Taiwan National Digital Library of Theses and Dissertations (臺灣博碩士論文加值系統)

Detailed record

Student: 張耕維
Student (English): Keng-Wei Chang
Thesis title (Chinese): 資料探勘於防火牆政策管理之研究
Thesis title (English): A Study on Data Mining for Firewall Policy Management
Advisor: 張瑞益
Advisor (English): Ray-I Chang
Degree: Master's
Institution: National Taiwan University
Department: Graduate Institute of Engineering Science and Ocean Engineering
Discipline: Engineering
Field: General Engineering
Document type: Academic thesis
Year of publication: 2007
Academic year of graduation: 95 (ROC calendar)
Language: Chinese
Number of pages: 52
Keywords (Chinese): 資料探勘, 關聯規則, 防火牆, 政策管理, 快速演算法
Keywords (English): Data Mining, Association Rule, Firewall, Policy Management, Fast Algorithm
Usage statistics:
  • Cited by: 1
  • Views: 344
  • Rating: none
  • Downloads: 0
  • Saved to bibliographies: 1
Motivation: For enterprises, the firewall is currently the most widespread information security defence mechanism. As systems and the network environment change dynamically, the firewall policy rule table must be continually updated and adjusted in order to provide effective protection. Using log analysis to support policy management is a feasible approach, but traditional manual analysis is both time-consuming and error-prone. How to apply data mining techniques to analyse network logs and assist network administrators with firewall policy management is therefore a topic well worth studying.
Method: This thesis applies association rule algorithms to mine firewall log data and extract anomalous network connection behaviour, such as source addresses that appear frequently and the ports most often connected to within a short period, in order to derive suitable and effective firewall rules. In a real system environment, log data is dynamic and ever-accumulating, which easily makes log analysis the performance bottleneck of the system. We examine the factors that affect system performance and propose corresponding solutions. Compared with existing methods, this thesis first applies incremental mining to improve on traditional static mining, and proposes an improved accelerated algorithm to overcome the poor mining performance of previous methods. In addition, after discussion with information security experts, we identify important analysis items, such as behavioural analysis of Trojan horse programs. The efficiency of every proposed method is optimised to improve the overall execution performance of the system and better meet practical needs.
Results: This study implements a firewall log mining, analysis and policy debugging management tool and tests it with real firewall logs. The experimental results show that the proposed series of firewall log analysis algorithms all outperform the traditional methods in processing speed, allowing the system to analyse firewall logs faster and thus derive effective policy rules in a timely manner, supporting optimal firewall policy management.
Motivation: The firewall is the most popular network security mechanism for enterprises. Because the network environment changes dynamically, firewall policy rules must be constantly revised and adapted to assure the security of the intranet. The problem we address is how to apply data mining technology to analyze firewall logs and assist network administrators in improving firewall efficiency and safeguarding the network.
Method: We apply association rule mining to analyze network logs and detect anomalous behaviors, such as connections that appear frequently within a short period with the same source IP and port. From these anomalous behaviors we can infer useful, up-to-date and efficient firewall policy rules. Compared with the method proposed by K. Golnabi et al. at NOMS 2006, we use incremental mining to handle the continually growing traffic log data and improve analysis efficiency. Moreover, our approach analyzes not only high-frequency network logs but also other significant security factors, making the whole system more feasible and effective.
Results: In this thesis we have developed a fast algorithm to optimize execution performance. Experimental results show that the execution efficiency of the proposed method is significantly better than that of the traditional method when dealing with large log files.
