系統識別號 | U0002-3006201422581500 |
---|---|
DOI | 10.6846/TKU.2014.01255 |
論文名稱(中文) | 運用軟體定義網路消弭網路攻擊初期災害 |
論文名稱(英文) | Employing Software-defined Network to Eliminate the Early Disaster of Cyber Attacks |
第三語言論文名稱 | |
校院名稱 | 淡江大學 |
系所名稱(中文) | 資訊管理學系碩士班 |
系所名稱(英文) | Department of Information Management |
外國學位學校名稱 | |
外國學位學院名稱 | |
外國學位研究所名稱 | |
學年度 | 102 |
學期 | 2 |
出版年 | 103 |
研究生(中文) | 黃翊宸 |
研究生(英文) | Yi-Chen Huang |
學號 | 600630056 |
學位類別 | 碩士 |
語言別 | 繁體中文 |
第二語言別 | |
口試日期 | 2014-06-21 |
論文頁數 | 69頁 |
口試委員 |
指導教授
-
梁德昭
委員 - 鄭啟斌 委員 - 江俊毅 |
關鍵字(中) |
軟體定義網路 OpenFlow 入侵偵測系統 Open vSwitch OpenDaylight |
關鍵字(英) |
SDN OpenFlow IDS Open vSwitch OpenDaylight |
第三語言關鍵字 | |
學科別分類 | |
中文摘要 |
在網路的世界中,防杜外部入侵與內部網路攻擊所造成的災害一向是重要的議題。如何有效的防範並減少網路攻擊成功的機會至關重要。早期通常仰賴入侵偵測或入侵防範系統來預警,如今有了軟體定義網路(SDN)的架構提出,使得原本的網路架構得以配合上自行開發之SDN應用程式能夠有效而及時的針對潛在的網路攻擊進行防衛及因應處置。 本文將提出將IDS配合SDN應用程式自動化的構想,用以優化IDS或IPS告警程序並縮短網管人員進行防火牆等網路設備修訂網路政策所需時間,進而降低網路攻擊成功之機會,同時封鎖網路攻擊封包來源,使攻擊封包進網路交換器傳送前即被丟棄,從而大量減少網路攻擊封包所消耗的頻寬。 |
英文摘要 |
In cyber world, it has been always an important issue that to prevent disasters from external intrusion as well as internal attacks. How to effectively prevent from cyber attacks or reduce the damage of a successful cyber attacks are then critical to be explored. Usually they are rely on intrusion detection or intrusion prevention systems for early warning, however, a software-defined network (SDN) architecture has been proposed such that a self-developed SDN application program can be employed to effectively defense and timely response to the potential network attack . In this article, a concept that using IDS application with SDN automation is proposed. It can optimize IDS/IPS alert procedures and shorten the time of amending network security policy on network equipments such as firewall and routers. It is supposed to reduce the possibility of a successful cyber attack than the usual way. Furthermore, SDN cooperated with Open Flow can also discard attack packets in advance before they can enter into network switch, this will reduce the bandwidth consumed by network attacks. |
第三語言摘要 | |
論文目次 |
目錄 第壹章 緒論 1 第貳章 入侵偵測的現行技術與可運用提升效能的開放資源 4 2.1 OpenFlow 6 2.2 OpenFlow交換器介紹 7 2.3 OpenFlow交換器與傳統交換器架構比較 10 2.4 SDN Controller 12 2.4.1 OpenDaylight 12 2.4.2 NOX 和 POX 14 2.4.3 Beacon 15 2.4.4 Big Network Controller & Floodlight 16 2.4.5 Maestro 17 2.4.6 Ryu 17 2.5 OpenDaylight Northbound Interface 18 2.5.1 Topology REST APIs 18 2.5.2 Host Tracker REST APIs 21 2.5.3 Flow Programmer REST APIs 25 2.5.4 Static Routing REST APIs 29 2.5.5 Statistics REST APIs 32 2.6 Open vSwitch 42 2.7 入侵偵測系統 43 2.7.1 入侵系統依設計方式分類 43 2.7.2 入侵偵測系統依偵測方式分類 45 第參章IDS/IPS自動反應之系統配置 47 3.1 自動反應系統架構 47 3.1.1 OpenDaylight Controller控制伺服器 48 3.1.2 OpenFlow交換機 48 3.1.3 IDS – 入侵偵測系統 48 3.1.4 Web Server 49 3.1.5 SDN Application 49 3.2 IDS/IPS反映自動化之處理流程 50 第肆章IDS/IPS自動反應系統的實作與展示 52 4.1 實作電腦系統規格 52 4.2 系統架設及操作 53 4.2.1 OpenDaylight Controller 53 4.2.2 OpenFlow Switch 55 4.2.3 Snort入侵偵測系統: 57 4.2.4 Web Server 58 4.2.5 SDN Application: 58 4.3 自動反應展示 59 第伍章 結論 67 第陸章 參考文獻 68 圖目錄 圖 2-1、入侵偵測系統偵測到入侵活動時的反應處理過程 5 圖 2-2、Openflow 運作示意圖[15] 7 圖 2-3、ofdatapath 封包處理流程圖 8 圖 2-4、傳統與SDN網路架構圖 11 圖 2-5、OpenDayLight 對應於SDN的層級(控制平台)架構[16] 13 圖 2-6、網路式入侵偵測系統 44 圖 2-7、SIEM網路事件分析平台 45 圖 3-1、IDS/IPS自動反應之系統架構 48 圖 3-2、IDS/IPS反映自動化之處理流程 50 圖 4-1、OpenDaylight的執行 54 圖 4-2、OpenDaylight的圖形化介面 55 圖 4-3、open vswitch正常啟動螢幕顯示 56 圖 4-4、Snort圖形化的監控管理畫面 58 圖 4-5、實驗環境接線圖 60 圖 4-6、初始的Flow Entry 61 圖 4-7、設定了封包複製的Flow Entry 61 圖 4-8、IDS發出syslog示意圖 62 圖 4-9、SDN Application收到IDS發出syslog的反應 62 圖 4-10、阻擋異常封包及HTTP Redirect Flow Entry 63 圖 4-11、警告畫面示意圖 63 圖 4-12、SDN Application移除HTTP Redirect規則 64 圖 4-13、使用者上常使用網頁示意圖 65 圖 4-14、SDN Application寄出件信內容 66 表目錄 表 2-1、Flow Table的欄位 9 表 2-2、傳統與SDN網路架構功能比較表 12 |
