Author: 林信漳
Author (English): Hsin-Chang Lin
Title (Chinese): 網路安全與網路攻擊偵測之研究
Title (English): A Study of Network Security and Network Attacks Real Time Detection
Advisor: 李管陵
Advisor (English): Guan-Ling Lee
Committee members: 張耀中, 李官陵, 羅壽之, 徐嘉連, 彭文志
Degree: Doctoral
Institution: National Dong Hwa University (國立東華大學)
Department: Department of Computer Science and Information Engineering (資訊工程學系)
Student ID: 89521001
Year of publication (ROC calendar): 107 (2018)
Graduation academic year: 106
Language: English
Pages: 85
Keywords (Chinese): denial of service; network attacks; network security; cross-platform mobile APP
Keywords (English): Denial of Service; DDoS; network attacks; security; IDS; HTML5; mobile app development; cross mobile platforms
Abstract (Chinese, translated):
With network environments growing ever more complex, network security has become one of the most prominent issues of our time. In recent years, as network applications have become widespread and convenient, applications and services built on interconnected networks have grown rapidly, and the network security problems that come with them must be faced. At the same time the techniques of network attack and intrusion are becoming more numerous, more complex and harder to identify. Against these many variant attacks, most existing detection methods recognise only attack behaviour that has already been clearly analysed and understood. Once a detectable attack is modified, it often slips through this class of detection, and against unknown attacks such methods are helpless. How to build a network intrusion detection system that is independent of signature updates and, through its own adaptability, analyses unknown anomalous network behaviour or attacks and quickly locates the attack source and pattern has long been an important research topic for secure information environments. Toward this goal, this thesis studies the various attacks and patterns seen in networks and seeks a fast, effective and easily deployed detection system that alerts network administrators in real time when an attack occurs, so that they can intervene in time and prevent greater losses to the enterprise.
In this research we analysed many network attacks and intrusion techniques and found that, in their initial phase, most share one feature: some form of network scanning. How to detect network scanning in real time, quickly and effectively, therefore became the focus of our research. After a detailed study of the TCP/IP protocols and related work, we found that the messages of the TCP three-way handshake that confirm a connection can be used to filter out malicious connection information. This thesis proposes counting the number of failed three-way handshakes to detect probable attack scans. The counting is implemented with a hash-based Counting Bloom Filter, so both its time and space complexity stay at the O(1) level, giving fast detection while keeping the resources the system needs under control. In related work, many papers hash the (source IP, destination IP) pair as the counting key, but this makes the item set as large as 2^64. This thesis proposes hashing the source IP and the destination IP separately as counting keys, so that each IP set has only 2^32 items, which clearly lowers the collision probability and the space required for the counter arrays. The thesis also proposes a threshold value as the criterion for attack detection, and the algorithm clears the count record of any key that reaches the threshold, so that the whole system keeps detecting effectively over the long term. Finally, the thesis demonstrates the actual operation and performance of this system.
Most papers that study attacks by counting use only cumulative counts and rarely check the validity of a count against the time axis. Yet an effective network attack usually has to generate a large volume of attack traffic in a short time in order to paralyse a network service, so counts separated by too long an interval are in fact not meaningful. This thesis therefore also introduces the concept of time decay, commonly used in real-time data mining, and resets outdated counts to zero so that they are recounted, improving the validity and correctness of the counts.
On the other hand, beyond external malicious attacks, the rapid development of new architectures and new applications also gives rise to new security threats, especially network security at the application layer. Now that mobile devices are ubiquitous and mobile applications (APPs) are used in large numbers, the network security of mobile application systems has become a new and important research topic. Securing mobile application systems requires not only network security devices that detect attacks and block malicious actors, but also a broadly reliable software security architecture, so that cybercrime or financial loss does not arise from security flaws the system itself exposes. On the security issues of mobile devices, this thesis, after research and analysis, proposes a cross-platform development model based on a Web service architecture, which extends the existing security understanding and management of Web services to a cross-platform APP development model. The thesis also demonstrates an implementation of this cross-platform APP development model.
Abstract (English):
Network security now plays an important role in modern society. As networks have come into wide use, the number of services built on network protocols has increased significantly.
Malicious attacks have followed, and even prospered, and they are becoming harder to detect. Most intrusion detection today targets the typical signs of attack activity, so it cannot correctly recognise every type of intrusion, since the attacks keep changing all the time.
This thesis presents a real-time packet-filtering module for DDoS detection that can accurately characterise the capabilities of attackers.
Its benefits are efficiency and flexibility: efficiency means the filter can capture network packets quickly, while flexibility refers to the filter's ability to be customised easily for different packet patterns.
The key idea is a hash-based synopsis data structure for sampling network data streams. This structure can efficiently track attacks and deliver synopses quickly while guaranteeing a relatively small space cost. The algorithm counts distinct destination or source IPs by distinguishing the different connection types. In other research, the source IP and destination IP are hashed as a pair into the CBF arrays when counting SYN-attack packets, which yields 2^64 possible items. In this thesis the source IP and the destination IP are hashed separately as the counter keys, so that there are 2^32 possible items instead. In this way we reduce collisions and memory consumption at the same time.
This thesis also points out the important role of the threshold value in attack detection. When the algorithm raises an alarm because an IP's key has reached the threshold, that IP's counter data and record are cleared so that counting starts over. This is what lets the system keep working effectively in continuous operation.
Most intrusion detection today cannot analyse a stream immediately and thoroughly. In this thesis we present a sliding window that keeps the recently arrived data and discards the old data that falls outside the window. Only malicious connection data kept in the sliding window is counted, and once that count exceeds the threshold, an alarm is sent. After the alarm, the system resets the data and starts a new count. As the contents of the sliding window evolve over time, users receive updated answers.
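The counting scheme that both abstracts above describe (failed three-way handshakes counted per source IP and per destination IP in separate Counting Bloom Filters, a sliding window that decays stale counts, and a threshold that raises an alarm and clears the offending key) as a runnable example. This is an added illustration, not the thesis's own implementation, and it fixes details the abstracts leave open: a failed handshake is taken to be a SYN answered by RST, or a SYN not completed by the client's ACK within a timeout; the filter uses SHA-256 double hashing; and the packets in demo() are constructed for the demonstration.

```python
# Added example, not the thesis's code: per-IP Counting Bloom Filters over failed TCP handshakes.
import hashlib
import struct
from collections import deque
from dataclasses import dataclass

class CountingBloomFilter:
    """m small counters, k hash functions: O(1) add/count; space fixed by m, not by key count."""
    def __init__(self, m: int = 4096, k: int = 3) -> None:
        self.k, self.counters = k, [0] * m
    def _indexes(self, key: str) -> list[int]:
        # k indexes by double hashing (h1 + i*h2) over one SHA-256 digest (an assumed choice).
        h1, h2 = struct.unpack("<QQ", hashlib.sha256(key.encode()).digest()[:16])
        return [(h1 + i * h2) % len(self.counters) for i in range(self.k)]
    def add(self, key: str, delta: int = 1) -> None:
        for i in self._indexes(key):
            self.counters[i] += delta
    def count(self, key: str) -> int:
        # Minimum of the k counters: exact unless all k slots collided with other keys.
        return min(self.counters[i] for i in self._indexes(key))

@dataclass
class Failure:
    ts: float  # time of the client's SYN
    src: str   # client that sent the SYN
    dst: str   # host it tried to reach

class HandshakeFailureDetector:
    """Each CBF is keyed by one IP (2^32 possible keys), not by the (src, dst) pair (2^64)."""
    def __init__(self, window: float, threshold: int, syn_timeout: float = 3.0) -> None:
        self.window, self.threshold, self.syn_timeout = window, threshold, syn_timeout
        self.by_src, self.by_dst = CountingBloomFilter(), CountingBloomFilter()
        self.pending: dict[tuple, float] = {}  # SYN 4-tuple -> time it was seen
        self.events: deque[Failure] = deque()  # failures still inside the window
    def _forget(self, f: Failure) -> None:
        self.by_src.add(f.src, -1)
        self.by_dst.add(f.dst, -1)
    def _reset(self, attr: str, key: str) -> None:
        # After an alarm, drop this key's failures so its count starts over (walks the window).
        for f in self.events:
            if getattr(f, attr) == key:
                self._forget(f)
        self.events = deque(f for f in self.events if getattr(f, attr) != key)
    def _record(self, f: Failure) -> list[str]:
        self.events.append(f)
        self.by_src.add(f.src)
        self.by_dst.add(f.dst)
        keyed = (("src", f.src, self.by_src), ("dst", f.dst, self.by_dst))
        hits = [(a, k, cbf.count(k)) for a, k, cbf in keyed if cbf.count(k) >= self.threshold]
        for a, k, _ in hits:  # check both before resetting either, so both can alarm
            self._reset(a, k)
        return [f"{a} {k}: {n} failed handshakes within {self.window}s" for a, k, n in hits]
    def advance(self, now: float) -> list[str]:
        """Time decay: expire failures older than the window; time out unanswered SYNs."""
        while self.events and now - self.events[0].ts > self.window:
            self._forget(self.events.popleft())
        alarms = []
        for four, t in list(self.pending.items()):
            if now - t > self.syn_timeout:  # never completed by the client's ACK
                del self.pending[four]
                alarms += self._record(Failure(t, four[0], four[2]))
        return alarms
    def observe(self, ts: float, src: str, sport: int, dst: str, dport: int, flags: str) -> list[str]:
        """Feed one TCP segment; flags is 'S', 'SA', 'A', 'R' or 'RA'. Returns alarms raised."""
        alarms = self.advance(ts)
        four = (src, sport, dst, dport)
        if flags == "S":
            self.pending[four] = ts
        elif flags == "A":
            self.pending.pop(four, None)  # third step of the handshake: success
        elif flags in ("R", "RA"):
            client = (dst, dport, src, sport)  # reversed tuple names the refused SYN
            if client in self.pending:
                alarms += self._record(Failure(self.pending.pop(client), dst, src))
        return alarms

def demo() -> dict:
    """Constructed traffic: a full handshake, a horizontal scan, a SYN flood, then decay."""
    det = HandshakeFailureDetector(window=10.0, threshold=5, syn_timeout=3.0)
    r = {"alarms": []}
    r["alarms"] += det.observe(0.0, "10.0.0.9", 40000, "10.0.0.5", 80, "S")  # legitimate
    r["alarms"] += det.observe(0.1, "10.0.0.5", 80, "10.0.0.9", 40000, "SA")
    r["alarms"] += det.observe(0.2, "10.0.0.9", 40000, "10.0.0.5", 80, "A")
    for i in range(5):  # one source probes port 22 on five hosts; all refuse with RST/ACK
        host = f"10.0.0.{i + 1}"
        r["alarms"] += det.observe(1.0 + i, "192.0.2.77", 50000 + i, host, 22, "S")
        r["alarms"] += det.observe(1.01 + i, host, 22, "192.0.2.77", 50000 + i, "RA")
    for i in range(5):  # five spoofed sources never ACK the server's SYN-ACK
        spoofed = f"203.0.113.{i + 1}"
        r["alarms"] += det.observe(10.0, spoofed, 1025 + i, "10.0.0.5", 80, "S")
        r["alarms"] += det.observe(10.0, "10.0.0.5", 80, spoofed, 1025 + i, "SA")
    r["alarms"] += det.advance(14.0)  # syn_timeout elapsed: five failures land at once
    for i in range(3):  # below threshold: counted only until the window has passed
        r["alarms"] += det.observe(20.0, "198.51.100.8", 60000 + i, "10.0.0.6", 443, "S")
        r["alarms"] += det.observe(20.0, "10.0.0.6", 443, "198.51.100.8", 60000 + i, "RA")
    r["count_in_window"] = det.by_src.count("198.51.100.8")
    det.advance(31.0)
    r["count_after_decay"] = det.by_src.count("198.51.100.8")
    return r
```

The horizontal scan trips only the source-IP filter and the flood only the destination-IP filter, which is the point of keying the two arrays separately. Two simplifications to keep in mind: the per-key clear after an alarm walks the window to subtract exactly that key's contribution (O(window length), not O(1)), and the counters are exact only while the k slots of a key are not all shared with other keys, which is the usual Counting Bloom Filter trade-off.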
As for the security of mobile devices, this thesis takes a new approach. Cross-platform mobile apps (CPMA) combine the features of Web applications and "native" mobile apps. On the one hand, like Web applications, a CPMA is implemented in portable, platform-independent languages such as HTML and JavaScript; on the other hand, like a native app, a CPMA has direct access to local device resources such as the file system, location, camera and contacts. Owing to these advantages, CPMAs are gaining more and more popularity.
To sum up, how to develop secure cross-platform mobile apps that keep users' personal information from being compromised has become a most interesting and critical issue. In this thesis we present a secure CPMA that gives IT network service developers a related idea and a model case study to refer to.
Chapter 1. INTRODUCTION
1.1 Network Security and Potential Threats
1.2 Attack Detection
1.3 Rapid Development of a Secure APP
1.4 Contributions
1.5 Thesis Organization
Chapter 2. OVERVIEW OF TCP/IP AND ITS SECURITY
2.1 Review of the TCP/IP Protocol Suite
2.2 The Inherent Defects of TCP/IP
2.3 Network Vulnerabilities and Attacks
Chapter 3. PACKET INSPECTION AND ATTACK DETECTION
3.1 Current Techniques in Network Security
3.2 Preventing DoS/DDoS Attacks
3.3 Packet Filtering
3.4 Detection System with Packet Filtering
3.5 Detecting Network Attacks with Packet Filtering
3.6 How to Detect DDoS Network Attacks with Packet Filtering
Chapter 4. BLOOM FILTER
4.1 Hash
4.2 Basic Bloom Filter
4.3 Counting Bloom Filter
4.4 Time Decay to Adapt Counting
Chapter 5. DETECTION SYSTEM AND IMPLEMENTATION
5.1 Architecture for CBF Packet Inspection
5.2 Counting Algorithm
5.3 Time Decay to Adapt Counting
Chapter 6. EXPERIMENTAL RESULTS
6.1 Running the GCBF Packet Inspection
6.2 Analysing Data from the GCBF Detection System
6.3 Analysing Data from the SWCBF System
Chapter 7. SECURITY IN RAPID APP DEVELOPMENT
7.1 The Mobile App
7.2 Mobile Platforms
7.3 Categories of Mobile Application
7.4 Security of Mobile APP
7.5 Cross-Platform APP Implementation
7.6 Implementation and Discussion
Chapter 8. CONCLUSION AND FUTURE WORKS
8.1 Conclusion to CBF
8.2 Conclusion to CPMA
8.3 Future Works

References