Bachelor's Thesis, Academic Year 2010 (Heisei 22)
Supervisor: Rodney D. Van Meter III
Submitted 13 February 2011 (Heisei 23)
Abstract of Bachelor's Thesis, Academic Year 2010

Network Traffic Visualization to Enhance Security Awareness

For typical computer users today, information security practice is passive: users act only after malicious software or an attack attempt has been detected. Recent security breaches caused by the continuous appearance of new malware, however, mean that users need to recognize threats themselves and consider countermeasures. This thesis designs and implements a computer game that observes network traffic and uses it as game components in order to raise end users' security awareness. Used alongside existing anti-virus software, it lets a user monitor network traffic while building an understanding of information security on his or her own. End users can see the state of their network traffic without technical knowledge and, at the same time, notice malware and security incidents on their network. Because the software replaces every technical term with a familiar object, it speeds up the user's understanding without requiring any technical vocabulary. The thesis aims to bring this kind of enlightenment to end users through software, and to establish a beachhead for changing their security consciousness.

Keywords: 1. Packet Capturing, 2. Entertainment, 3. Internet Security, 4. Network Monitoring

Keio University, Faculty of Policy Management
Hideaki Fukuoka
Chapter 1

Only fragments of the Japanese body text survive on this page; they are listed by section.

1.1  Background: the JNSA 2009 incident survey report [1] (figures 166 and 1539); Winny [2]; Antinny [3]; XSS; scareware [4]; 87.4% [5]; the IPA 2009 awareness survey [5].
1.2  (subsections 1.2.1, 1.2.2 and 1.2.3; the only surviving term, in 1.2.3, is IP)
1.3  Organization of the thesis: chapters 2 through 8.
Chapter 2

2.1  McAfee's third-quarter 2010 threats report [6] (1.44; 1; 79.3; 5.2 [5]).
2.1.1  Symantec's Bloodhound heuristic detection [7]. Fake security software: Security Tool [8] and other scareware [4]; Antinny [3], [9], [10] (1); 2009 and 2010 [11]; the September 2010 Twitter XSS incident [12], [13] (JavaScript injected into Twitter; 1); [5].
2.1.2  The IPA 2009 awareness survey [5]; 4; [14]; 8 [5]; 4-3-1-1; 80 (cf. 2.1.1).
2.2, 2.3, 2.4  (1; 1; 3)
Chapter 3

3.1  [15]; HTTP and DNS [16]; 80; Packet Garden [17] (Figure 3.1).
Figure 3.1: Packet Garden (GIGAZINE [18])
3.2  [19]
3.3  Nintendo [20]; 1998: Pocket Pikachu [21] and Tamagotchi [22] (1); 1998 (4, 1) [23]; 2007: Wii [24] and Wii Fit [25]; 2006: Nintendo DS [26] and Kanken DS [27]; 2005: DS [28].
3.4  Summary
Chapter 4

4.1  (cf. 2.2; 2) 4.1.1 (Figure 4.1) 4.1.2
Figure 4.1
4.2  (3) 4.2.1 HTTP, DNS, IP (Figure 4.2: Web) 4.2.2 (Figure 4.3) 4.2.3
Figure 4.2: Web
Figure 4.3
4.3  Summary (3; 3; 3; chapter 5)
Chapter 5

5.1  (3) 5.1.1 (1) 5.1.2 (2) 5.1.3
Figure 5.1: PacketCapture
5.2  (3) 5.2.1 (Figure 5.1) 5.2.2 (Figure 5.2) 5.2.3 (3) 5.2.4
Figure 5.2 (1)
Figure 5.3
5.3  5.3.1 IP addresses (IPv4: 32 bit; IPv6: 128 bit); DDoS (1 IP). Ports 80, 135, 139 and 445 (1); TCP SYN. 5.3.2
Figure 5.4
5.3.3  HTTP; ports from 1024 upward (Registered Port Number); Figure 5.4; SYN; 6; IP.
Figure 5.5
5.4  5.4.1 5.4.2 5.4.3 (1; HTTP, Web; 6) 5.4.4 (100)
5.5  Summary (3)
Chapter 6

6.1  Implementation environment: C++ with Visual Studio 2008 and DirectX 9, on Windows (Windows XP). Windows accounted for 90.19% of the OS market in December 2010 [29].

6.2  Traffic classification (Figure 6.1), sizing (Equation 6.1) and SYN handling.

6.2.1  Packets are grouped into categories (for example FTP, DNS and HTTP; 3; 1) by transport protocol (TCP or UDP) and port number. Well-known port numbers run from 0 to 1023. Table 6.1 separates TCP from UDP and ports 0 to 1023 from ports 1024 and above; the complete category lists are Tables A.1 and A.2 in Appendix A. Ports 80 and 8080 are both HTTP; other named categories are SSL, SMTP, POP3, MSN, AOL, IRC, P2P, SSH, DHCP and NETBIOS, together with ports 135, 139 and 445. The ranges used are WELL KNOWN PORT NUMBERS (0 to 1023), REGISTERED PORT NUMBERS (1024 to 49151) and DYNAMIC AND/OR PRIVATE PORTS (49152 to 65535). UDP port 12800 inside the registered range is a special case (4; see Table A.2).

6.2.2  Object size (Figure 6.2; cf. 5.3.3; IP; 4). The factor M lies between 0.3 and 1 and is computed from the totals L_Total and C_Total against the thresholds L_th = 50000 and C_th = 100:

$$M = 0.3 + \min\!\left(0.35\,\frac{L_{Total}}{L_{th}},\ 0.35\right) + \min\!\left(0.35\,\frac{C_{Total}}{C_{th}},\ 0.35\right), \qquad L_{th} = 50000,\ C_{th} = 100 \tag{6.1}$$

6.2.3  SYN (Figure 6.3): TCP SYN segments are counted (1 SYN).

6.3  Game mechanics (Figure 6.4).
6.3.1  (1; 1; 5)
6.3.2  (1; 9; 2; 2; Figure 6.5; 10; 30; 10; 1; 60; 120) Equation (6.2): P is computed from random(60), random(50) and random(20) together with the ratios Ht/Ht_max and Eq/Eq_max, and is multiplied by 0.2 when Hp falls below Hp_limit/2. (10; 1; 5) Equation (6.3): I is computed from Ec, Population, Tx and the constant 0.7 (I ≥ 0); Ec is bounded by Ec_limit = 100. Equation (6.4): Ec is formed from Ec_amp and Ec_middle divided by Population (Ec_amp 10; MerchantPower; 800; Population_th = 69200; cap 70000); Ec_middle involves Ec_limit/2, Ec and 10000. Equation (6.5): Hp = 10 + random(Hp_rnd), where Hp_rnd starts at 0 and is raised by 20, 5 and 5 under conditions on the values 1000, 100 and 10%. (10)
6.3.3  (Figure 6.6: 1; 1) Equation (6.6): Ec is computed from Amount/100, Tech/Tech_max, Demand³ and Supply³, min(0.98, 1.0 ...) and 2.2 (1; 700; 3; 3; Figure 6.7). Equation (6.7): IX_amount is computed from Amount, 1/2 and Duty/100 (Duty 100G; 0G; 1; 5000G; 0; 3).
6.3.4  (Figure 6.7; Figure 6.8; cf. 5.4.3)
6.3.5  (Figure 6.9: 9; Figure 6.10; Figure 6.11: 1; Figure 6.12: 2)
6.4  Summary. The source code is given in Appendix B.
Chapter 7

7.1  Evaluation environment: Windows XP SP3.

7.2  Preliminary evaluation: 12 respondents answered 6 questions on a five-point scale (0 to 4; 10); the distributions are in Appendix C.1.
7.2.1  Mean scores per question: 4.17, 4.17, 4.08, 3.58, 4.08 and 4.75 (the lowest, 3.58, against 4.08; 6; 5; 3; 4; 5).
7.2.2  (6; 5; 5)

7.3  Web questionnaire: 35 responses collected with Google Docs [30] (6; 10); the distributions are in Appendix C.2.
7.3.1  (Figure C.1)
7.3.2  27 of the 35 respondents answered 5 or 4 (3).
7.3.3  Web use (Figure C.2): 29 of 35 (82.8%) yes, 6 (17.2%) no.
7.3.4  27 answered 4 or 3 (Figure C.3).
7.3.5  (Figure C.4; 2)
7.3.6  (Figure C.5; 2)
7.3.7  34 of 35 answered 5, 4 or 3 (Figure C.6).
7.3.8  (3)
Figures 7.1 to 7.6
7.4  Discussion (2; 70%)
7.5  Summary
Chapter 8

8.1  Conclusion: 35 respondents; 70%; 88%.
8.2  Future work
Acknowledgements: Rodney D. Van Meter III; Doan Viet Tung (4; 22).
References

[1] NPO JNSA. 2009 incident survey report, ver. 1.1. http://www.jnsa.org/result/incident/data/2009incident_survey_v1.1.pdf, September 2010.
[2] 47. Winny. http://www.geocities.co.jp/siliconvalley/2949/, November 2003.
[3] e-Words IT glossary. Antinny. http://e-words.jp/w/antinny.html, August 2003.
[4] Wikipedia (Japanese). Fake security tools (scareware). http://ja.wikipedia.org/wiki/%e5%81%BD%E8%A3%85%E3%82%BB%E3%82%AD%E3%83%A5%E3%83%AA%E3%83%86%E3%82%A3%E3%83%84%E3%83%BC%E3%83%AB, December 2010.
[5] IPA. FY2009 information security awareness survey. http://www.ipa.go.jp/security/fy21/reports/ishiki/documents/2009-ishiki.pdf, April 2009.
[6] McAfee (Japan). Threats report, third quarter 2010 (press release). http://www.mcafee.com/japan/about/prelease/pr_10b.asp?pr=10/11/17-1, November 2010.
[7] Symantec. Bloodhound (heuristic detection). http://www.symantec.com/region/jp/avcenter/reference/heuristc.pdf, May 1998.
[8] GIGAZINE. Security Tool. http://gigazine.net/news/20100927_security_tool/, September 2010.
[9] Internet Watch. Winny (PC). http://internet.watch.impress.co.jp/cda/news/2007/06/13/16027.html, May 2007.
[10] Internet Security Knowledge. Winny. http://is702.jp/news/130/partner/34_i/, March 2008.
[11] IPA. Monthly report, 11. http://www.ipa.go.jp/security/txt/2010/12outline.html, December 2010.
[12] Twitter. http://twitter.com, September 2009.
[13] ITmedia. Twitter XSS. http://www.itmedia.co.jp/enterprise/articles/1009/24/news023.html, September 2010.
[14] SECOM Trust Systems. 80. http://www.secomtrust.net/infomeasure/rouei/column1.html, December 2010.
[15] (Japanese paper; authors and title in Japanese). Vol. 57, pp. 47–52, March 2009.
[16] (Japanese paper; authors and title in Japanese). OIS, 104(714), pp. 7–12, March 2005.
[17] Packet Garden. Main - Home page. http://www.selectparks.net/~julian/pg/pmwiki.php?n=main.homepage, July 2007.
[18] GIGAZINE. Packet Garden. http://gigazine.net/news/20070117_packetgarden/, January 2007.
[19] (Japanese paper; authors and title in Japanese). Vol. 41, No. 12, pp. 3265–3275, December 2000.
[20] Nintendo. http://www.nintendo.co.jp/, November 1947.
[21] Nintendo. Pocket Pikachu. http://www.nintendo.co.jp/n09/pokepika/index.html, March 1998.
[22] BANDAI. Tamagotchi. http://tamagotch.channel.or.jp/, November 1996.
[23] JATY. Anime sales wiki (JATY 1998). http://wiki.fdiary.net/animesales/, December 2010.
[24] Nintendo. Wii. http://www.nintendo.co.jp/wii/, November 2006.
[25] Nintendo. Wii Fit. http://www.nintendo.co.jp/wii/rfnj/, December 2007.
[26] Nintendo. Nintendo DS. http://www.nintendo.co.jp/ds/, November 2004.
[27] Rocket Company. Kanken DS. http://www.rocketcompany.co.jp/kanken/, September 2006.
[28] Nintendo. DS. http://www.nintendo.co.jp/ds/andj/, May 2005.
[29] Net Applications. OS market share. http://marketshare.hitslink.com/os-market-share.aspx?qprid=11#, December 2010.
[30] Google. Google Docs. https://docs.google.com/, January 2011.
Appendix A

A.1

Table A.1: Categories (1)
  HTTP
  HTTPS
  SMTPS
  NNTPS
  SMTP
  POP3
  IMAP
  IMAPS
  POP3S
  MESSENGER
  CD
  FTP
  P2P
  IRC
  SSH
  Telnet
  DNS
  DHCP
  NNTP
  NETBIOS
  UPnP
  WELL KNOWN PORT (SEND)
  WELL KNOWN PORT (RECV)
  RPC
  File Sharing
  NON TCP and NON UDP
  Registered by User
  DropBox

Table A.2: Categories (2)
  TCP (SEND) Registered Port Number
  TCP (RECV) Registered Port Number
  TCP (SEND) Dynamic Port Number
  TCP (RECV) Dynamic Port Number
  UDP (SEND) Registered Port Number with Port ≠ 12800
  UDP (RECV) Registered Port Number with Port ≠ 12800
  UDP (SEND) Registered Port Number with Port = 12800
  UDP (RECV) Registered Port Number with Port = 12800
  UDP (SEND) Dynamic Port Number
  UDP (RECV) Dynamic Port Number
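The classification described in section 6.2.1 and Tables A.1 and A.2, followed by the size factor of Equation (6.1), as an added example in Python. This is editor-written code, not the thesis' C++ implementation, and it assumes several things the page does not state: a service is identified by the well-known port on the remote side of the packet (falling back to the local side), the service names for those ports follow standard IANA assignments, L_Total is the byte total and C_Total the packet count accumulated per category, and the two UDP rows for port 12800 in Table A.2 mean "= 12800" and "≠ 12800". The sample capture at the bottom is constructed, not recorded traffic.

```python
# Added example (editor's code, not from the thesis): port-based packet categorisation
# in the style of section 6.2.1 / Tables A.1 and A.2, plus the size factor M of eq. (6.1).
from dataclasses import dataclass

WELL_KNOWN_MAX = 1023      # WELL KNOWN PORT NUMBERS: 0-1023
REGISTERED_MAX = 49151     # REGISTERED PORT NUMBERS: 1024-49151; DYNAMIC: 49152-65535
SPECIAL_UDP_PORT = 12800   # the UDP port singled out in Table A.2 (assumed: = vs !=)
L_TH, C_TH = 50000, 100    # thresholds of equation (6.1); L = bytes, C = packets (assumed)

# Assumed service names (IANA numbers chosen by the editor) for ports the page mentions.
SERVICE_BY_PORT = {
    20: "FTP", 21: "FTP", 22: "SSH", 23: "Telnet", 25: "SMTP", 53: "DNS",
    67: "DHCP", 68: "DHCP", 80: "HTTP", 110: "POP3", 119: "NNTP", 135: "RPC",
    137: "NETBIOS", 138: "NETBIOS", 139: "NETBIOS", 143: "IMAP", 443: "HTTPS",
    445: "File Sharing", 465: "SMTPS", 563: "NNTPS", 993: "IMAPS", 995: "POP3S",
    8080: "HTTP",          # the page treats 8080 like 80
}


@dataclass(frozen=True)
class Packet:
    proto: str        # "TCP", "UDP" or anything else (e.g. "ICMP")
    direction: str    # "SEND" (local -> remote) or "RECV" (remote -> local)
    local_port: int
    remote_port: int
    length: int       # bytes on the wire


def port_range(port: int) -> str:
    """Range name used by Table A.2."""
    if port <= WELL_KNOWN_MAX:
        return "WELL KNOWN PORT"
    if port <= REGISTERED_MAX:
        return "Registered Port Number"
    return "Dynamic Port Number"


def classify(pkt: Packet) -> str:
    """Category name in the style of Tables A.1 / A.2 for one packet."""
    if pkt.proto not in ("TCP", "UDP"):
        return "NON TCP and NON UDP"
    for port in (pkt.remote_port, pkt.local_port):   # remote side first (assumed rule)
        if port in SERVICE_BY_PORT:
            return SERVICE_BY_PORT[port]
    rng = port_range(pkt.remote_port)
    if rng == "WELL KNOWN PORT":
        return f"WELL KNOWN PORT ({pkt.direction})"
    if pkt.proto == "UDP" and rng == "Registered Port Number":
        rel = "=" if pkt.remote_port == SPECIAL_UDP_PORT else "!="
        return f"UDP ({pkt.direction}) {rng} with Port {rel} {SPECIAL_UDP_PORT}"
    return f"{pkt.proto} ({pkt.direction}) {rng}"


def aggregate(packets):
    """Per-category (L_Total, C_Total): byte total and packet count."""
    totals = {}
    for p in packets:
        cat = classify(p)
        l, c = totals.get(cat, (0, 0))
        totals[cat] = (l + p.length, c + 1)
    return totals


def magnification(l_total: int, c_total: int) -> float:
    """Equation (6.1): M rises from 0.3 to 1.0 as the totals reach L_th and C_th."""
    return (0.3
            + min(0.35 * l_total / L_TH, 0.35)
            + min(0.35 * c_total / C_TH, 0.35))


def category_sizes(packets):
    """Category -> M, i.e. how large the object for that category is drawn."""
    return {cat: magnification(l, c) for cat, (l, c) in aggregate(packets).items()}


# Constructed sample capture (not real traffic).
SAMPLE_PACKETS = [
    Packet("TCP", "SEND", 51234, 80, 512),      # HTTP request
    Packet("TCP", "RECV", 51234, 80, 1400),     # HTTP response
    Packet("UDP", "SEND", 51235, 53, 60),       # DNS query
    Packet("TCP", "SEND", 51236, 445, 200),     # SMB / File Sharing
    Packet("UDP", "SEND", 51237, 12800, 100),   # the special UDP port
    Packet("UDP", "RECV", 51238, 30000, 100),   # other registered UDP port
    Packet("TCP", "SEND", 51239, 60000, 80),    # dynamic-range TCP peer
    Packet("ICMP", "RECV", 0, 0, 64),           # neither TCP nor UDP
]

if __name__ == "__main__":
    for cat, m in category_sizes(SAMPLE_PACKETS).items():
        print(f"{cat:55s} M={m:.3f}")
```

With the sample capture the HTTP category accumulates 1912 bytes in 2 packets, so its M is only 0.32; the thresholds L_th and C_th mean an object reaches full size once a category has carried 50 000 bytes and 100 packets.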
Appendix B

B.1  Source code environment: Windows XP SP3, C++, WinPcap, DirectX. Size: 147,965. UI.
B.2
Appendix C

C.1  Preliminary evaluation (12 respondents, 6 questions, scores 5 to 1)

  Question   5   4   3   2   1   Mean
  1          6   3   2   1   0   4.17
  2          5   4   3   0   0   4.17
  3          4   5   3   0   0   4.08
  4          2   4   5   1   0   3.58
  5          6   2   3   1   0   4.08
  6          9   3   0   0   0   4.75

C.2  Web questionnaire (35 respondents, scores 5 to 1)

  Figure      5    4    3    2    1
  C.1         5   20    9    1    0
  (untitled) 10   17    6    2    0
  C.2  Web use: yes 29 (82.8%), no 6 (17.2%)
  C.3         4   15   12    4    0
  C.4         8    8   18    1    0
  C.5        13   11    8    2    1
  C.6        19    8    7    1    0