一個以警報為基礎的聯合防禦系統

Abstract

本篇論文提出一個以警報資料為基礎的聯合防禦解決方案。 我們注意到在企業內部很難防止惡意的攻擊，因為每天所產生的大量日誌記錄與警報資料很難分析，造成系統管理員無法掌控狀況且無法針對事件的處理做出立即的決策。病毒、病蟲和特洛伊木馬程式迅速地傳播並擴及全球。論文中，我們探討分析了入侵偵測系統、分散式入侵偵測系統、聯合防禦、警報資料分析與資訊分享機制，發現目前的網路安全系統有許多困境與挑戰點。我們延伸分散式入侵偵測的模式，提出一個聯合防禦的架構。包含警報收集、萃取、分析、回報、資料倉儲和分析。此外我們發展一個混合式的安全資訊分享的方法，就像升起狼煙警告其他夥伴一般，藉由資訊分享，參與電腦安全事件回報團隊的成員能獲得安全防禦相關的解決資訊，例如黑名單、入侵偵查的規則和安全防禦知識。這個架構提供學術界和企業界一個建立有效合作的安全聯防團隊方案。我們進行了評估可行性的實驗，並追查出SQL Slammer蠕蟲的傳播情形。結果發現，透過聯合防禦的機制，廣泛部署系統，能更加準確地追查出攻擊的行為，並且可以協助成員評估威脅的衝擊和採取適當的行動來降低風險。

This thesis proposes a lightweight alert-based collaborative defense solution. We notice that malicious attack is difficult to prevent in the enterprise interior. Because it is hard to analyze a large number of logs and alerts, the administrator can not control the situation and make decision immediately. The Worms, Virus and Trojan spread rapidly, the scale of the problem is large and growing rapidly. Modern Security Systems have many predicaments. We had discussed the intrusion detection, distributed intrusion system, collaborative defense system, security information sharing mechanism and alert analysis in this thesis. We propose a framework for collaborative defense by extending the original distributed intrusion detection model. It contains alert’s collector, extractor, analyzer, report’s generator, alert warehouse and alert’s analysis. Besides, we develop a hybrid approach to share security information like raising the wolf smoke to warn partners. By the security information sharing, the members of CSIRT can obtain the solutions of defense, such as blacklists, detection rules, and security knowledge about alerts. The framework provides a solution to build effective cooperative security teams for academia and industry. We evaluate the feasibility of our framework and track the spreading behaviors of the SQL Slammer Worm. As a result, we can deploy security system more widely and detect the aggressor's behavior more accurately. The alert-based collaborative defense mechanism can help members to evaluate the impact of the threats and take proper actions to mitigate the risk.