Title: Scenario-Based Threat Detection and Analysis (情境導向之攻擊偵測與分析)
Author: Hsiu, Pi-Cheng (修丕承)
Advisor: 郭大維 (Tei-Wei Kuo)
Institution: National Taiwan University, Graduate Institute of Computer Science and Information Engineering (臺灣大學:資訊工程學研究所)
Type: thesis
Date issued: 2004
Date accessioned: 2007-11-26
Date available: 2018-07-05
Language: en-US
Handle: http://ntur.lib.ntu.edu.tw//handle/246246/53971
Full text (PDF, 327117 bytes, application/pdf): http://ntur.lib.ntu.edu.tw/bitstream/246246/53971/1/ntu-93-R91922004-1.pdf
Keywords: attack analysis (攻擊分析); intrusion detection system (入侵偵測系統); attack detection (攻擊偵測); threat detection

Abstract (translated from the Chinese original):
This thesis addresses two fundamental problems in the design of intrusion detection systems: rule-firing optimization and attack analysis. We propose a scenario-based approach that establishes correlations among attack packets and uses them to select detection rules intelligently. Separate algorithms are proposed for rule selection and for attack scenario identification. Potential threats to gateway and web server applications are used as the running example. An intrusion detection system based on Snort is implemented to realize the proposed algorithms. Experimental results confirm that the proposed method improves the performance of the intrusion detection system and increases its ability to identify attack scenarios.

Abstract:
This thesis targets two essential issues in intrusion detection system design: the optimization of rule selection and the discovery of attacks during attack analysis. A scenario-based approach is proposed to correlate malicious packets and to select intelligently which intrusion detection rules to fire. We propose algorithms for rule selection and for attack scenario identification. Potential threats to gateway and web server applications, and the dependency relationships among them, are explored as the example in this study. The proposed algorithms are implemented on top of Snort, a signature-based intrusion detection system, and the performance evaluation results are encouraging.

Contents (page numbers refer to the PDF):
1 Introduction (p. 1)
2 System Architecture (p. 3)
2.1 Common Criteria (p. 3)
2.2 Gateways and Web-Server Applications (p. 3)
3 Threat Detection and Attack Analysis - A Scenario-Based Approach (p. 6)
3.1 Overview (p. 6)
3.2 Threat Dependency (p. 7)
3.2.1 Threats and Their Dependency Relationship (p. 7)
3.2.2 A Dependency Graph of Threats (p. 10)
3.3 Methodology (p. 12)
3.3.1 Problem Definitions (p. 12)
3.3.2 Threat Detection: Rule Firing Optimization (p. 13)
3.3.3 Attack Analysis: Subsequence Identification (p. 17)
4 Implementation (p. 20)
4.1 Introduction to Snort (p. 20)
4.2 Implementation Issues (p. 21)
4.2.1 Rules and Classtypes (p. 21)
4.2.2 Mechanism (p. 22)
4.3 Performance Evaluation (p. 24)
4.3.1 Setup Environment (p. 24)
4.3.2 Experimental Results (p. 25)
5 Conclusion (p. 31)
Bibliography (p. 32)
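The abstract and the table of contents describe the two mechanisms at a high level only: a dependency graph of threats that gates which rules are worth firing, and subsequence identification that maps the alerts actually raised back onto an attack scenario. The example below is an added illustration of that idea in Python and is not code from the thesis or from Snort; the threat names, the dependency edges, the rule SIDs and payload patterns, the sample packets and the exact arming policy are all assumptions made for the example. It shows the cost saving of arming rules only once their prerequisite threats have been observed, and the trade-off a practitioner should keep in mind: an attacker who skips a stage is invisible to gated rules, so the baseline (every rule on every packet) is also kept for comparison.

```python
"""Scenario-based rule arming and attack-scenario identification.

Added illustration, not code from the thesis or from Snort.  The threat
names, the dependency edges, the rule identifiers and payload patterns, and
the arming policy are all assumptions made for this example.
"""

# Assumed threat dependency graph: deps[t] lists the threats that must have
# been observed before it is worth evaluating rules for threat t.
THREAT_DEPS = {
    "recon_scan":  [],
    "web_probe":   ["recon_scan"],
    "web_exploit": ["web_probe"],
    "web_deface":  ["web_exploit"],
    "backdoor_c2": ["web_exploit"],
}

# Assumed rules: each is tagged with the threat it detects (comparable to a
# Snort classtype) and a payload substring it matches.
RULES = [
    {"sid": 1001, "threat": "recon_scan",  "pattern": b"SYN-SCAN"},
    {"sid": 2001, "threat": "web_probe",   "pattern": b"GET /cgi-bin/"},
    {"sid": 3001, "threat": "web_exploit", "pattern": b"../../etc/passwd"},
    {"sid": 3002, "threat": "web_deface",  "pattern": b"PUT /index.html"},
    {"sid": 4001, "threat": "backdoor_c2", "pattern": b"BEACON"},
]

# Assumed attack scenarios: ordered threat sequences, i.e. paths in the graph.
SCENARIOS = {
    "web_compromise_to_c2": ["recon_scan", "web_probe", "web_exploit", "backdoor_c2"],
    "web_defacement":       ["recon_scan", "web_probe", "web_exploit", "web_deface"],
}


class ScenarioDetector:
    """Per-source detector that arms rules as their prerequisite threats appear."""

    def __init__(self, deps, rules, gated=True):
        self.deps, self.rules, self.gated = deps, rules, gated
        self.observed = set()        # threats seen so far from this source
        self.alerts = []             # threats that fired, in arrival order
        self.rules_evaluated = 0     # cost metric: pattern checks performed

    def armed_rules(self):
        if not self.gated:           # baseline: every rule on every packet
            return list(self.rules)
        return [r for r in self.rules
                if all(p in self.observed for p in self.deps[r["threat"]])]

    def process(self, payload):
        """Evaluate armed rules against one payload; return the SIDs that fired."""
        fired = []
        for rule in self.armed_rules():
            self.rules_evaluated += 1
            if rule["pattern"] in payload:
                self.observed.add(rule["threat"])
                self.alerts.append(rule["threat"])
                fired.append(rule["sid"])
        return fired


def scenario_progress(alerts, scenario):
    """Number of leading steps of `scenario` that occur, in order, within `alerts`."""
    matched = 0
    for threat in alerts:
        if matched < len(scenario) and threat == scenario[matched]:
            matched += 1
    return matched


def identify_scenarios(alerts, scenarios=SCENARIOS):
    """Map every scenario with at least one matched step to (matched, total)."""
    progress = {name: (scenario_progress(alerts, steps), len(steps))
                for name, steps in scenarios.items()}
    return {name: p for name, p in progress.items() if p[0] > 0}


def run(packets, gated=True):
    """Feed constructed payloads from one source through a detector and return it."""
    det = ScenarioDetector(THREAT_DEPS, RULES, gated=gated)
    for payload in packets:
        det.process(payload)
    return det


# Constructed sample traffic from a single source, in arrival order.
PACKETS = [
    b"SYN-SCAN ports 1-1024",
    b"GET /cgi-bin/test.cgi HTTP/1.0",
    b"GET /cgi-bin/../../etc/passwd HTTP/1.0",
    b"BEACON id=7",
]

if __name__ == "__main__":
    gated, flat = run(PACKETS, gated=True), run(PACKETS, gated=False)
    print("alerts:", gated.alerts)
    print("pattern checks: gated=%d flat=%d" % (gated.rules_evaluated, flat.rules_evaluated))
    for name, (done, total) in identify_scenarios(gated.alerts).items():
        print("%s: %d/%d steps%s" % (name, done, total, " (complete)" if done == total else ""))
```

On the constructed traffic the gated detector raises exactly the same alerts as the flat baseline while performing 11 pattern checks instead of 20, and the alert sequence is identified as a complete "web_compromise_to_c2" scenario with "web_defacement" three steps along. Feeding only the `BEACON` payload shows the caveat: the gated detector never arms the C2 rule because no prerequisite stage was seen, whereas the baseline still alerts.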