Basic Search / Detailed Display

Author: 羅文揚
Wen-Yang Luo
Thesis Title: 基於封包標頭偵測阻斷服務攻擊與網路探測之輕量型系統
A Lightweight System of Detecting DoS/Probe Attacks Based on Packet Header
Advisor: 洪西進
Shi-Jinn Horng
Committee: 鍾國亮
Kuo-Liang Chung
Ming-Yang Su
Tzong-Wann Kao
Jyun-Jy Hu
Degree: 碩士
Department: 電資學院 - 資訊工程系
Department of Computer Science and Information Engineering
Thesis Publication Year: 2008
Graduation Academic Year: 96
Language: 中文
Pages: 88
Keywords (in Chinese): 阻斷服務攻擊封包標頭DARPA資料集
Keywords (in other languages): Denial of Service (DoS), Packet Header, Entropy, DARPA dataset
Reference times: Clicks: 254Downloads: 3
School Collection Retrieve National Library Collection Retrieve Error Report
  • 阻斷服務攻擊為現今網路環境中重大的網路安全威脅。根據CSI/FBI電腦犯罪與安全調查顯示,仍有25%的受訪者在2006年中曾遭受阻斷服務攻擊,另在賽門鐵克的網際網路安全威脅報告指出,2006上半年每天平均有6,110次阻斷服務攻擊發生。阻斷服務攻擊的手法從早期偽造攻擊來源位址,到現在攻擊者利用傀儡主機同時發動分散式阻斷服務攻擊,增加了追蹤攻擊來源的困難度。雖然目前有許多阻斷服務攻擊偵測與防禦的研究,但仍無法有效地阻止攻擊發生,僅能被動地封鎖攻擊流量。

    A denial-of-service (DoS) attack is a serious threat to the Internet security nowadays. According to a 2006 CSI/FBI Computer Crime and Security Survey, 25 percent of respondents whose computer detected DoS attacks in the last 12 months. Moreover, the Symantec Internet Security Threat Report showed that an average of 6,110 DoS attacks occurred per day in the first half year of 2006. In the early days, many DoS attacks spoofed source addresses in the attack packets. Now they can use a number of zombies simultaneously to send tremendous packets to a victim and this makes it more difficult to trace the attackers.
    In this research, we applied an entropy-based method to analyze the characteristic of network traffic and revealed that it is helpful to detect great scale of DoS/Probe attacks by observing the variation of the entropy of each header field. To accomplish this idea in real-time network, we had to simplify the process and turn it into three detection approaches: Distributed Addresses Detection Approach, S/R Ratio Detection Approach and TCP Connection Detection Approach. Based on the result of DARPA 98 testing dataset, we proved that our proposed lightweight system could detect DoS/probe attacks efficiently in an actual network and keep a low false positive rate.

    摘  要 I ABSTRACT IV 目錄 VI 圖目錄 VIII 表目錄 X 第一章 緒論 1  第一節 研究背景 1  第二節 研究動機 5 第二章 阻斷服務攻擊與網路探測 6  第一節 (分散式)阻斷服務攻擊 6  第二節 (分散式)阻斷服務攻擊分類 9  第三節 典型阻斷服務攻擊介紹 13  第四節 網路探測 16  第五節 常見網路探測攻擊介紹 18  第六節 相關研究 20 第三章 網路流量分析 22  第一節 網路封包格式 22  第二節 網路流量資料集 26  第三節 網路流量分析 31 第四章 系統實作 41  第一節 系統概述 41  第二節 取樣封包數 43  第三節 位址分散偵測機制 45  第四節 傳接比值偵測機制 47  第五節 TCP連線偵測機制 53  第六節 系統流程設計 55 第五章 實驗結果 58  第一節 DARPA測試集實驗 58  第二節 即時模擬實驗 63 第六章 結論 69 參考文獻 71

    [1] Access Control List,
    [2] Ali, K., M. Zulkernine and H. Hassanein, “ Packet Filtering Based on Source Router Marking and Hop-Count,” in Proceedings of Local Computer Networks, 15-18 Oct. 2007.
    [3] Athanasiades, N., R. Abler, J. Levine, H. Owen and G. Riley, “Intrusion Detection Testing and Benchmarking Methodologies,” in Proceedings of First IEEE International Workshop on Information Assurance (IWIA'03), 24 Mar. 2003, pp. 63-72.
    [4] Basic Security Module (BSM),
    [5] Baxter, Watt, Header Drawings,
    [6] Brugger, S. and J. Chow, “An assessment of the DARPA IDS Evaluation Dataset Using Snort,” in UC Davis Technical Report CSE-2007-1, Davis, CA, 2006.
    [7] Campbell, P. L., “The Denial-of-Service Dance,” IEEE Security and Privacy, vol. 3, no. 6, pp. 34-40, Nov./Dec. 2005.
