
Student: 沈介國 (Chieh-kuo Shen)
Thesis title (Chinese): 透過階層式警報分類器及資料探勘技術降低假警報
Thesis title (English): False Alarm Reduction via Hierarchical Alert Classifier and Data Mining Approach
Advisor: 李育杰 (Yuh-Jye Lee)
Committee members: 鮑興國 (Hsing-Kuo Kenneth Pao), Tien-Ruey Hsiang, Chuan-Kai Yang
Degree: Master's
Department: College of Electrical Engineering and Computer Science, Department of Computer Science and Information Engineering
Year of publication: 2009
Academic year of graduation: 97 (ROC calendar)
Language: English
Number of pages: 50
Keywords (Chinese): 入侵偵測, 假警報, RIPPER, 階層式警報分類器
Keywords (English): intrusion detection, false alarm, RIPPER, hierarchical alert classifier


An Intrusion Detection System (IDS) is a software or hardware device deployed to monitor host activities and network traffic in order to detect intrusions, that is, actions that attempt to compromise the confidentiality, integrity, or availability of computer resources. Nevertheless, IDSs face a serious problem: they raise a huge number of false alarms, and it is infeasible for security analysts to investigate all of them. In this thesis, we propose a framework that incorporates an Informative KDD Instance Generator, which produces more informative instances of the KDD'99 type (a commonly used intrusion dataset), and a hierarchical alert classifier, which identifies true attacks and filters out the alarms most likely to be false, thereby alleviating the security analyst's burden. To make the alert classifier fit different network environments, the Informative KDD Instance Generator converts an IDS alert from the packet view into a KDD-type instance. To reduce false alarms, we adopt a hierarchical alert classifier that combines misuse intrusion detection with anomaly intrusion detection. Our experiments were designed to simulate applying the proposed framework to real-world security systems. The experimental results demonstrate that the hierarchical alert classifier improves on the original IDS.

Table of Contents

Advisor's Recommendation  i
Thesis Committee Approval  ii
Abstract (Chinese)  iii
Abstract (English)  iv
Acknowledgements  v
Table of Contents  vi
List of Tables  viii
List of Figures  ix
List of Algorithms  x
1 Introduction  1
1.1 Background  3
1.2 Thesis Organization  4
2 Intrusion Detection System  5
2.1 Incidents and Attacks  5
2.2 Taxonomy of IDSs  8
2.2.1 Host-based IDS vs. Network-based IDS  8
2.2.2 Anomaly vs. Misuse Detection  9
2.3 Snort  9
2.4 Intrusion Prevention System  11
3 Data Mining Methods and System Framework  12
3.1 RIPPER  12
3.2 System Framework  16
3.2.1 Informative KDD Instance Generator  16
3.2.2 Hierarchical Alert Classifier  17
4 Experiments and Results  20
4.1 Dataset Descriptions and Preprocessing  20
4.1.1 DARPA 1999 Dataset  20
4.1.2 Alert Labeling and Separated Alerts Dataset  21
4.1.3 Feature Extraction  21
4.2 Building Hierarchical Alert Classifier  24
4.2.1 Blacklist  24
4.2.2 Whitelist  27
4.3 Hierarchical Alert Classification Experiment  27
4.3.1 1st-Tier: Misuse Detector  29
4.3.2 2nd-Tier: Anomaly Detector  30
4.4 Numerical Comparison  30
5 Conclusions and Discussions  35
Bibliography  37
