應用決策樹偵測分散式阻斷攻擊與搭配灰色理論之追蹤

Abstract

隨著網路技術的新興，現代人的生活與網路有著愈來愈密不可分的關係。在 這個與生活息息相關的網路環境中，網路安全這個課題也逐漸受到重視。在眾多 的網路攻擊手法中，分散式阻斷攻擊(Distributed Denial-of-service)是最常 發生並造成重大損害的一種攻擊手法。這種攻擊方式，主要是由入侵軟體的漏 洞，進而佔據整台主機，取得管理者的權限，以達到遙控整台主機的目的。因此， 在此攻擊中，攻擊者可藉由此被控制的主機對受害者發送大量的封包，消耗受害 者端的資源。因此，當被遙控的主機數量增多後，受害者終將無法負荷，因而讓 攻擊者達到阻斷服務的目的。有鑑於此，本論文提出一套對於分散式阻斷攻擊的 偵測與追蹤的系統，針對封包流量等資訊，利用人工智慧中的決策樹方法來判斷 主機是否遭受攻擊。本研究並利用非傳統統計學的方法來偵測可能的攻擊路徑， 以期能夠追蹤到攻擊者所在的網域。 我們藉由DETER 環境建立起擬真的網路環 境，並蒐集現實環境中的網路流量重新在DETER完整重現一次，根據實驗結果， 我們的系統對於DDoS的偵測約可以得到false positive ratio about 1.2% ~ 2.4%與 false negative ratio about %5 ~ 10%，追蹤攻擊者可得到約8% ~ 12%的false negative rate與12% ~ 14%的false positive rate。

As modern life becomes increasingly closely bound to the Internet, network security becomes increasingly important. We all live under the shadow of network threats. The threats could cause leakage of privacy and/or economic loss. Among network attacks, the DDoS (distributed denial-of-service) attack is one of the most frequent and serious. In a DDoS attack, an attacker first breaks into many innocent hosts (called zombies) by taking advantages of known or unknown bugs and vulnerabilities in the software. Then the attacker sends a large number of packets from these zombies to a server. These packets either occupy a major portion of the server’s network bandwidth or they consume much of the server’s time. The server is then prevented from conducting normal business operations. To mitigate the DDoS threat, we design a system to detect DDoS attacks based on a decision-tree technique and, after detecting an attack, to trace back to the approximate locations of the attacker with a traffic-flow pattern-matching technique. We conduct our experiment on the DETER system. According to our experiment results, our system could detect the DDoS attack with the false positive ratio about 1.2% ~ 2.4%, false negative ratio about %5 ~ 10% with different kind of attack, attack sending rate and find the attack path in traceback with the false negative rate 8%~12% and false positive rate 12%~16%.