
Author: 鄭毓芹
Chen, Yu-Chin
Title: 應用於IDS 測試的使用者行為與環境之網路資料集設計與實現
Design and Implementation of Web Dataset for IDS Testing with User-Behavior and Environment
Advisor: 賴溪松
Laih, Chi-Sung
Degree: Master
Department: College of Electrical Engineering and Computer Science, Institute of Computer & Communication Engineering
Year of publication: 2006
Academic year of graduation: 94
Language: English
Pages: 78
Chinese keywords (translated): Intrusion Detection System, Dataset, User Behavior, Web Dataset
Foreign-language keywords: IDS Testing, Intrusion Detection System, IDS, Web Application Attack, Dataset, User Behavior
  • (Chinese abstract, translated) Web applications are growing rapidly with the growth of network bandwidth and demand. With the adoption of Web-based technologies for connecting, companies have enabled seamless links between the organization and its suppliers, customers and stakeholders. By design, Web applications are publicly accessible on the Internet. This has exposed a multitude of previously unknown security risks, given hackers convenient access, and allowed almost unlimited attempts to attack the application. Hackers have been quite successful at finding holes in corporate security infrastructure. As a result, website damage caused by Web application attacks has become another major problem. A dataset is therefore needed to test the signatures of the intrusion detection systems that protect website security. Moreover, for evaluating the performance of intrusion detection systems, the off-line dataset evaluation methodology proposed by MIT Lincoln Laboratory is a
    feasible solution. However, the synthetic traffic simulated by MIT Lincoln Laboratory is modelled mostly at the session level rather than at the user level. From my viewpoint, user behavior simulation is very important in IDS evaluation and is also a great challenge, because human behavior is complex and hard to simulate. In my thesis, I discuss my work to improve the dataset for evaluating intrusion detection signatures. Unlike MIT Lincoln Laboratory, I propose a design and procedures for generating synthetic traffic by rebuilding the web infrastructure and analyzing user behavior. The experimental results show that my model is able to reasonably construct synthetic traffic with high similarity and accuracy, and that it successfully detects weaknesses in intrusion detection signatures.

     Web applications are increasing quickly with the blooming of network bandwidth and demand. The adoption of Web-based technologies for conducting business has enabled organizations to connect seamlessly with suppliers, customers and other stakeholders. By design, Web applications are publicly available on the Internet. This has also exposed a multitude of previously unknown security risks, provided hackers with easy access, and allowed almost unlimited attempts to hack the application. Hackers have been successful in finding a gaping hole in the corporate security infrastructure, one of which organizations were previously unaware: Web applications. Consequently, website defacement is another major problem resulting from Web application attacks. Such factors require a dataset to test the signatures of the intrusion detection systems used for protecting website security. In addition, the off-line dataset evaluation methodology proposed by MIT Lincoln Lab is a practical solution for evaluating the performance of an IDS. However, MIT Lincoln Lab models the synthetic traffic at the session level rather than at the user level. From my viewpoint, user behavior simulation is very important in IDS evaluation and is an immensely challenging undertaking because of the complexity and intricacy of human behavior.

     In my master thesis, I discuss my effort to improve the dataset for intrusion detection signature evaluation. Unlike MIT Lincoln Lab, I propose the design and procedures to generate the synthetic traffic by rebuilding the web infrastructure and analyzing the user behavior. The experimental results show that my model can feasibly construct synthetic traffic with high similarity and fidelity, and that it successfully detects weaknesses in intrusion detection signatures.

    Table of contents (page numbers refer to the thesis)

    1 Introduction 1
      1.1 Introduction to Intrusion Detection System 1
      1.2 Intrusion Detection System using Data Mining 2
      1.3 Introduction to Intrusion Detection System Evaluation 3
      1.4 Research Motivation 4
      1.5 Contribution 5
      1.6 Thesis Organization 5
    2 Preliminary Background 6
      2.1 Web Application Intrusions 6
      2.2 Traditional IDS vs. Application-based IDS 7
        2.2.1 Overview of Traditional Intrusion Detection System 7
        2.2.2 Web Application-based Intrusion Detection System 8
      2.3 Gaps and Challenges of Intrusion Detection 9
      2.4 Overview of IDS Evaluation 12
        2.4.1 Existing IDS Testing Efforts 13
        2.4.2 Measurable IDS Characteristics 14
        2.4.3 Challenges of Intrusion Detection System Testing 17
      2.5 MIT/LL DARPA Off-line Intrusion Detection Evaluation Dataset 20
        2.5.1 Overview of MIT/LL Off-line Evaluation Dataset 20
        2.5.2 Critique of MIT/LL Off-line Evaluation Dataset 21
      2.6 A Free IDS – Snort 21
    3 Critical Topics of Web Application 23
      3.1 What is a Web application? 23
      3.2 Hacking Web Applications in three stages 25
      3.3 Web Application Level Attacks 25
        3.3.1 Classes of Web attacks 26
        3.3.2 Common Web Application Attacks 28
    4 Related Algorithms and Definitions 32
      4.1 Decision Trees 32
      4.2 Association Rules Algorithm 36
        4.2.1 Basic Concepts of Association Rules 36
        4.2.2 Apriori Algorithm 36
        4.2.3 Quantitative Association Rule Mining 41
        4.2.4 Correlation Analysis 44
      4.3 Receiver Operating Characteristic Curve 44
    5 Web Dataset For IDS Testing: Design and Procedure 46
      5.1 Purpose of this thesis 46
      5.2 A Hypothesis and Three Objectives 47
      5.3 Design Principle 47
        5.3.1 The TESTBED Approach 47
        5.3.2 Design Principle and Procedure 49
        5.3.3 Background Traffic Analysis and Generation 50
      5.4 Attacks 54
      5.5 Tools for Generating and Synthesizing of Background Traffic 56
    6 Experiment and Results 57
      6.1 The reference network 57
      6.2 Server Environment Analysis and Rebuild 58
      6.3 User behavior Analysis 61
      6.4 Traffic Synthesis 66
        6.4.1 Network Testbed 67
        6.4.2 The Web Server Environment 68
        6.4.3 The Client Side Environment 69
        6.4.4 Attacks 69
        6.4.5 Attacks and Background Traffic Generation 69
        6.4.6 Statistics of Generated Data 72
      6.5 Evaluating Intrusion Detection System Signatures 72
      6.6 Comparison with MIT/LL DARPA IDS Evaluation Dataset 72
    7 Conclusions 74


    Full text availability: on campus, public from 2007-08-16
    Off campus: public from 2007-08-16