結合入侵偵測和蜜罐之分散式預警系統的設計與實現


Design and Implementation of a Distributed Early Warning System Combined with Intrusion Detection System and Honeypot


黃培生

Graduate Institute of Information and Computer Education, National Kaohsiung Normal University

No. 116, Heping 1st Road

Lingya District, Kaohsiung City 802

blhtw@hotmail.com

楊中皇

Graduate Institute of Information and Computer Education, National Kaohsiung Normal University

No. 116, Heping 1st Road

Lingya District, Kaohsiung City 802

chyang@nknucc.nknu.edu.tw


Abstract (translated from the Chinese original)

Attack and defence on the network is a war without end. With the rapid growth of the Internet, network attacks have increased in number and variety. Faced with constantly mutating malware and ever-new attack techniques, a system that relies only on traditional firewalls and intrusion detection can no longer keep up with such rapid change. To address this trend, a honeypot can be used to attract malicious attacks and record the attack process; the information the honeypot collects (such as the attack type, malware files, and the processes and commands executed) is then analysed to determine the methods, tools and motives behind the attack, and serves as reference data for predicting or defending against attacks.

This study combines open-source software into a distributed early warning system that collects wide-area network attack trends (including malware activity and intruder behaviour) and issues alert notifications. With this consolidated information, security staff receive warnings early and can understand the behaviour and intent of current network attacks, so as to plan countermeasures and keep the network secure. The system integrates the intrusion detection and honeypot tools Snort, Nepenthes and Sebek, adding the ability to record and analyse attacks from different angles. When an attack occurs, the administrator receives a warning about the attack in progress and can use the aggregated attack statistics to understand the characteristics of the attack and infer the tools and methods used to launch it. The completed distributed early warning system can be installed on a Live USB; the high portability and plug-and-play nature of a Live USB reduce the burden of deploying the system.

Keywords: Firewall, Intrusion Detection System, Honeypot, Malware.


Abstract

Network attack and defense is a never-ending war. Along with the rapid development of the Internet, network attacks have increased and diversified, and traditional firewall and intrusion detection technologies alone cannot keep pace with this rapid change. In response to this trend, we designed and implemented a distributed early warning system in which several clients collect a wide range of network attack activity, such as malicious code, send the collected attack records back to a central server, and provide warning messages to the network administrator. The proposed system consists of the Snort intrusion detection system together with the Nepenthes and Sebek honeypot software. This combination is built on a client/server architecture, so that attack records from several different angles are captured together with the ability to analyse them. Network administrators receive warning notices when the monitored network is under attack. To reduce the burden of deploying the distributed early warning system, we also implemented it on a live USB, so the system can be installed easily, is highly portable, and works plug-and-play.

Keywords: Firewall, Intrusion Detection System, Honeypot, Malware
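The client/server flow that both abstracts describe (sensors running Snort plus a honeypot report to a central server, which aggregates the records, warns the administrator, and keeps attack statistics), as an added illustration that is not code from the paper or from the Snort, Nepenthes or Sebek projects. Only the Snort alert_fast line format is real; the JSON-lines wire format, the `EarlyWarningServer` class, the simplified honeypot record shape, and the sample alert lines and hash are assumptions constructed for this example. The warning rule it shows is the one a distributed deployment adds over a single sensor: the same source or the same malware sample appearing at several independent sensors.

```python
import json
import re
from collections import Counter, defaultdict

# Snort "alert_fast" output, one alert per line (this is Snort's real format), e.g.:
# 08/19-13:08:46.118001  [**] [1:2003:8] MS-SQL Worm propagation attempt [**]
#   [Classification: Misc Attack] [Priority: 2] {UDP} 203.0.113.7:1434 -> 192.0.2.10:1434
SNORT_FAST = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.+?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?\[Priority:\s*(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+)(?::\d+)?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$"
)


def parse_snort_fast(line):
    """Parse one alert_fast line into an event dict; return None for lines that are not alerts."""
    m = SNORT_FAST.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return {"kind": "ids", "ts": d["ts"], "sig": f"{d['gid']}:{d['sid']}", "msg": d["msg"],
            "priority": int(d["prio"]), "proto": d["proto"], "src": d["src"], "dst": d["dst"],
            "dport": int(d["dport"]) if d["dport"] else None}


def client_report(sensor_id, snort_lines, honeypot_events):
    """Sensor side: tag local IDS alerts and honeypot captures with the sensor id and serialise
    them as JSON lines for the central server (the wire format is this example's assumption)."""
    events = [e for e in map(parse_snort_fast, snort_lines) if e]
    events += [dict(h, kind="honeypot") for h in honeypot_events]
    return [json.dumps(dict(e, sensor=sensor_id), sort_keys=True) for e in events]


class EarlyWarningServer:
    """Central side: aggregate reports from all sensors, derive warnings and attack statistics."""

    def __init__(self):
        self.events = []
        self.sensors_by_src = defaultdict(set)     # attacker IP -> sensors that saw it
        self.sensors_by_sample = defaultdict(set)  # malware hash -> sensors that captured it
        self.sig_counts = Counter()
        self.src_counts = Counter()

    def ingest(self, json_line):
        e = json.loads(json_line)
        self.events.append(e)
        self.src_counts[e["src"]] += 1
        self.sensors_by_src[e["src"]].add(e["sensor"])
        if e["kind"] == "ids":
            self.sig_counts[e["msg"]] += 1
        elif e["kind"] == "honeypot" and e.get("md5"):
            self.sensors_by_sample[e["md5"]].add(e["sensor"])

    def warnings(self, min_sensors=2):
        """A priority-1 IDS alert warns on its own; otherwise the signal a distributed system adds
        is the same source, or the same malware sample, showing up at several independent sensors."""
        out = [f"[{e['sensor']}] priority-1 alert {e['sig']} '{e['msg']}' from {e['src']}"
               for e in self.events if e["kind"] == "ids" and e["priority"] == 1]
        for src, sensors in self.sensors_by_src.items():
            if len(sensors) >= min_sensors:
                out.append(f"source {src} seen by {len(sensors)} sensors: {sorted(sensors)}")
        for md5, sensors in self.sensors_by_sample.items():
            if len(sensors) >= min_sensors:
                out.append(f"sample {md5} captured by {len(sensors)} sensors: {sorted(sensors)}")
        return out

    def top(self, n=3):
        """Statistics for the administrator: most frequent signatures and attacking sources."""
        return {"signatures": self.sig_counts.most_common(n), "sources": self.src_counts.most_common(n)}


# Constructed sample input: two sensors, one source hitting both, one sample captured by both.
SENSOR_A_SNORT = [
    "08/19-13:08:46.118001  [**] [1:2003:8] MS-SQL Worm propagation attempt [**] "
    "[Classification: Misc Attack] [Priority: 2] {UDP} 203.0.113.7:1434 -> 192.0.2.10:1434",
    "08/19-13:09:02.551230  [**] [1:2050:11] MS-SQL version overflow attempt [**] "
    "[Classification: Attempted Administrator Privilege Gain] [Priority: 1] {UDP} 203.0.113.7:3019 -> 192.0.2.10:1434",
    "this line is not an alert and must be skipped",
]
SENSOR_B_SNORT = [
    "08/19-13:10:11.004412  [**] [1:2003:8] MS-SQL Worm propagation attempt [**] "
    "[Classification: Misc Attack] [Priority: 2] {UDP} 203.0.113.7:1434 -> 198.51.100.5:1434",
]
SAMPLE_MD5 = "a" * 32  # placeholder hash, not a real sample
# Honeypot captures in this example's own simplified shape, not Nepenthes' or Sebek's log format.
SENSOR_A_HONEY = [{"src": "198.18.0.9", "dst": "192.0.2.11", "dport": 445, "md5": SAMPLE_MD5}]
SENSOR_B_HONEY = [{"src": "198.18.0.9", "dst": "198.51.100.6", "dport": 445, "md5": SAMPLE_MD5}]


def run_demo():
    server = EarlyWarningServer()
    for line in client_report("sensor-A", SENSOR_A_SNORT, SENSOR_A_HONEY):
        server.ingest(line)
    for line in client_report("sensor-B", SENSOR_B_SNORT, SENSOR_B_HONEY):
        server.ingest(line)
    return server


if __name__ == "__main__":
    for w in run_demo().warnings():
        print("WARNING:", w)
    print(run_demo().top())
```

Running the demo yields four warnings: the priority-1 overflow alert from sensor-A, the source 203.0.113.7 seen by both sensors, the honeypot source 198.18.0.9 seen by both, and the placeholder sample captured by both; raising `min_sensors` to 3 leaves only the priority-1 alert. The parser deliberately returns None for non-alert lines so a sensor can feed its whole alert file without pre-filtering; in a real deployment the JSON lines would travel over an authenticated channel, since an attacker who can forge sensor reports can flood the administrator with false warnings.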