發掘可疑網路行為的聯合防禦分析方法

Abstract

隨著網路入侵工具的快速普及，網路入侵事件的型態也逐漸改變。參考最新的網路安全威脅報告，網路入侵行為正朝向隱密化與目標特定化而演進。許多研究已經針對底層的網路資料分析網路入侵行為，例如入侵偵測系統（IDS）；然而這些方法可能產生數量龐大的錯誤警報，要從這些含錯誤警報的資料中找到有用的資訊，管理者須具備相關的經驗或知識。為了減輕管理者的負擔，必須先系統化擷取出有用的未知攻擊序列，再由管理者進行主機修復與攻擊事件研究。然而每種不同的攻擊都有自己的特性，目前並沒有任何單一方法可以完美的分析網路警報而同時找出實際的多種入侵。在這篇論文中，我們提出一個基於聯合防禦概念的可疑網路行為探勘知識（CDSNB）架構。這個架構主要包含三個階段的演算過程：分別是資料前處理階段，警報過濾階段及聯合分析階段。資料前處理階段被用來區分符合某些特定條件的主機，作為聯合分析階段的目標主機群組；此外，警報資料依據聯合分析階段的需求，被轉換成特定的資料格式。因為充斥錯誤警報，警報過濾階段便藉由建立警報的過濾模型（FM），藉此過濾多數的錯誤警報，以作為聯合分析階段的可靠資料來源。聯合分析階段則是從多台具有特定條件主機的觀點，分析各種攻擊模式，並將結果轉化為容易分析的格式提供管理者作為參考。在這個知識導向的分析架構下，系統與管理者不斷進行互動，彈性的協助管理者進行各階段適當的演算法決策。最後，管理者可藉由經過整合的可疑入侵資訊，進行事件防禦或是修復主機弱點，甚至追溯攻擊起源。因此，我們希望可以藉此達到有效預防攻擊，並準確發掘新的攻擊模式，並同時減低管理者在分析階段的負擔。

As the rapid growth of network attacking tools, patterns of network intrusion events change gradually. Referring to the newest Symantec Internet Security Threat Report, we found that network intrusion behaviors evolve into more hidden and target-specific behaviors. There are many researches had been proposed to analyze network intrusion behaviors in accordance with low-level network data. However, since these researches might suffer a large mount of false alerts, it is very difficult for network administrators to discover useful information from these alerts. To reduce the load of administrators, by collecting and analyzing unknown attack sequences systematically, administrators can do the duty of fixing the root causes and researching attack events. However, due to the different characteristics for each intrusion, there is no single analysis method which can correlate IDS alerts perfectly and discover all kinds of real intrusion patterns up to the present. Therefore, a knowledge-based framework for Collaborative Discovering Suspicious Network Behaviors (CDSNB) is proposed in this thesis. The framework of CDSNB consists of three phases: Data Preprocessing Phase, Alert Filtering Phase and Collaborative Analysis Phase. The Data Processing Phase is used to divide sensors into groups with specific system and network profiles, and IDS alerts of these groups are transformed into alert transactions with specific data formats according to requirements in the Collaborative Analysis Phase. Because of numerous of false alerts, the Alert Filtering Phase is used to construct Filter Model (FM) of sensors in specific group to filter most false alerts. The Collaborative Analysis Phase is used to analyze each alert pattern and classify the results into aggregated information for administrators as references of intrusion defense in the viewpoint of specific sensor groups with similar backgrounds and behaviors. In this knowledge-based analysis framework, the system interacts with administrators to assist them making appropriate decisions in each phase. According to the urgent situations of different levels, Network administrators can do event protecting or vulnerability repairing, even or cause tracing of attacks. Therefore, the knowledge-based framework of CDSNB can prevent attacks effectively, find novel attack patterns exactly and reduce the load of administrators efficiently.