Title: A Distributed Intrusion-Detection Method and Its Applications
Authors: 王銓祺 (Chan Chi Wang)
謝續平 (Shieh Shiuh Pyng)
Institute of Computer Science and Engineering
Keywords: Distributed Processing; Intrusion Detection; Operational Security Problem; Indirect Intrusion; Covert Channel
Issue Date: 1992
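Abstract: This thesis proposes a pattern-oriented intrusion detection model
that uses distributed processing to analyze the propagation of information
and privilege in computer networks, in order to detect direct or indirect
intrusions that exploit operational security problems. The model uses
distributed data processing techniques, which speed up processing, reduce
the amount of data that must be transferred during analysis, and lessen
the load placed on the system. For covert channel detection, we also
propose a method for estimating the maximum usable bandwidth of covert
channels (covert channel bandwidth estimation), with a detailed discussion
of the handling of both finite state channels and infinite state channels.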
In this thesis, we present a distributed, pattern-oriented
intrusion-detection model which can track data and privilege
flows in computer networks. It has the advantage of detecting
context-dependent intrusions such as those caused by
inadvertent execution of foreign programs containing viruses or
Trojan horses, and those caused by network message insertion by
wire-tapping. Our model is the only model to date that detects
intrusions in computer networks by using a distributed analysis
technique. It can enhance the analysis speed and avoid
heavy network traffic load. One of the difficulties of
detecting context-dependent intrusion patterns is the use of
covert storage channels. Some of the covert channels can be
modeled as finite-state graphs while others cannot. In this
thesis, we will present methods to determine and estimate the
maximum bandwidths of both finite-state and infinite-state
channels, and give the problems and basic rules for their measurement.
URI: http://140.113.39.130/cdrfb3/record/nctu/#NT810392067
http://hdl.handle.net/11536/56801
Appears in Collections: Thesis