以Snort為基礎的混合入侵偵測系統之研究

Abstract

在網際網路發展的如此迅速與電子商務熱潮的推波助瀾的情況下，為了順應時代的潮流不得不增加公司內部對外的頻寬，在兩岸三地都有設立辦公室的中小企業公司大多以架設公司對內及對外的入口網站，整合通訊及視訊系統來達到節省費用的目的，或是企業與企業之間資料交換的服務，來增加公司的競爭力，隨著各種各樣的網路服務蓬勃發展所賜，越來越多的終端設備均可透過網際網路來取得服務，目前中小企業最擔心的前三名的資訊安全管理的問題分別是惡意程式入侵、其次是資料外洩與行動裝置控管，而員工上網行為管理及缺乏資訊人力來管理相關的問題是主要的原因。 一般中小企業是以封鎖方式為資訊安全管理的標準處理方式，所以一般公司的資訊管理人員都是透過防火牆的建置來過濾網路的封包及阻擋威脅，但由於公司內部員工因為沒有受過專業的訓練，僅具備一般資訊安全的防護觀念，往往無法有效的阻檔日新月異的惡意活動。因此本研究結合了誤用偵測(Misuse Detection)和異常偵測(Anomaly Detection)來增加偵測率減少誤報率，其誤用偵測將以Snort為偵測引擎，而異常偵測將實作時間序列分析法中Holt-Winters預測演算法對所擷取的網路流量資料來偵測異常，架構出整個入侵偵測系統，PIDS是位於在某中小企業公司的Core Switcher的某一個端口透過Port Mirroring的方式所擷取的網路封包，經過本研究的整合分析誤用偵測模組及異常偵測模組所產生的警訊後，以其所產生的入侵警報讓網路管理人員瞭解目前網路的異常狀況，藉此擬定因應的措施，以達到提升公司網路安全的目的

Under the activities of Internet and e-commerce are developed more and faster and big than before, these SMEs (Small and Medium Enterprise) must to face the majority problem is to provide more network bandwidth to meet business requirement which had build site office in different location between Taiwan, Hong Kong and China. These SMEs need to set up the company internal and external portals, communications and video systems integration to achieve cost-saving purposes, or data exchange between enterprises and service enterprises to increase the competitiveness of the company. With the vigorous development of various network services, more and more terminal equipment could be obtained those services via the Internet. These SMEs are most concerned about the current top three information security management issues are malware invasion, followed by control data leakage and mobile devices, and employee Internet access management and lack of manpower to manage the related information is the main cause of the problem. The information security management policy of these SMEs is to block the inbound and outbound network traffic, so the implementation is built on controlling the traffic flow through the firewall to filter network packets and blocking threats. However, due to internal staff they did not have enough information security training, only with the general concept of information security protection, so they are often unable to effectively detect and prevent those malicious activities. In this study combines the misuse detection and anomaly detection to increase the detection rate decreased false alarm rate, the misuse detection engine will be implemented on Snort detection system and anomaly detection engine will be implemented in time series analysis of the Holt-Winters prediction algorithm to capture network traffic data to detect abnormal behavior to contracture the entire intrusion detection system. PIDS captured network packets via core switcher through the port mirroring methodology and those network packets will be detected by the misuse detection module and anomaly detection module to detect the abnormal behavior to generate alerts. Network administrators could use those intrusion alerts to understand the current network of abnormal conditions, to develop response measures to achieve the objective of upgrading the campus network security.