《认识网路安全与异常侦测.ppt》由会员分享,可在线阅读,更多相关《认识网路安全与异常侦测.ppt(88页珍藏版)》请在taowenge.com淘文阁网|工程机械CAD图纸|机械工程制图|CAD装配图下载|SolidWorks_CaTia_CAD_UG_PROE_设计图分享下载上搜索。
Understanding Network Security and Anomaly Detection (認識網路安全與異常偵測)
National Central University, Computer Center, Susan Yang (楊素秋), 13 November 2007 (ROC year 96)
2007 Susan Yang, Computer Center, National Central University.

Outline
1. Network security problems: viruses, worms, DoS attacks
2. Network security countermeasures: customer-based countermeasures, ISP-based countermeasures
3. Detection & Notification System: end-based, LAN-based, WAN-based (ISP)
4. Conclusion

1. Network security problems
Network security challenges:
- Viruses: large amounts of program replication.
  - Mail virus: attached in email; infects the system when the user clicks the attachment; resends large amounts of the mail virus.
  - Self-propagating programs spread through browsing toxic web pages.
- Worms: self-propagating programs that spread over the Internet by scanning the network for vulnerable machines and infecting them. Evolution of network worms:
  - Spread through a system vulnerability: CodeRed (Jul 2001)
  - Spread through a system vulnerability & tftpd: Nimda, Nachi (Sep 2001)
  - Spread through a system vulnerability & mail virus: SoBig (Aug 2003), MyDoom (Jan 2004), Bagle (2004)
  - Spread through a system vulnerability & toxic web pages: Stanty (Dec 2004)
- BotNet: a zombie army, distributed through IRC (network chat rooms) on 6667/tcp.
- DoS attack: slams well-known web servers (Microsoft's, Google, ...); a flooding-based DDoS attack causes a significant performance decline of the network link.
- Identity theft: spyware, phishing (banks, eBay, PayPal, ...).
- Technical hackers show their skill; technical hackers + criminal gangs make enormous profits.
- The weak link in Internet security: a significant population of Internet users do not adequately secure their desktops.

2. Network security countermeasures
Where security countermeasures could be invoked:
- Customer-based countermeasures
- ISP-based countermeasures (ISP core/edge/access routers)

Customer-based countermeasures:
- Anti-virus software
- Firewall, IDS
- OS vendor software patches: Windows Update, Linux up2date
- Software vendors' security improvements
- Desktop vulnerability checking
- Firewall = secure? (Incorrect)

Why ISPs are uniquely positioned to help (John E. H. Clark, Feb 2003):
- Traffic gateway: all traffic between the Internet and the customer's desktop passes through the ISP's access network.
- Skilled network managers.
- Well-organized network user information.
- High efficiency, wide-range protection.

ISP-based countermeasures:
a) Measuring & monitoring traffic to/from customers
b) Bi-directional IPS at ISP access (50%-60% of junk attack traffic)
c) Ingress address filtering at ISP access, in-line with the traffic being monitored
d) User awareness & training effort

3. Detection & Notification System
- Signature detection: packet payload.
- Anomaly detection:
  - Packet-based: tcpdump (snooped over subnetworks)
  - Flow-based: NetFlow (exported by router/switch)

Our work:
An infected or misused host system continuously and frequently establishes network connections to one or many hosts. Traffic characteristics of the excess traffic originating from an infected host:
- a sharp rise in flow connections
- a sharp rise in packet volume
- the period of excess traffic is noticeably prolonged
This work captures the NetFlow records exported by the node router and implements a Flooding Detection System (FDS).

PortScan traffic characteristics:
- The many PortScan flows the source host requests concentrate on specific vulnerable ports, while the port numbers from which the destination hosts reply to the source host are scattered over the wide range 1024-65535.

Three NetFlow identification features are chosen: (1) source IP address (src_IP), (2) destination application port (dst_port), (3) small TCP packets. The feature-based traffic accumulation program therefore sums only source hosts that send SYN|FIN TCP handshaking packets at excessive rates toward specific vulnerable ports on large numbers of networked hosts, which makes the PortScan problem hosts stand out.

SMTP flooding (spam) traffic characteristics (similar to the PortScan traffic pattern):
- The spam source host continuously sends excess SMTP (Simple Mail Transfer Protocol) traffic to many hosts.
- The host's outbound connection count rises suddenly.
- The period of excess SMTP sending is also noticeably prolonged.

Packet flooding traffic characteristics:
- Huge volumes of UDP/ICMP flooding packets deny the chosen host's external services and congest the routing segments along the path.
- The accumulation program takes the source (src_IP) as the virtual flow and counts only the very large UDP/ICMP packet/byte/flow traffic each source IP sends, to detect and automatically report DDoS attacks.

Flooding anomaly detection system:
- The feature-based traffic accumulation/sorting program sums, for every source IP host, the flow count, packet count, byte count and mean packet size sent toward each destination port (the traffic variables).
- The multi-threshold anomaly detection program accumulates, per time period, flow_source_i, packet_source_i, byte_source_i and pkt_size_source_i established by each source host, sums duration_source_i (the period over which it sends excess TCP packets), compares them with the estimated thresholds, and filters out the PortScan sources.

Automatic notification of flooding anomalies:
- Extract the ip_routing table from the router's ipRoute SNMP MIB.
- Build and start an RWhois IP management data query system.
- Read the anomaly traffic data and notify automatically.

Automatic notification of flooding anomalies (cont.):
- Capture the tens of thousands of routing entries of the backbone router: snmpwalk ipRouteMask (1.3.6.1.4.21.2.1.11), snmpwalk ipRouteNextHop (1.3.6.1.4.21.2.1.7).
- Extract/rebuild the large ip_routing records.
- Build a database conforming to the RWhois network schema, joining the NextHop records with management contact information.
- IP management information query for the connected schools: http://susan.tyc.edu.tw/yang/rwhois.php?ip

4. Conclusion
The Flooding anomaly Detection System (FDS) aggregates the router's NetFlow records to automatically detect PortScan, spam and packet flooding attack traffic; through queries to the Rwhoisd IP management information it automatically reports the concrete anomalous traffic to the network user concerned, prompting them to harden the system's security and block the flooding attack.
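The feature-based accumulation and multi-threshold PortScan filter described in section 3, as an added worked example in Python (not the FDS code from the talk): the NetFlow records, the 5-minute window and the threshold values are constructed assumptions.

```python
from collections import defaultdict, namedtuple

SYN, FIN, ACK = 0x02, 0x01, 0x10  # TCP flag bits as carried in a NetFlow v5 tcp_flags field
# One NetFlow record (constructed for this example): ts = start seconds, src = src_IP (feature 1),
# dport = dst_port (feature 2), proto 6 = TCP, flags = OR of TCP flags seen, pkts/octets = volume.
Flow = namedtuple("Flow", "ts src dst dport proto flags pkts octets")

def is_small_handshake(f):
    """Identification feature 3: a TCP flow made only of small SYN/FIN handshaking packets."""
    return f.proto == 6 and bool(f.flags & (SYN | FIN)) and 0 < f.pkts <= 3 and f.octets / f.pkts <= 64

def accumulate(flows, window=300):
    """Feature-based accumulation: per (src_IP, dst_port) sum flows, packets, bytes, distinct
    destinations and the 5-minute windows the source was active in (its duration)."""
    acc = defaultdict(lambda: {"flows": 0, "pkts": 0, "bytes": 0, "dsts": set(), "win": set()})
    for f in filter(is_small_handshake, flows):
        a = acc[(f.src, f.dport)]
        a["flows"] += 1
        a["pkts"] += f.pkts
        a["bytes"] += f.octets
        a["dsts"].add(f.dst)
        a["win"].add(f.ts // window)
    return acc

# Assumed thresholds; the talk only says they are estimated from the measured traffic.
THRESH = {"flows": 50, "dsts": 40, "mean_pkt_size": 64, "duration": 2}

def detect_portscan(flows, window=300, thresh=THRESH):
    """Multi-threshold filter: a (src_IP, dst_port) pair is a PortScan source only when flow
    count, distinct destinations, mean packet size and active duration all cross the limits."""
    hits = []
    for (src, dport), a in accumulate(flows, window).items():
        mean_size, duration = a["bytes"] / a["pkts"], len(a["win"])
        if (a["flows"] >= thresh["flows"] and len(a["dsts"]) >= thresh["dsts"]
                and mean_size <= thresh["mean_pkt_size"] and duration >= thresh["duration"]):
            hits.append((src, dport, a["flows"], len(a["dsts"]), round(mean_size), duration))
    return sorted(hits, key=lambda h: -h[2])

def sample_flows():
    """Constructed records: 192.0.2.9 SYN-probes tcp/445 on 60 hosts over ten minutes, while
    192.0.2.7 is a normal web client completing five full connections to one server."""
    scan = [Flow(1000 + i * 10, "192.0.2.9", f"198.51.100.{i + 1}", 445, 6, SYN, 1, 48) for i in range(60)]
    web = [Flow(1000 + i, "192.0.2.7", "198.51.100.200", 80, 6, SYN | ACK | FIN, 20, 12000) for i in range(5)]
    return scan + web

if __name__ == "__main__":
    for hit in detect_portscan(sample_flows()):
        print("PortScan src=%s dst_port=%d flows=%d dsts=%d mean_pkt=%dB windows=%d" % hit)
```

The web client never enters the accumulator because its flows carry payload-sized packets, so only the scanner survives all four thresholds.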
4. Conclusion (cont.)
Experience from several years of use:
- The anomaly detection system at the network aggregation point detects the ever-changing portscan traffic (the vulnerable ports keep changing), spam and packet flooding events.
- Concrete flooding traffic figures help network managers pin down the anomalous source host, contact the user and analyze the host's flooding behaviour.
Thank You!

Taoyuan Regional Network (桃園區網): Distribution of Abuse Notifications
National Central University, Computer Center, Susan Yang (楊素秋)

Outline
1. Automatic forwarding of abuse complaints
2. Annual abuse statistics
3. Abuse statistics by category
4. P2P traffic target system: http://163.25.255.22/yang/index_abuse_emule.php, http://163.25.255.22/yang/index_abuse_emule_port.php
5. Summary

1. Automatic forwarding of abuse complaints
Abuse complaint forwarding system:
- The system periodically picks up the abuse complaint mail file (/var/mail/abuse).
- It splits and classifies the abuse notification mails: PortScan/password cracking (security vulnerability scans), Spam (advertising/pornographic mail), Infringement (intellectual property violations), Phishing (online fraud).
- It forwards them to the responsible staff and stores a record in the database.

Processing steps:
1. Read the mail file and split/store each individual message.
2. Run dbacl (digramic Bayesian text classifier) to classify each message's abuse type (spam, infringe, portscan, phish).
3. Scan for the target IP addresses and store the IP and abuse category.
4. Using the IP as key, connect to the RWhois server to look up the administrator's email, and send the original message to the corresponding administrator.
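The four processing steps above, as an added example in Python (not the talk's own scripts): the mailbox content, the administered address block and the RWhois contact table are constructed, and a keyword scorer stands in for the trained dbacl classifier.

```python
import ipaddress, re
from email import message_from_string

# Constructed stand-in for the abuse mailbox (/var/mail/abuse in the talk): two complaints.
MBOX = """\
From reporter@example.net Mon Nov  5 10:00:00 2007
Subject: Port scan from your network

Our IDS logged 198.51.100.23 scanning tcp/445 across 203.0.113.0/24 on 2007-11-05.

From notices@example.org Mon Nov  5 11:30:00 2007
Subject: Notice of copyright infringement

Host 198.51.100.200 is sharing a copyrighted work over BitTorrent.
"""
LOCAL_NET = ipaddress.ip_network("198.51.100.0/24")  # constructed: the address block we administer
# Keyword scores standing in for dbacl's trained categories (spam, infringe, portscan, phish).
KEYWORDS = {"portscan": ("port scan", "scanning", "password"), "infringe": ("copyright", "infringement"),
            "phish": ("phishing", "fake login"), "spam": ("unsolicited", "spam")}
# Constructed contact table standing in for the RWhois server, keyed by network prefix.
RWHOIS = {ipaddress.ip_network("198.51.100.0/25"): "netadmin-a@example.edu",
          ipaddress.ip_network("198.51.100.128/25"): "netadmin-b@example.edu"}

def split_mbox(text):  # step 1: cut the mbox file into messages at the 'From ' separator lines
    return [m for m in re.split(r"^From .*\n", text, flags=re.M) if m.strip()]

def classify(text):
    """Step 2: the abuse type with the most keyword hits, or 'unknown' when nothing matches."""
    text = text.lower()
    scores = {cat: sum(text.count(k) for k in kws) for cat, kws in KEYWORDS.items()}
    best = max(scores, key=scores.get)
    return best if scores[best] else "unknown"

def target_ips(text):
    """Step 3: only addresses inside LOCAL_NET are targets; the reporter's own hosts are ignored."""
    found = {ipaddress.ip_address(m) for m in re.findall(r"\b(?:\d{1,3}\.){3}\d{1,3}\b", text)}
    return sorted(ip for ip in found if ip in LOCAL_NET)

def lookup_contact(ip):  # step 4: the RWhois lookup, here a prefix match against the table
    return next((mail for net, mail in RWHOIS.items() if ip in net), None)

def process_mailbox(text=MBOX):
    """Return (abuse_type, target_ip, admin_contact, subject) for each complaint to forward."""
    out = []
    for raw in split_mbox(text):
        msg = message_from_string(raw)
        cat = classify(msg["Subject"] + " " + msg.get_payload())
        for ip in target_ips(msg.get_payload()):
            out.append((cat, str(ip), lookup_contact(ip), msg["Subject"]))
    return out
```

Each tuple returned is what the forwarding step needs: the original message goes to the contact, and the (IP, category) pair is what the talk stores for the on-demand statistics pages.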
1. Automatic forwarding of abuse complaints (cont.)
System results:
- Saves one network administrator's worth of labour for handling abuse notifications.
- Forwards notifications immediately; no delays because of holidays.
- Database records provide an on-demand abuse data query web page.

2. Annual abuse statistics
- ROC year 93 (2004)
- ROC year 94 (2005)
- ROC year 95 (2006)
- ROC year 96 (2007)
[Chart slides: annual abuse statistics]

3. Abuse statistics by category
- Infringement
- Spam
- PortScan
- Phishing
[Chart slides: abuse statistics by category; one chart covers the 163.30.*.* address block]

4. Abuse history query
- URL: monthly statistics of abuse complaints by category; select year and month (e.g. 96-01 ... 95-12).
[Chart slides: abuse history query pages]

5. P2P traffic target system
Features of P2P traffic:
- Packet size: large packets
- Connections: many to many
- Duration: lasts longer
- Traffic volume: large amounts
URLs of the TYC P2P traffic statistics:
- http://163.25.255.22/yang/index_abuse_emule.php
- http://163.25.255.22/yang/index_abuse_emule_port.php
[Chart slides: P2P traffic statistics]

6. Summary
An increasingly complete network security defence:
- Technique: regional network: Flood Detection System; campus network: firewall, IDS; user end: firewall, antivirus package.
- Educating end users: protect PCs from being exploited as stepping stones.
- Security policy.
- Management support.

6. Summary (cont.)
Putting an end to the dark side of the network:
- Increase awareness
- Educate users
- Implement organization policies
- Use technology to protect against these threats: Flooding Detection System

6. Summary (cont.)
Work in progress:
- Compiling and sharing network security documents
- Compiling network management tools and their documentation
- Content-based network intrusion detection system: mining, detection

Performance Evaluation of the University System of Taiwan (台聯大) International Link
National Central University, Computer Center, Susan Yang (楊素秋), 8 October 2007

Outline
1. Motivation
2. Changes in the main external trunk traffic
3. Changes in the delay of fetching files from foreign websites
4. Conclusion

1. Motivation
The UST international link:
- Cost: 2 million per year
- Performance:
  - Trunk traffic statistics (MRTG graphs)
  - Ping (RTT): some firewalls do not allow ping traffic
  - User-sensitive traffic statistics: delay for fetching a png or pdf file from Cisco, HP, 3Com, Ubuntu, ...

2. Main external trunk traffic
- Campus core router 7609 to the UST international link
- National Central University to the Taoyuan regional network
- Taoyuan regional network to the TANET backbone
[Chart: campus core router to UST link traffic]
[Chart: NCU to Taoyuan regional network traffic]
[Chart: Taoyuan regional network to TANET backbone traffic]

2. Main external trunk traffic (cont.)
- Changes in TANET international traffic
- Changes in UST international traffic
[Chart: TANET international traffic changes]
[Chart: UST international traffic changes]

3. Delay of fetching files from foreign websites
Performance comparison web page (the URL is truncated in the slide text: http:/); collectors: NCU_Link, TYC_Link (163.25.254.7).

3. Delay of fetching files from foreign websites (cont.)
- 2007-Aug & 2007-Sep: 8/17-8/31, 9/1-9/30
- 2007-Oct: 10/3 (NCTU_DORM link down), 10/9 (NCTU_DORM restored), 10/15 (TWGATE corrected the routing path), 10/16-10/31
[Chart slides: fetch-delay comparisons]

4. Subroutine functions
- delay2.java: get(), main()
- wget_stat.sh: called from crontab to run delay2 routinely

delay2.java, reconstructed from the slide text. The slide showed only get() and main(); the imports, the class wrapper and a minimal createAFile() are supplied here so that it compiles. The program only measures fetch delay, so reading the (binary) file line by line is fine for its purpose.

```java
import java.io.*;
import java.net.MalformedURLException;
import java.net.URL;
import java.text.SimpleDateFormat;
import java.util.Date;

public class delay2 {
    // Set by get() and read by main() when writing the log line, so it must be static.
    static String theUrl_name;

    public void get(String theUrl, String filename) throws IOException {
        theUrl_name = theUrl;
        try {
            URL gotoUrl = new URL(theUrl);
            InputStreamReader isr = new InputStreamReader(gotoUrl.openStream());
            BufferedReader in = new BufferedReader(isr);
            StringBuffer sb = new StringBuffer();
            String inputLine;
            // grab the contents at the URL
            while ((inputLine = in.readLine()) != null) {
                sb.append(inputLine + "\r\n");
            }
            in.close();
            // write it locally
            createAFile(filename, sb.toString());
        } catch (MalformedURLException mue) {
            mue.printStackTrace();
        } catch (IOException ioe) {
            throw ioe;
        }
    }

    // Not shown on the slides; minimal version that writes the fetched text to filename.
    static void createAFile(String filename, String content) throws IOException {
        BufferedWriter w = new BufferedWriter(new FileWriter(filename));
        w.write(content);
        w.close();
    }

    public static void main(String[] args) {
        Date date = new Date();
        SimpleDateFormat day = new SimpleDateFormat("MMdd");
        SimpleDateFormat df = new SimpleDateFormat("MMddHH");
        // System.out.println(df.format(date));
        String day_file = day.format(date);
        String cur_hour = df.format(date);
        String filename = "/home/Ncu_Link/" + day_file;   // one log file per day, appended to
        try {
            BufferedWriter out = new BufferedWriter(new FileWriter(filename, true));
            out.write("\n Hour " + cur_hour);
            long elapsedtime = System.currentTimeMillis();
            out.write("\n From " + elapsedtime + " msec. |");
            delay2 httpGetter = new delay2();
            httpGetter.get(args[0], args[1]);
            // The slide wrote the start time here a second time; the end time is what "To" means.
            long endtime = System.currentTimeMillis();
            out.write("\n To " + endtime + " msec. |");
            elapsedtime = endtime - elapsedtime;
            out.write("\n It takes " + elapsedtime + " msec. " + theUrl_name + "\n");
            out.close();
        } catch (Exception ex) {
            ex.printStackTrace();
        }
    }
}
```

wget_stat.sh as shown on the slide; the batch_home value and the URL hosts were not preserved in the slide text, so the remote file names appear here exactly as they survived.

```csh
#!/bin/csh -f
setenv CLASSPATH .
set batch_home = PLACEHOLDER_BATCH_HOME   # value not preserved in the slide text
# add every jar under lib/ to the classpath
set flist = `/bin/ls $batch_home/lib/*.jar`
foreach name ($flist)
    setenv CLASSPATH ${CLASSPATH}:$name
end
cd $batch_home
# one fetch per vendor file: <remote URL> <local file name>
java delay2 http:/ba_partnerLocato_blue.jpg cisco.jpg
java delay2 primary_smb_msg_730.jpg hp.jpg
java delay2 -001.pdf 3com.pdf
java delay2 g ubuntu.png
```

Sample log output (only fragments survived extraction): two runs stamped "Date 111900 It takes 922" and "Date 111904 It takes 1079", each followed by the names of the fetched files (_partnerLocato_blue.jpg, ...smb_msg_730.jpg, ...001.pdf).

4. Subroutine functions (cont.)
- LinkPerf.java: extracts the data recorded per 4-hour period, aggregates the mean delay (msec) and outputs it to another file.

Aggregated mean delay (msec) per day; the four column labels (before each "=" in the slide) did not survive extraction:

Date  Day  (1)    (2)     (3)   (4)
1101  Thu  774    13443   800   1115
1102  Fri  847    12825   815   1025
1103  Sat  1074   13578   853   1225
1104  Sun  672    15053   821   1071
1105  Mon  824    13240   837   1065

4. Subroutine functions (cont.)
- Browse.jsp: lets the user monitor the aggregate data records.
- Times_both.jsp: draws the time-series graph from the aggregate data records, calling the JFreeChart libraries.
[Chart slides: Browse.jsp and Times_both.jsp output]

5. Conclusion
- TYC_Link/NCU_Link international connection performance analysis.
- Using the Java/JSP languages: (1) progress was slow, but it was a first taste of how powerful the Java population & resources are; (2) although I had studied both Java and JSP, I did not have much of a concept of them; verifying step by step and using Socket, File and regex (pattern, match, scanner) to implement small functions was great fun.

5. Conclusion (cont.)
- Using JFreeChart: time series chart, bar chart, pie chart.
- Measured data can be presented dynamically and graphically.
Thank You!
48、ersity.2007 Susan Yang,Computer Center,National Central University.5.結語qTyc_Link/Ncu_Link國外連線效能分析 q使用使用 JAVA/JSP 語言語言(1)進度緩慢,卻能初體驗JAVA population&resources的強大.(2)雖然JAVA,JSP都K 過,但沒有太多概念.步步驗證使用 Socket,File,regex(pattern,match,scanner)實做小小的功能,很有趣.2007 Susan Yang,Computer Center,National Central University.5.結語(cont.)q使用 Jfreechart Time series chartBar chartPie chartq能動態地,圖型化地呈現量測數據Thank You!