    [8] CERT CC, Denial of Service Attacks,
    [9] Chan, E. Y. K., H. W. Chan, K. M. Chan, V. P. S. Chan, S. T. Chanson, M. M. H. Cheung, C. F. Chong, K. P. Chow, A. K. T. Hui, L. C. K. Hui, L. C. K. Lam, W. C. Lau, K. K. H. Pun, A. Y. F. Tsang, W. W. Tsang, S. C.W. Tso, D. Y. Yeung and K. Y. Yu, “IDR: an intrusion detection router for defending against distributed denial-of-service (DDoS) attacks,” in Proceedings of Parallel Architectures, Algorithms and Networks, 10-12 May 2004.
    [10] Chang, R. K. C., “Defending against flooding-based distributed denial-of-service attacks: A tutorial,” IEEE Communications Magazine, vol. 40, no.10, pp. 42-51, Oct. 2002.
    [11] Chen, Y., K. Hwang and W. S. Ku, “Collaborative Detection of DDoS Attacks over Multiple Network Domains,” IEEE Transactions on Parallel and Distributed Systems, vol. 18, no. 12, pp. 1649-1662, Dec. 2007.
    [12] Cisco IOS NetFlow,
    [13] DARPA Intrusion Detection Evaluation,
    [14] Eimann, R., U. Speidel and N. Brownlee, “A T-Entropy Analysis of the Slammer Worm Outbreak,” in Proceedings of the 8th Asia-Pacific Network Operations and Management Symposium (APNOMS), 27-30 Sep. 2005, pp. 434-445.
    [15] Eimann, R., U. Speidel, N. Brownlee and J. Yang, “Network Event Detection with T-entropy,” in University of Auckland CDMTCS Report 266, 2005.
    [16] Expect From Wikipedia,
    [17] Feinstein, L., D. Schnackenberg, R. Balupari and D. Kindred, “Statistical approaches to DDoS attack detection and response,” in Proceedings of DARPA Information Survivability Conference and Exposition, 22-24 Apr. 2003, vol. 1, pp. 303-314.
    [18] Gao, Z. and N. Ansari, “Differentiating Malicious DDoS Attack Traffic from Normal TCP Flows by Proactive Tests,” IEEE Communications Letters, vol. 10, no. 11, pp. 793-795, Nov. 2006.
    [19] Gordon, L. A., M. P. Loeb, W. Lucyshyn and R. Richardson, “2006 CSI/FBI Computer Crime and Security Survey,” Computer Security Institute, 2006.
    [20] Green, J., D. Marchette, S. Northcutt, and B. Ralph, “Analysis techniques for detecting coordinated attacks and probes,” in Proceedings of the 1st Conference on Workshop on intrusion Detection and Network Monitoring , 9-12 Apr. 1999.
    [21] Guo, X. B., D. P. Qian, M. Liu, R. Zhang and B. Xu, “Detection and protection against network scanning: IEDP,” in Proceedings of Computer Networks and Mobile Computing Conference, 16-19 Oct. 2001.
    [22] Haines, J. W., R. P. Lippmann, D. J. Fried, E. Tran, S. Boswell and M. A. Zissman, “1999 DARPA Intrusion Detection System Evaluation: Design and Procedures,” in MIT Lincoln Laboratory Technical Report ESC-TR-99-061, 26 Feb. 2001.
    [23] Internet Control Message Protocol,
    [24] Internet Protocol,
    [25] Intrusion Detection Attacks Database,
    [26] Itani, S., N. Aaraj, D. Abdelahad and A. Kayssi, “Neighbor stranger discrimination: A new defense mechanism against DDoS attacks,” in Proceedings of the ACS/IEEE 2005 International Conference on Computer Systems and Applications, Jan. 2005.
    [27] Kayacik, H. G., “The Challenges in Traffic and Application Modeling for Intrusion Detection System Benchmarking,” in Dalhousie University Technical Report CSTR-030600, CA, 2003.
    [28] Kendall, K., “A Database of Computer Attacks for the Evaluation of Intrusion Detection Systems,” Master's Thesis, Massachusetts Institute of Technology, 1998.
    [29] Kulkarni, A. and S. Bush, “Detecting Distributed Denial-of-Service Attacks Using Kolmogorov Complexity Metrics,” Journal of Network and Systems Management, vol. 14, no. 1, pp. 69-80, Mar. 2006.
    [30] Lau, F., S. H. Rubin, M. H. Smith, and L. Trajkovic, “Distributed denial of service attacks,” in Proceedings of Systems, Man, and Cybernetics, 2000 IEEE International Conference, 8-11 Oct. 2000, vol. 3, pp. 2275-2280.
    [31] Lee, F. Y. and S. P. Shieh, “Defending against spoofed DDoS attacks with path fingerprint,” Computers & Security, vol. 24, no. 7, pp. 571-586, Oct. 2005.
    [32] Lippmann, R., “A Summary of the 1998 Evaluation with a Brief Outline of Changes for the 1999 Evaluation,”, 1999.
