Title: Adaptive Sequential Hypothesis Testing for Fast Detection of Port/Address Scan
Author: 林建成
Jian-Cheng Lin
Tsern-Huei Lee
Keywords: Network Security; Scanning Worms; Behavior Anomaly; Sequential Hypothesis Testing; First-Contact Connection Request; Adaptive
Publication date: 2006
Abstract: As more network applications and services are provided, network security is receiving increasingly wide attention. Port/address scanning is an anomalous behavior that serves as an important avenue for intruding on hosts on the Internet. Early techniques for detecting port/address scans are based on the observation that malicious hosts scan at high rates. Such approaches are not suitable for detecting scanners with lower scanning rates, and once attackers learn the scanning-rate threshold that triggers alerts, they can easily evade detection. Sequential hypothesis testing is an alternative detection technique that overcomes these problems. Based on the probabilities of success of the first-contact connection attempts sent by a host, sequential hypothesis testing can classify the sender as benign or malicious. If these probabilities are unknown, however, the false positive and false negative rates can be much larger than the desired values. In this master's thesis, we compare several techniques based on sequential hypothesis testing and find them inadequate for a real network, where the connection success probabilities are unknown. We therefore propose a simple adaptive algorithm, built on the sequential hypothesis testing framework, that provides accurate estimates of these probabilities. Simulation results show that the proposed adaptive estimation algorithm greatly improves sequential hypothesis testing, making the test for port/address scans more robust and complete.
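The following is an added example, not code from the thesis: a basic Wald sequential probability ratio test over first-contact outcomes, showing how the false positive rate departs from its target when the assumed success probabilities are wrong. It does not implement the thesis's adaptive estimator; the names `theta0`, `theta1`, `alpha`, `beta` and all numeric values are assumptions chosen for illustration.

```python
import math
import random

def sprt_classify(outcomes, theta0, theta1, alpha=0.01, beta=0.01):
    """Wald's SPRT over first-contact outcomes (True = connection succeeded).

    theta0 / theta1: ASSUMED success probability of benign / scanning hosts.
    alpha / beta: target false positive / false negative rates.
    Returns (verdict, observations_used); verdict is "scanner", "benign",
    or "pending" when the evidence ran out before a threshold was crossed.
    """
    upper = math.log((1 - beta) / alpha)   # crossing it accepts "scanner"
    lower = math.log(beta / (1 - alpha))   # crossing it accepts "benign"
    llr, n = 0.0, 0                        # running log-likelihood ratio
    for n, succeeded in enumerate(outcomes, 1):
        if succeeded:
            llr += math.log(theta1 / theta0)
        else:
            llr += math.log((1 - theta1) / (1 - theta0))
        if llr >= upper:
            return "scanner", n
        if llr <= lower:
            return "benign", n
    return "pending", n

def false_positive_rate(true_success, theta0, theta1, hosts=5000, seed=1):
    """Fraction of simulated benign hosts (constructed data) flagged as scanners."""
    rng = random.Random(seed)

    def attempts():
        # Endless stream of first-contact outcomes for one benign host.
        while True:
            yield rng.random() < true_success

    flagged = sum(
        sprt_classify(attempts(), theta0, theta1)[0] == "scanner"
        for _ in range(hosts)
    )
    return flagged / hosts

if __name__ == "__main__":
    # Detector assumes benign hosts succeed 80% of the time, scanners 20%.
    print("assumption matches reality:", false_positive_rate(0.8, 0.8, 0.2))
    # Real benign hosts succeed only 60% of the time; assumption unchanged.
    print("assumption is wrong       :", false_positive_rate(0.6, 0.8, 0.2))
```

With these constructed parameters the test needs a net four failures or four successes to decide, so a benign population whose real success rate is below the assumed `theta0` drifts toward the scanner threshold far more often than the 1% target.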

