
Graduate student: 林慧璇 (Hui-Hsuan Lin)
Thesis title: False Alarm Detection by Weighted Score-based Rule Adaptation through Expert Feedback (Chinese title: 利用權重基礎適應性規則學習法降低入侵偵測虛警報)
Advisor: 李漢銘 (Hahn-Ming Lee)
Committee members: 李育杰, 項天瑞, 黃淇竣, 劉聰德
Degree: Master
Department: College of Electrical Engineering and Computer Science, Department of Computer Science and Information Engineering
Year of publication: 2009
Academic year of graduation: 97 (ROC calendar, i.e. 2008-2009)
Language: English
Pages: 64
Chinese keywords (translated): classification analysis, adaptive learning, rule learning, false alarms, intrusion detection
English keywords: classification analysis, adaptive learning, rule-based learning, false positives, intrusion detection
With the rapid growth of the Internet and the wide deployment of information systems, security vulnerabilities are reported constantly, and intrusions that steal sensitive information or bring down network services are commonplace, so intrusion detection systems (IDS) have become a basic safeguard for network security. Because attack techniques change daily and network traffic is large and keeps growing, traditional rules frequently misjudge; when the false alarm rate is too high, network administrators exhaust themselves investigating and tracing erroneous alerts, and the effectiveness of both the security equipment and the administrators drops. When an IDS decides whether a behaviour is an intrusion, it relies on a previously learned model; because attack behaviour is constantly updated and disguised, the model usually has to accumulate all the information and be relearned from scratch. The unbounded growth of data and the constant relearning degrade system performance.
    Our contribution is therefore an adaptive learning method that adjusts the learned model, helping network administrators obtain the alerts that truly matter quickly and helping them retune the IDS. The approach is rule learning: Concept Feature Extraction produces the learned model (a rule set), which is then adjusted incrementally with feedback from experts. On one side, rule weights are computed so that rules that no longer apply can be identified and deleted; on the other side, new rules are reconstructed (relearned) from the current information, and a new rule is not added if it conflicts with an existing one. Through this repeated, interleaved correction the learned model is adjusted so that real attack alerts are extracted accurately. Experiments confirm that the adaptive learning method predicts attack alerts better than methods without adaptation.


    An adaptation mechanism is important for false alarm reduction in an intrusion detection system (IDS), because the monitored environment changes and irrelevant signatures trigger wrongly. In this study we propose a weighted score-based rule adaptation (WSRA) mechanism driven by expert feedback in order to reduce the massive number of false alarms an IDS produces. A rule learner (e.g. RIPPER) generates the rule set that identifies false alerts, and each rule carries a score that represents its applicability. WSRA adjusts that score according to the labeled information that arrives from the expert. We also propose concept-level features for the false alarm reduction problem, which make it easier to obtain feedback from experts. WSRA makes the following contributions: (a) it adapts automatically to changes in the network environment while identifying false alarms, (b) it provides a new weighted score-based rule adaptation mechanism, and (c) thanks to the concept-level features, the rules are easier to present to experts when collecting their feedback. Moreover, experimental results show that the proposed mechanism reduces false alarms better than other false alarm approaches that do not consider adaptation.
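The cycle both abstracts describe (rules with an applicability score, scores moved by expert feedback, inapplicable rules deleted, relearned rules added only when they do not conflict) as an added illustration in Python. This is not code from the thesis: the reward and penalty increments, the pruning threshold, the weighted vote, the identical-conditions conflict test and the concept-level feature names (sig_class, src_role, dst_service) are all assumptions of this example, and the alerts are constructed.

```python
from dataclasses import dataclass


@dataclass
class Rule:
    """One learned rule over concept-level alert features (assumed representation).

    `conditions` maps feature name -> required value, `verdict` is what the rule
    claims about an alert it matches, and `weight` is the applicability score
    that expert feedback moves up or down.
    """
    name: str
    conditions: dict
    verdict: str              # "false_alarm" or "true_alarm"
    weight: float = 1.0

    def matches(self, alert):
        return all(alert.get(k) == v for k, v in self.conditions.items())


class WSRA:
    """Weighted score-based rule adaptation driven by expert feedback (illustrative)."""

    def __init__(self, rules, reward=0.2, penalty=0.4, prune_below=0.3):
        self.rules = list(rules)
        self.reward = reward            # assumed increment for a rule the expert agreed with
        self.penalty = penalty          # assumed decrement for a rule the expert contradicted
        self.prune_below = prune_below  # assumed threshold below which a rule is deleted

    def classify(self, alert):
        """Weighted vote of the matching rules; unmatched or tied alerts stay visible."""
        score = {"false_alarm": 0.0, "true_alarm": 0.0}
        for r in self.rules:
            if r.matches(alert):
                score[r.verdict] += r.weight
        if score["false_alarm"] > score["true_alarm"]:
            return "false_alarm"
        return "true_alarm"   # fail safe: never suppress an alert no rule clearly covers

    def feedback(self, alert, expert_label):
        """Adjust the weight of every rule that fired on `alert`; return names of rules pruned."""
        for r in self.rules:
            if r.matches(alert):
                if r.verdict == expert_label:
                    r.weight = min(1.0, r.weight + self.reward)
                else:
                    r.weight = max(0.0, r.weight - self.penalty)
        pruned = [r.name for r in self.rules if r.weight < self.prune_below]
        self.rules = [r for r in self.rules if r.weight >= self.prune_below]
        return pruned

    def relearn(self, candidate):
        """Add a relearned rule unless it conflicts with a kept rule (same conditions, other verdict)."""
        for r in self.rules:
            if r.conditions == candidate.conditions and r.verdict != candidate.verdict:
                return False
        self.rules.append(candidate)
        return True


# Constructed alerts; feature names and values are assumptions of this example.
ALERTS = {
    "scanner_http": {"sig_class": "web-scan", "src_role": "vuln-scanner", "dst_service": "http"},
    "external_http": {"sig_class": "web-scan", "src_role": "external", "dst_service": "http"},
    "monitor_sweep": {"sig_class": "icmp-sweep", "src_role": "monitor", "dst_service": "none"},
}


def initial_rules():
    """Rule set as a rule learner might have produced it from an earlier labeled batch."""
    return [
        Rule("R1", {"sig_class": "web-scan", "src_role": "vuln-scanner"}, "false_alarm"),
        Rule("R2", {"sig_class": "icmp-sweep"}, "false_alarm"),
    ]


def run_demo():
    """Walk one feedback cycle and return the observable outcomes."""
    model = WSRA(initial_rules())
    before = {k: model.classify(a) for k, a in ALERTS.items()}
    # The expert twice labels the sweeps from the monitor host as real: R2 drops
    # from 1.0 to 0.6 and then below the pruning threshold, so it is deleted.
    pruned_first = model.feedback(ALERTS["monitor_sweep"], "true_alarm")
    pruned_second = model.feedback(ALERTS["monitor_sweep"], "true_alarm")
    after = {k: model.classify(a) for k, a in ALERTS.items()}
    # Relearning: a more specific replacement is accepted; a candidate that
    # contradicts a kept rule on identical conditions is rejected.
    accepted = model.relearn(Rule("R3", {"sig_class": "icmp-sweep", "src_role": "monitor"}, "true_alarm"))
    rejected = model.relearn(Rule("R4", {"sig_class": "web-scan", "src_role": "vuln-scanner"}, "true_alarm"))
    return {
        "before": before, "pruned_first": pruned_first, "pruned_second": pruned_second,
        "after": after, "accepted": accepted, "rejected": rejected,
        "rule_names": [r.name for r in model.rules],
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

The tie-breaking in classify is deliberate: an alert that no surviving rule covers, or that matching rules disagree on, is left as a true alarm, so pruning a rule can only return alerts to the analyst, never hide new ones.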

    ABSTRACT
    ACKNOWLEDGEMENTS
    1 Introduction
    1.1 The Challenges of Current Research
    1.2 Motivation
    1.3 Goals
    1.4 Contribution
    1.5 Outline of the Thesis
    2 Background
    2.1 False Alarm Reduction
    2.2 Concept Feature
    2.3 Adaptive Rule Learning and Weighting
    3 System Architecture
    3.1 Concept Feature Extraction
    3.2 False Alarm Detection
    3.3 Feedback-oriented Adaptive Rule Learning
    3.3.1 Rule Weight Adaptation
    3.3.2 Relearning
    3.3.3 Rule Validation
    4 Experiments
    4.1 Dataset
    4.2 Experimental Setup
    4.3 Experimental Results
    4.3.1 Concept Features Comparison
    4.3.2 Rule Weighting Strategy Analysis
    4.3.3 Effectiveness Analysis
    4.3.4 Explanation of Rules
    4.4 Discussion
    5 Conclusion and Further Work
    5.1 Conclusion
    5.2 Further Work

    [1] M. Saniee Abadeh and J. Habibi. Computer intrusion detection using an iterative fuzzy rule learning approach. In Proceedings of the IEEE International Fuzzy Systems Conference (FUZZ-IEEE 2007), pages 1–6, 2007.
    [2] S. O. Al-Mamory and H. Zhang. Intrusion detection alarms reduction using root cause analysis and clustering. Computer Communications, pages 419–430, Elsevier, 2009.
    [3] A. Alharby and H. Imai. IDS false alarm reduction using continuous and discontinuous patterns. In Proceedings of the 3rd International Conference on Applied Cryptography and Network Security (ACNS 2005), pages 192–205, 2005.
    [4] D. Barbará, J. Couto, S. Jajodia, and N. Wu. ADAM: a testbed for exploring the use of data mining in intrusion detection. ACM SIGMOD Record, special section on data mining for intrusion detection and threat analysis, 2001.
    [5] D. Bolzoni and S. Etalle. APHRODITE: an anomaly-based architecture for false positive reduction. Technical Report TR-CTIT-06-13, University of Twente, Netherlands, 2006.
    [6] G. A. Carpenter and S. Grossberg. The ART of adaptive pattern recognition by a self-organizing neural network. IEEE Computer, pages 77–88, 1988.
    [7] G. A. Carpenter, S. Grossberg, and J. H. Reynolds. ARTMAP: supervised real-time learning and classification of nonstationary data by a self-organizing neural network. Neural Networks, pages 565–588, 1991.
    [8] F. Chu and C. Zaniolo. Fast and light boosting for adaptive mining of data streams. In Proceedings of the 8th Pacific-Asia Conference on Knowledge Discovery and Data Mining (PAKDD 2004), pages 282–292, 2004.
    [9] W. W. Cohen. Fast effective rule induction. In Proceedings of the Twelfth International Conference on Machine Learning, pages 115–123, Morgan Kaufmann, 1995.
    [10] O. Dain and R. K. Cunningham. Fusing a heterogeneous alert stream into scenarios. In Proceedings of the 8th ACM Conference on Computer and Communications Security (CCS), pages 1–13, 2001.
    [11] F. Ferrer-Troyano, J. S. Aguilar-Ruiz, and J. C. Riquelme. Data streams classification by incremental rule learning with parameterized generalization. In Proceedings of the 2006 ACM Symposium on Applied Computing, pages 657–661, 2006.
    [12] J. Fürnkranz and G. Widmer. Incremental reduced error pruning. In Proceedings of the 11th International Conference on Machine Learning (ML-94), New Brunswick, NJ, pages 70–77, 1994.
    [13] H. Debar and A. Wespi. Aggregation and correlation of intrusion-detection alerts. In Proceedings of the 4th International Symposium on Recent Advances in Intrusion Detection (RAID 2001), 2001.
    [14] J. Hipp, U. Güntzer, and G. Nakhaeizadeh. Algorithms for association rule mining: a general survey and comparison. In Proceedings of the ACM SIGKDD International Conference on Knowledge Discovery and Data Mining, 2000.
    [15] T. Jackson, J. Levine, J. Grizzard, and H. Owen. An investigation of a compromised host on a honeynet being used to increase the security of a large enterprise network. In Proceedings of the 2004 IEEE Workshop on Information Assurance and Security, IEEE, 2004.
    [16] K. Julisch. Clustering intrusion detection alarms to support root cause analysis. ACM Transactions on Information and System Security, volume 6, pages 443–471, 2003.
    [17] I. K. Protecting network servers. Technical Report, Department of Computer Science, University of New Mexico, 2003.
    [18] R. A. Kemmerer and G. Vigna. Intrusion detection: a brief history and overview. IEEE Computer, volume 35, pages 27–30, IEEE Computer Society, 2002.
    [19] J. Kolter and M. Maloof. Dynamic weighted majority: a new ensemble method for tracking concept drift. In Proceedings of the 3rd IEEE International Conference on Data Mining (ICDM 2003), pages 123–130, 2003.
    [20] K. H. Law and L. F. Kwok. IDS false alarm filtering using KNN classifier. In Proceedings of the 5th International Workshop on Information Security Applications (WISA 2004), pages 114–121, 2004.
    [21] W. Lee, W. Fan, M. Miller, S. J. Stolfo, and E. Zadok. Toward cost-sensitive modeling for intrusion detection and response. Journal of Computer Security, volume 10, pages 5–22, 2002.
    [22] W. Lee and S. J. Stolfo. Data mining approaches for intrusion detection. In Proceedings of the 7th USENIX Security Symposium, 1998.
    [23] W. Lee, S. J. Stolfo, and K. W. Mok. Adaptive intrusion detection: a data mining approach. Artificial Intelligence Review, volume 14, pages 533–567, 2000.
    [24] M. Mahoney and P. Chan. An analysis of the 1999 DARPA/Lincoln Laboratory evaluation data for network anomaly detection. In Proceedings of the 6th International Symposium on Recent Advances in Intrusion Detection (RAID 2003), pages 220–237, 2003.
    [25] S. Manganaris, M. Christensen, D. Zerkle, and K. Hermiz. A data mining analysis of RTID alarms. Computer Networks (The International Journal of Computer and Telecommunications Networking), pages 571–577, 2000.
    [26] J. McHugh. The 1998 Lincoln Laboratory IDS evaluation. In Proceedings of the Third International Workshop on Recent Advances in Intrusion Detection (RAID 2000), pages 145–161, 2000.
    [27] P. Ning, Y. Cui, D. S. Reeves, and D. Xu. Techniques and tools for analyzing intrusion alerts. ACM Transactions on Information and System Security (TISSEC), pages 274–318, 2004.
    [28] P. Ning, D. S. Reeves, and Y. Cui. Correlating alerts using prerequisites of intrusions. Technical Report TR-2001-13, North Carolina State University, 2001.
    [29] P. Ning and D. Xu. Learning attack strategies from intrusion alerts. In Proceedings of the 10th ACM Conference on Computer and Communications Security (CCS 2003), 2003.
    [30] T. Pietraszek. Using adaptive alert classification to reduce false positives in intrusion detection. In Proceedings of the 7th International Symposium on Recent Advances in Intrusion Detection (RAID 2004), pages 102–124, 2004.
    [31] Y. Qiao and X. Weixin. A network IDS with low false positive rate. In Proceedings of the IEEE Congress on Evolutionary Computation (CEC 2002), pages 1121–1126, 2002.
    [32] B. C. Rhodes, J. A. Mahaffey, and J. D. Cannady. Multiple self-organizing maps for intrusion detection. In Proceedings of the 23rd National Information Systems Security Conference, 2000.
    [33] M. Roesch. Snort: lightweight intrusion detection for networks. In Proceedings of the 13th USENIX Large Installation System Administration Conference (LISA '99), pages 229–238, 1999.
    [34] S. Selvakani and R. Rajesh. Genetic algorithm for framing rules for intrusion detection. International Journal of Computer Science and Network Security, volume 7, number 11, 2007.
    [35] A. Siraj and R. B. Vaughn. A cognitive model for alert correlation in a distributed environment. Lecture Notes in Computer Science, volume 3495, 2005.
    [36] W. Street and Y. Kim. A streaming ensemble algorithm (SEA) for large-scale classification. In Proceedings of the 7th ACM SIGKDD International Conference on Knowledge Discovery and Data Mining (KDD 2001), pages 377–382, 2001.
    [37] G. Tandon. Weighting versus pruning in rule validation for detecting network and host anomalies. In Proceedings of the 13th ACM SIGKDD International Conference on Knowledge Discovery and Data Mining, ACM Press, 2007.
    [38] S. Tesink. Improving intrusion detection systems through machine learning. ILK Research Group Technical Report Series no. 07-02, Tilburg University, 2007.
    [39] A. Valdes and K. Skinner. Probabilistic alert correlation. In Proceedings of the 4th International Symposium on Recent Advances in Intrusion Detection (RAID 2001), 2001.
    [40] F. Valeur, G. Vigna, C. Kruegel, and R. Kemmerer. A comprehensive approach to intrusion detection alert correlation. IEEE Transactions on Dependable and Secure Computing, pages 146–169, 2004.
    [41] H. Wang, W. Fan, P. Yu, and J. Han. Mining concept-drifting data streams using ensemble classifiers. In Proceedings of the 9th ACM SIGKDD International Conference on Knowledge Discovery and Data Mining (KDD 2003), pages 226–235, 2003.
    [42] G. Widmer and M. Kubat. Learning in the presence of concept drift and hidden contexts. Machine Learning, pages 69–101, 1996.
    [43] I. Witten and E. Frank. Data Mining: Practical Machine Learning Tools and Techniques with Java Implementations, 2nd ed., J. Gray, Ed. Morgan Kaufmann, CA, 2005.
    [44] B. Zhu and A. A. Ghorbani. Alert correlation for extracting attack strategies. International Journal of Network Security, volume 3, number 3, 2006.
    [45] M. Zolghadri and E. Mansoori. Weighting fuzzy classification rules using receiver operating characteristics (ROC) analysis. Information Sciences, 2007.