    [33] Lippmann, R., J. W. Haines, D. J. Fried, J. Korba and K. Das, “The 1999 DARPA off-line intrusion detection evaluation,” Computer Networks, vol. 34, no. 4, pp. 579-595, Oct. 2000.
    [34] Mahajan, R., S. Bellovin, S. Floyd, V. Paxson and S. Shenker, “Controlling high bandwidth aggregates in the network,” ACM Computer Communications Review, vol. 32, no. 3, pp. 62-73, Jul. 2002.
    [35] Mahoney, M.V. and P. K. Chan, “An Analysis of the 1999 DARPA/Lincoln Laboratory Evaluation Data for Network Anomaly Detection,” in Proceedings of the Sixth International Symposium on Recent Advances in Intrusion Detection, Sep. 2003, pp. 220-237.
    [36] Maximum Transmission Unit,
    [37] McClure, S., J. Scambray and G. Kurtz, “Hacking Exposed – Network Security Secrets & Solutions,” McGraw-Hill, 2005, ISBN 0072260815.
    [38] McHugh, J., “Testing Intrusion Detection Systems: A Critique of the 1998 and 1999 DARPA Intrusion Detection System Evaluations as Performed by Lincoln Laboratory,” ACM Transactions on Information and System Security (TISSEC), vol. 3, no. 4, pp. 262-294, Nov. 2000.
    [39] Mirkovic, J. and P. Reiher, “A Taxonomy of DDoS Attack and DDoS Defense Mechanisms,” ACM SIGCOMM Computer Communications Review, vol. 34, no. 2, pp. 39-54, Apr. 2004.
    [40] NetFlow,
    [41] Nychis, G., “An Empirical Evaluation of Entropy-based Anomaly Detection,” in Carnegie Mellon University Thesis, PA, USA, May 2007.
    [42] Park, K. and H. Lee, “On the Effectiveness of Route-Based Packet Filtering for Distributed DoS Attack Prevention in Power-Law Internets,” in Proceedings of ACM SIGCOMM, Aug. 2001, pp. 15-26.
    [43] Paxson, V., “An analysis of using reflectors for distributed denial-of-service attacks,” Computer Communications Review, vol. 31, no. 3, pp. 38-47, 2001.
    [44] Shannon, C. E., “A Mathematical Theory of Communication,” Bell System Technical Journal, vol. 27, pp. 379-423, 623-656, Jul., Oct. 1948.
    [45] Speidel, U., R. Eimann and N. Brownlee, “Detecting network events via T-entropy,” in Proceedings of Information, Communications & Signal Processing, 2007 6th International Conference, 10-13 Dec. 2007, pp. 1-5.
    [46] SNORT Official Website,
    [47] Snort Preprocessors Development Kickstart,
    [48] SQL Slammer,
    [49] Sun, H., J. C. S. Lui and D. K. Y. Yau, “Defending Against Low-rate TCP Attacks: Dynamic Detection and Protection,” in Proceedings of IEEE Conference on Network Protocols (ICNP2004), 5-8 Oct. 2004, pp. 196-205.
    [50] Switched Port Analyzer (SPAN),
    [51] Symantec corp., “Symantec Global Internet Security Threat Report, Trends for July - December 07”, vol. XIII, Apr. 2008.
    [52] Symantec corp., “Symantec Internet Security Threat Report, Trends for January 06 - June 06”, vol. X, Sep. 2006.
    [53] Tcpdump,
    [54] Tcpreplay Official Website,
    [55] The 1998 Intrusion Detection Off-line Evaluation Plan,
    [56] The Expect Home Page,
    [57] Transmission Control Protocol,
    [58] User Datagram Protocol,
    [59] Wagner, A. and B. Plattner, “Entropy based worm and anomaly detection in fast IP networks,” in Proceedings of 14th IEEE International Workshops on Enabling Technologies: Infrastructures for Collaborative Enterprises (WET ICE 2005), 13-15 Jun. 2005, pp. 172-177.
    [60] Wan, K. K. K. and R. K. C. Chang, “Engineering of a global defense infrastructure for DDoS attacks,” in Proceedings of Networks, 2002. ICON 2002. 10th IEEE International Conference, pp. 419-427, 2002.
    [61] Wu, N. and J. Zhang, “Factor Analysis Based Anomaly Detection,” Information Assurance Workshop, 2003. IEEE Systems, Man and Cybernetics Society, 18-20 Jun. 2003.
    [62] Xu, K., Z. Zhang and S. Bhattacharyya, “Profiling internet backbone traffic: behavior models and applications,” in Proceedings of the 2005 Conference on Applications, Technologies, Architectures, and Protocols for Computer Communications (SIGCOMM’ 05), 22-26 Aug. 2005, pp. 169-180.
    [63] Yaar, A., A. Perrig, and D. Song, “Stackpi: New packet marking and filtering mechanisms for ddos and ip spoofing defense,” IEEE Journal on Selected Areas in Communications, vol. 24, no. 10, pp. 1853-1863, Oct. 2006.