Understanding Network Security and Anomaly Detection (.ppt)

Uploaded by: 本田雅阁 | Document ID: 3300713 | Uploaded: 2019-08-08 | Format: PPT | Pages: 88 | Size: 2.42 MB

Understanding Network Security and Anomaly Detection
National Central University Computer Center, 楊素秋, 13 November 2007 (ROC year 96)

Outline
1. Network security problems: viruses, worms, DoS attacks
2. Network security countermeasures: customer-based countermeasures, ISP-based countermeasures
3. Detection & Notification System: end-based, LAN-based, WAN-based (ISP)
4. Conclusion

1. Network security problems
Network security challenges:
- Viruses: large-scale program replication.
  - Mail virus: attached to e-mail; infects the system once the user is lured into clicking the attachment; then resends large amounts of mail.
  - Web virus: self-propagating programs spread through browsing of toxic web pages.
- Worms: self-propagating programs that spread over the Internet by scanning the network for vulnerable machines and infecting them.
- Evolution of network worms:
  - spread through a system vulnerability: CodeRed (Jul 2001)
  - spread through a system vulnerability and tftpd: Nimda, Nachi (Sep 2001)
  - spread through a system vulnerability and a mail virus: SoBig (Aug 2003), MyDoom (Jan 2004), Bagle (2004)
  - spread through a system vulnerability and toxic web pages: Santy (Dec 2004)
- BotNet: a zombie army, controlled through IRC (network chat rooms) on 6667/tcp.
- DoS attack: slams well-known web servers (Microsoft's, Google, ...); a flooding-based DDoS attack causes a significant performance decline of the network link.
- Identity theft: spyware, phishing (banks, eBay, PayPal, ...).
- Technical hackers show off their skill; technical hackers plus criminal gangs make enormous profits.
- The weak link in Internet security: a significant population of Internet users do not adequately secure their desktops.

2. Network security countermeasures
Where security countermeasures can be invoked:
- Customer-based countermeasures
- ISP-based countermeasures (at the ISP's core/edge/access routers)

Customer-based countermeasures:
- Anti-virus software
- Firewall, IDS
- OS vendor software patches: Windows Update, Linux up2date
- Software vendors' security improvements
- Desktop vulnerability checking
- Firewall = secure? (Incorrect.)

Why ISPs are uniquely positioned to help (John E.H. Clark, Feb 2003):
- Traffic gateway: all traffic between the Internet and the customer's desktop passes through the ISP's access network.
- Skilled network managers.
- Well-organized network user information.
- High efficiency, wide-range protection.

ISP-based countermeasures:
a) Measuring and monitoring traffic to/from the customer.
b) Bi-directional IPS at the ISP access: 50%-60% of junk attack traffic.
c) Ingress address filtering at the ISP access, in-line with the traffic being monitored.
d) User awareness and training effort.

3. Detection & Notification System
- Signature detection; packet payload anomaly detection.
- Packet-based: tcpdump (snooped over subnetworks).
- Flow-based: NetFlow (exported by the router/switch).

Our work:
- Infected or misused host systems continuously and frequently establish network connections to one or many hosts.
- Characteristics of the excessive traffic originating from infected hosts: a sudden surge in flow connections; a sudden surge in packet volume; a noticeably prolonged period of excessive traffic.
- This study captures the NetFlow export records of the aggregation-point router and implements a Flooding Detection System (FDS).

PortScan traffic characteristics:
- The many PortScan flows requested by the source host concentrate on one specific vulnerable port.
- The port numbers with which the destination hosts answer the source host are spread across the wide range 1024-65535.
- Three NetFlow identification features are chosen: (1) source IP address (src_IP), (2) destination application port (dst_port), (3) small TCP packets.
- The feature-based traffic accumulation program therefore sums only the source hosts that send excessive SYN|FIN TCP handshake packets to specific vulnerable ports on a large number of networked hosts, which makes the PortScan problem hosts stand out.

SMTP flooding (spam) traffic characteristics:
- Similar to the PortScan traffic pattern: the spam source host continuously sends excessive SMTP (Simple Mail Transfer Protocol) traffic to many hosts.
- The host's outbound connection count surges suddenly, and the period of excessive SMTP sending is also noticeably prolonged.

Packet flooding traffic characteristics:
- Produces huge volumes of UDP/ICMP flooding packets, denying the selected hosts' external services and congesting the routing segments along the path.
- The source (src_IP) is chosen as the virtual flow; the accumulation program counts only the extremely large UDP/ICMP packet/byte/flow traffic sent by each source IP, in order to detect and automatically report DDoS attacks.

Flooding anomaly detection system:
- Feature-based traffic accumulation/sorting program: for each source IP host, sums the flow count, packet count, byte count and mean packet size of the traffic sent to each destination port.
- Multi-threshold anomaly detection program: accumulates per time period the flow_source_i, packet_source_i, byte_source_i and pkt_size_source_i that each source host generates, sums the duration_source_i over which it sends excessive TCP packets, compares these against the estimated thresholds, and screens out the PortScan sources.

Automatic notification of flooding anomalies:
- Extract the ip_routing table from the router's ipRoute SNMP MIB.
- Build and start an RWhois IP management data query system.
- Read the anomaly traffic data and notify automatically.
- Capture the tens of thousands of routing entries of the backbone router: snmpwalk ipRouteMask (1.3.6.1.4.21.2.1.11), snmpwalk ipRouteNextHop (1.3.6.1.4.21.2.1.7).
- Extract and rebuild the large ip_routing records; build a database conforming to the RWhois network schema; combine the NextHop records with the management contact information.
- IP management information query for the connected schools: http://susan.tyc.edu.tw/yang/rwhois.php?ip=140.115.1.12

4. Conclusion
- The Flooding Detection System (FDS) aggregates the router's NetFlow export records and automatically detects PortScan, spam and packet flooding attack traffic.
- Through Rwhoisd queries of the IP management information, it automatically reports the concrete anomalous traffic to the network user concerned, prompting them to harden their system and cut off the flooding attack.
- Based on several years of use: an anomaly detection system at the network aggregation point can detect ever-changing portscan traffic (the vulnerable ports keep changing), spam and packet flooding events; the concrete flooding traffic figures help network administrators pin down the anomalous source hosts, contact the users and analyze the flooding on their hosts.
Thank You!


Abuse Notification Distribution for the Taoyuan Regional Network
National Central University Computer Center, 楊素秋 (center7cc.ncu.edu.tw)

Outline
1. Automatic forwarding of abuse complaints
2. Annual abuse statistics
3. Abuse statistics by category
4. P2P traffic target system: http://163.25.255.22/yang/index_abuse_emule.php, http://163.25.255.22/yang/index_abuse_emule_port.php
5. Conclusion

1. Automatic forwarding of abuse complaints
The abuse complaint forwarding system:
- Periodically reads the abuse complaint mail file of abusencu.edu.tw (/var/mail/abuse).
- Splits and classifies the abuse notification mails: PortScan/password cracking (vulnerability scanning), spam (advertising/pornographic mail), infringement (intellectual property violations), phishing (online fraud).
- Forwards them to the responsible staff and stores a database record.

Processing steps:
1. Read the abusencu.edu.tw mail file and split/store each individual message.
2. Run dbacl (digramic Bayesian text classifier) to classify each message's abuse type (spam, infringe, portscan, phish).
3. Scan for the target IP address and store the IP and abuse category.
4. Using the IP as key, connect to the RWhois server, query the administrator's e-mail, and send the original message to the corresponding administrator.

Results:
- Saves the manpower of one network administrator for handling abuse notifications.
- Forwards notifications in real time, so they are not delayed by holidays.
- The database records feed an on-demand abuse query web page.

2. Annual abuse statistics
(Chart on the slide: yearly counts for ROC years 93 (2004), 94 (2005), 95 (2006) and 96 (2007).)

3. Abuse statistics by category
(Chart on the slide: infringement, spam, PortScan and phishing counts for the 163.30.*.* network.)

4. Abuse history query
- URL: http://ayang.tyc.edu.tw/Tyc_Abuse/Tanet/summ_notify.php
- Monthly statistics by abuse complaint category; select the year and month (96-01 ... 95-12).

5. P2P traffic target system
- Features of P2P traffic: packet size (large packets), connections (many to many), duration (lasts longer), traffic volume (large amount).
- URLs of the Taoyuan regional network P2P traffic statistics: http://163.25.255.22/yang/index_abuse_emule.php, http://163.25.255.22/yang/index_abuse_emule_port.php

6. Conclusion
An increasingly complete network security defense:
- Technique: regional network: Flood Detection System; campus network: firewall, IDS; user end: firewall, antivirus package.
- Education: end users protect their PC from being exploited as a stepping stone.
- Security policy.
- Management support.
Putting an end to the dark side of the network:
- Increase awareness; educate users.
- Implement organizational policies.
- Use technology to protect against these threats: the Flooding Detection System.
Work in progress:
- Compiling and sharing network security documents.
- Compiling network management tools and their documentation.
- Content-based network intrusion detection system; mining detection.


Performance Evaluation of the University System of Taiwan (台聯大) International Link
National Central University Computer Center, 楊素秋, 8 October 2007

Outline
1. Motivation
2. Traffic changes on the main external trunks
3. Changes in file fetch delay from foreign websites
4. Conclusion

1. Motivation
- The UST international link costs 2 million per year.
- Performance: trunk traffic statistics (MRTG graphs); ping (RTT values), but some firewalls do not allow ping traffic.
- User-sensitive traffic statistics: delay for fetching a png or pdf file from Cisco, HP, 3Com, Ubuntu*.

2. Main external trunk traffic
- Campus core router 7609 to the UST international link: http://cygnus.cc.ncu.edu.tw/mrtg/7609/r7609_63.html
- NCU to the Taoyuan regional network: http://cygnus.cc.ncu.edu.tw/mrtg/m160/m160_65.html
- Taoyuan regional network to the TANET backbone: http://mrtg.moe.edu.tw/backbone/ncu_cht.html
(MRTG graph slides: campus core router to the UST link; NCU to the Taoyuan regional network; Taoyuan regional network to the TANET backbone.)
- TANET international traffic changes: http://mrtg.moe.edu.tw/internet/internet-pos-stm16.html
- UST international traffic changes: http:/ (URL truncated on the page)

3. File fetch delay from foreign websites
- http://bunny.tyc.edu.tw/Ncu/browse.jsp
- NCU_Link collector: 140.115.11.131; TYC_Link: 163.25.254.7
- Measurement periods: 2007-Aug and 2007-Sep: 8/17 to 8/31, 9/1 to 9/30. 2007-Oct: 10/3 (NCTU_DORM disconnected), 10/9 (NCTU_DORM reconnected), 10/15 (TWGATE corrected its routing path), 10/16 to 10/31.

4. Subprogram functions
- delay2.java: get(), main()
- wget_stat.sh
- crontab: calls delay2 routinely

```java
// delay2.java: fetch one URL, save its body locally, and append the elapsed time to a daily log
import java.io.*;
import java.net.MalformedURLException;
import java.net.URL;
import java.text.SimpleDateFormat;
import java.util.Date;

public class delay2 {
    static String theUrl_name;

    // createAFile() is called on the slide but not shown; a minimal version is assumed here
    static void createAFile(String filename, String content) throws IOException {
        BufferedWriter w = new BufferedWriter(new FileWriter(filename));
        w.write(content);
        w.close();
    }

    public void get(String theUrl, String filename) throws IOException {
        theUrl_name = theUrl;
        try {
            URL gotoUrl = new URL(theUrl);
            InputStreamReader isr = new InputStreamReader(gotoUrl.openStream());
            BufferedReader in = new BufferedReader(isr);
            StringBuffer sb = new StringBuffer();
            String inputLine;
            // grab the contents at the URL
            while ((inputLine = in.readLine()) != null)
                sb.append(inputLine + "\r\n");
            in.close();
            // write it locally
            createAFile(filename, sb.toString());
        } catch (MalformedURLException mue) {
            mue.printStackTrace();
        } catch (IOException ioe) {
            throw ioe;
        }
    }

    public static void main(String[] args) {
        Date date = new Date();
        SimpleDateFormat day = new SimpleDateFormat("MMdd");
        SimpleDateFormat df = new SimpleDateFormat("MMddHH");
        // System.out.println(df.format(date));
        String day_file = day.format(date);
        String cur_hour = df.format(date);
        String filename = "/home/Ncu_Link/" + day_file;   // one log file per day
        try {
            BufferedWriter out = new BufferedWriter(new FileWriter(filename, true));
            out.write("\n Hour " + cur_hour);
            long elapsedtime = System.currentTimeMillis();
            out.write("\n From " + elapsedtime + " msec. | ");
            delay2 httpGetter = new delay2();
            httpGetter.get(args[0], args[1]);          // args: URL, local file name
            long endtime = System.currentTimeMillis();   // the slide wrote the start time here again
            out.write("\n To " + endtime + " msec. | ");
            elapsedtime = endtime - elapsedtime;
            out.write("\n It takes " + elapsedtime + " msec." + theUrl_name + "\n");
            out.close();
        } catch (Exception ex) {
            ex.printStackTrace();
        }
    }
}
```

```csh
#!/bin/csh -f
# wget_stat.sh: put every jar under lib/ on the classpath, then time one fetch per site
setenv CLASSPATH .
set batch_home=/opt/apache-tomcat-6.0.14/webapps/ROOT/Socket
set flist=`/bin/ls $batch_home/lib/*.jar`
foreach name ($flist)
    setenv CLASSPATH $CLASSPATH:$name
end
cd $batch_home
# the four URLs were truncated when the slides were extracted; only their tails survive
java delay2 http:/ ba_partnerLocato_blue.jpg cisco.jpg
java delay2 http:/welcome.hp- primary_smb_msg_730.jpg hp.jpg
java delay2 http:/ -001.pdf 3com.pdf
java delay2 http:/ g ubuntu.png
```

Sample of the per-run log, as recorded (the URLs were truncated on the slides):

```text
Date 111900 It takes 922 msec.http:/ partnerLocato_blue.jpg
Date 111900 It takes 1797 msec.http:/welcome.hp- imary_smb_msg_730.jpg
Date 111900 It takes 19266 msec.http:/ 001.pdf
Date 111900 It takes 1140 msec.http:/
Date 111904 It takes 1079 msec.http:/ _partnerLocato_blue.jpg
Date 111904 It takes 859 msec.http:/welcome.hp- mary_smb_msg_730.jpg
Date 111904 It takes 12203 msec.http:/
Date 111904 It takes 1078 msec.http:/
```

LinkPerf.java: extracts the data recorded per 4-hour period, aggregates the mean delay (msec), and writes the result to another file. Sample output:

```text
1101Thu welcome.hp-=774, =13443, =800, =1115
1102Fri welcome.hp-=847, =12825, =815, =1025
1103Sat welcome.hp-=1074, =13578, =853, =1225
1104Sun welcome.hp-=672, =15053, =821, =1071
1105Mon welcome.hp-=824, =13240, =837, =1065
```

Browse.jsp: lets the user monitor the aggregated data records.
Times_both.jsp: draws the time-series graph from the aggregated data records, calling the JFreeChart libraries (jfreechart-1.0.6):

```jsp
<%-- imports added for completeness; not shown on the slide --%>
<%@ page import="org.jfree.chart.*, org.jfree.chart.axis.DateAxis, org.jfree.chart.plot.XYPlot,
                 org.jfree.chart.renderer.xy.*, org.jfree.data.time.*,
                 java.text.SimpleDateFormat, java.io.OutputStream" %>
<%
    TimeSeriesCollection dataset = new TimeSeriesCollection();
    TimeSeries series1 = new TimeSeries("NCU -台聯大出國專線");
    TimeSeries series2 = new TimeSeries("TYC -TANET出國共用線路");
    series1.add(new Day(1, 9, 2007), 13312);
    series1.add(new Day(2, 9, 2007), 12880);
    series2.add(new Day(20, 10, 2007), 25573958);
    series2.add(new Day(21, 10, 2007), 25612666);
    // * add the dataset
    dataset.addSeries(series1);
    dataset.addSeries(series2);
    // dataset.setDomainIsPointsInTime(true);
    String chartTitle = "Delay of NCU / TYC Trunk (2007-Sep";   // title truncated on the slide
    // chart construction is not on the slide; the standard JFreeChart factory call is assumed
    JFreeChart chart = ChartFactory.createTimeSeriesChart(chartTitle, "Date", "Delay (msec)",
                                                          dataset, true, true, false);
    // * plot
    XYPlot plot = chart.getXYPlot();
    XYItemRenderer renderer = plot.getRenderer();
    if (renderer instanceof XYLineAndShapeRenderer) {
        XYLineAndShapeRenderer rr = (XYLineAndShapeRenderer) renderer;
        // rr.setDefaultShapesVisible(true);
        // rr.setDefaultShapesFilled(true);
    }
    DateAxis axis = (DateAxis) plot.getDomainAxis();
    axis.setDateFormatOverride(new SimpleDateFormat("dd"));
    chart.setBackgroundPaint(java.awt.Color.white);
    OutputStream ostream = response.getOutputStream();
    ChartUtilities.writeChartAsPNG(ostream, chart, 700, 400);
    ostream.close();
%>
```

5. Conclusion
- Tyc_Link/Ncu_Link foreign connection performance analysis, written in Java/JSP.
- (1) Progress was slow, but it was a first taste of the power of the Java community and its resources.
- (2) Although I had studied both Java and JSP before, I did not have much of a feel for them; verifying step by step how to use Socket, File and regex (pattern, match, scanner) to implement small pieces of functionality was great fun.
- Using JFreeChart: time series chart, bar chart, pie chart; the measured data can be presented dynamically and graphically.
Thank You!
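The feature-based accumulation and multi-threshold screening that section 3 of the first deck describes for the Flooding Detection System, as an added Python example; this is not the deck's own FDS code, and the record layout, the thresholds and the sample flows are constructed assumptions.

```python
from collections import defaultdict, namedtuple
# One NetFlow-style record (constructed layout): proto 1=ICMP, 6=TCP, 17=UDP;
# flags = TCP flag bits; t = flow start in seconds within the accounting period.
Flow = namedtuple("Flow", "src dst proto dport flags pkts bytes t")
SYN, FIN = 0x02, 0x01
# Constructed thresholds for one period; the deck does not give its real values.
TH = {"scan_flows": 50, "scan_dsts": 40, "small_pkt": 64, "smtp_flows": 200,
      "flood_pkts": 20000, "min_dur": 30}

def aggregate(flows):
    """Feature-based accumulation: TCP keyed by (src_IP, dst_port), UDP/ICMP by src_IP only
    (the deck's 'source as virtual flow'): flows, packets, bytes, distinct dsts, duration."""
    agg = defaultdict(lambda: {"flows": 0, "pkts": 0, "bytes": 0, "hand": 0,
                               "dsts": set(), "first": None, "last": 0})
    for f in flows:
        a = agg[(f.src, f.proto, f.dport if f.proto == 6 else 0)]
        a["flows"] += 1
        a["pkts"] += f.pkts
        a["bytes"] += f.bytes
        a["dsts"].add(f.dst)
        a["first"] = f.t if a["first"] is None else min(a["first"], f.t)
        a["last"] = max(a["last"], f.t)
        if f.proto == 6 and f.flags & (SYN | FIN) and f.pkts <= 2:
            a["hand"] += 1   # handshake-only flow: SYN/FIN with no payload
    return agg

def classify(agg):
    """Multi-threshold screening; returns {src_IP: [(label, dst_port), ...]}."""
    alerts = defaultdict(list)
    for (src, proto, dport), a in agg.items():
        mean_size, dur = a["bytes"] / max(a["pkts"], 1), a["last"] - a["first"]
        if proto == 6 and dport == 25 and a["flows"] >= TH["smtp_flows"] and dur >= TH["min_dur"]:
            alerts[src].append(("smtp_flooding", dport))
        elif (proto == 6 and a["hand"] >= TH["scan_flows"] and len(a["dsts"]) >= TH["scan_dsts"]
              and mean_size <= TH["small_pkt"] and dur >= TH["min_dur"]):
            alerts[src].append(("portscan", dport))
        elif proto in (1, 17) and a["pkts"] >= TH["flood_pkts"]:
            alerts[src].append(("packet_flooding", dport))
    return dict(alerts)

def detect(flows):
    return classify(aggregate(flows))

# Constructed sample: a port scanner, a spam source, a UDP flooder and a normal web client.
SAMPLE_FLOWS = (
    [Flow("10.0.0.5", f"10.1.0.{i}", 6, 445, SYN, 1, 40, i) for i in range(60)]
    + [Flow("10.0.0.9", f"10.2.0.{i}", 6, 25, SYN, 1, 48, i // 5) for i in range(250)]
    + [Flow("10.0.0.7", "10.3.0.1", 17, 53, 0, 1000, 1_000_000, i) for i in range(30)]
    + [Flow("10.0.0.2", "10.4.0.1", 6, 80, SYN, 20, 15000, i) for i in range(5)]
)
```

`detect(SAMPLE_FLOWS)` flags the scanner, the spam source and the UDP flooder and leaves the web client alone; the UDP/ICMP key uses port 0 because those sources are accumulated per src_IP only.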
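The abuse-complaint forwarding procedure from section 1 of the second deck (split the mailbox, classify, find the target IP, look up the administrator), as an added Python example that is not the deck's own system: simple keyword rules stand in for dbacl, a small dictionary stands in for the RWhois server, and the mailbox, prefixes and contacts are constructed.

```python
import re
from email import message_from_string
from email.policy import default
from ipaddress import ip_address, ip_network
# Constructed stand-in for the deck's RWhois server: managed prefix -> administrator e-mail.
RWHOIS = {"163.30.0.0/16": "admin@school-a.example", "140.115.0.0/16": "abuse@ncu.example"}
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# Keyword rules stand in for dbacl, the Bayesian text classifier the deck actually runs.
KEYWORDS = {"spam": ("spam", "unsolicited"), "infringe": ("copyright", "infringement", "torrent"),
            "portscan": ("port scan", "scanning", "brute force", "password"), "phish": ("phishing",)}
def split_mbox(text):
    """Split a raw mbox file (each message starts with an mbox 'From ' line) into messages."""
    return [p for p in re.split(r"^From .*\n", text, flags=re.MULTILINE) if p.strip()]

def classify(body):
    """First abuse type whose keywords occur in the complaint text, else 'unknown'."""
    low = body.lower()
    return next((t for t, kws in KEYWORDS.items() if any(k in low for k in kws)), "unknown")

def lookup_admin(ip):
    """RWhois-style longest-prefix match against the constructed table; None if unmanaged."""
    hits = [p for p in RWHOIS if ip_address(ip) in ip_network(p)]
    return RWHOIS[max(hits, key=lambda p: ip_network(p).prefixlen)] if hits else None

def target_ip(body):
    """First IPv4 address in the body that belongs to a managed prefix (skips the complainant's own)."""
    return next((ip for ip in IPV4.findall(body) if lookup_admin(ip)), None)

def process(mbox_text):
    """Split, classify, find the target IP and resolve its administrator: one record per complaint."""
    records = []
    for raw in split_mbox(mbox_text):
        msg = message_from_string(raw, policy=default)
        body = msg.get_body(preferencelist=("plain",)).get_content()
        ip = target_ip(body)
        records.append({"subject": str(msg["Subject"]), "type": classify(body), "ip": ip,
                        "admin": lookup_admin(ip) if ip else None})
    return records
# Constructed sample mailbox with two complaints (the deck reads /var/mail/abuse).
SAMPLE_MBOX = """From complaints@isp.example Mon Jan 15 09:00:00 2007
Subject: [Abuse] port scan from 163.30.12.34

Our sensor at 203.0.113.9 logged port scanning and SSH password attempts from 163.30.12.34.

From dmca@studio.example Mon Jan 15 10:00:00 2007
Subject: Copyright infringement notice

The host 140.115.77.8 was observed sharing our copyrighted film via torrent.
"""
```

Each record from `process(SAMPLE_MBOX)` carries the fields the deck stores in its database (IP, abuse type) plus the administrator the original mail would be forwarded to.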
