
Graduate student: 羅文揚 (Wen-Yang Luo)
Thesis title: A Lightweight System of Detecting DoS/Probe Attacks Based on Packet Header (Chinese title: 基於封包標頭偵測阻斷服務攻擊與網路探測之輕量型系統)
Advisor: 洪西進 (Shi-Jinn Horng)
Committee members: 鍾國亮 (Kuo-Liang Chung), 蘇民揚 (Ming-Yang Su), 高宗萬 (Tzong-Wann Kao), 胡俊之 (Jyun-Jy Hu)
Degree: Master
Department: College of Electrical Engineering and Computer Science - Department of Computer Science and Information Engineering
Year of publication: 2008
Graduation academic year: 96
Language: Chinese
Pages: 88
Chinese keywords: Denial of Service attack, packet header, DARPA dataset
Foreign keywords: Denial of Service (DoS), Packet Header, Entropy, DARPA dataset
Usage: views 241, downloads 3

Denial-of-service (DoS) attacks are a major network security threat in today's Internet environment. According to the CSI/FBI Computer Crime and Security Survey, 25% of respondents had still suffered DoS attacks during 2006, and the Symantec Internet Security Threat Report indicated that an average of 6,110 DoS attacks occurred per day in the first half of 2006. DoS techniques have evolved from the early forging of attack source addresses to attackers now using zombie hosts to launch distributed DoS attacks simultaneously, which makes tracing the attack source harder. Although much research exists on DoS attack detection and defense, it still cannot effectively prevent attacks from occurring and can only passively block attack traffic.
ISPs and Internet gateways often use intrusion detection and prevention systems to detect abnormal network traffic, but these systems reduce network throughput because they must perform deep inspection, and network administrators must then handle the alerts they generate. Internal networks also need a detection system to defend against network attacks. This thesis therefore proposes a lightweight detection system deployed on an ordinary host that acts as the guardian of the internal network.
This thesis uses entropy to analyze network traffic behavior and finds that the rate of change of the entropy of packet header fields can be used to detect DoS attacks and network probes. To meet the needs of real-time detection, this property is simplified into three decision rules. Analysis of the DARPA training set and experiments on the test set confirm that the system correctly detects common DoS attacks and network probes, with a desirable false-positive rate and detection speed.


A denial-of-service (DoS) attack is a serious threat to Internet security today. According to the 2006 CSI/FBI Computer Crime and Security Survey, 25 percent of respondents had detected DoS attacks on their systems in the preceding 12 months. Moreover, the Symantec Internet Security Threat Report showed that an average of 6,110 DoS attacks occurred per day in the first half of 2006. In the early days, many DoS attacks spoofed the source addresses of the attack packets. Now attackers can use a number of zombies simultaneously to send enormous volumes of packets to a victim, which makes it more difficult to trace them.
In this research, we applied an entropy-based method to analyze the characteristics of network traffic and found that observing the variation of the entropy of each header field helps detect large-scale DoS/probe attacks. To apply this idea to a real-time network, we simplified the process into three detection approaches: the Distributed Addresses Detection Approach, the S/R Ratio Detection Approach and the TCP Connection Detection Approach. Based on the results on the DARPA 98 testing dataset, we showed that the proposed lightweight system can detect DoS/probe attacks efficiently in an actual network while keeping a low false positive rate.
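As an added illustration of the entropy-variation idea described in the abstract (this is not code from the thesis), the block below computes the normalized Shannon entropy of three header fields over fixed-size packet windows and raises an alert when a field's entropy moves by more than an assumed 50% between consecutive windows. The packet tuples, the 64-packet window size and the threshold are constructed assumptions for the example.

```python
import math
from collections import Counter

# Constructed sample traffic (not captured data): each packet is a
# (src_ip, dst_ip, dst_port) tuple. NORMAL_WINDOW mixes ordinary sessions;
# FLOOD_WINDOW models a spoofed flood: many distinct sources, one target.
NORMAL_WINDOW = [
    ("10.0.0.%d" % (i % 8 + 1), "192.168.1.%d" % (i % 5 + 10), [80, 443, 25, 53][i % 4])
    for i in range(64)
]
FLOOD_WINDOW = [
    ("172.16.%d.%d" % (i // 256, i % 256), "192.168.1.10", 80)
    for i in range(64)
]

FIELDS = {"src_ip": 0, "dst_ip": 1, "dst_port": 2}

def field_entropy(window, index):
    """Normalized Shannon entropy (0..1) of one header field over a window."""
    counts = Counter(pkt[index] for pkt in window)
    n = len(window)
    h = -sum(c / n * math.log2(c / n) for c in counts.values())
    # Divide by log2(n) so windows of different sizes are comparable.
    return h / math.log2(n) if n > 1 else 0.0

def entropy_profile(window):
    """Entropy of every tracked header field for one window."""
    return {name: field_entropy(window, idx) for name, idx in FIELDS.items()}

def entropy_change(prev, curr):
    """Relative change of each field's entropy between consecutive windows."""
    return {k: (curr[k] - prev[k]) / max(prev[k], 1e-9) for k in prev}

def flag_anomaly(prev, curr, threshold=0.5):
    """Fields whose entropy moved by more than `threshold` (assumed 50%)."""
    return {k: v for k, v in entropy_change(prev, curr).items() if abs(v) > threshold}

def scan_stream(packets, window_size=64, threshold=0.5):
    """Slide non-overlapping windows over a packet stream; return (window, flags)."""
    windows = [packets[i:i + window_size]
               for i in range(0, len(packets) - window_size + 1, window_size)]
    alerts = []
    for w, (prev, curr) in enumerate(zip(windows, windows[1:]), start=1):
        flagged = flag_anomaly(entropy_profile(prev), entropy_profile(curr), threshold)
        if flagged:
            alerts.append((w, flagged))
    return alerts

if __name__ == "__main__":
    # Two normal windows followed by a flood window: only window 2 is flagged.
    print(scan_stream(NORMAL_WINDOW + NORMAL_WINDOW + FLOOD_WINDOW))
```

In the flood window the source-address entropy rises to its maximum while destination address and port collapse to zero, which is the spread a detector keyed on per-field entropy variation looks for.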

Abstract (Chinese)  I
Abstract  IV
Table of Contents  VI
List of Figures  VIII
List of Tables  X
Chapter 1  Introduction  1
  Section 1  Research Background  1
  Section 2  Research Motivation  5
Chapter 2  Denial-of-Service Attacks and Network Probing  6
  Section 1  (Distributed) Denial-of-Service Attacks  6
  Section 2  Classification of (Distributed) Denial-of-Service Attacks  9
  Section 3  Typical Denial-of-Service Attacks  13
  Section 4  Network Probing  16
  Section 5  Common Network Probe Attacks  18
  Section 6  Related Work  20
Chapter 3  Network Traffic Analysis  22
  Section 1  Network Packet Formats  22
  Section 2  Network Traffic Datasets  26
  Section 3  Network Traffic Analysis  31
Chapter 4  System Implementation  41
  Section 1  System Overview  41
  Section 2  Number of Sampled Packets  43
  Section 3  Distributed Addresses Detection Mechanism  45
  Section 4  Send/Receive Ratio Detection Mechanism  47
  Section 5  TCP Connection Detection Mechanism  53
  Section 6  System Flow Design  55
Chapter 5  Experimental Results  58
  Section 1  DARPA Test Set Experiments  58
  Section 2  Real-Time Simulation Experiments  63
Chapter 6  Conclusion  69
References  71

[1] Access Control List, http://en.wikipedia.org/wiki/Access_control_list.
[2] Ali, K., M. Zulkernine and H. Hassanein, “Packet Filtering Based on Source Router Marking and Hop-Count,” in Proceedings of Local Computer Networks, 15-18 Oct. 2007.
[3] Athanasiades, N., R. Abler, J. Levine, H. Owen and G. Riley, “Intrusion Detection Testing and Benchmarking Methodologies,” in Proceedings of First IEEE International Workshop on Information Assurance (IWIA'03), 24 Mar. 2003, pp. 63-72.
[4] Basic Security Module (BSM), http://www.sun.com/software/security/audit/.
[5] Baxter, Watt, Header Drawings, http://www.visi.com/~mjb/Drawings/.
[6] Brugger, S. and J. Chow, “An assessment of the DARPA IDS Evaluation Dataset Using Snort,” in UC Davis Technical Report CSE-2007-1, Davis, CA, 2006.
[7] Campbell, P. L., “The Denial-of-Service Dance,” IEEE Security and Privacy, vol. 3, no. 6, pp. 34-40, Nov./Dec. 2005.
[8] CERT CC, Denial of Service Attacks, http://www.cert.org/tech_tips/denial_of_service.html.
[9] Chan, E. Y. K., H. W. Chan, K. M. Chan, V. P. S. Chan, S. T. Chanson, M. M. H. Cheung, C. F. Chong, K. P. Chow, A. K. T. Hui, L. C. K. Hui, L. C. K. Lam, W. C. Lau, K. K. H. Pun, A. Y. F. Tsang, W. W. Tsang, S. C. W. Tso, D. Y. Yeung and K. Y. Yu, “IDR: an intrusion detection router for defending against distributed denial-of-service (DDoS) attacks,” in Proceedings of Parallel Architectures, Algorithms and Networks, 10-12 May 2004.
[10] Chang, R. K. C., “Defending against flooding-based distributed denial-of-service attacks: A tutorial,” IEEE Communications Magazine, vol. 40, no.10, pp. 42-51, Oct. 2002.
[11] Chen, Y., K. Hwang and W. S. Ku, “Collaborative Detection of DDoS Attacks over Multiple Network Domains,” IEEE Transactions on Parallel and Distributed Systems, vol. 18, no. 12, pp. 1649-1662, Dec. 2007.
[12] Cisco IOS NetFlow, http://www.cisco.com/en/US/products/ps6601/products_ios_protocol_group_home.html.
[13] DARPA Intrusion Detection Evaluation, http://www.ll.mit.edu/mission/communications/ist/corpora/ideval/data/index.html.
[14] Eimann, R., U. Speidel and N. Brownlee, “A T-Entropy Analysis of the Slammer Worm Outbreak,” in Proceedings of the 8th Asia-Pacific Network Operations and Management Symposium (APNOMS), 27-30 Sep. 2005, pp. 434-445.
[15] Eimann, R., U. Speidel, N. Brownlee and J. Yang, “Network Event Detection with T-entropy,” in University of Auckland CDMTCS Report 266, 2005.
[16] Expect From Wikipedia, http://en.wikipedia.org/wiki/Expect.
[17] Feinstein, L., D. Schnackenberg, R. Balupari and D. Kindred, “Statistical approaches to DDoS attack detection and response,” in Proceedings of DARPA Information Survivability Conference and Exposition, 22-24 Apr. 2003, vol. 1, pp. 303-314.
[18] Gao, Z. and N. Ansari, “Differentiating Malicious DDoS Attack Traffic from Normal TCP Flows by Proactive Tests,” IEEE Communications Letters, vol. 10, no. 11, pp. 793-795, Nov. 2006.
[19] Gordon, L. A., M. P. Loeb, W. Lucyshyn and R. Richardson, “2006 CSI/FBI Computer Crime and Security Survey,” Computer Security Institute, 2006.
[20] Green, J., D. Marchette, S. Northcutt and B. Ralph, “Analysis techniques for detecting coordinated attacks and probes,” in Proceedings of the 1st Conference on Workshop on Intrusion Detection and Network Monitoring, 9-12 Apr. 1999.
[21] Guo, X. B., D. P. Qian, M. Liu, R. Zhang and B. Xu, “Detection and protection against network scanning: IEDP,” in Proceedings of Computer Networks and Mobile Computing Conference, 16-19 Oct. 2001.
[22] Haines, J. W., R. P. Lippmann, D. J. Fried, E. Tran, S. Boswell and M. A. Zissman, “1999 DARPA Intrusion Detection System Evaluation: Design and Procedures,” in MIT Lincoln Laboratory Technical Report ESC-TR-99-061, 26 Feb. 2001.
[23] Internet Control Message Protocol, http://tools.ietf.org/html/rfc792.
[24] Internet Protocol, http://tools.ietf.org/html/rfc791.
[25] Intrusion Detection Attacks Database, http://www.ll.mit.edu/mission/communications/ist/corpora/ideval/docs/attackDB.html.
[26] Itani, S., N. Aaraj, D. Abdelahad and A. Kayssi, “Neighbor stranger discrimination: A new defense mechanism against DDoS attacks,” in Proceedings of the ACS/IEEE 2005 International Conference on Computer Systems and Applications, Jan. 2005.
[27] Kayacik, H. G., “The Challenges in Traffic and Application Modeling for Intrusion Detection System Benchmarking,” in Dalhousie University Technical Report CSTR-030600, CA, 2003.
[28] Kendall, K., “A Database of Computer Attacks for the Evaluation of Intrusion Detection Systems,” Master's Thesis, Massachusetts Institute of Technology, 1998.
[29] Kulkarni, A. and S. Bush, “Detecting Distributed Denial-of-Service Attacks Using Kolmogorov Complexity Metrics,” Journal of Network and Systems Management, vol. 14, no. 1, pp. 69-80, Mar. 2006.
[30] Lau, F., S. H. Rubin, M. H. Smith, and L. Trajkovic, “Distributed denial of service attacks,” in Proceedings of Systems, Man, and Cybernetics, 2000 IEEE International Conference, 8-11 Oct. 2000, vol. 3, pp. 2275-2280.
[31] Lee, F. Y. and S. P. Shieh, “Defending against spoofed DDoS attacks with path fingerprint,” Computers & Security, vol. 24, no. 7, pp. 571-586, Oct. 2005.
[32] Lippmann, R., “A Summary of the 1998 Evaluation with a Brief Outline of Changes for the 1999 Evaluation,” http://www.ll.mit.edu/mission/communications/ist/files/1999_NewPlans.PDF, 1999.
[33] Lippmann, R., J. W. Haines, D. J. Fried, J. Korba and K. Das, “The 1999 DARPA off-line intrusion detection evaluation,” Computer Networks, vol. 34, no. 4, pp. 579-595, Oct. 2000.
[34] Mahajan, R., S. Bellovin, S. Floyd, V. Paxson and S. Shenker, “Controlling high bandwidth aggregates in the network,” ACM Computer Communications Review, vol. 32, no. 3, pp. 62-73, Jul. 2002.
[35] Mahoney, M.V. and P. K. Chan, “An Analysis of the 1999 DARPA/Lincoln Laboratory Evaluation Data for Network Anomaly Detection,” in Proceedings of the Sixth International Symposium on Recent Advances in Intrusion Detection, Sep. 2003, pp. 220-237.
[36] Maximum Transmission Unit, http://en.wikipedia.org/wiki/Maximum_transmission_unit.
[37] McClure, S., J. Scambray and G. Kurtz, “Hacking Exposed – Network Security Secrets & Solutions,” McGraw-Hill, 2005, ISBN 0072260815.
[38] McHugh, J., “Testing Intrusion Detection Systems: A Critique of the 1998 and 1999 DARPA Intrusion Detection System Evaluations as Performed by Lincoln Laboratory,” ACM Transactions on Information and System Security (TISSEC), vol. 3, no. 4, pp. 262-294, Nov. 2000.
[39] Mirkovic, J. and P. Reiher, “A Taxonomy of DDoS Attack and DDoS Defense Mechanisms,” ACM SIGCOMM Computer Communications Review, vol. 34, no. 2, pp. 39-54, Apr. 2004.
[40] NetFlow, http://en.wikipedia.org/wiki/Netflow.
[41] Nychis, G., “An Empirical Evaluation of Entropy-based Anomaly Detection,” in Carnegie Mellon University Thesis, PA, USA, May 2007.
[42] Park, K. and H. Lee, “On the Effectiveness of Route-Based Packet Filtering for Distributed DoS Attack Prevention in Power-Law Internets,” in Proceedings of ACM SIGCOMM, Aug. 2001, pp. 15-26.
[43] Paxson, V., “An analysis of using reflectors for distributed denial-of-service attacks,” Computer Communications Review, vol. 31, no. 3, pp. 38-47, 2001.
[44] Shannon, C. E., “A Mathematical Theory of Communication,” Bell System Technical Journal, vol. 27, pp. 379-423, 623-656, Jul., Oct. 1948.
[45] Speidel, U., R. Eimann and N. Brownlee, “Detecting network events via T-entropy,” in Proceedings of Information, Communications & Signal Processing, 2007 6th International Conference, 10-13 Dec. 2007, pp. 1-5.
[46] SNORT Official Website, http://www.snort.org/.
[47] Snort Preprocessors Development Kickstart, http://afrodita.unicauca.edu.co/~cbedon/snort/spp_kickstart.html.
[48] SQL Slammer, http://en.wikipedia.org/wiki/SQL_slammer_worm.
[49] Sun, H., J. C. S. Lui and D. K. Y. Yau, “Defending Against Low-rate TCP Attacks: Dynamic Detection and Protection,” in Proceedings of IEEE Conference on Network Protocols (ICNP2004), 5-8 Oct. 2004, pp. 196-205.
[50] Switched Port Analyzer (SPAN), http://www.cisco.com/warp/public/473/41.html.
[51] Symantec Corp., “Symantec Global Internet Security Threat Report, Trends for July - December 07,” vol. XIII, Apr. 2008.
[52] Symantec Corp., “Symantec Internet Security Threat Report, Trends for January 06 - June 06,” vol. X, Sep. 2006.
[53] Tcpdump, http://www.tcpdump.org/.
[54] Tcpreplay Official Website, http://tcpreplay.synfin.net/.
[55] The 1998 Intrusion Detection Off-line Evaluation Plan, http://www.ll.mit.edu/mission/communications/ist/files/id98-eval-ll.txt.
[56] The Expect Home Page, http://expect.nist.gov/.
[57] Transmission Control Protocol, http://tools.ietf.org/html/rfc793.
[58] User Datagram Protocol, http://tools.ietf.org/html/rfc768.
[59] Wagner, A. and B. Plattner, “Entropy based worm and anomaly detection in fast IP networks,” in Proceedings of 14th IEEE International Workshops on Enabling Technologies: Infrastructures for Collaborative Enterprises (WET ICE 2005), 13-15 Jun. 2005, pp. 172-177.
[60] Wan, K. K. K. and R. K. C. Chang, “Engineering of a global defense infrastructure for DDoS attacks,” in Proceedings of Networks, 2002. ICON 2002. 10th IEEE International Conference, pp. 419-427, 2002.
[61] Wu, N. and J. Zhang, “Factor Analysis Based Anomaly Detection,” Information Assurance Workshop, 2003. IEEE Systems, Man and Cybernetics Society, 18-20 Jun. 2003.
[62] Xu, K., Z. Zhang and S. Bhattacharyya, “Profiling internet backbone traffic: behavior models and applications,” in Proceedings of the 2005 Conference on Applications, Technologies, Architectures, and Protocols for Computer Communications (SIGCOMM ’05), 22-26 Aug. 2005, pp. 169-180.
[63] Yaar, A., A. Perrig, and D. Song, “Stackpi: New packet marking and filtering mechanisms for ddos and ip spoofing defense,” IEEE Journal on Selected Areas in Communications, vol. 24, no. 10, pp. 1853-1863, Oct. 2006.
