National Taiwan University, Graduate Institute of Electrical Engineering
Advisor: 王勝德 (Sheng-De Wang)
Author: 林顥宗 (Lin, Hao-Tsung)
Record dates: 2013-03-27, 2018-07-06
Year: 2012
Handle: http://ntur.lib.ntu.edu.tw//handle/246246/253876

Title: 雲端環境下基於入侵警報關聯性之動態網路鑑識分析系統
A Dynamic Network Forensic Analysis System based on Intrusion Alert Correlation for Cloud Environments
Type: thesis

Abstract (translated from the Chinese):
To obtain evidence of network crime, the discipline of network forensics has attracted growing attention. Most current network forensic methods rely on manual, after-the-fact analysis, which is especially time-consuming in cloud environments that carry large volumes of network traffic; automating network forensics is therefore an indispensable task. This thesis proposes a dynamic network forensic system for cloud environments: when an attack occurs, the system collects as much evidence as possible in the shortest possible time. The signature-based intrusion detection system Snort is used as the tool that monitors network activity. The thesis also proposes a two-phase analysis method that analyzes network data according to intrusion alerts. Its objectives are to collect relevant evidence dynamically, to try to find attacks that a signature-based intrusion detection system does not detect, and to reduce the data volume so as to save storage space. In the experiments the system is tested with well-known data sets, and the differences in its analysis results under different intrusion detection system settings are presented. The results show that the analysis method extracts relevant evidence efficiently and, compared with related work, saves storage space more effectively.

Abstract (English):
To obtain evidence against network criminals, network forensic techniques have become increasingly important. Current network forensic approaches are primarily static, post-mortem investigations, which are time-consuming with massive network traffic, especially in cloud environments. The automation of network forensics has therefore become an essential task. In this thesis we propose a dynamic network forensic system for cloud environments that gathers evidence as soon as possible after an attack. We use the popular signature-based intrusion detection system (IDS) Snort as a network forensic tool to monitor network activity, and we propose a two-phase analysis approach that automatically analyzes the network data based on intrusion alerts. In brief, the objectives of the approach are to collect relevant evidence dynamically, to try to discover attacks missed by the signature-based IDS, and to reduce the storage required to keep the evidence. In experiments with well-known data sets, the performance of the approach under different IDS configurations is analyzed and presented. The experimental results show that the analysis approach can automatically extract relevant evidence and save more storage space.

Keywords: 網路鑑識, 入侵檢測, 警報關聯, Network Forensics, Intrusion Detection, Alert Correlation
SDGs: SDG16
File: 1290550 bytes, application/pdf, en-US
Full text: http://ntur.lib.ntu.edu.tw/bitstream/246246/253876/1/ntu-101-R99921071-1.pdf
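The abstract gives only the outline of an alert-driven, two-phase analysis. The Python below is an added illustration of that general idea; it is not the thesis's code and not part of Snort. Phase 1 correlates Snort alerts into one evidence window per alerting host, phase 2 retains only the traffic records that touch such a host inside its window and separates the records that no alert explains (the kind of traffic a signature-based IDS misses), and the script reports how much captured data need not be stored. The Snort "fast" alert layout is real; the alert lines, flow records, hosts, signature ID, window length and the year used to complete the timestamps are all constructed assumptions.

```python
"""Alert-driven evidence selection (added illustration, not the thesis's
implementation). Phase 1: correlate IDS alerts into per-host evidence
windows. Phase 2: keep flows inside a window; flag those no alert explains.
All sample alerts, flows, hosts and the signature ID are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import NamedTuple, Optional

# Snort fast-format alert line:
# MM/DD-HH:MM:SS.usec  [**] [gid:sid:rev] msg [**] [Classification: ...] [Priority: n] {PROTO} src:port -> dst:port
FAST_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}-\d{2}:\d{2}:\d{2}\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\].*?"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+)(?::\d+)?\s+->\s+(?P<dst>[\d.]+)(?::\d+)?\s*$"
)
CAPTURE_YEAR = 2012  # assumption: fast alerts carry no year, so the capture year is supplied


class Alert(NamedTuple):
    ts: datetime
    sid: int
    msg: str
    src: str
    dst: str


class Flow(NamedTuple):
    ts: datetime
    src: str
    dst: str
    dport: int
    nbytes: int


def parse_fast_alert(line: str) -> Optional[Alert]:
    """Parse one Snort fast-format alert; return None for any other line."""
    m = FAST_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(f"{CAPTURE_YEAR}/{m['ts']}", "%Y/%m/%d-%H:%M:%S.%f")
    return Alert(ts, int(m["sid"]), m["msg"], m["src"], m["dst"])


def correlate(alerts, window: timedelta):
    """Phase 1: one evidence window per alerting source host, spanning its
    earliest alert minus `window` to its latest alert plus `window`."""
    by_src = defaultdict(list)
    for a in alerts:
        by_src[a.src].append(a.ts)
    return {src: (min(ts) - window, max(ts) + window) for src, ts in by_src.items()}


def select_evidence(flows, alerts, windows, slack=timedelta(seconds=1)):
    """Phase 2: keep flows touching an alerting host inside its window.
    Returns (explained, unexplained): flows matching an alert's endpoints and
    time within `slack`, and in-window flows that no alert accounts for."""
    explained, unexplained = [], []
    for f in flows:
        in_window = any((f.src == host or f.dst == host) and start <= f.ts <= end
                        for host, (start, end) in windows.items())
        if not in_window:
            continue  # unrelated traffic is not retained as evidence
        matched = any(a.src == f.src and a.dst == f.dst and abs(a.ts - f.ts) <= slack
                      for a in alerts)
        (explained if matched else unexplained).append(f)
    return explained, unexplained


def storage_reduction(flows, kept) -> float:
    """Fraction of captured bytes that need not be stored."""
    total = sum(f.nbytes for f in flows)
    return 1.0 - sum(f.nbytes for f in kept) / total if total else 0.0


# Constructed sample data (not taken from the thesis's data sets).
SAMPLE_ALERT_LOG = """\
03/27-10:15:02.123456  [**] [1:1000001:1] constructed web scan rule [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.0.0.5:44321 -> 10.0.0.10:80
# not an alert line
03/27-10:15:40.000100  [**] [1:1000001:1] constructed web scan rule [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.0.0.5:44390 -> 10.0.0.10:80
"""
SAMPLE_FLOWS = [
    Flow(datetime(2012, 3, 27, 10, 15, 2), "10.0.0.5", "10.0.0.10", 80, 1200),     # alerted scan
    Flow(datetime(2012, 3, 27, 10, 15, 20), "10.0.0.5", "10.0.0.10", 22, 4800),    # same attacker, no signature fired
    Flow(datetime(2012, 3, 27, 10, 15, 10), "10.0.0.7", "10.0.0.10", 443, 900000), # unrelated bulk transfer
    Flow(datetime(2012, 3, 27, 11, 30, 0), "10.0.0.5", "10.0.0.11", 445, 30000),   # same attacker, outside window
]


def run_example(window=timedelta(seconds=60)):
    alerts = [a for a in map(parse_fast_alert, SAMPLE_ALERT_LOG.splitlines()) if a]
    windows = correlate(alerts, window)
    explained, unexplained = select_evidence(SAMPLE_FLOWS, alerts, windows)
    return alerts, windows, explained, unexplained, storage_reduction(SAMPLE_FLOWS, explained + unexplained)


if __name__ == "__main__":
    alerts, windows, explained, unexplained, ratio = run_example()
    print(f"{len(alerts)} alerts -> {len(windows)} evidence window(s)")
    for f in explained:
        print("evidence (alerted):  ", f)
    for f in unexplained:
        print("evidence (unflagged):", f)
    print(f"storage reduction: {ratio:.1%}")
```

The unflagged SSH flow from the alerting host is what makes the alert-driven window useful: a signature-only pipeline would have stored the port-80 scan and nothing else, whereas keying evidence collection on the attacker host also preserves the neighbouring activity that no rule matched. The window length and the one-second slack are tuning knobs; too small a window loses context, too large one erodes the storage saving.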