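Graduate student: 曾鴻麟 (Tseng, Hung-Lin)
Thesis title: An Ensemble Based Classification Algorithm for Network Intrusion Detection System (original title: 網路入侵偵測系統之整合分類演算法則研究)
Advisor: 楊棋堡 (Yang, Chyi-Bao)
Oral defense committee: 楊棋堡 (Yang, Chyi-Bao); 陳善泰 (Chen, San-Tai); 唐啟儀 (Tang, Chi-Yi); 陳宗煦 (Chen, Tsung-Hsu); 王金印 (Wang, Jin-Yin)
Oral defense date: 2011-05-20
Degree: Master's
Institution: Institute of Technology, National Defense University (國防大學理工學院)
Department: Master's Program in Information Science
Discipline: Engineering
Field: Electrical and Computer Engineering
Thesis type: Academic thesis
Publication year: 2011
Graduation academic year: 99
Language: Chinese
Number of pages: 59
Keywords: Intrusion Detection (IDS); Data Mining; Imbalanced Data Set; Ensemble System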
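In an environment of constantly changing information security threats, the intrusion detection system (IDS) is an important line of defense. However, as information technology keeps advancing, network speed and traffic volume have increased as well; on networks that routinely carry hundreds of thousands of packets per second, balancing information security and network quality is a very important issue.
Data mining has become very popular in recent years and has been applied successfully in many fields. Because it can uncover useful knowledge in large volumes of data, it can be used to reduce the resources an IDS wastes on analyzing data and to increase performance. However, applying data mining to intrusion detection still has many problems to overcome, such as imbalanced data sets, poor detection rates for minority classes, and low accuracy. This study therefore combines several methods for handling imbalanced data sets, including data selection, sampling mechanisms, and feature selection, and proposes the "Enhanced Integrated Learning (EIL) algorithm" to improve classification performance. Finally, drawing on the advantages of ensemble systems, it proposes the "EIL-Algorithm Based Ensemble System (EILBES)" to strengthen the classification model and its performance.
This thesis uses the KDD99 data set as its data source. The experimental results confirm that the proposed algorithms strengthen classification performance for minority classes: for the U2R class, Recall and F-measure reach 57.01% and 38.98% respectively, the best among current intrusion detection techniques. This effectively improves classification of the U2R attack class while also strengthening the overall classification performance of the anomaly-based network intrusion detection system.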

In an environment of changing information security threats, an intrusion detection system (IDS) is an important line of defense. With the continuous progress of information technology, network speed and throughput are also increasing, and networks now carry hundreds of thousands of packets per second. Taking both information security and network quality into account is a very important issue.
In recent years, data mining technology has become very popular and has been applied successfully in various fields. Data mining can discover useful information in a large volume of data, and current research tends to apply it in constructing IDSs. However, many challenges remain to be overcome in the field of data mining-based IDSs, such as imbalanced data sets, poor detection rates for the minority class, and low accuracy. Therefore, by integrating data selection, sampling, and feature selection methods, this thesis proposes an “Enhanced Integrated Learning” algorithm and an “EIL-Algorithm Based Ensemble System” to strengthen the classification model and its performance.
This thesis uses the KDD99 data set as the experimental data source. A series of experiments shows that the proposed algorithms can enhance the classification performance of the minority class. For the U2R attack class, Recall and F-measure are 57.01% and 38.98%, respectively, which shows that the classification performance for the U2R attack class is effectively improved. Meanwhile, the overall classification performance of the anomaly network-based IDS is enhanced.
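Acknowledgements
Abstract (Chinese)
ABSTRACT
Table of Contents
List of Tables
List of Figures
1. Introduction
1.1 Research Background and Motivation
1.2 Research Objectives
1.3 Thesis Organization
2. Literature Review
2.1 Intrusion Detection Systems
2.1.1 Architecture of Intrusion Detection Systems
2.1.2 Models of Intrusion Detection Systems
2.1.3 Related Research on Intrusion Detection Systems
2.2 KDD99 Data Set
2.3 Data Mining
2.3.1 Classification Techniques
2.3.2 Evaluation of Classification Techniques
2.4 Adaptive Feedback Mechanism Algorithm [9]
2.5 Imbalanced Data Sets
2.6 Median Balancing Sampling Mechanism Algorithm [8]
2.7 Feature Selection
2.8 Integrated Imbalanced Learning Algorithm [8]
2.9 Ensemble Systems
2.9.1 Bagging Algorithm
2.9.2 Boosting Algorithm
2.9.3 AdaBoost Algorithm
2.9.4 Heterogeneous Hierarchical Classification Architecture
2.9.5 Multiple Level Hybrid Classification Architecture
3. Algorithm Design
3.1 Enhanced Integrated Learning Algorithm
3.1.1 k-Fold Cross Removal Algorithm
3.1.2 Multi-Class Feedback Mechanism Algorithm
3.2 EIL-Algorithm Based Ensemble System
4. Experimental Design and Analysis
4.1 Experimental Framework and Design
4.2 Comparison of Training Data Selection Performance of the KFCR Algorithm
4.3 Comparison of the AFMA and MCFM Algorithms
4.4 EIL Algorithm Experiments
4.5 EILBES Experiments
4.6 Comprehensive Analysis of Experimental Results
5. Conclusions and Future Research
References
Autobiography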
[1] http://www.cert.org/stats
[2] Doyle, J., Kohane, I., Long W., Shrobe, H., and Peter, S., “Event Recognition Beyond Signature and Anomaly,” Proceedings of the 2001 IEEE, Workshop on Information Assurance and Security, United States Military Academy, West Point, NY, pp. 17-23, 2001.
[3] Safaa O. Al-Mamory, and Hongli Zhang, “Intrusion detection alarms reduction using root cause analysis and clustering,” Proceedings of the ScienceDirect, Workshop on Computer Communications, Computer Science and Technology, Harbin Institute of Technology, China, pp. 419-430, 2009.
[4] Chia-Mei Chen, Ya-Lin Chen, and Hsiao-Chung Lin, “An efficient network intrusion detection,” Proceedings of the ScienceDirect, Proceedings of Computer Communications, Information Management, National Sun Yat-Sen University, Taiwan, pp. 477-484, 2010.
[5] Kamran Shafi, and Hussein A. Abbass, “An adaptive genetic-based signature learning system for intrusion detection,” Proceedings of the ScienceDirect, Proceedings of Expert Systems with Applications, Information Technology and Electrical Engineering, Australian Defence Force Academy, Australia, pp. 12036-12043, 2009.
[6] Ming-Yang Su, Gwo-Jong Yu, and Chun-Yuen Lin, “A real-time network intrusion detection system for large-scale attacks based on an incremental mining approach,” Proceedings of the ScienceDirect, Workshop on computers & security, Computer Science and Information Engineering, Ming Chuan University and Aletheia University, Taiwan, pp. 301-309, 2009.
[7] Chih-Fong Tsai, and Chia-Ying Lin, “A triangle area based nearest neighbors approach to intrusion detection,” Proceedings of the ScienceDirect, Workshop on Pattern Recognition, Information Management, National Central University, Taiwan, pp. 222-229, 2010.
[8] 詹益東, “Methods for Improving the Classification Performance of Network Anomaly Intrusion Detection,” Master's thesis, Graduate School of Information Science, Chung Cheng Institute of Technology, National Defense University, Taoyuan, 2010.
[9] 潘致誠, “A Study of Robust Network Intrusion Detection Algorithms,” Master's thesis, Graduate School of Information Science, Chung Cheng Institute of Technology, National Defense University, Taoyuan, 2009.
[10] http://kdd.ics.uci.edu/databases/kddcup99/kddcup99.html
[11] Tan, P. N., Steinbach, M., and Kumar, V., Introduction to Data Mining, Pearson Addison Wesley, U.S.A, 2006.
[12] 竇祥霖, “Design and Application of a Heterogeneous Hierarchical Classification Architecture,” Master's thesis, Graduate School of Information Science, Chung Cheng Institute of Technology, National Defense University, Taoyuan, 2008.
[13] 尹相志, Microsoft SQL Server 2005 資料採礦聖經 (Microsoft SQL Server 2005 Data Mining Bible), 學貫行銷股份有限公司, Taipei, pp. 4-20, 4-21, 2007.
[14] Haibo He, and Edwardo A. Garcia, “Learning from Imbalanced Data,” Knowledge and Data Engineering, vol. 21, no. 9, pp. 1263-1284, 2009.
[15] Elkan, C., “Results of the KDD'99 classifier learning,” ACM SIGKDD Explorations, pp. 63–64, 2000.
[16] 葉志飛, 文益民, 呂寶糧, “A Survey of Research on Imbalanced Classification Problems,” 智能系統學報, vol. 4, no. 2, pp. 148-156, 2009.
[17] Qiong Gu, Zhihua Cai, Li Zhu, and Bo Huang, “Data Mining on Imbalanced Data Sets,” 2008 International Conference on Advanced Computer Theory and Engineering, 2008.
[18] 林智勇, 郝志峰, 楊曉偉, “The Current State of Research on Imbalanced Data Classification,” 計算機應用研究, vol. 25, no. 2, pp. 332-336, 2008.
[19] 張琦, 吳斌, 王柏, “An Overview of Training Methods for Imbalanced Data,” 計算機科學, vol. 32, no. 10, pp. 181-186, 2005.
[20] N.V. Chawla, K.W. Bowyer, L.O. Hall, and W.P. Kegelmeyer, “SMOTE: Synthetic Minority Over-Sampling Technique,” Artificial Intelligence Research, Vol. 16, pp. 321–357, 2002.
[21] Naeem Seliya, Zhiwei Xu, and Taghi M. Khoshgoftaar, “Addressing Class Imbalance in Non-Binary Classification Problems,” 20th IEEE International Conference on Tools with Artificial Intelligence, 2008.
[22] Abu H. M Kamal, Xingquan Zhu, Abhijit Pandya and Sam Hsu, “Feature Selection with Biased Sample Distributions,” IEEE IRI 2009, 2009.
[23] 楊正三, 葉明龍, 莊麗月, 陳禹融, 楊正宏, “Feature Selection and Classification of Gene Microarrays Using Information Gain and Memetic Algorithms,” 資訊科技國際期刊, vol. 2, no. 10, pp. 50-62, 2008.
[24] 朱芳輝, “A Study of Data Selection Methods for Discriminative Acoustic Model Training,” Master's thesis, National Taiwan Normal University, Taipei, 2008.
[25] Robi Polikar, “Ensemble based systems in decision making,” IEEE Circuits and Systems Magazine, Vol. 6, pp. 21-45, 2006.
[26] Weiming Hu, Wei Hu, and Steve Maybank, “AdaBoost-Based Algorithm for Network Intrusion Detection,” Proceedings of the 2008 IEEE, Workshop on IEEE TRANSACTIONS ON SYSTEMS, MAN, AND CYBERNETICS, Senior Member, IEEE, vol. 38, no. 2, pp. 1083-4419, 2008.
[27] Rajeswari, L. P., and Kannan, A., “An Intrusion Detection System Based on Multiple Level Hybrid Classifier using Enhanced C4.5,” IEEE International Conference on Signal processing, Communications and Networking, India, Jan 4-6, 2008, pp. 75-79, 2008.
[28] http://www.cs.waikato.ac.nz/ml/weka/
