the number of cache frames is 1000, and that the efficiency of system call analysis was enhanced in proportion to the reduction in the number of system calls. For a file transfer server and a web server, the storage space saved by the improved system call analysis is about 50%. Based on these experimental results, both architectures achieve the goal of enhancing efficiency.

Table of contents:

Chinese abstract I
English abstract III
Acknowledgements V
Contents VI
List of tables VII
List of figures VII
Chapter 1 Introduction 1
  1.1 Why intrusion detection systems are needed 1
  1.2 Basic components of intrusion detection systems and intrusion methods 2
    1.2.1 Basic components of intrusion detection systems 2
    1.2.2 Intrusion methods 3
  1.3 Research motivation and objectives 5
  1.4 Thesis organisation 7
Chapter 2 Related work 8
  2.1 Historical development 8
  2.2 Classification of intrusion detection systems 9
  2.3 Network packets 13
    2.3.1 Overview 13
    2.3.2 Detection methods 13
  2.4 System calls 14
    2.4.1 Overview 14
    2.4.2 Detection methods 14
Chapter 3 Design for improving the efficiency of intrusion detection systems 17
  3.1 Architecture for improving network packet detection efficiency 17
    3.1.1 Early analysis of network packet headers (Early Filtering) 17
    3.1.2 Cache 18
    3.1.3 Architecture for improving network packet detection efficiency 19
    3.1.4 Workflow of the architecture for improving network packet detection efficiency 21
    3.1.5 Efficiency of the improved network packet detection 23
  3.2 Architecture for improving system call detection efficiency 24
    3.2.1 Filtering 24
    3.2.2 Aggregation 26
    3.2.3 Architecture for improving system call detection efficiency 27
    3.2.4 Workflow of the architecture for improving system call detection efficiency 29
    3.2.5 Efficiency of the improved system call detection 31
Chapter 4 Experiments and evaluation 34
  4.1 Efficiency of the improved network packet detection 34
    4.1.1 Relationship between the number of cache frames and the miss rate 34
    4.1.2 Relationship between the number of cache frames and the number of network packets 37
  4.2 Efficiency of the improved system call detection 39
    4.2.1 Improvement in storage space 39
    4.2.2 Improvement in efficiency 42
Chapter 5 Conclusions 46
  5.1 Conclusion 46
  5.2 Future work 47
References 48
Appendix A Interface overview 53
  Execution environment 53
  Interface for improving network packet detection efficiency 54
  Interface for improving system call detection efficiency 57
About the author 65


Full-text availability: on campus: open immediately; off campus: open from 2006-08-28