
Graduate student: 陳建宏
Chen, Chien-Hung
Thesis title: 分析入侵Unix系統行為之間的因果關係以建造攻擊腳本資料庫之研究與應用
Building an Attack Scenario Database with Causal Relationship of Intrusive Behaviors in Unix-like Systems and its Applications
Advisor: 賴溪松
Laih, Chi-Sung
Degree: 碩士
Master
Department: College of Electrical Engineering and Computer Science - Institute of Computer & Communication Engineering
Institute of Computer & Communication Engineering
Year of publication: 2007
Academic year of graduation: 95
Language: English
Number of pages: 103
Keywords (Chinese): alert correlation, attack status graph, attack scenario database, security management operation center
Keywords (English): Attack scenario database, security operation center, attack status graph, alert correlation
Access statistics: views: 146, downloads: 1
Abstract (Chinese original, translated): As technology advances, networks and computers bring people ever greater convenience, but behind that convenience come countless network attacks. Today there are many types of network attack, such as probing a victim for useful information, intruding into the target system, stealing confidential data, installing backdoors and distributed denial-of-service attacks, any of which can severely damage the victim's system. Although many intrusion detection tools are available (such as Snort), most of them share several shortcomings. First, an intrusion detection system concentrates on generating attack alerts without organising them further, so under a DoS attack it produces a large number of identical alerts. Second, when an administrator has to monitor many different systems, a large-scale or planned attack makes it hard to pick out the important alerts efficiently. Third, an intrusion detection system only raises an alert after the attack has happened and offers no early warning. Because of these three factors, administrators using such tools easily waste time and manpower and can miss important alerts through oversight.
In this thesis we develop the Causal Relationship for Scenario Modeling Language (CRSML) to construct an attack scenario database, built from several units. 1. Attack scenario database: we collect samples of current real-world attacks in advance, analyse the relationships among them, organise them into a scenario database, and design it to be extensible. 2. Host detection unit: develops detection tools inside the system and generates alerts. 3. Alert correlation unit: merges duplicate and planned attacks into significant attack events. 4. Attack status and early-warning unit: analyses network and host events and converts them into an attack status graph. Finally, combined with the security operation center we developed earlier, the system helps administrators maintain network security efficiently. The system flow is therefore: first, use the causal relationships between attack steps to build real attack scenarios; then, through alert correlation, merge duplicate and related alerts; finally, analyse them to produce an attack status graph that reports the attack steps and predicts the next likely action, providing early warning. This research builds attack scenario databases with causal relationships for two kinds of attack behaviour, intrusion of UNIX systems and worms; this thesis concentrates on intrusion of UNIX systems, while a partner, 姜忠志 (Chung-Chih Chiang), studies worm attack behaviour.

Abstract: Networks and computers bring people convenience as science and technology advance, but with that convenience come many kinds of network attacks. There are many different types of attack, for example probing victims for useful information, intruding into target systems, stealing secure data, installing backdoors, distributed denial of service and so on. All of them harm people or seriously damage systems. Although many kinds of IDSs (intrusion detection systems) have been developed, they have some disadvantages. First, IDSs focus on generating alerts but do not analyze or correlate them; for example, an IDS will generate a large number of alerts when a system suffers a DoS attack. Second, system managers cannot effectively analyze the main attacks when great numbers of attacks or planned attacks occur. Third, an IDS generates alerts and reports to the manager only after the attacks, so it cannot predict the next step of an attack. For these three reasons, not only are time and effort easily wasted, but important messages are also lost through carelessness.
We develop a Causal Relationship for Scenario Modeling Language (CRSML) to build an attack scenario database. There are four main units. 1. Attack scenario database: we collect attack patterns in advance and then analyze their causal relationships to construct a scenario database. 2. Host detection unit: its main function is to deploy detection sensors in the systems and generate alerts when attacks happen. 3. Alert correlation unit: it correlates duplicate and planned alerts, then transforms the correlated alerts into events. 4. Attack status and prediction unit: it produces attack status graphs by handling all network and host events. Finally, we combine our research with the security operation center (SOC) we built previously, which effectively helps system managers maintain network security. The procedure in our construction uses the causal relationships among patterns to build attack scenarios. Then it brings alerts together based on alert correlation. Finally, it generates an attack status graph and predicts the next steps of an attack to prevent damage in advance. We propose two lines of research: intrusive behaviors in Unix-like systems and worm attack behaviors. This thesis focuses on intrusive behaviors in Unix-like systems; the other topic, worm attack behaviors, is proposed by another member, Chung-Chih Chiang.

Table of contents:
摘要 (Chinese abstract) - II
Abstract - IV
致謝 (Acknowledgements) - VI
Content - VIII
List of Tables - X
List of Figures - XII
Chapter 1. Introduction - 1
1.1 Attack Scenario strategies - 1
1.2 Motivation - 3
1.3 Contribution - 4
1.4 Thesis Organization - 6
Chapter 2. Background: Correlation language - 7
2.1 Alert Correlation - 7
2.2 Intrusion Detection Message Exchange Format - 13
2.3 Scenario Language - 17
2.3.1 A Language to Model a Database for Detection of Attacks - 17
2.3.2 Correlated Attack Modeling Language - 18
Chapter 3. Related works - 21
3.1 Detection Process - 21
3.1.1 NIDS and HIDS - 21
3.1.2 Keystroke - 26
3.2 IDS signature - 33
3.3 Attack Graphs - 35
Chapter 4. System Design and Implement - 39
4.1 Causal Relationship for Scenario Modeling Language - 39
4.2 Attack pattern - 40
4.2.1 Pre / post condition - 42
4.3 Attack scenario - 47
4.3.1 Generating Scenario Algorithm - 49
4.4 Example for attack scenario - 53
4.4.1 Overview - 53
4.4.2 Attack steps - 54
4.5 Comparison - 58
Chapter 5. Application - 61
5.1 Application for Security Operation Center - 61
5.1.1 Construction - 62
5.1.2 Sensor group - 63
5.1.3 Database - 66
5.1.4 System Operation Unit - 67
5.1.5 Core Procedure Unit - 67
5.1.6 Graph Generation Unit - 73
5.1.7 User Interface - 76
Chapter 6. Implement and experiments - 79
6.1 System Environment - 79
6.2 Experiments - 81
6.2.1 The Attack Experiment I - 81
6.2.2 The Attack Experiment II - 84
6.2.3 The Attack Experiment III - 90
Chapter 7. Conclusions and Future Works - 95
References - 97
Appendix - 101


Full text available on campus: 2008-07-16
Full text available off campus: 2008-07-16