參考文獻 |
[1] D. Cameron, Internet2: The Future of the Internet and Next-Generation Initiatives: Computer Technology Research Corp., 1999. [2] G. Fairhurst, B. Collini-Nocker, and L. Caviglione, "FIRST: Future Internet — a role for satellite technology," Satellite and Space Communications, 2008. IWSSC 2008. IEEE International Workshop on, pp. 160-164, Oct. 2008. [3] D. Y. Kim, L. Mathy, M. Campanella, R. Summerhill, J. Williams, S. Shimojo, et al., "Future Internet: Challenges in Virtualization and Federation," Telecommunications, 2009. AICT '09. Fifth Advanced International Conference on, pp. 1-8, May. 2009. [4] J. Lee, S. Kang, Y. Lee, and J. Lee, "A Study on the Future Internet Requirement and Strategy in Korea," Advanced Communication Technology, 2008. ICACT 2008. 10th International Conference on, vol. 1, pp. 627-629, Feb. 2008. [5] P. Stuckmann and R. Zimmermann, "European research on future Internet design," IEEE Wireless Communications, vol. 16, pp. 14-22, Oct. 2009. [6] Open Network Foundation. Available: https://www.opennetworking.org/ [7] SDN white paper. Available: https://www.opennetworking.org/sdn-resources/sdn-library/whitepapers [8] K. Bakshi, "Considerations for Software Defined Networking (SDN): Approaches and use cases," Aerospace Conference, 2013 IEEE, pp. 1-9, Mar. 2013. [9] A. C. Risdianto and E. Mulyana, "Implementation and analysis of control and forwarding plane for SDN," Telecommunication Systems, Services, and Applications(TSSA), 2012 7th International Conference on, pp. 227-237, Oct. 2012. [10] M.-K. Shin, K.-H. Nam, and H.-J. Kim, "Software-defined networking (SDN): A reference architecture and open APIs," ICT Convergence (ICTC), 2012 International Conference on, pp. 360-361, Oct. 2012. [11] S. McClure, J. Scambray, and G. Kurtz, Hacking exposed - network security secrets & solutions, 4 ed.: McGraw Hill, 2004. [12] T. Crothers, Implementing Intrusion Detection Systems: A Hands-On Guide for Securing the Network: Willey, 2002. [13] 黃勝獅, "Botnet Traffic Analysis and Dectection by Using OpenFlow Switch," 2011. [14] N. Gude, T. Koponen, J. Pettit, B. Pfaff, M. Casado, N. McKeown, et al., "NOX: towards an operating system for networks," ACM SIGCOMM Computer Communication Review, vol. 38, pp. 105-110, Jul. 2008. [15] N. McKeown, T. Anderson, H. Balakrishnan, G. Parulkar, L. Peterson, J. Rexford, et al., "OpenFlow : enabling innovation in campus networks," ACM SIGCOMM Computer Communication Review, pp. 69-74, 2008. [16] OpenDaylight. Available: http://www.opendaylight.org/ [17] Open vSwitch. Available: http://openvswitch.org/ [18] XenServer Open Source Virtualization. Available: http://www.xenserver.org/ [19] KVM. Available: http://www.linux-kvm.org/ [20] VirtualBox. Available: https://www.virtualbox.org/ |
論文全文使用權限 |
如有問題,歡迎洽詢!
圖書館數位資訊組 (02)2621-5656 轉 2487 或 來信