
1.1

1.2.3.4.5.1.2

2.1

Host base

Network base

2.1.1 Host base

2.1.2 Network base

On line, Off line

2.1.2.1 On line

2.1.2.2 Off line

2.2 UNIX

UNIX syslogd

Syslogd

2.2.1 http_access_log

IP, GET, POST, HEAD, WEB, protocol HTTP/1.0, HTTP/1.1, URL

2.2.2 sshd_log

sshd

pid, Accepted password, Failed password

sshd

2.2.3 iptables_log

2.2.4 mail_log

2.3

2.4

2.4.1 Fuzzy

2.4.2 Neural Network

2.4.3 SVM

2.4.4 Automata

2.4.5 empirical

2.5 Log

2.5.1 (Denial of Service, DoS): Land, Teardrop, SYN Flood, UDP Flood (Fraggle), Smurf

(Distributed Denial of Service, DDoS)

2.5.2 Log: Apache server access_log, iptables, mail server maillog, ssh sshd

Example: Slapper, Code Red

3.1.1

3.1.1.1

3.1.2

3.1.2.1 (pattern match)

3-1-6 Code Red

3.1.2.1 (pattern match)

3-1-7 Code Red

3.1.2.2 (abnormal behavior analysis)

3-1-8

3.1.2.2 (abnormal behavior analysis)

3-1-9

3.1.2.2 (abnormal behavior analysis)

3-1-10

= 1 / (-) * (-)

3.1.2.3 (abnormal user log trace)

3.1.3

3-1-11

3.1.3.1 log table

1. http_access_log
   id           bigserial NOT NULL
   userIP       inet             (IP)
   userid       character(80)    (ID)
   accessTime   integer
   httpCommand  character(1000)  (http)
   statusCode   integer
   size         integer
   Refer        character(255)
   userAgent    character(255)
   uploadIP     inet             (IP)
   uploadTime   integer

3.1.3.1 log table: http_access_log, sshd_log, iptables_log, mail_log

3.1.3.2 pattern table
   id       bigserial NOT NULL
   pid      character(80)
   ps       character(80)
   name     character(255)
   fname    character(255)
   pattern  character(1000)
   infor    character(255)
   url      character(255)

3.1.3.3 behavior table
   id         bigserial NOT NULL
   b_pid      integer
   ps         character(80)
   name       character(255)
   threshold  integer          (Time)
   fname      character(255)
   Pattern    character(1000)
   infor      character(255)
   url        character(255)

3.1.4

3.1.4.1

3.1.4.2

3.2

3.2.1

1.

2.

3.

4. 3.2 3.2.1

5.

6.

7. 3.2 3.2.2

3.3

3.3.1 Example: 3.3

3.3.2 http_access_log sshd_log

http_access_log IP

sshd_log sshd

4.1

4.1.1

4.1.1.1 Code Red

4-1 Code Red

4.1.1.2 Slapper

4-2 Slapper

4.1.2

4.1.2.1 Unauthorized

http_access_log 4.1.2

4.1.2.2 Failed_password

sshd 4.1.2

4.1.2.3 Try_account

4.1.3

4.2

4-7
