National Digital Library of Theses and Dissertations in Taiwan

Record detail
Author: Ya-lin Chen (陳雅玲)
Title: Lightweight Network Intrusion Detection (輕型網路入侵偵測)
Advisors: Chia-mei Chen (陳嘉玫), Bing-chiang Jeng (鄭炳強)
Degree: Master
Institution: National Sun Yat-sen University (國立中山大學)
Department: Graduate Institute of Information Management
Discipline: Computer science
Sub-field: General computer science
Document type: Academic thesis
Year of publication: 2005
Academic year of graduation: 93 (ROC calendar, i.e. 2004-2005)
Language: English
Pages: 43
Keywords (Chinese): 異常偵測, 入侵偵測, 網路安全
Keywords (English): Anomaly Detection, Intrusion Detection, Network Security
Cited by: 4
Views: 262
Downloads: 42
Bookmarked: 7
Abstract (translated from the Chinese): Attackers commonly attack a target computer or service with exploit code written against vulnerabilities in computer systems or services. Such exploit programs usually send their attack packets right after establishing a connection with the target host or service, and these attacks are often carried out over the Telnet service. This study targets attacks with these characteristics and designs a lightweight network intrusion detection system that monitors Telnet traffic.

The system filters only the first few data packets of each Telnet connection and uses only part of their content for intrusion detection, rather than every packet and its full content, which greatly reduces the system's load. This is anomaly-detection research: we filter ordinary, attack-free network traffic and build a model of normal behavior from it; at detection time the filtered packets are compared against the normal model, and an anomaly-scoring function assigns a higher anomaly score the larger the deviation. Finally, we evaluate the proposed system on the 1999 DARPA Intrusion Detection Evaluation data set (5 days of training data, 10 days of test data, 44 attack instances in total). At a very low false-alarm rate of 2 false alarms per day the system's detection rate is 73%; on the attacks DARPA classified as hard to detect it reaches 80%.
Abstract (English): Exploit code written against system vulnerabilities is often used by attackers to attack target computers or services. Such exploit programs often send their attack packets within the first few packets after a connection has been established with the target machine or service, and such attacks are often launched over the Telnet service. This thesis proposes a lightweight network-based intrusion detection system for detecting such attacks in Telnet traffic.

The proposed system filters only the first few packets after each Telnet connection is established and uses only part of each packet's data, rather than all of it, to detect intrusions; this design reduces system load considerably. The approach is anomaly detection: the system characterizes normal traffic behavior and builds a normal model from the filtered normal traffic. In the detection phase it measures the deviation of each filtered packet from the normal model with an anomaly score function, so a more deviant packet receives a higher anomaly score. Finally, we evaluate the proposed system on the 1999 DARPA Intrusion Detection Evaluation data set, which contains 5 days of training data and 10 days of test data with 44 attack instances of 16 attack types. The proposed system achieves a detection rate of 73% at a low false-alarm rate of 2 false alarms per day, and 80% on the hard-to-detect attacks that were poorly detected in the 1999 DARPA IDEP (Intrusion Detection Evaluation Program).
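The four-stage pipeline the abstract sketches (traffic filter, normal profile, anomaly scoring, post-processing against a false-alarm budget, evaluated as detection rate at a fixed number of false alarms per day) as an added, self-contained Python illustration. This is not the thesis's code: the page does not give the attributes LNID keeps, its scoring function, or its post-processing rule, so the (packet index, byte offset) attribute, the n/r scoring term borrowed from Mahoney's PHAD (reference [10]), the per-day alarm budget, and every Telnet session below are assumptions constructed for the example.

```python
# Added illustration of the pipeline sketched in the abstract; not the thesis's code.
# Assumptions not given on the page: the attributes kept (packet index, byte offset),
# the n/r scoring term (borrowed from Mahoney's PHAD, ref. [10]), the per-day
# false-alarm budget used as post-processing, and every session below.
from collections import defaultdict

N_PACKETS = 3  # client packets kept per Telnet connection (assumption)
N_BYTES = 8    # leading payload bytes kept from each packet (assumption)

# Telnet option negotiation a client typically sends first:
# IAC DO SUPPRESS-GO-AHEAD, IAC WILL TERMINAL-TYPE, IAC WILL NAWS
NEGOTIATION = b"\xff\xfd\x03\xff\xfb\x18\xff\xfb\x1f"

# Constructed attack-free training sessions: negotiation, user name, password.
TRAIN_SESSIONS = [
    [NEGOTIATION, b"alice\r\n", b"s3cret\r\n"],
    [NEGOTIATION, b"bob\r\n", b"hunter2\r\n"],
    [NEGOTIATION, b"carol\r\n", b"qwerty\r\n"],
    [NEGOTIATION, b"dave\r\n", b"letmein\r\n"],
]
# Constructed exploit-like session: a binary sled sent where a login is expected.
ATTACK_SESSION = [b"\x90" * 64, b"\x90" * 64, b"\x90" * 64]


def filter_session(packets):
    """Traffic filter: keep the first N_PACKETS payloads, each cut to N_BYTES."""
    return [p[:N_BYTES] for p in packets[:N_PACKETS]]


class NormalProfile:
    """Normal model: for each attribute (packet index, byte offset) the set of
    byte values seen in training (r = its size) and the observation count n."""

    def __init__(self):
        self.values = defaultdict(set)
        self.n = defaultdict(int)

    def train(self, sessions):
        for packets in sessions:
            for i, payload in enumerate(filter_session(packets)):
                for j, b in enumerate(payload):
                    self.values[(i, j)].add(b)
                    self.n[(i, j)] += 1

    def score(self, packets):
        """Anomaly score: sum of n/r over attributes whose value never appeared
        in training. An unseen value at a heavily sampled, low-variety position
        counts most; positions never seen in training contribute nothing."""
        total = 0.0
        for i, payload in enumerate(filter_session(packets)):
            for j, b in enumerate(payload):
                seen = self.values.get((i, j))
                if seen and b not in seen:
                    total += self.n[(i, j)] / len(seen)
        return total


def detection_rate_at_budget(results, fa_per_day):
    """Off-line evaluation in the DARPA style: choose the lowest threshold that
    keeps false alarms within fa_per_day * days over the test period, then
    report the fraction of attack sessions scoring above it.
    results: list of (score, day, is_attack). Returns (rate, threshold, false_alarms)."""
    days = len({day for _, day, _ in results})
    allowed = fa_per_day * days
    normal = sorted((s for s, _, atk in results if not atk), reverse=True)
    # An alarm fires for score > threshold, so letting the `allowed` highest
    # normal scores through means the threshold is the next score down.
    threshold = normal[allowed] if allowed < len(normal) else -1.0
    false_alarms = sum(1 for s in normal if s > threshold)
    attacks = [s for s, _, atk in results if atk]
    detected = sum(1 for s in attacks if s > threshold)
    rate = detected / len(attacks) if attacks else 0.0
    return rate, threshold, false_alarms


def run_demo():
    """Train on the constructed normal sessions, then score a previously unseen
    normal login and the constructed attack; returns (normal_score, attack_score)."""
    profile = NormalProfile()
    profile.train(TRAIN_SESSIONS)
    new_normal = [NEGOTIATION, b"erin\r\n", b"pass1\r\n"]
    return profile.score(new_normal), profile.score(ATTACK_SESSION)


if __name__ == "__main__":
    normal_score, attack_score = run_demo()
    print(f"unseen normal login: {normal_score:.2f}  attack: {attack_score:.2f}")
```

With only four training sessions the unseen-but-legitimate login also scores well above zero (the new user name and password hit byte values the profile never saw), which is why the thesis trains on days of attack-free traffic and reports detection at a fixed false-alarm budget rather than at a hand-picked score; `detection_rate_at_budget` is the evaluation step that turns scores into the "73% at 2 false alarms per day" style figure.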
Table of contents:
Chapter 1 Introduction 1
1.1 Background 1
1.2 Research Motivation 3
1.3 Outline of the Thesis 4
Chapter 2 Literature Review 5
2.1 DARPA Off-Line Intrusion Detection Evaluation Program 5
2.1.1 DARPA Intrusion Detection Evaluation Dataset 6
2.1.2 Evaluation Measure 8
2.2 Related Studies 9
2.2.1 Lee et al.’s Work 9
2.2.2 Matthew V. Mahoney’s Work 13
Chapter 3 The Proposed Approach 15
3.1 Traffic Filter 16
3.2 Attribute Selection and Normal Profile Building 18
3.3 Anomaly Scoring Function 20
3.4 Post Process 22
Chapter 4 Experiment Design and Performance Analysis 23
4.1 Off-Line Evaluation Method 23
4.2 Experiment Design 25
4.3 Experiment Results 27
4.4 Performance Comparisons 30
4.4.1 Detection Rate Comparisons 30
4.4.2 Detection Rate Comparisons Based on False-Positive Error Rate 31
4.4.3 System load and Time Cost Comparisons 32
4.4.4 Anomaly Scoring Function Comparisons 33
4.4.5 Detection Comparisons on Hard Detected Attacks 35
Chapter 5 Conclusion 36
5.1 Contributions of LNID 36
5.2 Future Work 37
References 38
Appendix 41
Identification Scoring Truth in this Study 41
[1]賴溪松, “Fundamentals of Network Security” (lecture notes, in Chinese), http://crypto.ee.ncku.edu.tw/class/network_security/93/Ch1.pdf.
[2]Lincoln Laboratory, Massachusetts Institute of Technology, “1999 DARPA Intrusion Detection Evaluation Data Set,” http://www.ll.mit.edu/SST/ideval/data/1999/1999_data_index.html.
[3]Richard P. Lippmann et al., “Evaluating Intrusion Detection Systems: The 1998 DARPA Off-line Intrusion Detection Evaluation,” http://www.ll.mit.edu/SST/ideval/pubs/pubs_index.html.
[4]Richard P. Lippmann et al., “The 1999 DARPA Off-line Intrusion Detection Evaluation”, http://www.ll.mit.edu/SST/ideval/pubs/pubs_index.html.
[5]MIT Lincoln Laboratory, Information Systems Technology Group, “The 1998 Intrusion Detection off-line Evaluation Plan”, http://www.ll.mit.edu/SST/ideval/docs/1998/id98-eval-ll.txt.
[6]Air Force Rome Laboratory (AFRL/SNH-1), “The 1998 Intrusion Detection Real-time Evaluation Plan”, http://www.ll.mit.edu/SST/ideval/docs/1998/id98-eval-rl.txt.
[7]Tcpdump official website, http://www.tcpdump.org/.
[8]Matthew V. Mahoney, “Network Traffic Anomaly Detection Based on Packet Bytes,” ACM SAC 2003.
[9]Matthew V. Mahoney and P. K. Chan, “Learning Nonstationary Models of Normal Traffic for Detecting Novel Attacks,” Proc. SIGKDD, 2002, pp 376-385.
[10]Matthew V. Mahoney and P. K. Chan, “PHAD: Packet Header Anomaly Detection for Identifying Hostile Network Traffic,” Florida Institute of Technology Technical Report 2001-04, http://cs.fit.edu/~tr/.
[11]Wenke Lee, Salvatore J. Stolfo, and Kui W. Mok, “Mining Audit Data to Build Intrusion Detection Models,” AAAI 1998.
[12]Wenke Lee, Salvatore J. Stolfo, and Kui W. Mok, “A data mining framework for building intrusion detection models,” Proceedings of the 1999 IEEE Symposium on Security and Privacy, May 1999, pp. 120-132.
[13]Wenke Lee, Salvatore J. Stolfo, and Kui W. Mok, “Mining in a data-flow environment: Experience in network intrusion detection,” ACM SIGKDD 1999.
[14]Wenke Lee and Salvatore J. Stolfo, “A framework for constructing features and models for intrusion detection systems,” ACM SIGKDD 2000.
[15]Sung-Bae Cho and Hyuk-Jang Park, “Efficient Anomaly Detection by Modeling Privilege Flows Using Hidden Markov Model,” Computers & Security, Vol. 22, No. 1, pp. 45-55, 2003.
[16]Sang-Jun Han and Sung-Bae Cho, “Detecting Intrusion with Rule-Based Integration of Multiple Models,” Computers & Security, Vol. 22, No. 7, pp. 613-623, 2003.
[17]H.S. Venter and J.H.P. Eloff, “A Taxonomy for Information Security Technologies,” Computers & Security, 2003.
[18]Giorgio Giacinto, Fabio Roli, Luca Didaci, “Fusion of Multiple Classifiers for Intrusion Detection in Computer Networks”, Pattern Recognition Letters, 2003.
[19]E. Biermann, E. Cloete, and L.M. Venter, “A comparison of Intrusion Detection systems,” Computers & Security, 2003.
[20]Emilie Lundin and Erland Jonsson, “Anomaly-based intrusion detection: privacy concerns and other problems”, Computer Networks, 2000.
[21]Theuns Verwoerd and Ray Hunt, “Intrusion Detection Techniques and Approaches”, Computer Communications 25 (2002) pp.1356-1365, 2002.
[22]Yuebin Bai and Hidetsune Kobayashi, “Intrusion Detection Systems: Technology and Development,” Proceedings of the 17th International Conference on Advanced Information Networking and Applications (AINA’03), 2003.
[23]Alefiya Hussain, John Heidemann and Christos Papadopoulos, "A Framework for Classifying Denial of Service Attacks", ACM SIGCOMM’03, August 25–29, 2003.
[24]Matthias Schonlau, and Martin Theus, “Detecting Masquerades in Intrusion Detection Based on Unpopular Commands,” Information Processing Letters 76, 2000, pp 33-38.
[25]Midori Asaka, Takefumi Onabura, Tadashi Inoue, Shunji Okazawa and Shigeki Goto, “A New Intrusion Detection Method Based on Discriminant Analysis”, IEICE TRANS. INF. & SYST., Vol.E84–D, No.5 May 2001.
[26]Midori Asaka, Takefumi Onabura and Tadashi Inoue, “Remote Attack Detection Method in IDA: MLSI-Based Intrusion Detection using Discriminant Analysis”, Proceedings of the 2002 Symposium on Applications and the Internet (SAINT.02), IEEE, 2002.
[27]Nong Ye, Syed Masum Emran, Qiang Chen, and Sean Vilbert, “Multivariate Statistical Analysis of Audit Trails for Host-Based Intrusion Detection,” IEEE Transactions on Computers, Vol. 51, No. 7, July 2002.
[28]S. Jha and Hassan, “Building Agents for Rule-Based Intrusion Detection System,” Computer Communications 25 (2002) p.1366-1373, 2002.
[29]Vipin Kumar et al., “Data Mining for Network Intrusion Detection,” NSF Workshop on Next Generation Data Mining, 2002, http://www-users.cs.umn.edu/~kumar/.
[30]Wayne A. Jansen, “Intrusion Detection with Mobile Agents”, Computer Communications 25 (2002), pp.1392-1401, 2002.
[31]Yihua Liao and V. Rao Vemuri, “Use of K-Nearest Neighbor Classifier for Intrusion Detection,” Computers & Security, Vol. 21, No. 5, pp. 439-448, 2002.
[32]Lincoln Laboratory, Massachusetts Institute of Technology, “1998 DARPA Intrusion Detection Evaluation Data Set”, http://www.ll.mit.edu/SST/ideval/data/1998/1998_data_index.html.
[33]Lincoln Laboratory, Massachusetts Institute of Technology, “Detection Scoring Truth”, http://www.ll.mit.edu/SST/ideval/docs/1999/master-listfile-condensed.txt.
[34]Lincoln Laboratory, Massachusetts Institute of Technology, “Identification Scoring Truth”, http://www.ll.mit.edu/SST/ideval/docs/1999/master_identifications.list.
[35]Nong Ye, Syed Masum Emran, Qiang Chen, and Sean Vilbert, "Multivariate Statistical Analysis of Audit Trails for Host-Based Intrusion Detection", IEEE TRANSACTIONS ON COMPUTERS, VOL. 51, NO. 7, JULY 2002, pp.810-820.
[36]Srinivas Mukkamala, Andrew H. Sung and Ajith Abraham, "Intrusion detection using an ensemble of intelligent paradigms", Journal of Network and Computer Applications, 2004, http://www.elsevier.com/locate/jnca.
[37]Nong Ye, Yebin Zhang, and Connie M. Borror, "Robustness of the Markov-Chain Model for Cyber-Attack Detection", IEEE TRANSACTIONS ON RELIABILITY, VOL. 53, NO. 1, MARCH 2004, pp.116-123.