Network intrusion detection method for distributed denial of service and distributed scanning (page 1)

Document summary

Network Intrusion Detection for Distributed Denial of Service and Distributed Scanning

Student: Chang-Han Jong
Advisor: Dr. Shiuh-Pyng Shieh
Department of Computer Science and Information Engineering, National Chiao Tung University

Abstract

In this thesis, we analyze two kinds of network attacks, distributed denial of service (DDoS) and distributed scanning (DS), and then propose a network intrusion detection scheme. The scheme focuses on monitoring the variance of the packet fields. The sets of anomalous packet fields are attack signatures, which can be used to identify the attack types. In the process of analyzing packet field variation, the alleged packets can be logged for forensics. We also discuss the design principles of the function that presents the traffic characteristic and two techniques based on probability and hash functions to improve throughput. We implement the prototype of the proposed scheme, and the experiments showed that the prototype successfully detects dozens of DDoS/DS attack types without predefined network attack patterns.

List of Contents

Chapter 1 Introduction
1.1 Background
1.1.1 Intrusion Scenario
1.1.2 Intrusion Detection
1.2 Motivations
1.3 Contribution
1.4 Synopsis
Chapter 2 Related Work
2.1 Intrusion Detection
2.2 GrIDS
2.3 Packet Aggregation
2.4 Detecting Anomaly Traffic by Entropy
2.5 Detecting Anomaly by Variance of Traffic Quantity
2.6 Chapter Summary
Chapter 3 Analysis of DDoS/DS Attacks
3.1 Distributed Denial of Service
3.2 Distributed Scanning
3.3 Attack Programs
3.4 Chapter Summary
Chapter 4 Proposed Scheme
4.1 Overview
4.2 Stage 1: Packet Classification
4.3 Stage 2: Traffic Dispersion Function
4.3.1 Preliminary
4.3.2 Properties of Traffic Dispersion Function
4.3.3 Theorem 1
4.3.4 Proposed Traffic Dispersion Function
4.4 Stage 3: Variance-based Anomaly Detection
4.5 Chapter Summary
Chapter 5 Prototype and Discussion
5.1 Prototype and Experiments
5.2 Anomaly Distribution of Packet Fields
5.3 Advantages
5.4 Disadvantages
5.5 Comparison
5.6 Chapter Summary
Chapter 6 Conclusion
References
Appendix: TCP/IP Fields

List of Figures

Figure 1-1 Intrusion Scenario
Figure 4-1 Overview of the Proposed Scheme
Figure 4-2 Attack Signature
Figure 4-3 Attack Path Identification
Figure 4-4 Architecture
Figure 4-5 Example of the Proposed Scheme Flow
Figure 4-6 Digest of the Packet
Figure 5-1 Prototype
Figure 5-2 Data Structure of the Prototype

List of Tables

Table 3-1 Common DDoS Tools, by Vicki Irwin
Table 3-2 Web TCP Chargen Attack
Table 3-3 Scanning an Open Port 79 via HTTP Proxy
Table 3-4 Scanning a Non-open Port 81 via HTTP Proxy
Table 3-5 Fixed Value Field in Attack Program
Table 3-6 Random Value Field in Attack Program
Table 3-7 Certain-function-made Field in Attack Program
Table 4-1 The Flow of the Proposed Scheme
Table 4-2 Result of Stage 1
Table 4-3 Algorithm of Mapping
Table 4-4 Algorithm of Packet Digest
Table 4-5 Algorithm of Classification
Table 4-6 Algorithm for Probability-based Merging
Table 4-7 Algorithm for Hash-based Merging
Table 4-8 Notation
Table 4-9 Assumption
Table 4-10 Aggregative
Table 4-11 Insensitive
Table 4-12 Over-coverage
Table 4-13 Theorem 1: Aggregative
Table 4-14 Theorem 1: Insensitive
Table 4-15 Theorem 1: Over-coverage
Table 4-16 Proposed Traffic Dispersion Function
Table 4-17 Algorithm of Variance-based Anomaly Detection
Table 4-18 Algorithm of Cooperative Response
Table 5-1 Sample Attack Parameters

Chapter 1 Introduction

Computer and network security are important issues in today's e-business world. The security officer often uses filter technology to make the computer systems or network obey the security policy. Filter technology, in the realm of networks, is the firewall. Even with the filter technology, we have no idea if the filter works as we think or if the filter is well configured. The intrusion detection scheme is then used to verify the security policy [Bace 00]. It detects the malicious behavior of the computer systems or the networks. Network anomaly detection is one kind of intrusion detection. It determines a network anomaly if the current behavior of network traffic is far from the historical behavior recorded by the profiles.

With the advance of network attacks, distributed denial of service (DDoS) and distributed scanning (DS), performed by multiple hosts, have become the most serious problems in computer and network security because of the difficulties in detecting and tracing them. Therefore, in this thesis, we discuss the detection issues of distributed denial of service and distributed scanning.

1.1 Background

1.1.1 Intrusion Scenario

A network attack can be described in four steps. An intruder explores, looks for a vulnerability, and uses exploit programs to attack one host. After successfully breaking into one host, the intruder takes advantage of the intruded host to attack other hosts.

1. Exploring
First, the attacker locates the victims by DNS, search engines, or scanning utilities [nmap]. He or she then figures out the network topology of the victim and what services the victim host provides. Network topology information includes IP address, netmask, DNS record, whois record, and the system manager's personal information.

2. Looking for Vulnerability
The attacker then looks up the vulnerability databases to see if certain services or platforms are vulnerable [r-scanner][Nessus]. Many vendors of operating systems or software and independent hacking organizations publish advisories periodically or when important security incidents arise. The advisories are primarily for defense use but are also the source of vulnerability databases.

3. Using Exploit Programs to Attack the Victim
The attacker then develops or searches for the exploit programs corresponding to the known vulnerability in the vulnerability databases. There are many public vulnerability databases with exploit programs, such as SecurityFocus BugTraq [Chang 00].

4. Attacking Other Hosts
The attacker may use the controlled (broken-in) host to break into another host. This is important for attackers who attack in the future with multiple hosts, such as worms, DDoS and DS [Denning 90][Begel 99].

1.1.2 Intrusion Detection

Since 1986, many intrusion detection methods and systems have been proposed [Denning 86][Mukherjee 94][CERT 99]. An intrusion detection system is a system that detects if computer systems disobey the security policy. The intrusion detection system collects information from hosts or networks and then analyzes the information to raise an alarm for the intrusion.

Intrusion detection systems, according to the data source, can be classified as host-based, network-based, and agent-based. Host-based intrusion detection systems analyze operating system audit trails to detect intrusions [Teng 90][Kosoresow 97]. Network-based intrusion detection systems collect network traffic to detect intrusions. Agent-based intrusion detection does its work by collecting data from other hosts or intrusion detection systems [COAST 98]. Detecting DDoS/DS is a special case of network intrusion detection. We will have a detailed discussion about intrusion detection in the next chapter.

1.2 Motivations

Distributed denial of service (DDoS) disables network nodes by sending mass packets from multiple hosts. Distributed scanning collects network information, including live hosts, open ports, and vulnerable services, by multiple hosts for future intrusion. Mapping to the 4 steps of the intrusion scenario, DDoS is the 4th step and DS is the 1st step. Additionally, they are often used with IP spoofing and attacks based on TCP/IP design/implementation defects. Intrusion detection systems may fail when attacks are based on unknown design/implementation defects of TCP/IP. These defects include the ambiguous parts of the Internet protocol suite [Ptacek 98][Huang 01]. We describe the problems in detail as follows.

Multiple Roles in DDoS/DS
DDoS and DS are performed by multiple hosts, so it is especially difficult to detect them when the number of attack hosts is large, in the hundreds, thousands or above. This problem becomes more serious as client attacks, such as email viruses or worms, are more and more common today. Not only Internet servers are used as gangplank hosts, but personal computers are too.

It is easy to detect DDoS by checking the service quality of the victim host. If the victim is unable to serve or to connect to other networks, it is probably under a denial of service attack. If we can detect the attack on the routers in front of the victim, forensics, backtracking, or isolation are possible. But it is not trivial to detect DDoS/DS on the routers because we cannot rely on the IP address to decide whether packets with a certain IP source address are the attack packets. IP spoofing fools the network traffic statistics.

IP Spoofing
IP spoofing forges the source or destination addresses of IP packets [Bellovin 89][Hastings 96]. IP spoofing hides the true attacker or victim. If the source address of a packet is forged, it is difficult to trace the real source of this packet; if the destination address of a packet is forged, it is difficult to know who the victim is. IP destination address spoofing is not well known. It happens when the attacker wants to attack a router (maybe the router is a necessary one for an Internet server) and the attacker does not want people to be aware of this attack. Packets are sent to multiple hosts and pass through the target router. Therefore it becomes more difficult to detect whether these packets are offensive.

There are ways to deal with IP spoofing [Stone 99][Savage 00][Song 01]. One is to force every router to deny outbound packets whose source IP address does not belong to the intranet. This approach is technically possible but is not suitable for the real world because you cannot force every router administrator to do so. Another approach is to mark partial path information when packets pass the routers.

Layer 3/4 Attacks without Patterns
Attacks that result from TCP/IP design/implementation defects are hard to detect if we do not have the pattern yet [Northcutt 01]. If network protocols have some implementation defects or protocol ambiguity, the intrusion detection system may not identify the intrusion. Traditionally, if we want to detect that packets with special patterns are an attack, we log the network traffic. But it is very space-consuming work.

Throughput Requirement
Throughput is an important issue in intrusion detection because computer and network anomaly actions have to be detected on time to reduce the damage [Bettati 99][Sekar 99]. The damage includes data loss, modification, spoofing or denial of service. Because the Internet now provides many vital commercial activities, detecting the attack on time reduces the financial damage.

1.3 Contribution

In this thesis, we have identified the possibility of DDoS and DS attacks of which people do not know the complete picture yet. By this, we have designed and implemented a network intrusion detection scheme for these two kinds of attacks. The proposed scheme is able to detect DDoS/DS attacks without patterns. The prototype shows that the scheme is able to detect the given dozens of attack samples without being given attack signatures in advance. Thereby the scheme is useful in detecting novel network attacks for which we do not have signatures yet. On designing the scheme, we have the ideas of how to properly present the traffic distribution by a real number. The proposed scheme can easily extend its ability to monitor more fields by only adding encoding code for the packet fields that we are interested in.

1.4 Synopsis

This thesis is organized as follows. In Chapter 2, we survey related work including various intrusion detection approaches, GrIDS, packet aggregation, and anomaly detection by variance and entropy. In Chapter 3, we show the analysis of DDoS and DS attacks. In Chapter 4, we propose our scheme to handle DDoS and DS attacks. We present the prototype and experiments in Chapter 5. Finally, Chapter 6 is the conclusion.

Chapter 2 Related Work

We first introduce the important general-purpose intrusion detection methods and systems. These methods and systems can be cataloged as rule-based, anomaly detection, large networks, machine learning, and light-weight network intrusion detection. In the subsequent sections, we discuss GrIDS and packet aggregation. GrIDS is an intrusion detection system for large networks, because of its hierarchical design. Packet aggregation is a symptom-based intrusion detection technique that monitors the ICMP control messages of TCP/IP networks to detect malicious activities. Finally, anomaly detection by entropy and by variance is presented.

2.1 Intrusion Detection

In this section, we introduce general intrusion detection approaches related to DDoS/DS. Rule-based and anomaly intrusion detection are the conventional intrusion detection approaches. Rule-based intrusion detection uses the knowledge of experts to mine the possible intrusion. Anomaly detection aims to detect activities far from the historical profiles. As computer networks grow very fast, the scale of network attacks is much larger than before. Genetic algorithms are used to increase the processing speed. In another aspect, machine-learning techniques, such as artificial neural networks and data mining, are used to automatically discover the malicious activities.

Rule-based
Expert systems are the early period intrusion detection technique [Teng 90][Lindqvist 99][Paxson 99]. Security experts make the rules of intrusion description, and the intrusion detection system alerts if the behavior of the system matches the rules or the inducted rules. This technique is still an important component of today's intrusion detection because it is efficient for intrusions for which we already have patterns.

State transition introduces the stateful semantics of intrusion detection [Ilgun 95][Vigna 98]. An intrusion may be achieved by multiple harmless-looking steps. State transition helps to identify this kind of intrusion. But it has problems on 1) how to produce the state transition in an efficient way and 2) the intruder may change the path of intrusion to elude detection.

Pattern-oriented intrusion detection takes advantage of the read/write/control semantics to induct the state of broken-in or weakness [Shieh 97]. Therefore the rules of intrusion signatures can be automatically generated in a heuristic way. But in real world systems, it is not suitable to verify every access in such a computationally complex approach.

ASAX is an intrusion detection system that 1) encodes the audit trails into bit strings, and 2) recognizes the intrusion by matching encoded bit strings [Habra 92]. This method is platform independent because audit trails are converted to a formal form.

Anomaly Detection
The statistical method is an obvious approach because statistics has been a mature technology for most fields of science and engineering. Resource usage is modeled by the statistical rules. If the statistics within a certain time period exceed the limit computed by the statistical rules, then it is treated as an intrusion. W&S, IDES and NIDES are the important milestones of statistical intrusion detection [Vaccaro 89][Javitz 93][Marchette 99][Neumann 99].

Fuzzy logic helps anomaly detection to provide a fuzzy concept [Dickerson 01]. Binary logic is extended to multiple values, that is, the domain and range of the logic operations and matrix are extended from {0, 1} to [0, 1]. Using fuzzy logic, the concept of few or many can be exactly described, especially for network packet statistics.

Large Networks
The genetic algorithm aims at the fast matching of intrusion patterns [Neri 00]. Network packets are encoded into bit strings (the DNA). The genetic algorithm helps to match if the network packets match the attack ones. Snapp and his partners proposed a distributed architecture for intrusion detection systems [Snapp 91]. The COAST laboratory at Purdue University has proposed an agent architecture for intrusion detection, which specifies the authorities of the agents [Balasubramaniyan 98]. Visualization is another approach for large networks [Erbacher 00]. This approach transforms network activities into visualized pictures so that even non-experts can sense abnormal network activities.

Machine Learning
The artificial neural network (ANN) has been widely used in intrusion detection for its auto-learning property [Bonifacio 98][Ghosh 99][Sinclair 99][Neri 00][Cannady 00]. The ANN learns network or computer activities by feeding the statistics and anomaly status to the ANN black box. After the learning period, the ANN box decides if the network or computer activities are anomalous by the memory of the simulated biological cells inside the ANN. This method often has beautiful ROC curves to show that it has a low false alarm rate. However, if the inputs exceed the memorization capacity of the ANN, the ANN might be forgetful. Previous experimentation shows that if we feed the TCP flags of the TCP/IP packets into the ANN, then the ANN can perfectly recognize the attack performed by sending malicious TCP/IP packets with special TCP flags. Unfortunately, it is the very special case that does not need much memory.

Data mining is another kind of machine learning technology [Lee 99b]. Data mining technology automatically analyzes the association between variables. But this technology is limited to offline use. Data mining is useful for discovering new attacks, but is not suitable for routine use because of its
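The detection idea sketched in the abstract and in Section 1.3 (each packet field's distribution presented as a real number, compared against a historical profile, with the deviating fields forming the attack signature and the window logged for forensics), as an added illustration that is not code from the thesis or its prototype. It assumes normalized entropy as the per-field dispersion measure, a mean/standard-deviation profile with a k-sigma threshold, and constructed sample traffic; the thesis's own traffic dispersion function and thresholds are not on this page.

```python
import math
import random
from collections import Counter

FIELDS = ("src_ip", "ttl", "ip_id", "dst_port")  # monitored header fields

def dispersion(values):
    """Normalized Shannon entropy of one field's values in a window, in [0, 1].
    Assumed stand-in for the thesis's traffic dispersion function."""
    n, counts = len(values), Counter(values)
    if len(counts) <= 1:
        return 0.0
    h = -sum(c / n * math.log2(c / n) for c in counts.values())
    return h / math.log2(n)

def window_profile(packets):
    """Dispersion of every monitored field over one window of packets."""
    return {f: dispersion([p[f] for p in packets]) for f in FIELDS}

def build_baseline(windows):
    """Historical profile: mean and standard deviation of each field's dispersion."""
    profile = {}
    for f in FIELDS:
        xs = [window_profile(w)[f] for w in windows]
        mean = sum(xs) / len(xs)
        profile[f] = (mean, math.sqrt(sum((x - mean) ** 2 for x in xs) / len(xs)))
    return profile

def detect(window, profile, k=2.0, floor=0.05):
    """Fields whose dispersion is k deviations (floor guards near-constant baselines)
    from the profile form the signature; the window is logged when it is non-empty."""
    current = window_profile(window)
    signature = frozenset(f for f in FIELDS
                          if abs(current[f] - profile[f][0]) > k * max(profile[f][1], floor))
    return signature, (list(window) if signature else [])

def normal_window(rng, n=200):
    """Constructed benign traffic: few client IPs, two TTLs, incrementing IP IDs."""
    return [{"src_ip": f"10.0.{rng.randint(0, 3)}.{rng.randint(1, 20)}",
             "ttl": rng.choice((64, 128)), "ip_id": 1000 + i,
             "dst_port": rng.choice((80, 443))} for i in range(n)]

def flood_window(rng, n=200):
    """Constructed DDoS-style traffic: random spoofed sources and TTLs (random-value
    fields), constant IP ID and a single target port (fixed-value fields)."""
    return [{"src_ip": ".".join(str(rng.randint(1, 254)) for _ in range(4)),
             "ttl": rng.randint(1, 255), "ip_id": 0, "dst_port": 80} for _ in range(n)]

def run_demo(seed=1):
    """Train on ten benign windows, then score one flood and one fresh benign window."""
    rng = random.Random(seed)
    profile = build_baseline([normal_window(rng) for _ in range(10)])
    flood_sig, logged = detect(flood_window(rng), profile)
    benign_sig, _ = detect(normal_window(rng), profile)
    return flood_sig, len(logged), benign_sig
```

The flood is reported as the field set {src_ip, ttl, ip_id, dst_port}, which is exactly the kind of signature the thesis describes: fields that became random (spoofed sources, TTL) and fields that became fixed (IP ID, port) both stand out, without any predefined pattern.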
