| Graduate student: | 姜忠志 Chiang, Chung-Chih |
|---|---|
| Thesis title: | 利用蠕蟲攻擊行為之因果關聯以建構攻擊腳本資料庫之研究與應用 (Building an Attack Scenario Database with Causal Relationship of Worm Attack Behaviors and its Applications) |
| Advisor: | 賴溪松 Laih, Chi-Sung |
| Degree: | Master |
| Department: | College of Electrical Engineering and Computer Science, Institute of Computer & Communication Engineering |
| Year of publication: | 2007 |
| Academic year of graduation: | 95 (ROC calendar) |
| Language: | English |
| Pages: | 96 |
| Keywords (Chinese): | 安全管理營運中心 (security operation center), 警訊關聯 (alert correlation), 攻擊狀態圖 (attack status graph), 攻擊腳本資料庫 (attack scenario database) |
| Keywords (English): | Attack scenario database, alert correlation, attack status graph, security operation center |
| Access count: | Views: 95, Downloads: 1 |
Abstract (translated from the Chinese):

This is an era of information explosion, and the growth of the Internet has brought great convenience to daily life. Yet while we enjoy this speed and convenience, it is accompanied by many kinds of network attacks. Today there are many types of network attack, such as probing a victim for vulnerability information, intruding into a target system, stealing confidential data, installing backdoors, and distributed denial-of-service attacks, all of which can severely damage the victim's systems. Although many intrusion detection tools are already on the market (such as Snort), most of them share several shortcomings. First, an intrusion detection system concentrates on generating alerts for attacks without any further higher-level organization, so when a sequence of attacks occurs the administrator knows only how many attacks were received and has no way of learning the relationships among them. Second, when an administrator must monitor a large number of systems and receives a flood of alerts, it is hard to judge their relative weight, which delays the subsequent remediation. Third, an intrusion detection system can only raise an alert after an attack has been received; it has no early-warning capability. Because of these three factors, an administrator using these tools easily wastes time and manpower and can easily overlook important alerts.

In this thesis we develop the Causal Relationship for Scenario Modeling Language (CRSML), used to build an attack scenario database, and construct several main units. 1. Attack scenario database: we collect samples of attacks that actually exist today in advance, analyze the relationships among the samples, build them into a scenario database, and design it so that it can be extended conveniently in the future. 2. Host-internal detection unit: we develop detection tools inside the host to detect attack behavior within the system and generate alerts. 3. Internal alert integration unit: it integrates internal attacks of the same kind to produce composite attack events. 4. Attack-behavior causal correlation unit: in the security operation center we developed earlier, we develop a causal correlation unit for attack behavior based on the attack scenario database, to obtain the higher-level attack sequence that actually occurred; in addition, by matching against the attack scenario database, the resulting attack status graph provides an early warning of the next attack step.

This research builds attack scenario databases from causal relationships for two kinds of attack behavior, intrusion into UNIX systems and worms. This thesis focuses on the worm part; the study of intrusive behavior against UNIX systems is the research topic of another research partner, 陳建宏 Chien-Hung Chen.
Abstract (English):

In this age of information explosion, advances in science and technology have made networks and computers a great convenience. That convenience, however, has been followed by many kinds of attacks. More and more attack types are being discovered, for example probing a victim for useful information, intruding into a target system, stealing confidential data, opening backdoors, and distributed denial of service. Although many intrusion detection systems (IDSs) are used to detect attacks, they have several disadvantages. First, IDSs focus on the alerts raised by attacks, but those alerts are not correlated effectively; a system manager can see how many attacks have happened but not how they are related. Second, when a large number of attacks occurs, a manager cannot judge the weight of the alerts, and handling them is delayed. Third, an IDS generates alerts and reports them to the manager only after the attacks have taken place, so it cannot predict the next attack. For these three reasons, it is difficult to deal with the important alerts when using these IDSs.

Our research focuses on building an attack scenario database, for which we develop the Causal Relationship for Scenario Modeling Language (CRSML). We develop four main units. 1. Attack scenario database: we collect real attack patterns in advance and analyze their causal relationships to construct the scenario database. 2. Host detection unit: we integrate several tools into a detection flow; the host sensors detect attacks and generate alerts. 3. Alert correlation unit: it correlates duplicate and plan-set alerts and transforms the correlated alerts into events. 4. Attack status and prediction unit: it produces attack status graphs from all network and host events. Beyond these units, we also apply our construction to the security operation center (SOC) we built earlier, which effectively helps system managers maintain network security. The procedure in our construction uses the causal relationships among patterns to build attack scenarios, then brings alerts together by alert correlation, and finally generates the attack status graph and predicts the next attacks. We propose two studies: intrusive behaviors in Unix-like systems and worm attack behaviors. This thesis focuses on worm attack behaviors; the other topic, intrusive behaviors in Unix-like systems, is proposed by another member, Chien-Hung Chen.
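As an added illustration of the pipeline the abstract describes (a scenario database whose stages are causally ordered, duplicate-alert correlation into events, and an attack status used to predict the next step), the following Python is example code written for this page, not the thesis's CRSML implementation; the scenario names, stage labels, hosts and sample alerts are all constructed assumptions.

```python
from collections import Counter
from dataclasses import dataclass

# Scenario database: each scenario is a causal chain of stages, where a
# stage is only meaningful if every earlier stage in the chain occurred.
# Stage labels are hypothetical, not the thesis's own CRSML vocabulary.
SCENARIOS = {
    "worm": ["probe", "exploit", "install_backdoor", "propagate"],
    "unix_intrusion": ["probe", "exploit", "privilege_escalation", "exfiltrate"],
}

@dataclass(frozen=True)
class Alert:
    src: str
    dst: str
    stage: str  # scenario stage the sensor attributes this alert to

# Constructed sample alert stream: duplicate probes, then two later stages.
SAMPLE_ALERTS = [
    Alert("10.0.0.5", "10.0.0.9", "probe"),
    Alert("10.0.0.5", "10.0.0.9", "probe"),
    Alert("10.0.0.5", "10.0.0.9", "exploit"),
    Alert("10.0.0.5", "10.0.0.9", "install_backdoor"),
]

def correlate(alerts):
    """Duplicate-alert correlation: same (src, dst, stage) -> one event with a count."""
    counts = Counter((a.src, a.dst, a.stage) for a in alerts)
    return [{"src": s, "dst": d, "stage": st, "count": n}
            for (s, d, st), n in counts.items()]

def attack_status(events, host):
    """Per scenario, the prefix of the causal chain fully observed against `host`.
    A stage seen without its predecessors (exploit but no probe) does not count."""
    seen = {e["stage"] for e in events if e["dst"] == host}
    status = {}
    for name, chain in SCENARIOS.items():
        depth = 0
        while depth < len(chain) and chain[depth] in seen:
            depth += 1
        status[name] = chain[:depth]
    return status

def predict_next(events, host):
    """Next stage(s) of the most advanced, still incomplete scenario(s); empty if none."""
    status = attack_status(events, host)
    best = max(len(v) for v in status.values())
    return {SCENARIOS[n][best] for n, v in status.items()
            if best and len(v) == best and best < len(SCENARIOS[n])}
```

Running `predict_next(correlate(SAMPLE_ALERTS), "10.0.0.9")` yields the warning the abstract calls attack prediction: the worm chain has advanced three stages, so the predicted next stage is "propagate".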