适用於分散式阻断服务与分散式扫描之网路入侵侦测方法

1NetworkIntrusionDetectionforDistributedDenialofServiceandDistributedScanningStudent:Chang-HanJongAdvisor:Dr.Shiuh-PyngShiehDepartmentofComputerScienceandInformationEngineering,NationalChiao-TungUniversityAbstractInthisthesis,weanalyzetwokindsofnetworkattacks,distributeddenialofservice(DDoS)anddistributedscanning(DS)andthenproposeanetworkintrusiondetectionscheme.Theschemefocusesonmonitoringthevarianceofthepacketfields.Thesetsofanomalypacketfieldsareattacksignatures,whichcanbeusedtoidentifytheattacktypes.Intheprocessofanalyzingpacketfieldvariation,theallegedpacketscanbeloggedforforensics.Wealsodiscussthedesignprinciplesofthefunctionthatpresentthetrafficcharacteristicandtwotechniquesbasedonprobabilityandhashfunctiontoimprovethroughput.Weimplementtheprototypeoftheproposedscheme,andtheexperimentsshowedthattheprototypedetectssuccessfullydozensofDDoS/DSattacktypeswithoutpredefinednetworkattackpatterns.2ListofContentsCHAPTER1INTRODUCTION..........................................................................781.1BACKGROUND...............................................................................................781.1.1IntrusionScenario................................................................................781.1.2IntrusionDetection............................................................................9101.2MOTIVATIONS............................................................................................10111.3CONTRIBUTION.........................................................................................12131.4SYNOPSIS..................................................................................................1213CHAPTER2RELATEDWORK....................................................................13142.1INTRUSIONDETECTION.............................................................................13142.2GRIDS......................................................................................................16172.3PACKETAGGREGATION.............................................................................17182.4DETECTINGANOMALYTRAFFICBYENTROPY...........................................19202.5DETECTINGANOMALYBYVARIANCEOFTRAFFICQUANTITY...................20212.6CHAPTERSUMMARY.................................................................................2021CHAPTER3ANALYSISOFDDOS/DSATTACKS.....................................22233.1DISTRIBUTEDDENIALOFSERVICE............................................................22233.2DISTRIBUTEDSCANNING...........................................................................25263.3ATTACKPROGRAMS..................................................................................28293.4CHAPTERSUMMARY.................................................................................3031CHAPTER4PROPOSEDSCHEME.............................................................31324.1OVERVIEW................................................................................................32334.2STAGE1:PACKETCLASSIFICATION...........................................................39404.3STAGE2:TRAFFICDISPERSIONFUNCTION................................................44454.3.1Preliminary......................................................................................45464.3.2PropertiesofTrafficDispersionFunction.......................................45464.3.3TheoremI.........................................................................................49504.3.4ProposedTrafficDispersionFunction.............................................49504.4STAGE3:VARIANCE-BASEDANOMALYDETECTION..................................50514.5CHAPTERSUMMARY.................................................................................5253CHAPTER5PROTOTYPEANDDISCUSSION..........................................53545.1PROTOTYPEANDEXPERIMENTS................................................................535435.2ANOMALYDISTRIBUTIONOFPACKETFIELDS............................................61625.3ADVANTAGES............................................................................................63645.4DISADVANTAGES.......................................................................................66675.5COMPARISON............................................................................................67685.6CHAPTERSUMMARY.................................................................................7172CHAPTER6CONCLUSION..........................................................................7273REFERENCES.......................................................................................................7475APPENDIXTCP/IPFIELDS................................................................................81824ListofContentsFIGURE1-1INTRUSIONSCENARIO..................................................................................8FIGURE4-1OVERVIEWOFTHEPROPOSEDSCHEME......................................................32FIGURE4-2ATTACKSIGNATURE...................