
Student: 唐梓瑈 (Cynthia Tang)
Thesis title: 基於惡意行為序列分析之遺漏攻擊事件查找系統
MEF: Missing Event Finding System based on Malicious Behavior Sequence Analysis
Advisor: 李漢銘 (Hahn-Ming Lee)
Committee members: 鮑興國 (Hsing-Kuo Pao), 王榮英 (Jung-Ying Wang), 陳志銘 (Chih-Ming Chen), 鄭博仁 (Po-Ren Jeng)
Degree: Master
Department: College of Electrical Engineering and Computer Science - Department of Computer Science and Information Engineering
Year of publication: 2009
Academic year of graduation: 97 (ROC calendar, i.e. the 2008-2009 academic year)
Language: English
Pages: 44
Chinese keywords: Missing attack event, Malicious behavior sequence
English keywords: Missing event, Missing attack, Malicious behavior sequence
Access count: 140 views, 1 download

Current intrusion detection systems (IDSs) cannot detect every intrusion: they may miss real attack alerts (false negatives) and cannot guarantee that every alert reflects a real attack (false positives), and the effectiveness of alert correlation is often limited by the effectiveness of the IDS itself. When the IDS misses certain important attacks, the correct attack scenario cannot be reconstructed by correlating alerts, and incorrect correlation information may even be presented to the administrator.
Previous researchers have focused on manually building an attack strategy graph or constructing a capability model to search for missing alert events, with an expert then deciding from that graph or model which attack events may have been missed. To search automatically for alert events that may have been missed, we propose a missing attack event finding system based on malicious behavior sequence analysis. In this thesis we present a series of techniques to construct malicious behavior sequence templates, and we use similarity measurements between malicious behavior sequences to find attack events that may have been missed.
The missing alert event finding system first aggregates alert events into a compact sequence, then uses correlation-window sequences to construct correlated malicious behavior sequence templates, and combines three similarity measures to filter similar malicious behavior templates, which helps the system identify missing alert events. To evaluate the system, this thesis uses the Treasure Hunt (2002) dataset; the experimental results show that the proposed missing attack event finding system is able to find attack events that may have been missed, without requiring any manual definition of all alert events in advance.


Current intrusion detection systems (IDSs) can miss an attack (a false negative) or report benign events as an attack (a false positive), and this also limits the effectiveness of alert correlation. When a critical event is missed by the IDS, alert correlation cannot reconstruct the attack scenario correctly and may deliver an erroneous report to the security manager.
Previous researchers have focused on manually building attack strategies or modeling attacker capabilities in order to find missing events. To find possible missing events automatically, we propose a system based on malicious behavior sequence analysis. We present a series of techniques to construct malicious behavior sequence templates and to measure the similarity between malicious behavior sequences.
The proposed missing event finding (MEF) system first aggregates alerts into compact sequences, then uses a correlation window to construct correlative malicious behavior sequence templates from them. It combines three similarity measures to filter out similar (redundant) candidate templates, which supports the identification of missing events. For the evaluation, this thesis uses the 2002 Treasure Hunt dataset; the experimental results show that the approach is effective and is able to find possible missing events, without the need to manually define conditions for every alert in advance.
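As an added illustration of the pipeline described in the abstracts above (aggregate alerts into a compact sequence, cut it into correlation windows to obtain behavior sequence templates, filter redundant templates by similarity, then report the events of a similar template that are absent from an observed sequence), the following Python is example code written for this page, not the thesis's MEF implementation. Everything in it is an assumption the page does not state: the alert record layout, a fixed maximum-gap correlation window, a single LCS-ratio similarity standing in for the thesis's three (unspecified here) measures, the thresholds, and the constructed sample alerts.

```python
"""Simplified missing-event finder over IDS alert sequences.

Example code written for this page, not the thesis's MEF implementation.
Assumed (not stated on the page): alerts are (ts, src, dst, sig) records;
a correlation window is a maximum gap in seconds between consecutive alerts;
similarity is the LCS ratio 2*|LCS|/(|a|+|b|).
"""
from collections import namedtuple

Alert = namedtuple("Alert", "ts src dst sig")

# Constructed sample alerts, not from any real dataset. Sessions A and B are
# full scan -> exploit -> shell -> exfiltration chains; in session C the IDS
# never raised the exploit alert (the event we want the finder to flag).
SAMPLE_ALERTS = [
    Alert(0, "10.0.0.5", "192.168.1.10", "SCAN"),       # session A
    Alert(1, "10.0.0.5", "192.168.1.10", "SCAN"),
    Alert(2, "10.0.0.5", "192.168.1.10", "SCAN"),
    Alert(30, "10.0.0.5", "192.168.1.10", "EXPLOIT"),
    Alert(45, "10.0.0.5", "192.168.1.10", "SHELL"),
    Alert(60, "10.0.0.5", "192.168.1.10", "EXFIL"),
    Alert(200, "10.0.0.7", "192.168.1.11", "SCAN"),     # session B
    Alert(230, "10.0.0.7", "192.168.1.11", "EXPLOIT"),
    Alert(240, "10.0.0.7", "192.168.1.11", "SHELL"),
    Alert(255, "10.0.0.7", "192.168.1.11", "EXFIL"),
    Alert(400, "10.0.0.9", "192.168.1.20", "SCAN"),     # session C
    Alert(401, "10.0.0.9", "192.168.1.20", "SCAN"),
    Alert(450, "10.0.0.9", "192.168.1.20", "SHELL"),
    Alert(470, "10.0.0.9", "192.168.1.20", "EXFIL"),
]


def aggregate(alerts):
    """Collapse runs of the same signature per (src, dst) pair into a compact,
    time-ordered (ts, sig) sequence (the alert aggregation step)."""
    sequences = {}
    for a in sorted(alerts, key=lambda x: x.ts):
        seq = sequences.setdefault((a.src, a.dst), [])
        if not seq or seq[-1][1] != a.sig:
            seq.append((a.ts, a.sig))
    return sequences


def correlation_windows(seq, window):
    """Cut a (ts, sig) sequence wherever consecutive alerts are more than
    `window` seconds apart; each piece is one malicious behavior sequence."""
    pieces, current = [], []
    for ts, sig in seq:
        if current and ts - current[-1][0] > window:
            pieces.append([s for _, s in current])
            current = []
        current.append((ts, sig))
    if current:
        pieces.append([s for _, s in current])
    return pieces


def lcs_pairs(a, b):
    """Longest common subsequence by dynamic programming, returned as the
    ordered list of aligned index pairs (i in a, j in b)."""
    n, m = len(a), len(b)
    dp = [[0] * (m + 1) for _ in range(n + 1)]
    for i in range(n):
        for j in range(m):
            if a[i] == b[j]:
                dp[i + 1][j + 1] = dp[i][j] + 1
            else:
                dp[i + 1][j + 1] = max(dp[i][j + 1], dp[i + 1][j])
    pairs, i, j = [], n, m
    while i > 0 and j > 0:              # backtrack to recover the alignment
        if a[i - 1] == b[j - 1]:
            pairs.append((i - 1, j - 1))
            i, j = i - 1, j - 1
        elif dp[i - 1][j] >= dp[i][j - 1]:
            i -= 1
        else:
            j -= 1
    return pairs[::-1]


def similarity(a, b):
    """LCS ratio in [0, 1]; 1.0 means identical sequences."""
    if not a and not b:
        return 1.0
    return 2 * len(lcs_pairs(a, b)) / (len(a) + len(b))


def filter_redundant(candidates, threshold):
    """Keep a candidate template only if no already-kept template is at least
    `threshold` similar to it (redundant candidate sequence filtering)."""
    kept = []
    for cand in candidates:
        if all(similarity(cand, k) < threshold for k in kept):
            kept.append(cand)
    return kept


def find_missing_events(templates, observed, threshold):
    """For templates at least `threshold` similar to `observed`, the template
    events the LCS alignment cannot match are candidate missing events."""
    findings = []
    for tpl in templates:
        if tpl == observed:
            continue
        s = similarity(tpl, observed)
        if s < threshold:
            continue
        matched = {i for i, _ in lcs_pairs(tpl, observed)}
        missing = [sig for i, sig in enumerate(tpl) if i not in matched]
        if missing:
            findings.append({"template": tpl, "similarity": round(s, 3), "missing": missing})
    return findings


def run(alerts, window=120, sim_threshold=0.6, redundant_threshold=0.9):
    """Full pipeline: aggregate -> window -> filter templates -> identify."""
    sequences = aggregate(alerts)
    candidates = [w for seq in sequences.values() for w in correlation_windows(seq, window)]
    templates = filter_redundant(candidates, redundant_threshold)
    report = {}
    for key, seq in sequences.items():
        for observed in correlation_windows(seq, window):
            for f in find_missing_events(templates, observed, sim_threshold):
                report.setdefault(key, []).append(dict(observed=observed, **f))
    return templates, report


if __name__ == "__main__":
    templates, report = run(SAMPLE_ALERTS)
    print("templates kept:", templates)
    for key, findings in report.items():
        for f in findings:
            print(key, "observed", f["observed"], "-> candidate missing", f["missing"])
```

Run stand-alone, it keeps two templates (session B is dropped as redundant with session A) and, for the 10.0.0.9 session, flags EXPLOIT as a candidate missing event because the session A template aligns with every observed alert except that one. The two thresholds are the practitioner's knobs: a low similarity threshold lets short sequences match almost every template and inflates candidates, while a redundancy threshold of 1.0 keeps every near-duplicate template and reports the same missing event once per duplicate.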

List of Tables
List of Figures
Chapter 1 Introduction
  1.1 Motivation
  1.2 The Challenges of Current Research
  1.3 Goals
  1.4 Outlines of the Thesis
Chapter 2 Background
  2.1 Background of Missing Event Finding
  2.2 Missing Events Identifying
Chapter 3 Missing Event Finding
  3.1 Concept of the Missing Event Finding (MEF)
  3.2 The System Architecture of the MEF System
    3.2.1 Malicious Behavior Sequences Constructor
    3.2.2 Similar Candidate Sequences Filter
      3.2.2.1 Sequences Similarity Measuring
      3.2.2.2 Redundant Candidate Sequence Filtering
    3.2.3 Missing Event Identifier
  3.3 Characteristics of the MEF System
Chapter 4 Experiments
  4.1 Dataset Description
  4.2 Experimental Setup
  4.3 Experimental Results
Chapter 5 Conclusion and Further Work
  5.1 Discussion
  5.2 Conclusion
  5.3 Further Work
References
Appendix

1. S. F. Altschul, T. L. Madden, A. A. Schäffer, J. Zhang, Z. Zhang, W. Miller, and D. J. Lipman, "Gapped BLAST and PSI-BLAST: a new generation of protein database search programs," Nucleic Acids Research, Vol. 25, No. 17, pp. 3389-3402, 1997.
2. L. Bergroth, H. Hakonen, and T. Raita, "A Survey of Longest Common Subsequence Algorithms," in Proceedings of the Seventh International Symposium on String Processing and Information Retrieval (SPIRE), pp. 39-48, 2000.
3. F. Cuppens and R. Ortalo, "LAMBDA: A Language to Model a Database for Detection of Attacks," in Proceedings of the 3rd International Symposium on Recent Advances in Intrusion Detection (RAID), LNCS 1907, pp. 197-216, Springer-Verlag, Toulouse, France, Oct. 2000.
4. Z. Markov and D. T. Larose, Data Mining the Web: Uncovering Patterns in Web Content, Structure, and Usage, Wiley, 2007.
5. MIT Lincoln Laboratory, "2000 DARPA Intrusion Detection Scenario Specific Data Sets," http://www.ll.mit.edu/IST/ideval/data/2000/2000_data_index.html
6. P. Ning, D. Xu, C. G. Healey, and R. St. Amant, "Building Attack Scenarios through Integration of Complementary Alert Correlation Methods," in Proceedings of the 11th Annual Network and Distributed System Security Symposium (NDSS), pp. 97-111, 2004.
7. P. Ning and D. Xu, "Hypothesizing and Reasoning about Attacks Missed by Intrusion Detection Systems," ACM Transactions on Information and System Security (TISSEC), Vol. 7, No. 4, pp. 591-627, 2004.
8. R. Sadoddin and A. Ghorbani, "Alert Correlation Survey: Framework and Techniques," in Proceedings of the 2006 International Conference on Privacy, Security and Trust (PST), ACM International Conference Proceeding Series, Vol. 380, Article 37, 2006.
9. Snort, http://www.snort.org/
10. S. J. Templeton and K. Levitt, "A Requires/Provides Model for Computer Attacks," in Proceedings of the 2000 Workshop on New Security Paradigms (NSPW), pp. 31-38, 2001.
11. UCSB, "The 2002 UCSB Treasure Hunt Dataset," http://ictf.cs.ucsb.edu/data/treasurehunt2002/
12. F. Valeur, G. Vigna, C. Kruegel, and R. A. Kemmerer, "A Comprehensive Approach to Intrusion Detection Alert Correlation," IEEE Transactions on Dependable and Secure Computing, Vol. 1, No. 3, pp. 146-169, 2004.
13. J. Zhou, M. Heckman, B. Reynolds, A. Carlson, and M. Bishop, "Modeling Network Intrusion Detection Alerts for Correlation," ACM Transactions on Information and System Security (TISSEC), Vol. 10, No. 1, 2007.

Full-text release date: 2011/08/05 (campus network)
Full-text release: not authorized for public access (off-campus network)
Full-text release: not authorized for public access (National Central Library: Taiwan thesis and dissertation system)