
Student: 張邇獻 (Er-Xian Cheng)
Thesis title: An Automatic Attack Plan Construction Technique for Attack Correlation and Prediction (Chinese title: 以自動建立攻擊計劃技術為基礎之攻擊關聯及預測)
Advisor: 何正信 (Cheng-Seen Ho)
Committee members: 簡志誠 (Chih-Cheng Chien), 李漢銘 (Hahn-Ming Lee), 許清琦 (Ching-Chi Hsu), 陳錫明 (Shyi-Ming Chen)
Degree: Master
Department: College of Electrical Engineering and Computer Science, Department of Computer Science and Information Engineering
Year of publication: 2005
Academic year of graduation: 93 (ROC calendar)
Language: Chinese
Number of pages: 65
Keywords (Chinese, translated): Intrusion Detection Systems, Ontology, Primitive Attacks, Attack Subplan Templates, Attack Scenarios, Alert Correlation, Hidden Markov Model
Keywords (English): Primitive Attacks, Attack Ontology, Intrusion Detection Systems, Attack Scenarios, Attack Subplan Templates, Hidden Markov Model, Alert Correlation
Usage statistics: 319 views, 2 downloads
Chinese abstract (translated):

    The security of computers on a network is the key to whether network application systems can develop to maturity. Although protective systems such as data encryption, firewalls and anti-virus software already exist, intrusions still cannot be prevented entirely. Intrusion detection systems (IDSs) with different techniques and characteristics have therefore been developed as a second layer of defence. Current IDSs face the following problems: (1) heterogeneous IDSs each have the ability to detect different attacks, but their detection scope is limited; (2) IDSs generate a large number of unintegrated low-level alerts that contain too many false alarms; (3) IDSs cannot provide the severity and priority of alerts, so administrators cannot respond to attack events or remedy system vulnerabilities in time. To address these problems, this thesis proposes a two-layer heterogeneous intrusion alert correlation system that uses primitive attacks as a mediator. The first layer, construction and detection of primitive attacks, integrates heterogeneous intrusion alerts into a smaller number of primitive attacks and unifies the capabilities of the various IDSs into high-level alerts represented by primitive attacks. The second layer, primitive-attack-based attack scenario correlation and prediction, correlates primitive attacks into attack scenarios that correctly describe the whole picture of an attack method and provides a priority ranking of those scenarios, so that experts can assess network security from a higher-level viewpoint.
    This thesis focuses on the second layer, the primitive-attack-based attack scenario correlation and prediction subsystem. We adopt the following techniques to achieve the goal of effectively correlating real attacks: (1) automatically generate attack subplan templates by analysing the primitive attack sequences in the primitive attack database together with the attack knowledge in the attack ontology, and use these templates to compose primitive attacks into attack scenarios; (2) introduce feature similarity evaluation between primitive attacks to decide whether a correlation takes place, and provide the similarity information to help judge the priority of attack scenarios; (3) introduce an attack scenario fusion technique to filter out isolated primitive attacks and scenarios that show no attack intent; (4) introduce an HMM to describe the behaviour of attack scenarios and compute their priority through the Viterbi function. The contributions of this thesis are as follows: (1) automatic construction of attack subplans: the system uses relationship-strength analysis of primitive attack sequences, assisted by the attack ontology, to automatically build attack subplan templates; by composing these templates, a complete attack method can be described; (2) attack scenario reduction and fusion: the attack scenarios produced by the correlation system are attack sequences that describe the attacker's intent after attack events have been integrated; through scenario reduction and fusion, this thesis provides concise and correct attack scenarios to the administrator and reduces the burden of the large number of alerts generated by IDSs; (3) attack scenario priority prediction: we introduce an HMM to compute the probability of occurrence of each attack scenario, so that administrators can analyse attack scenarios in order of that probability.