Thesis Committee Approval I
Acknowledgements II
Abstract (Chinese) III
ABSTRACT IV
Chapter 1 Introduction 1
1.1 Research Background 1
1.2 Research Motivation and Objectives 2
1.3 Thesis Organization 4
Chapter 2 Related Work 5
2.1 Firewall Systems 5
2.1.1 Firewall Policy Rules 5
2.1.2 Firewall Logging 6
2.1.3 Firewall Policy Management 8
2.2 Applications of Data Mining to Firewall Policy Management 9
2.2.1 Association Rule Algorithms 11
2.2.2 Problems with Existing Methods 14
Chapter 3 Proposed System Architecture 17
3.1 Firewall Policy Management System 17
3.1.1 Rule Analysis Phase 19
3.1.2 Rule Editing Phase 20
Chapter 4 Log Rule Analysis Methods and Accelerated Algorithms 23
4.1 Firewall Log Rule Analysis 23
4.2 Incremental Association Rule Analysis 24
4.2.1 SWF Incremental Association Rule Algorithm 25
4.2.2 C-SWF Association Rule Analysis with a Log Compression Tree 27
4.3 Expert Rule Analysis 32
4.3.1 High-Density Analysis 32
4.3.2 Trojan Behaviour Analysis 33
Chapter 5 Implementation and Experimental Results 36
5.1 Implementation of the Prototype System 36
5.1.1 Incremental Association Rule Analysis Module 37
5.1.2 Expert Rule Analysis Module 38
5.1.3 Rule Anomaly Detection Module 39
5.2 Performance Experiment Results 41
5.2.1 Performance Test of C-SWF Incremental Association Rule Analysis 41
5.2.2 Performance Test of Expert Rule Analysis and Its Acceleration Method 46
Chapter 6 Conclusions and Future Work 47
References 49
[1] 王義智, “Information Security Application Demand of Large Enterprises in Taiwan, 2006,” Market Intelligence Center (MIC), Institute for Information Industry, research report, http://tsii.org.tw/tsii_epaper/9509/index.htm, Apr. 2006.
[2] 劉信義, 張瑞益, 莊棨椉, “A Study of Association Rule Mining Using a Clustered Compression Tree Algorithm,” Conference on E-Commerce and Digital Life (National Taipei University), 2006. [Honorable Mention Paper Award]
[3] A. Chuvakin, “Five Mistakes of Security Log Analysis,” netForensics, 2004, www.infosecwriters.com/text/resources/pdf/top-log-analysis-mistakes.pdf.
[4] A. Savasere, E. Omiecinski, and S. Navathe, “An Efficient Algorithm for Mining Association Rules in Large Databases,” International Conference on Very Large Data Bases (VLDB ’95), pp. 432-444, 1995.
[5] A. Wool, “A Quantitative Study of Firewall Configuration Errors,” IEEE Computer, Vol. 37, No. 6, pp. 62-67, 2004.
[6] C. H. Lee, C. R. Lin, and M. S. Chen, “Sliding-Window Filtering: An Efficient Algorithm for Incremental Mining,” 10th ACM International Conference on Information and Knowledge Management (CIKM-01), pp. 263-270, Nov. 2001.
[7] CERT/CC, “CERT/CC Statistics 1988-2006 – Incidents Reported,” http://www.cert.org/stats/cert_stats.html.
[8] D. Barbara, J. Couto, S. Jajodia, and N. Wu, “ADAM: A Test-bed for Exploring the Use of Data Mining in Intrusion Detection,” IEEE SMC Information Assurance Workshop, SIGMOD Record, Vol. 30, No. 4, pp. 15-24, 2001.
[9] D. Barbara, J. Couto, S. Jajodia, and N. Wu, “ADAM: An Architecture for Anomaly Detection,” Applications of Data Mining in Computer Security, ISBN 1-4020-7054-3, Kluwer Academic Publishers, Boston, pp. 63-76, 2002.
[10] D. W. Cheung, J. Han, V. T. Ng, and C. Y. Wong, “Maintenance of Discovered Association Rules in Large Databases: An Incremental Updating Technique,” International Conference on Data Engineering, pp. 106-114, Feb. 1996.
[11] D. W. Cheung, V. T. Ng, A. W. Fu, and Y. Fu, “Efficient Mining of Association Rules in Distributed Databases,” IEEE Transactions on Knowledge and Data Engineering, Vol. 8, No. 6, pp. 911-922, Dec. 1996.
[12] D. W. Cheung, S. D. Lee, and B. Kao, “A General Incremental Technique for Maintaining Discovered Association Rules,” International Conference on Database Systems for Advanced Applications, pp. 185-194, Apr. 1997.
[13] E. Al-Shaer and H. Hamed, “Firewall Policy Advisor for Anomaly Detection and Rule Editing,” IEEE/IFIP Integrated Management Conference (IM 2003), pp. 17-30, Mar. 2003.
[14] E. Al-Shaer and H. Hamed, “Discovery of Policy Anomalies in Distributed Firewalls,” IEEE INFOCOM ’04, Vol. 23, No. 1, pp. 2605-2616, Mar. 2004.
[15] E. Ukkonen, “Constructing Suffix-trees Online in Linear Time,” Algorithms, Software, Architecture: Information Processing 92, Vol. 1, pp. 484-492, Elsevier, 1992.
[16] E. W. Fulp, “Optimization of Network Firewall Policies using Directed Acyclic Graphs,” IEEE Internet Management Conference, 2005.
