Understanding Network Security and Anomaly Detection

Uploader: re****.1 | Document ID: 585586611 | Uploaded: 2024-09-02 | Format: PPT | Pages: 88 | Size: 2.42MB

Understanding Network Security and Anomaly Detection
National Central University, Computer Center, Susan Yang (楊素秋)
13 November 2007 (ROC year 96)
2007 Susan Yang, Computer Center, National Central University.

Outline
1. Network security problems: viruses, worms, DoS attacks
2. Network security countermeasures: customer-based countermeasures; ISP-based countermeasures
3. Detection & Notification System: end-based, LAN-based, WAN-based (ISP)
4. Conclusion

1. Network security problems
The challenges of network security:
- Viruses: programs that replicate themselves in large numbers.
- Mail viruses: arrive attached to email; infect the system once the user is lured into clicking the attachment; then resend large volumes of mail virus.
- Self-propagating programs, spread through browsing toxic web pages.

1. Network security problems (cont.)
Worms: self-propagating programs that spread over the Internet by scanning the network for vulnerable machines and infecting them.
Evolution of network worms:
- Spread through a system vulnerability: CodeRed (Jul 2001)
- Spread through a system vulnerability and tftpd: Nimda, Nachi (Sep 2001)
- Spread through a system vulnerability and mail virus: SoBig (Aug 2003), MyDoom (Jan 2004), Bagle (2004)
- Spread through a system vulnerability and toxic web pages: Stanty (Dec 2004)

1. Network security problems (cont.)
- BotNet: a zombie army, distributed through IRC (network chat rooms) on 6667/tcp.
- DoS attack: slams well-known web servers (Microsoft's, Google, ...); flooding-based DDoS attacks cause a significant performance decline of the network link.
- Identity theft: spyware, phishing (banks, eBay, PayPal, ...).

1. Network security problems (cont.)
- Technical hackers: show their skill.
- Technical hackers + criminal gangs: enormous profits.
The weak link in Internet security: a significant population of Internet users do not adequately secure their desktops.

2. Network security countermeasures
Where security countermeasures can be invoked:
- Customer-based countermeasures
- ISP-based countermeasures (at ISP core/edge/access routers)

2. Network security countermeasures (cont.)
Customer-based countermeasures:
- Anti-virus software
- Firewall, IDS
- OS vendor software patches: Windows Update, Linux up2date
- Software vendors' security improvements
- Desktop vulnerability checking
Firewall = secure? (Incorrect.)

2. Network security countermeasures (cont.)
Why ISPs are uniquely positioned to help (John E.H. Clark, Feb 2003):
- Traffic gateway: all traffic between the Internet and the customer's desktop passes through the ISP's access.
- Skilled network managers
- Well-organized network user information
- High efficiency, wide-range protection

2. Network security countermeasures (cont.)
ISP-based countermeasures:
a) Measuring and monitoring traffic to/from the customer
b) Bi-directional IPS at the ISP access: 50%-60% of junk attack traffic
c) Ingress address filtering at the ISP access, in-line with the traffic being monitored
d) User awareness and training effort

3. Detection & Notification System
- Signature detection: packet payload
- Anomaly detection: packet-based (tcpdump, snooped over subnetworks); flow-based (NetFlow, exported by router/switch)

3. Detection & Notification System (cont.)
Our work: infected or misused host systems continuously and frequently establish network connections to one or many hosts. The excess-traffic signature originating from an infected host:
- the number of flow connections surges,
- the packet volume surges,
- the period over which the excess traffic persists is clearly prolonged.
This study captures NetFlow export records from a node router to implement a Flooding Detection System (FDS).

3. Detection & Notification System (cont.)
PortScan traffic signature: the many PortScan flows a source host requests concentrate on one particular vulnerable port, while the port numbers with which the destination hosts reply to the source host are scattered over the wide range 1024-65535.

3. Detection & Notification System (cont.)
Three NetFlow identification features are selected: (1) source IP address (src_IP); (2) destination application port (dst_port); (3) small TCP packets. The feature-based traffic accumulation program then sums only source hosts that send SYN|FIN TCP handshaking packets at an excessive rate toward particular vulnerable ports on a large number of networked hosts, which makes the PortScan problem hosts stand out.

3. Detection & Notification System (cont.)
SMTP flooding (spam) traffic signature, similar to the PortScan signature: the spam source host continuously sends excessive SMTP (Simple Mail Transfer Protocol) traffic to many hosts; the host's number of outbound connections surges suddenly; the period of excessive SMTP sending is also clearly prolonged.

3. Detection & Notification System (cont.)
Packet flooding traffic signature: huge volumes of UDP/ICMP flooding packets are generated, denying the chosen host's external services and congesting the routed network segments along the path. The source (src_IP) is chosen as the virtual flow: the accumulation program counts only the very large UDP/ICMP packet/byte/flow traffic sent by a source IP, in order to detect and automatically report DDoS attacks.

3. Detection & Notification System (cont.)
Flooding anomaly traffic detection system:
- Feature-based traffic accumulation/sorting program: for each source IP host, sum the flow count, packet count, byte count and mean packet size toward each destination port.
- Multi-threshold anomaly detection program: accumulate per period the flow_source_i, packet_source_i, byte_source_i and pkt_size_source_i established by each source host, sum the period duration_source_i over which it sends excessive TCP packets, compare against the estimated thresholds, and filter out the PortScan sources.
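The feature-based accumulation and multi-threshold detection just described, as an added worked example in Python (this is not the presentation's FDS code). It aggregates constructed NetFlow-style records per (src_IP, dst_port, protocol), derives the flow/packet/byte/mean-packet-size/duration variables, and applies illustrative thresholds to flag PortScan, SMTP flooding and UDP/ICMP packet flooding sources in one pass; the flow records, the threshold values and the flag encoding are assumptions for illustration, not figures from the presentation.

```python
"""Feature-based flow aggregation with multi-threshold anomaly detection.

Added example, not the FDS code from the presentation. Flow records and
thresholds below are constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass

# NetFlow v5 style TCP flag bits (bitwise OR of all flags seen in the flow)
FIN, SYN, ACK = 0x01, 0x02, 0x10
ICMP, TCP, UDP = 1, 6, 17


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    dst_port: int
    proto: int
    packets: int
    octets: int
    tcp_flags: int
    start: int      # seconds since the start of the export period
    end: int


# Illustrative thresholds (assumed; the presentation's tuned values are not given)
SCAN_MIN_HOSTS = 20          # distinct destination hosts hit on one dst_port
SCAN_MAX_PKT_SIZE = 64       # mean bytes/packet for handshake-only flows
MIN_DURATION = 60            # seconds the excess traffic must persist
SMTP_MIN_HOSTS = 15          # distinct SMTP destinations from one source
FLOOD_MIN_PACKETS = 100_000  # UDP+ICMP packets from one source per period


def summarize(flows):
    """Sum flow/packet/byte counts per (src_ip, dst_port, proto), and track the
    destination host set, the time span, and whether every TCP flow was a bare
    SYN or SYN|FIN probe (no ACK ever seen)."""
    agg = {}
    for f in flows:
        s = agg.setdefault((f.src_ip, f.dst_port, f.proto), {
            "flows": 0, "packets": 0, "octets": 0, "hosts": set(),
            "start": f.start, "end": f.end, "handshake_only": True})
        s["flows"] += 1
        s["packets"] += f.packets
        s["octets"] += f.octets
        s["hosts"].add(f.dst_ip)
        s["start"] = min(s["start"], f.start)
        s["end"] = max(s["end"], f.end)
        probe = f.proto == TCP and (f.tcp_flags & (SYN | FIN)) and not (f.tcp_flags & ACK)
        if not probe:
            s["handshake_only"] = False
    return agg


def detect(flows):
    """Return sorted (src_ip, kind, dst_port, count) findings; dst_port is 0
    for packet flooding, which is judged per source over all UDP/ICMP ports."""
    findings = []
    udp_icmp_packets = defaultdict(int)
    for (src, port, proto), s in summarize(flows).items():
        mean_size = s["octets"] / s["packets"]
        duration = s["end"] - s["start"]
        hosts = len(s["hosts"])
        if (proto == TCP and s["handshake_only"] and mean_size <= SCAN_MAX_PKT_SIZE
                and hosts >= SCAN_MIN_HOSTS and duration >= MIN_DURATION):
            findings.append((src, "PortScan", port, hosts))
        elif proto == TCP and port == 25 and hosts >= SMTP_MIN_HOSTS and duration >= MIN_DURATION:
            findings.append((src, "SMTPFlooding", port, hosts))
        if proto in (UDP, ICMP):
            udp_icmp_packets[src] += s["packets"]
    for src, pkts in udp_icmp_packets.items():
        if pkts >= FLOOD_MIN_PACKETS:
            findings.append((src, "PacketFlooding", 0, pkts))
    return sorted(findings)


def sample_flows():
    """Constructed records: a SYN scanner, a spam source, a UDP flooder and a
    normal web client, all inside one five-minute export period."""
    flows = []
    # 10.0.0.5 probes port 445 on 25 hosts with single 40-byte SYN packets over 2 minutes
    for i in range(25):
        flows.append(Flow("10.0.0.5", f"10.1.0.{i + 1}", 445, TCP, 1, 40, SYN, 5 * i, 5 * i + 1))
    # 10.0.0.9 completes SMTP sessions to 20 different mail servers over 5 minutes
    for i in range(20):
        flows.append(Flow("10.0.0.9", f"10.2.0.{i + 1}", 25, TCP, 30, 4000, SYN | ACK | FIN, 15 * i, 15 * i + 10))
    # 10.0.0.7 sends ten 20 000-packet UDP bursts at one DNS server
    for i in range(10):
        flows.append(Flow("10.0.0.7", "10.3.0.1", 53, UDP, 20_000, 1_200_000, 0, 30 * i, 30 * i + 29))
    # 10.0.0.2 browses three web servers normally
    for i in range(5):
        flows.append(Flow("10.0.0.2", f"10.4.0.{i % 3 + 1}", 80, TCP, 120, 90_000, SYN | ACK | FIN, 60 * i, 60 * i + 20))
    return flows


if __name__ == "__main__":
    for finding in detect(sample_flows()):
        print(finding)
```

The scanner is separated from the spam source by the handshake-only test rather than by port alone: completed SMTP sessions carry ACK, bare probes do not, so a SYN sweep of port 25 would still be reported as a PortScan and a genuine mail flood as SMTPFlooding.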

3. Detection & Notification System (cont.)
Automatic notification of flooding anomaly traffic:
- Extract the ip_routing table from the router's ipRoute SNMP MIB.
- Build and start the RWhois IP management information query system.
- Read the anomaly traffic data and send the notification automatically.

3. Detection & Notification System (cont.)
Automatic notification of flooding anomaly traffic (cont.):
- Retrieve the backbone router's tens of thousands of routing entries: snmpwalk ipRouteMask (1.3.6.1.4.21.2.1.11), snmpwalk ipRouteNextHop (1.3.6.1.4.21.2.1.7).
- Extract and rebuild the large ip_routing record set.
- Build a database conforming to the RWhois network schema, joining the NextHop records with the management contact information.
- IP management information lookup for the connected schools: http:/susan.tyc.edu.tw/yang/rwhois.php?ip=140.115.1.12
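The route-table extraction and contact lookup just described, as an added Python example (not the presentation's scripts): it parses constructed snmpwalk output for ipRouteMask and ipRouteNextHop (object names only; the OIDs are not used), rebuilds the routing entries, finds the longest-prefix route for an anomalous source address, and joins the next hop with an assumed contact table standing in for the RWhois database. The snmpwalk lines, addresses and contacts are constructed, not taken from the presentation's router; the NCU address 140.115.1.12 is the one the slide uses as its query example.

```python
"""Rebuild ipRoute entries from snmpwalk output and resolve the contact for
an anomalous source address (longest-prefix match on destination/mask).

Added example, not the presentation's code. All data below is constructed.
"""
import ipaddress
import re

# Constructed snmpwalk output in the usual "name.index = IpAddress: value" form
SNMP_MASK_WALK = """\
RFC1213-MIB::ipRouteMask.0.0.0.0 = IpAddress: 0.0.0.0
RFC1213-MIB::ipRouteMask.140.115.0.0 = IpAddress: 255.255.0.0
RFC1213-MIB::ipRouteMask.140.115.1.0 = IpAddress: 255.255.255.0
RFC1213-MIB::ipRouteMask.163.30.0.0 = IpAddress: 255.255.0.0
"""
SNMP_NEXTHOP_WALK = """\
RFC1213-MIB::ipRouteNextHop.0.0.0.0 = IpAddress: 203.0.113.1
RFC1213-MIB::ipRouteNextHop.140.115.0.0 = IpAddress: 192.0.2.10
RFC1213-MIB::ipRouteNextHop.140.115.1.0 = IpAddress: 192.0.2.11
RFC1213-MIB::ipRouteNextHop.163.30.0.0 = IpAddress: 192.0.2.30
"""
# Stand-in for the RWhois contact records, keyed by next hop (constructed)
CONTACTS = {
    "192.0.2.10": ("NCU campus network", "campus-admin@example.edu"),
    "192.0.2.11": ("NCU server segment", "server-admin@example.edu"),
    "192.0.2.30": ("Connected school A", "abuse@school-a.example.edu"),
}

LINE_RE = re.compile(
    r"ipRoute(Mask|NextHop)\.(\d+\.\d+\.\d+\.\d+) = IpAddress: (\d+\.\d+\.\d+\.\d+)")


def parse_walk(text):
    """Return {destination: value} from one snmpwalk column."""
    out = {}
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            out[m.group(2)] = m.group(3)
    return out


def build_routes(mask_walk, nexthop_walk):
    """Join the two columns on the route destination into (network, next_hop) pairs."""
    masks = parse_walk(mask_walk)
    hops = parse_walk(nexthop_walk)
    routes = []
    for dest, mask in masks.items():
        if dest in hops:
            net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
            routes.append((net, hops[dest]))
    return routes


def lookup_next_hop(routes, ip):
    """Longest-prefix match; returns (network, next_hop) or None."""
    addr = ipaddress.ip_address(ip)
    best = None
    for net, hop in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop)
    return best


def notify_record(routes, contacts, finding):
    """Turn a (src_ip, kind, dst_port, count) finding into a notification record."""
    src, kind, port, count = finding
    match = lookup_next_hop(routes, src)
    if match is None:
        return None
    net, hop = match
    name, email = contacts.get(hop, ("unknown", None))
    return {"source": src, "anomaly": kind, "dst_port": port, "count": count,
            "route": str(net), "next_hop": hop, "segment": name, "contact": email}


if __name__ == "__main__":
    routes = build_routes(SNMP_MASK_WALK, SNMP_NEXTHOP_WALK)
    print(notify_record(routes, CONTACTS, ("140.115.1.12", "PortScan", 445, 25)))
```

A source that only matches the default route gets a record with no contact, which is the case an operator must handle by hand; the lookup never picks a shorter prefix over a more specific one, so a /24 server segment with its own administrator is preferred over the campus /16.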

4. Conclusion
- The Flooding anomaly traffic Detection System (FDS) aggregates router NetFlow export records and automatically detects PortScan, spam and packet flooding attack traffic.
- Through Rwhoisd IP management information lookups it automatically reports the concrete anomalous traffic to the responsible network user, prompting them to harden their system's security and block the flooding attack.

4. Conclusion (cont.)
From several years of operating experience:
- An anomaly detection system at a network aggregation point can detect the ever-changing portscan traffic (constantly renewed vulnerable ports) as well as spam and packet flooding events.
- Concrete flooding traffic figures help network managers identify the anomalous source host, contact the user, and analyze the host's flooding behaviour.
Thank You!

Distribution of abuse notifications in the Taoyuan regional network (桃園區網)
National Central University, Computer Center, Susan Yang (center7cc.ncu.edu.tw)

Outline
1. Automatic forwarding of abuse complaints
2. Annual abuse statistics
3. Abuse statistics by category
4. P2P traffic target system: http:/163.25.255.22/yang/index_abuse_emule.php, http:/163.25.255.22/yang/index_abuse_emule_port.php
5. Summary

1. Automatic forwarding of abuse complaints
The abuse complaint forwarding system:
- periodically reads the abuse complaint mail file for abusencu.edu.tw (/var/mail/abuse);
- splits and classifies the abuse notices: PortScan/password cracking (security vulnerability scanning), spam (advertising/pornographic mail), infringement (intellectual property rights), phishing (online fraud);
- forwards each notice to the responsible person and stores a database record.

1. Automatic forwarding of abuse complaints (cont.)
The system processes the mail as follows:
- Read the abusencu.edu.tw mail file and split/store each individual message.
- Run dbacl (digramic Bayesian text classifier) to classify each message's abuse type (spam, infringe, portscan, phish).
- Scan for the target IP address and save the IP together with the abuse category.
- Using the IP as key, connect to the Rwhois server, look up the administrator's email, and send the original message to the corresponding administrator.
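The four processing steps above, as an added Python example (not the presentation's scripts): it splits a constructed /var/mail/abuse-style mbox into messages, classifies each with a keyword scorer that stands in for dbacl, extracts the target addresses that fall inside an assumed managed range, and resolves the administrator from an assumed per-/24 table that stands in for the RWhois query. The mbox text, keyword lists, managed prefix and administrator addresses are all constructed; nothing is sent, the result is the list of forwarding records the final step would act on.

```python
"""Abuse complaint splitting, classification and forwarding.

Added example, not the presentation's scripts. The mbox text, the keyword
classifier (a stand-in for dbacl) and the administrator table (a stand-in
for the RWhois lookup) are constructed for illustration.
"""
import ipaddress
import re
from email import message_from_string

# Constructed /var/mail/abuse-style mbox contents
MBOX = """\
From abuse@isp-a.example Mon Sep  3 10:00:00 2007
From: abuse@isp-a.example
To: abuse@ncu.example
Subject: Port scan from 140.115.1.12

Our firewall logged repeated SSH login attempts and port scanning from
140.115.1.12 against 198.51.100.7 between 02:00 and 04:00 UTC.

From postmaster@mail-b.example Mon Sep  3 11:30:00 2007
From: postmaster@mail-b.example
To: abuse@ncu.example
Subject: Unsolicited bulk mail

We received 300 spam messages advertising pharmacy sites from
140.115.200.33 (HELO mail.local) in the last hour.

From notices@rights-c.example Mon Sep  3 12:15:00 2007
From: notices@rights-c.example
To: abuse@ncu.example
Subject: Copyright infringement notice

A bittorrent peer at 140.115.7.8 port 6881 is sharing copyrighted material.
"""

# Stand-in for dbacl: the category with the most keyword hits wins (assumed word lists)
CATEGORIES = {
    "spam": ("unsolicited", "spam", "bulk mail", "advertis"),
    "infringe": ("copyright", "infringement", "dmca", "bittorrent"),
    "portscan": ("port scan", "scanning", "brute", "password", "login attempts"),
    "phish": ("phishing", "fraud", "fake login", "credential"),
}
MANAGED = ipaddress.ip_network("140.115.0.0/16")   # assumed: the range we are responsible for
# Stand-in for RWhois: administrator contact per /24 (constructed)
ADMINS = {
    "140.115.1.0/24": "server-admin@ncu.example",
    "140.115.7.0/24": "dorm-admin@ncu.example",
}
DEFAULT_ADMIN = "netops@ncu.example"
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def split_mbox(text):
    """Split an mbox into raw messages at the 'From ' envelope lines."""
    parts = re.split(r"^From .*\n", text, flags=re.MULTILINE)
    return [p for p in parts if p.strip()]


def classify(msg):
    """Return the abuse type with the most keyword hits, or 'unknown'."""
    text = (msg["Subject"] + "\n" + msg.get_payload()).lower()
    scores = {cat: sum(text.count(w) for w in words) for cat, words in CATEGORIES.items()}
    best = max(scores, key=scores.get)
    return best if scores[best] > 0 else "unknown"


def target_ips(msg):
    """Addresses in the complaint that fall inside our managed range, in order of appearance."""
    found = []
    for ip in IPV4.findall(msg["Subject"] + "\n" + msg.get_payload()):
        if ipaddress.ip_address(ip) in MANAGED and ip not in found:
            found.append(ip)
    return found


def admin_for(ip):
    """Look up the administrator of the /24 containing ip."""
    block = str(ipaddress.ip_network(ip + "/24", strict=False))
    return ADMINS.get(block, DEFAULT_ADMIN)


def route_complaints(mbox_text):
    """Produce one forwarding record per (message, target IP) pair."""
    records = []
    for raw in split_mbox(mbox_text):
        msg = message_from_string(raw)
        category = classify(msg)
        for ip in target_ips(msg):
            records.append({"subject": msg["Subject"], "category": category,
                            "ip": ip, "forward_to": admin_for(ip)})
    return records


if __name__ == "__main__":
    for record in route_complaints(MBOX):
        print(record)
```

Filtering the extracted addresses against the managed range matters: a complaint usually also names the complainant's own host (198.51.100.7 above), and forwarding on that address would notify the wrong party.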

1. Automatic forwarding of abuse complaints (cont.)
Results:
- Saves the network management labour of one person for handling abuse notices.
- Forwarding is handled in real time and is no longer delayed by holidays.
- The database archive provides an on-demand abuse data query web page.

2. Annual abuse statistics
ROC year 93 (2004), 94 (2005), 95 (2006), 96 (2007)
[Annual statistics charts; the figures are not recoverable from the extracted text.]

3. Abuse statistics by category
- Intellectual property (infringement)
- Advertising mail (spam)
- PortScan
- Phishing
[Per-category charts; one chart is labelled 163.30.*.*]

4. Abuse history query
- URL: http:/ayang.tyc.edu.tw/Tyc_Abuse/Tanet/summ_notify.php
- Monthly statistics of abuse complaints by category; select year and month (96-01 ... 95-12).
[Screenshots of the query page.]

5. P2P traffic target system
Features of P2P traffic:
- Packet size: large packets
- Connections: many to many
- Duration: lasts longer
- Traffic volume: large amount
URLs of the Tyc P2P traffic statistics: http:/163.25.255.22/yang/index_abuse_emule.php, http:/163.25.255.22/yang/index_abuse_emule_port.php
[Screenshots of the P2P statistics pages.]

6. Summary
An increasingly complete network security defence:
- Technique: regional network: Flood Detection System; campus network: firewall, IDS; user end: firewall, antivirus package
- Education of end users: protect the PC from being exploited as a stepping stone
- Security policy
- Management support

6. Summary (cont.)
Putting an end to the dark side of the network:
- Increase awareness
- Educate users
- Implement organization policies
- Use technology to protect against these threats: Flooding Detection System

6. Summary (cont.)
Work in progress:
- Compiling and sharing network security documents
- Compiling network management tools and their documentation
- Content-based network intrusion detection system
- Mining-based detection

Performance evaluation of the University System of Taiwan (台聯大) international link
National Central University, Computer Center, Susan Yang
8 October 2007

Outline
1. Motivation
2. Changes in traffic on the main external trunks
3. Changes in the delay of fetching files from foreign web sites
4. Conclusion

1. Motivation
The 台聯大 international link:
- Cost: 2 million per year
- Performance: trunk traffic statistics (MRTG graphs); ping (RTT values), although some firewalls do not allow ping traffic; user-sensitive traffic statistics: the delay of fetching a png or pdf file from Cisco, HP, 3Com, Ubuntu*

2. Traffic on the main external trunks
- Campus core router 7609 to the 台聯大 international link: http:/cygnus.cc.ncu.edu.tw/mrtg/7609/r7609_63.html
- National Central University to the Taoyuan regional network: http:/cygnus.cc.ncu.edu.tw/mrtg/m160/m160_65.html
- Taoyuan regional network to the TANET backbone: http:/mrtg.moe.edu.tw/backbone/ncu_cht.html
[MRTG graphs for the three trunks above: campus core router to 台聯大 link; NCU to Taoyuan regional network; Taoyuan regional network to TANET backbone.]

2. Traffic on the main external trunks (cont.)
- Change in TANET international traffic: http:/mrtg.moe.edu.tw/internet/internet-pos-stm16.html
- Change in 台聯大 international traffic: http:/
[MRTG graphs: TANET international traffic; 台聯大 international traffic.]

3. Delay of fetching files from foreign web sites
- Performance comparison page: http:/bunny.tyc.edu.tw/Ncu/browse.jsp
- NCU_Link collector: 140.115.11.131
- TYC_Link collector: 163.25.254.7

3. Delay of fetching files from foreign web sites (cont.)
- 2007-Aug & 2007-Sep: 8/17-8/31, 9/1-9/30
- 2007-Oct: 10/3 (NCTU_DORM disconnected), 10/9 (NCTU_DORM reconnected), 10/15 (TWGATE corrected the routing path), 10/16-10/31
[Delay time-series graphs for these periods.]

4. Subprogram functions
- delay2.java: get(), main()
- wget_stat.sh: called routinely from crontab, invokes delay2

delay2.java, reconstructed from the slide (braces, quotes, array indexing and imports restored; createAFile was not shown on the slide and a minimal version is supplied; the "To" timestamp is taken after the fetch, which the slide's code did not do):

    import java.io.BufferedReader;
    import java.io.BufferedWriter;
    import java.io.FileWriter;
    import java.io.IOException;
    import java.io.InputStreamReader;
    import java.net.MalformedURLException;
    import java.net.URL;
    import java.text.SimpleDateFormat;
    import java.util.Date;

    public class delay2 {
        String theUrl_name;

        // Fetch theUrl and store the response body in filename; main() times this call.
        // Binary files (jpg, pdf) are read line by line as text, which is fine for
        // timing but does not reproduce the file byte for byte.
        public void get(String theUrl, String filename) throws IOException {
            theUrl_name = theUrl;
            try {
                URL gotoUrl = new URL(theUrl);
                InputStreamReader isr = new InputStreamReader(gotoUrl.openStream());
                BufferedReader in = new BufferedReader(isr);
                StringBuffer sb = new StringBuffer();
                String inputLine;
                // grab the contents at the URL
                while ((inputLine = in.readLine()) != null) {
                    sb.append(inputLine + "\r\n");
                }
                in.close();
                // write it locally
                createAFile(filename, sb.toString());
            } catch (MalformedURLException mue) {
                mue.printStackTrace();
            } catch (IOException ioe) {
                throw ioe;
            }
        }

        // Not shown on the slide; minimal implementation assumed here.
        private void createAFile(String filename, String contents) throws IOException {
            BufferedWriter w = new BufferedWriter(new FileWriter(filename));
            w.write(contents);
            w.close();
        }

        public static void main(String[] args) {
            Date date = new Date();
            SimpleDateFormat day = new SimpleDateFormat("MMdd");
            SimpleDateFormat df = new SimpleDateFormat("MMddHH");
            // System.out.println(df.format(date));
            String day_file = day.format(date);
            String cur_hour = df.format(date);
            String filename = "/home/Ncu_Link/" + day_file;   // one log file per day
            try {
                BufferedWriter out = new BufferedWriter(new FileWriter(filename, true));
                out.write("\n Hour " + cur_hour);
                long elapsedtime = System.currentTimeMillis();
                out.write("\n From " + elapsedtime + " msec. | ");
                delay2 httpGetter = new delay2();
                httpGetter.get(args[0], args[1]);   // args[0] = URL, args[1] = local file name
                out.write("\n To " + System.currentTimeMillis() + " msec. | ");
                elapsedtime = System.currentTimeMillis() - elapsedtime;
                out.write("\n It takes " + elapsedtime + " msec. " + httpGetter.theUrl_name + "\n");
                out.close();
            } catch (Exception ex) {
                ex.printStackTrace();
            }
        }
    }

wget_stat.sh (the fetched URLs were cut off in the extracted slide and are left as they appear):

    #!/bin/csh -f
    setenv CLASSPATH .
    set batch_home=/opt/apache-tomcat-6.0.14/webapps/ROOT/Socket
    # put every jar under lib/ on the class path
    set flist=`/bin/ls $batch_home/lib/*.jar`
    foreach name ($flist)
        setenv CLASSPATH $CLASSPATH:$name
    end
    cd $batch_home
    java delay2 http:/ cisco.jpg
    java delay2 http:/welcome.hp- hp.jpg
    java delay2 http:/ 3com.pdf
    java delay2 http:/ ubuntu.png

Recorded output (URLs cut off in the extracted slide):

    Date
    111900 It takes 922 msec.http:/
    111900 It takes 1797 msec.http:/welcome.hp-
    111900 It takes 19266 msec.http:/
    111900 It takes 1140 msec.http:/
    111904 It takes 1079 msec.http:/
    111904 It takes 859 msec.http:/welcome.hp-
    111904 It takes 12203 msec.http:/
    111904 It takes 1078 msec.http:/

4. Subprogram functions (cont.)
- LinkPerf.java: extracts the data recorded per 4-hour period, aggregates the mean delay (msec), and writes the result to another file.

LinkPerf output (site names other than welcome.hp- were cut off in the extracted slide):

    1101Thu welcome.hp-=774, =13443, =800, =1115
    1102Fri welcome.hp-=847, =12825, =815, =1025
    1103Sat welcome.hp-=1074, =13578, =853, =1225
    1104Sun welcome.hp-=672, =15053, =821, =1071
    1105Mon welcome.hp-=824, =13240, =837, =1065

4. Subprogram functions (cont.)
- Browse.jsp: lets the user monitor the aggregated data records.
- Times_both.jsp: draws the time-series graph from the aggregated data records; calls the jfreechart libraries (jfreechart-1.0.6).
[Screenshots of the Browse.jsp and Times_both.jsp pages.]

5. Conclusion
- Tyc_Link/Ncu_Link international connection performance analysis.
- Using the JAVA/JSP languages: (1) progress was slow, but it was a first taste of the strength of the JAVA population and resources; (2) I had studied both JAVA and JSP before without gaining much of a feel for them; verifying step by step and using Socket, File and regex (pattern, match, scanner) to implement small functions was fun.

5. Conclusion (cont.)
- Using JFreeChart: time-series chart, bar chart, pie chart.
- Measurement data can be presented dynamically and graphically.
Thank You!
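The LinkPerf.java aggregation step described in section 4 (extract the records of each 4-hour period and average the delay per site), as an added Python example rather than the presentation's Java. The log text is constructed in the format delay2.java writes (a "Hour MMddHH" line followed by "It takes N msec. URL"); the host names are placeholders, since the real URLs were cut off in the extracted slide, and the report format is an assumption that names the period bucket explicitly rather than copying the slide's one-line-per-day layout.

```python
"""Aggregate delay2-style fetch logs per 4-hour period, as LinkPerf.java does.

Added example in Python, not the presentation's LinkPerf.java. The log text
below is constructed in the format delay2.java writes; hosts are placeholders.
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit

LOG = """\
 Hour 111900
 From 1195401600000 msec. |
 To 1195401600922 msec. |
 It takes 922 msec. http://www.example-a.test/cisco.jpg
 Hour 111900
 It takes 1797 msec. http://welcome.example-b.test/hp.jpg
 Hour 111903
 It takes 1078 msec. http://www.example-a.test/cisco.jpg
 Hour 111903
 It takes 2203 msec. http://welcome.example-b.test/hp.jpg
 Hour 111904
 It takes 1000 msec. http://www.example-a.test/cisco.jpg
 Hour 111904
 It takes 2000 msec. http://welcome.example-b.test/hp.jpg
 Hour 111905
 It takes 1100 msec. http://www.example-a.test/cisco.jpg
"""

HOUR_RE = re.compile(r"Hour (\d{4})(\d{2})")
TAKES_RE = re.compile(r"It takes (\d+) msec\. (\S+)")


def parse_log(text):
    """Return (MMdd, hour, host, msec) tuples; each 'It takes' line belongs to
    the most recent 'Hour' line, and 'From'/'To' timestamp lines are skipped."""
    day, hour = None, None
    records = []
    for line in text.splitlines():
        m = HOUR_RE.search(line)
        if m:
            day, hour = m.group(1), int(m.group(2))
            continue
        m = TAKES_RE.search(line)
        if m and day is not None:
            records.append((day, hour, urlsplit(m.group(2)).hostname, int(m.group(1))))
    return records


def aggregate(records, period_hours=4):
    """Mean delay (msec) per host within each period_hours bucket of each day."""
    sums = defaultdict(lambda: [0, 0])
    for day, hour, host, msec in records:
        key = (day, hour // period_hours, host)
        sums[key][0] += msec
        sums[key][1] += 1
    means = defaultdict(dict)
    for (day, bucket, host), (total, n) in sums.items():
        means[(day, bucket)][host] = round(total / n)
    return dict(means)


def format_report(means):
    """One line per (day, bucket): 'MMdd/bucket host=mean, host=mean'."""
    lines = []
    for day, bucket in sorted(means):
        cells = ", ".join(f"{host}={ms}" for host, ms in sorted(means[(day, bucket)].items()))
        lines.append(f"{day}/{bucket} {cells}")
    return lines


if __name__ == "__main__":
    for line in format_report(aggregate(parse_log(LOG))):
        print(line)
```

Averaging within a fixed period rather than per sample is what makes the time-series graph usable: a single slow fetch (such as the 19266 msec entry in the recorded output above) is smoothed against the other probes of the same period, while a link that stays slow for hours still shows up in every bucket.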