English abstract:

    The security of networked computers strongly affects network applications. Although we already have encryption, firewalls and anti-virus systems, intrusions still happen quite often. IDSs (Intrusion Detection Systems) with different techniques and characteristics have thus been developed to serve as the second layer of protection. Nowadays some critical problems have emerged: (1) Heterogeneous IDSs have their specific capabilities for detecting attacks; however, their detection scopes are limited. (2) IDSs produce a large number of low-level alerts which aren't integrated and include too many false alerts. (3) IDSs can't provide information such as the severity degree and priority ranking of alerts to help the administrator make quick responses to attacks or amend the system's vulnerabilities immediately. To cope with these problems, we propose a two-layered heterogeneous intrusion detection architecture centered on primitive attacks as a mediator for correlating alerts. The first layer is the construction and detection of primitive attacks, responsible for integrating heterogeneous alerts into primitive attacks; this equivalently transforms low-level alerts of different formats into a unified, higher-level representation. The second layer is the correlation and ranking of attack scenarios, responsible for correlating primitive attacks into attack scenarios and offering their priority ranking.
    This thesis focuses on the second layer, the correlation and ranking of attack scenarios. We adopt the following techniques to accomplish the goal of effectively correlating attack scenarios. First, an automatic construction technique for attack subplan templates: we analyze the sequences of primitive attacks and consult the attack ontology to automatically generate attack subplan templates. Second, an attack subplan template-based scenario correlation technique: we use the auto-generated attack subplan templates to guide the composition of primitive attacks into attack scenarios. Third, a scenario fusion technique: we detect and remove noisy single primitive attacks and fuse attack scenarios by removing accidental or failed attack scenarios. Finally, an HMM (Hidden Markov Model)-based scenario ranking technique: we introduce an HMM to describe the behavior of attack scenarios and calculate their priorities with the Viterbi function. Our experiments showed that correlation of attack scenarios directed by auto-generated attack subplan templates can effectively discover the significant primitive attacks inside each attack scenario, which facilitates the discovery of the attackers' motives and intentions. The scenario fusion technique can eliminate false primitive attacks and reduce a large number of attack scenarios, while the HMM-based scenario ranking technique can filter out low-priority attack scenarios. Together they can dramatically reduce the cognitive load on the administrator in recognizing important attacks and proposing suitable responses.

Table of contents (translated; page numbers refer to the thesis):

    Chinese abstract I
    English abstract II
    Acknowledgements IV
    Contents V
    List of figures and tables VII
    Chapter 1 Introduction 1
    1.1 Motivation 1
    1.2 Research problems 3
    1.3 Research approach 4
    1.4 Contributions 6
    1.5 Thesis organization 7
    Chapter 2 Background and related work 8
    2.1 Intrusion detection systems 8
    2.1.1 Network-based vs. host-based intrusion detection systems 8
    2.1.2 Misuse detection vs. anomaly detection 9
    2.1.3 Active response vs. passive response 10
    2.2 Ontology 11
    2.3 Related work on alert correlation techniques 13
    2.3.1 Correlation based on alert similarity 14
    2.3.2 Correlation based on predefined attack scenarios 15
    2.3.3 Correlation based on preconditions/postconditions 17
    2.4 Hidden Markov Model (HMM) 19
    Chapter 3 System architecture 22
    3.1 System overview 22
    3.2 Primitive attack 24
    3.3 Attack ontology 25
    3.4 Correlation time window evaluator 26
    3.5 Attack subplan template generator 28
    3.6 Attack subplan template filter 31
    3.7 Subplan-directed scenario composer 33
    3.8 Feature similarity evaluator 35
    3.9 Attack scenario fuser 38
    3.10 Attack scenario ranker 40
    Chapter 4 System evaluation 43
    4.1 Experimental environment 43
    4.2 Test data 44
    4.2.1 Network environment 44
    4.2.2 Attack methods 45
    4.2.3 IDS alert data 46
    4.3 Performance analysis related to primitive attacks 47
    4.3.1 True primitive attack correlation rate 47
    4.3.2 False primitive attack elimination rate 48
    4.3.3 Administrator cognitive load reduction rate 49
    4.4 Performance analysis of the attack scenario correlation and prediction module 50
    Chapter 5 Conclusion and future work 53
    5.1 Conclusion 53
    5.2 Contributions 54
    5.3 System comparison 55
    5.4 Future work 58
    References 59
    Chinese-English glossary 62
    About the author 65