[17] G. H. Gonnet, R. A. Baeza-Yates, and T. Snider, “New Indices for Text: PAT Trees and PAT Arrays,” Information Retrieval: Data Structures and Algorithms, pp. 66-82, Prentice Hall, 1992.
[18] J. Han, J. Pei, and Y. Yin, “Mining Frequent Patterns without Candidate Generation,” ACM SIGMOD International Conference on Management of Data, pp. 1-12, 2000.
[19] J. S. Park, M. S. Chen, and P. S. Yu, “Using a Hash-Based Method with Transaction Trimming and Database Scan Reduction for Mining Association Rules,” IEEE Transactions on Knowledge and Data Engineering, Vol. 9, No. 5, pp. 813-825, Oct. 1997.
[20] K. Golnabi, R. Min, L. Khan, and E. Al-Shaer, “Analysis of Firewall Policy Rules using Data Mining Techniques,” 10th IEEE/IFIP Network Operations and Management Symposium (NOMS 2006), pp. 305-315, Apr. 2006.
[21] K. Hatonen, J.-F. Boulicaut, M. Klemettinen, M. Miettinen, and C. Masson, “Comprehensive Log Compression with Frequent Patterns,” International Conference on Data Warehousing and Knowledge Discovery (DaWaK 2003), Springer-Verlag LNCS 2737, pp. 360-370, Sept. 2003.
[22] L. Brown, “An Approach to Creating your Firewall Security Policy,” USM, http://www.usmd.edu/usm/adminfinance/itcc/appfirepolicy.doc.
[23] M. Berry and B. Linoff, Data Mining Techniques: For Marketing, Sales and Customer Support, New York: John Wiley & Sons, 1997.
[24] M. J. Zaki, “Parallel and Distributed Association Mining: A Survey,” IEEE Concurrency, Vol. 7, No. 4, pp. 14-25, Oct.-Dec. 1999.
[25] M. Z. Ashrafi, D. Taniar, and K. Smith, “ODAM: An Optimized Distributed Association Rule Mining Algorithm,” IEEE Distributed Systems Online, Vol. 5, No. 3, Mar. 2004.
[26] P. Verma and A. Prakash, “FACE: A Firewall Analysis and Configuration Engine,” Symposium on Applications and the Internet (SAINT), pp. 74-81, 31 Jan.-4 Feb. 2005.
[27] R. Agrawal, T. Imielinski, and A. Swami, “Mining Association Rules Between Sets of Items in Large Databases,” ACM SIGMOD Conference on Management of Data, pp. 207-216, 1993.
[28] R. Agrawal and R. Srikant, “Fast Algorithms for Mining Association Rules,” International Conference on Very Large Data Bases (VLDB ’94), pp. 487-499, Sept. 1994.
[29] R. Agarwal, C. Aggarwal, and V. Prasad, “A Tree Projection Algorithm for Generation of Frequent Item Sets,” Journal of Parallel and Distributed Computing, Vol. 61, No. 3, pp. 350-371, Mar. 2001.
[30] R. I. Chang, L. B. Lai, W. D. Su, J. H. Wang, and J. S. Kouh, “Intrusion Detection by Backpropagation Neural Networks with Sample-Query and Attribute-Query,” International Conference on Neural Information Processing (ICONIP 2006), Vol. 3, No. 1, pp. 6-10, 2007.
[31] S. Acharya, J. Wang, Z. Ge, T. Znati, and A. Greenberg, “Simulation Study of Firewalls to Aid Improved Performance,” Annual Simulation Symposium ’06, pp. 18-26, Apr. 2006.
[32] S. Acharya, J. Wang, Z. Ge, T. Znati, and A. Greenberg, “Traffic Aware Firewall Optimization Strategies,” IEEE International Conference on Communications, pp. 2225-2230, June 2006.
[33] S. Brin, R. Motwani, J. Ullman, and S. Tsur, “Dynamic Itemset Counting and Implication Rules for Market Basket Data,” ACM SIGMOD International Conference on Management of Data, ACM Press, New York, pp. 255-264, 1997.
[34] S. M. Bellovin, A. D. Rubin, and W. R. Cheswick, Firewalls and Internet Security: Repelling the Wily Hacker, 2nd ed., Addison Wesley, 2003.
[35] W. Lee and S. J. Stolfo, “Data Mining Approaches for Intrusion Detection,” 7th USENIX Security Symposium (SECURITY ’98), pp. 79-94, 1998.