
Author: 楊琳貴 (Lin-Kuei Yang)
Title: 應用單類別支撐向量機與平滑支撐向量機的階層式入侵偵測架構 / A Cascading Intrusion Detection Framework Using OCSVM and SSVM
Advisor: 李育杰 (Yuh-Jye Lee)
Committee: 李漢銘 (Hahn-Ming Lee), 鮑興國 (Hsing-Kuo Pao), 吳宗成 (Tzong-Chen Wu), 何正信 (Cheng-Seen Ho)
Degree: Master
Department: College of Electrical Engineering and Computer Science - Department of Computer Science and Information Engineering
Year of publication: 2005
Academic year of graduation: 93 (ROC calendar)
Language: English
Pages: 52
Chinese keywords: binary classification, intrusion detection system, smooth support vector machine, one-class support vector machine, chunking
English keywords: chunking
Usage: 203 views, 5 downloads
  • Abstract (translated from Chinese): The soundness of information systems is now one of the issues of concern to researchers, government agencies and commercial organizations. To ensure the soundness of information systems, many defense techniques have been proposed, such as firewalls, anti-virus software, intrusion detection systems, and so on. An intrusion detection system is a novel defense technique that can determine whether a computer network or a server is currently under an unauthorized intrusion. In this thesis we propose a cascading intrusion detection framework in which the one-class support vector machine and the smooth support vector machine serve as the core techniques. Generally, one-class support vector machines are used to describe normal behavior in anomaly-based intrusion detection. Here we use the one-class support vector machine to profile normal behavior as well as each kind of intrusion activity. Given the success of support vector machines on many binary classification problems, our system uses another variant of the support vector machine, the smooth support vector machine, to discriminate normal from abnormal behavior. We combine the one-class and smooth support vector machines into a carefully designed architecture that provides effective intrusion detection. In this thesis we also apply a chunking technique during training to handle the massive dataset. Finally, we evaluate our system on the 1999 KDD contest dataset; under the KDD contest scoring method, the proposed system outperforms that year's winner in both intrusion detection and intrusion diagnosis, and its detection rates for the DoS and r2l attack classes are also higher than those of several well-known algorithms.


    Abstract (English): Information system assurance is one of the issues of greatest concern to researchers, government organizations and many commercial firms. In order to assure the integrity of computer systems, more and more defense techniques are being brought out, such as firewalls, anti-virus software, intrusion detection systems, etc. An intrusion detection system is a novel defense technique which can determine whether a computer network or server has experienced an unauthorized intrusion. In this thesis, we propose a cascading intrusion detection framework in which we use the one-class support vector machine (OCSVM) and the smooth support vector machine (SSVM) as the core techniques. Generally, OCSVM is used to capture normal behavior in anomaly intrusion detection. Here we exploit OCSVM to profile normal behavior as well as each kind of intrusion activity separately. Given the success of support vector machines in binary classification applications, we apply a variant of support vector machines, SSVM, to discriminate between normal and intrusive activities. We combine OCSVM with SSVM to constitute a sophisticated structure that detects intrusions efficiently. In order to deal with the massive dataset in our training process, a chunking technique is introduced in this thesis. Testing our system on the 1999 KDD contest dataset, our system performs better than the 1999 KDD winner in both intrusion detection and intrusion diagnosis under the 1999 KDD scoring measure. In addition, our system also has better prediction rates on DoS and r2l connections than other well-known algorithms.

    Table of contents:
    1 Introduction
      1.1 Information Security
      1.2 Data Mining
      1.3 Organization of Thesis
    2 Intrusion Detection Systems
      2.1 Background
      2.2 Taxonomy of IDS
      2.3 Related Works
    3 Support Vector Machines
      3.1 Conventional Support Vector Machines
      3.2 Smooth Support Vector Machines
      3.3 One Class Support Vector Machines
    4 Methodology
      4.1 Motivation
      4.2 Architecture
      4.3 Chunking
    5 Experiments
      5.1 Dataset Descriptions
      5.2 Data Preprocessing
      5.3 Numerical Results
    6 Conclusion
