In recent years, information security has received more and more attention. However, many system administrators still do not put network security measures into practice, and hacking tools are increasingly easy to obtain, so attackers can easily break into hosts or paralyze hosts and network devices through certain attacks. Such intrusions cause losses to companies and individuals that are hard to estimate. Passive defense and detection tools such as firewalls and intrusion detection systems (IDS) only focus on warning, prevention and detection; they do not deter attackers. In fact, only finding the attackers and taking legal action against them can effectively deter attacks.

This paper proposes an intrusion detection and traceback mechanism called the "Union Defense of Intrusion Detection and Traceback System (UDIDT)". Within its own network region, UDIDT detects intrusions with a multi-stage intrusion detection system named Multi-phase IDS (MIDS). It records digests (hash codes) of the packets flowing through that region and, by cooperating with other regions, traces the source of most types of attack with a union defense approach.

In this research, we first collect and summarize the packet characteristics of various attack patterns, together with existing intrusion detection systems and traceback systems, and analyze their advantages and shortcomings. We then use the concept of union defense across network regions to design the system. MIDS is designed as a real-time intrusion detection system and also supplies the pre-recorded data that UDIDT needs to trace an intrusion back to its source. Finally, experiments validate the efficiency and availability of the Detecting Queue in MIDS.
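
The digest recording and cross-region cooperation described in the abstract can be illustrated as follows. This is an added example, not code from the thesis; the digest input (SHA-256 over source, destination, protocol, IP ID and the first 8 payload bytes), the `Region` class, the in-memory set and the topology are all assumptions made for illustration.

```python
import hashlib

def packet_digest(src, dst, proto, ip_id, payload):
    # Assumed digest input: header fields that stay constant hop to hop
    # (TTL and checksum are left out) plus the first 8 payload bytes.
    fields = f"{src}|{dst}|{proto}|{ip_id}|".encode()
    return hashlib.sha256(fields + payload[:8]).digest()[:8]

class Region:
    """Hypothetical cooperating region that logs digests of forwarded packets."""
    def __init__(self, name):
        self.name = name
        self.digests = set()   # a real deployment would use a bounded structure
        self.upstream = []     # neighbouring regions traffic can arrive from

    def forward(self, pkt):
        self.digests.add(packet_digest(*pkt))

    def saw(self, digest):
        return digest in self.digests

def traceback(victim_region, digest):
    """Follow the digest upstream, region by region, from the victim's region."""
    path, current, visited = [], victim_region, set()
    while current is not None and current.saw(digest):
        path.append(current.name)
        visited.add(current.name)
        current = next((r for r in current.upstream
                        if r.name not in visited and r.saw(digest)), None)
    return path

def demo():
    # Constructed topology: A -> B -> D and C -> D, with the victim in D.
    a, b, c, d = (Region(n) for n in "ABCD")
    b.upstream, d.upstream = [a], [b, c]
    # Constructed packets; the attack packet carries a spoofed source address.
    attack = ("203.0.113.9", "198.51.100.5", 6, 4242, b"constructed-attack")
    benign = ("192.0.2.7", "198.51.100.5", 6, 1001, b"constructed-benign")
    for region in (a, b, d):
        region.forward(attack)
    for region in (c, d):
        region.forward(benign)
    return traceback(d, packet_digest(*attack))

if __name__ == "__main__":
    print(demo())
```

The reconstructed path depends only on which regions logged the digest, so the spoofed source address in the packet does not affect the result.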