Detailed Record

Author: 鄭永隆
Author (English): Yong-Long Jheng
Title: 基於可擴張馬爾可夫模型之可調適分散式阻斷服務攻擊偵測機制
Title (English): An Adaptive DDoS Detecting Scheme Based on Extensible Markov Model
Advisor: 曾昱國
Advisor (English): Yu-Kuo Tseng
Degree: Master's
Institution: Shu-Te University (樹德科技大學)
Department: Department of Computer Science and Information Engineering
Year of publication: 2008
Graduation academic year: 96 (ROC calendar, i.e. the 2007/08 academic year)
Language: Chinese
Pages: 65
Keywords (Chinese): 電腦網路安全; 服務阻斷攻擊; 資料探勘; 可擴張的馬可夫模型
Keywords (English): Computer Network Security; Denial of Service; Data Mining; Extensible Markov Model
With the spread of personal computers and the rapid growth of the Internet, computer crime of every kind has multiplied. Effectively securing the information carried by computers and communication networks, and preventing attacks on them, has therefore become an urgent problem. According to the CSI/FBI Computer Crime and Security Survey, denial-of-service attacks cause severe losses and are among the most common forms of network attack. The threat keeps growing, yet no mechanism that fully solves denial-of-service attacks has been proposed so far.
Most current DoS/DDoS research concentrates on mitigating the impact of such attacks. This passive approach can at best minimise the damage; it cannot eliminate the attack. In view of these difficulties, among the many kinds of network attack this study targets the flooding-style DoS/DDoS attack, which is currently common and highly damaging, and seeks a way to distinguish benign packets from malicious ones.
The study uses the Extensible Markov Model (EMM), which adjusts a Markov chain dynamically according to the temporal and spatial characteristics of the data stream, to analyse network packets. Its advantage is that it adapts itself and dynamically models data that changes over time, learning and adjusting its structure from the state-transition probabilities observed in the input stream. EMM is therefore an efficient, adaptive mechanism suited to unsupervised, real-time processing, so this study applies it to DoS/DDoS attack traffic, which has the characteristics of a data stream, in order to find an EMM clustering scheme that is effective against DoS/DDoS attacks and helps the victim side distinguish normal packets from abnormal ones.
Among the many attacks on computer servers and communication networks, one of the most prevalent and serious network-security problems is the Denial of Service (DoS) or Distributed Denial of Service (DDoS) attack. According to the CSI/FBI computer crime survey, Internet DoS/DDoS attacks have increased in frequency, severity, and sophistication, and have drawn international attention to the vulnerability of the Internet. No complete solution to this kind of attack exists yet. In view of this difficult situation, the research concentrates on the troublesome flooding-style DoS/DDoS problem.
In this research we devise a model that distinguishes attack packets from normal packets. The Extensible Markov Model (EMM) is particularly well suited to modelling spatiotemporal data such as network traffic, environmental data, weather data, and road traffic, and it can learn and adaptively adjust both its structure (the number of states) and its state-transition probabilities according to the current network situation. We therefore adopt and improve EMM to detect flooding-style DoS/DDoS attacks. With the proposed EMM-based model, the victim can tell normal packets from malicious ones.
The experimental results also show that the detection rate of the proposed scheme is higher than that of the schemes it is compared with. This thesis therefore presents a feasible detection scheme for flooding-style DoS/DDoS attacks.
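To make the EMM mechanism described in the two abstracts concrete, the following is an added Python example, not code from the thesis. It builds the model incrementally over a constructed stream of per-second traffic windows: a window joins the nearest existing state when its similarity exceeds a threshold and otherwise creates a new state, transitions between consecutive windows' states are counted to form the Markov chain, and a window is reported when it creates a state, lands in a rarely visited state, or follows a transition that has never been observed. The feature vector (SYN/s, packets/s, distinct sources), the per-feature scale, the inverse-distance similarity and all thresholds are assumptions chosen for illustration; the thesis evaluates its own similarity measures and thresholds in chapter 4.

```python
"""EMM-style stream clustering for flooding detection (added example,
not the thesis's own code).  Each traffic window is a feature vector; the
model keeps one state per cluster of similar windows and counts transitions
between the states of consecutive windows, so the chain grows with the stream.
"""
import math
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

Vector = Tuple[float, ...]


def similarity(a: Vector, b: Vector, scale: Vector) -> float:
    """Inverse scaled Euclidean distance in (0, 1]; 1.0 means identical.
    (Assumed measure; the thesis compares several in section 3.2.)"""
    dist = math.sqrt(sum(((x - y) / s) ** 2 for x, y, s in zip(a, b, scale)))
    return 1.0 / (1.0 + dist)


@dataclass
class State:
    centroid: List[float]                  # running mean of assigned windows
    count: int = 0                         # windows assigned so far
    out: Dict[int, int] = field(default_factory=dict)  # transition counts


class EMM:
    def __init__(self, scale: Vector, sim_threshold: float) -> None:
        self.scale = scale
        self.sim_threshold = sim_threshold
        self.states: List[State] = []
        self.current: Optional[int] = None  # state of the previous window
        self.n_seen = 0

    def _nearest(self, vec: Vector) -> Tuple[Optional[int], float]:
        best, best_sim = None, -1.0
        for i, s in enumerate(self.states):
            sim = similarity(vec, tuple(s.centroid), self.scale)
            if sim > best_sim:
                best, best_sim = i, sim
        return best, best_sim

    def update(self, vec: Vector) -> Tuple[int, bool, float, float]:
        """Absorb one window; returns (state, created, trans_prob, state_freq)."""
        idx, sim = self._nearest(vec)
        created = idx is None or sim < self.sim_threshold
        if created:                         # no similar cluster: grow the chain
            self.states.append(State(centroid=list(vec)))
            idx = len(self.states) - 1
        state = self.states[idx]
        state.count += 1
        self.n_seen += 1
        for k, x in enumerate(vec):         # incremental mean of the centroid
            state.centroid[k] += (x - state.centroid[k]) / state.count
        trans_prob = 1.0
        if self.current is not None:        # probability of the observed transition
            prev = self.states[self.current]
            total = sum(prev.out.values())
            trans_prob = prev.out.get(idx, 0) / total if total else 0.0
            prev.out[idx] = prev.out.get(idx, 0) + 1
        self.current = idx
        return idx, created, trans_prob, state.count / self.n_seen


def detect(windows: List[Vector], scale: Vector, sim_threshold: float = 0.5,
           warmup: int = 10, p_min: float = 0.05, f_min: float = 0.2):
    """Flag windows that create a state, sit in a rare state, or follow a
    (nearly) unseen transition.  Returns (flagged indices, trained model)."""
    emm = EMM(scale, sim_threshold)
    flagged: List[int] = []
    for t, w in enumerate(windows):
        idx, created, p, freq = emm.update(w)
        if t >= warmup and (created or p < p_min or freq < f_min):
            flagged.append(t)
    return flagged, emm


def sample_stream() -> List[Vector]:
    """Constructed windows (SYN/s, packets/s, distinct sources): 30 s of
    baseline, 5 s of spoofed SYN flood, 5 s of baseline again."""
    baseline = [(20.0 + t % 5, 200.0 + 3 * (t % 7), 30.0 + t % 3) for t in range(40)]
    flood = (5000.0, 6000.0, 4000.0)
    return baseline[:30] + [flood] * 5 + baseline[35:]


if __name__ == "__main__":
    flagged, model = detect(sample_stream(), scale=(20.0, 200.0, 30.0))
    print("flagged windows:", flagged)
    for i, s in enumerate(model.states):
        print(f"state {i}: count={s.count} transitions={s.out}")
```

Running the example reports windows 30 to 35: the flood creates state 1 at t=30, the next four flood windows sit in a state that is still rare relative to the history, and the return to baseline at t=35 is itself a never-seen transition. Two caveats a practitioner should keep in mind: a flood that persists for longer than `f_min` of the history becomes a learned state and stops being rare, so the rarity rule alone does not catch sustained attacks; and the similarity threshold trades misses for false alarms, since a low threshold merges attack and baseline windows into one state while a high one splits ordinary traffic into many states. That trade-off is what the thesis measures in section 4.1.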
1. Introduction
1.1 Research background
1.2 Motivation
1.3 Objectives
1.4 Thesis organisation
2. Related work
2.1 Detection of and defence against denial-of-service attacks
2.2 Data mining and its application to network security
2.2.1 Data mining
2.2.2 Data clustering
2.2.3 Applications of data mining in network security
2.3 Models based on Markov chains
2.3.1 Markov chains
2.3.2 Hidden Markov models
2.3.3 Augmented Markov models (可增加的馬爾可夫模型)
3. An EMM-based DDoS attack detection scheme
3.1 The Extensible Markov Model
3.2 Similarity measures applicable to EMM
3.3 The adaptive DDoS attack detection scheme
4. Experimental results and analysis
4.1 Effect of the similarity measure and threshold on EMM clustering
4.2 Performance analysis of the EMM-based DDoS attack detection scheme
4.2.1 Clustering thresholds for the KDD-Cup 1999 data set
4.2.2 Performance on flooding-style DoS/DDoS attack detection
4.2.3 Performance on general DoS attack detection
References