Title: Databases of Samples and Packet Traces for Network Intrusions, Malware, Viruses, Spam and Mobile Security Threats: Collection and Evaluation - Overall Project and Subproject 1: Database of Samples and Packet Traces for Network Intrusions: Collection and Evaluation (I)
Databases of Samples and Packet Traces for Intrusions: Collection and Evaluation (I)
Author: Lin Ying-Dar (林盈達)
Department of Computer Science, National Chiao Tung University
Keywords: Network Intrusion Test; Packet Traces; Sample; Traffic Capturing; Traffic Replay; Traffic Extraction; Sample Evaluation; Packet Traces Evaluation
Publication date: 2012
Abstract: To improve the quality of information and communication security equipment and to verify its functionality, the National Communications Commission (NCC) of Taiwan has established a set of security testing criteria for such equipment; intrusion detection/prevention (IDP) systems and web application firewalls (WAFs) are among the devices tested. The goal of the first year of this project is to collect the packet traces, programs and tools for the network intrusion techniques published by CVE (Common Vulnerabilities and Exposures) and OWASP (Open Web Application Security Project), for use in testing IDP and WAF equipment. Live network traffic is an important source of intrusion traces and samples, so we plan to use traffic-replay testing tools that provide traffic capturing, traffic replay and traffic extraction, and with them to isolate attack traffic and attack programs. In addition, building on currently available open-source and commercial attack tools, we will develop an attack tool that generates the principal attack types published by CVE and OWASP. Finally, we will exchange traces and samples with other organizations to complete the collection and store it in a packet-trace/sample database. The goal of the second year is to evaluate the collected traces and samples according to the false-positive (FP) and false-negative (FN) results they produce when replayed against IDP equipment, classifying each trace or sample as easy or difficult to distinguish. The database can then be organized by difficulty of detection, and the same results rank the level of testing that a device under test passes. Once the collection and evaluation of intrusion traces and samples are complete, they can be merged with the traces and samples collected by subprojects 2, 3 and 4 to broaden the variety and scope of the packet-trace and sample databases.
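The second-year evaluation step, classifying each trace or sample as easy or difficult to distinguish from the FP/FN verdicts of several devices and ranking the devices by the same verdicts, as an added worked example in Python. This is not code from the project; the device names, sample identifiers, verdicts, the 0.5 difficulty threshold and the combined-error ranking metric are all constructed assumptions.

```python
"""Classify packet traces/samples by detection difficulty from per-device FP/FN verdicts.

Added illustration of the evaluation step described in the abstract; not the
project's own code. Every name and verdict below is constructed for the example.
"""

# Constructed ground truth: sample id -> True if the trace carries an attack,
# False if it is benign traffic included to measure false positives.
GROUND_TRUTH = {
    "cve-sample-A": True,
    "cve-sample-B": True,
    "owasp-sample-C": True,
    "owasp-sample-D": True,
    "benign-E": False,
    "benign-F": False,
}

# Constructed verdicts: device -> {sample id: True if the device raised an alert}.
DEVICE_VERDICTS = {
    "idp-1": {"cve-sample-A": True, "cve-sample-B": True, "owasp-sample-C": True,
              "owasp-sample-D": False, "benign-E": False, "benign-F": True},
    "idp-2": {"cve-sample-A": True, "cve-sample-B": True, "owasp-sample-C": False,
              "owasp-sample-D": False, "benign-E": False, "benign-F": False},
    "idp-3": {"cve-sample-A": True, "cve-sample-B": False, "owasp-sample-C": True,
              "owasp-sample-D": False, "benign-E": True, "benign-F": True},
}


def confusion(verdicts, truth=GROUND_TRUTH):
    """Confusion counts and FP/FN rates for one device.

    `verdicts` maps sample id -> alerted?; a sample with no recorded verdict
    is treated as "no alert" (a miss if it was an attack).
    """
    counts = {"tp": 0, "fp": 0, "tn": 0, "fn": 0}
    for sample, is_attack in truth.items():
        alerted = verdicts.get(sample, False)
        if is_attack:
            counts["tp" if alerted else "fn"] += 1
        else:
            counts["fp" if alerted else "tn"] += 1
    attacks = counts["tp"] + counts["fn"]
    benign = counts["fp"] + counts["tn"]
    counts["fn_rate"] = counts["fn"] / attacks if attacks else 0.0
    counts["fp_rate"] = counts["fp"] / benign if benign else 0.0
    return counts


def sample_error_rates(device_verdicts=DEVICE_VERDICTS, truth=GROUND_TRUTH):
    """Fraction of devices that got each sample wrong: a miss (FN) for an
    attack sample, a false alert (FP) for a benign one."""
    rates = {}
    for sample, is_attack in truth.items():
        wrong = sum(1 for v in device_verdicts.values()
                    if v.get(sample, False) != is_attack)
        rates[sample] = wrong / len(device_verdicts)
    return rates


def classify_samples(device_verdicts=DEVICE_VERDICTS, truth=GROUND_TRUTH,
                     threshold=0.5):
    """Split samples into 'easy' and 'difficult' to distinguish.

    Threshold is an assumption of this example: a sample that at least half of
    the devices get wrong is labelled 'difficult'. Lists are sorted by sample id.
    """
    buckets = {"easy": [], "difficult": []}
    for sample, rate in sorted(sample_error_rates(device_verdicts, truth).items()):
        buckets["difficult" if rate >= threshold else "easy"].append(sample)
    return buckets


def rank_devices(device_verdicts=DEVICE_VERDICTS, truth=GROUND_TRUTH):
    """Order devices best-first by combined error (fn_rate + fp_rate).

    The combined-error metric is an assumption of this example; a real test
    programme would weight FN and FP according to its criteria.
    """
    scored = {name: confusion(v, truth) for name, v in device_verdicts.items()}
    return sorted(scored,
                  key=lambda n: (scored[n]["fn_rate"] + scored[n]["fp_rate"], n))


if __name__ == "__main__":
    for name, verdicts in DEVICE_VERDICTS.items():
        print(name, confusion(verdicts))
    print("sample error rates:", sample_error_rates())
    print("classification:", classify_samples())
    print("device ranking (best first):", rank_devices())
```

In a real evaluation the verdict matrix comes from replaying each stored trace at the device under test and collecting its alerts; the same per-sample error rate then doubles as the difficulty grade stored alongside the sample in the database, and the per-device rates give the testing level a device reaches.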
Official document #: NSC101-2219-E009-024
URI: http://hdl.handle.net/11536/98704
https://www.grb.gov.tw/search/planDetail?id=2596437&docId=393119
Appears in collections: Research Projects