入侵偵測系統(IDS)是一套架設用來監控系統及網路狀態中的軟硬體設備，偵測企圖洩漏機密及危害系統資源的入侵行為。然而大量的假警報是入侵偵測系統需要面對的嚴峻問題，分析研究大量的警報對於資安人員來說是難以實現的。在此篇論文中，我們提出一種架構能降低專家在處理資安警報的負擔。此架構結合了能產生更具資訊的KDD'99(一種經常應用在入侵資料分析的數據)資料型態之KDD事件產生器及一種能判定真實攻擊並降低大量的假警報的階層式警報分類器。為了能讓警報分類器能在不同的網路環境下處理警報，我們提出KDD事件產生器將IDS警報從封包轉為KDD事件。並且採取結合了不當行為與異常行為偵測的階層式警報分類器來降低假警報。我們設計了模擬真實環境的腳本，並且使用我們的架構來進行實驗。實驗結果證明階層式警報分類器的確能改善原本的入侵偵測系統。

Intrusion Detection System (IDS) is a software or hardware device deployed to monitor host activities and network for detecting intrusions, which are action that attempt to compromise the confidentiality, integrity and availability of computer resources. Nevertheless, IDSs are faced with a serious problem on a huge number of false alarms. It is really infeasible for security analysts to investigate lots of these alarms. In this thesis, we proposed a framework incorporated with the Informative KDD Instance Generator that is able to generate the more informative KDD'99 (a common used intrusion dataset) type instances and a hierarchical alert classifier that identifies true attacks and filters out the highly possible false alarms to alleviate a security analyst's burden. In order to make the alert classifier fit to different network environments, we propose the Informative KDD Instance Generator which is capable to convert the alert of IDS view from packet to KDD type instance. For reducing the false alarm, we adopt hierarchical alert classifier which combined misuse intrusion detection and anomaly intrusion detection. Our experiments were designed for simulating the scenario for applying our proposed framework to real world security systems. The experimental results demonstrate that the hierarchical alert classifier will improve the original IDS.

[1] J.P. Anderson. Computer Securtity Threat Monitoring and Surveillance. Tech¬nical report, Anderson Co., 1980.
[2] S. Axelsson. Intrusion Detection Systems: A Survey and Taxonomy. Depart¬ment of Computer Engineering, Chalmers University of Technology, 2000.
[3] Cisco Co. Cisco: Host Sensor Product. http://www.cisco.com/.
[4] NetworkICE Co. BlackICE Defender. http://www.networkice.com/products/blackice sentry.html/.
[5] W.W. Cohen. Fast Effective Rule Induction. In Proceeding of the Twelfth International Conference on Machine Learning, pages 115–123, 1995.
[6] H. Debar, M. Dacier, and A. Wespi. Towards a taxonomy of intrusion-detection systems. Computer Networks, 1999.
[7] H. Debar and A. Wespi. Aggregation and correlation of intrusion-detection alerts. Recent Advances in Intrustion Detection: 4th International Symposium, pages 85–103, 2001.
[8] F. Endorf, E. Schultz, and J. Mellander. Intrusion Detection & Prevention. Technical report, McGraw-Hill Osborne Media, 2003.
[9] J. Furnkranz and G. Widmer. Incremental Reduced Error Pruning. In Pro¬ceeding of the Eleventh International Conference on Machine Learning, pages 70–77, 1994.
[10] T.S. Hwang, T.J. Lee, and Y.J. Lee. A three-tier IDS via data mining approach. In Proceedings of the 3rd annual ACM workshop on Mining network data, pages 1–6, 2007.
[11] V. Jacobson, C. Leres, and S. McCanne. The Tcpdump Manual Page. Lawrence Berkeley Laboratory, Berkeley, CA, 1989.
[12] K. Julisch. Clustering Intrusion Detection Alarms to Support Root Cause Anal¬ysis. In ACM Transactions on Information and System Security, pages 443–471, 2003.
[13] H.G. Kayacik, A.N. Zincir-Heywood, and M.I. Heywood. Selecting Features for Intrusion Detection: A Feature Relevance Analysis on KDD 99 Intrusion De¬tection Datasets. Technical report, Dalhousie University, Faculity of Computer Science, 2005.
[14] G.H. Kim and E.H. Spaffor. The design and implementation of Tripwire: A file system integrity checker. In Proceedings of the 2nd ACM Conference on Computer and Communications Security, pages 18–29, 1994.
[15] MIT Lincoln Laboratory. DARPA Intrusion Detection Evaluation Documenta¬tion. http://www.ll.mit.edu/mission/communications/list/corpora/ideval/docs/index.html/.
[16] MIT Lincoln Laboratory. DARPA1999 Intrusion Detection Data Sets. http://www.ll.mit.edu/mission/communications/list/corpora/ideval/data/index.html/.
[17] W. Lee, S.J. Stolfo, and K.W. Mok. A Data Mining Framework for Building Intrusion Detection Models. In IEEE Symposium on Security and Privacy, pages 120–132, 1999.
[18] R. Lippmann, J.W. Haines, D.J. Fried, J. Korba, and K. Das. The 1999 DARPA Off-Line Intrusion Detection Evaluation. Computer Networks, 2000.
[19] J. McHugh. Testing Intrusion Detection System: A Critique of the 1998 and 1999 DARPA Intrusion Detection System Evaluations as Performed by Lincoln Laboratory. In ACM Transactions on Information and System Security, pages 262–294, 2000.
[20] The University of Walikato. Weka 3: Data Mining Software in JAVA. http://www.cs.waikato.ac.nz/ml/weka/.
[21] OSSEC. Open Source Host-based Intrusion Detection System. http://www.ossec.net/.
[22] V. Paxson, J. Rothfuss, and B. Tierney. Bro User Manual. Lawrence Berkley Laboratory, Berkeley, CA, 2006.
[23] T. Pietraszek. Using Adaptive Alert Classification to Reduce False Positives in Intrusion Detection. Recent Advances in Intrustion Detection: 7th International Symposium, pages 102–124, 2004.
[24] P.A. Porras and A. Valdes. Live Traffic Analysis of TCP/IP Gateways. In Networks and Distributed Systems Security Symposium, 1998.
[25] J.R. Quinlan. Intoduction of Detection Trees. Machine Learning, 1986.
[26] R. Richardson. CSI Survey 2008: The 13th Annual Computer Crime and Security Survey. Technical report, Computer Security Institute, 2008.
[27] M. Roesch. Snort–Lightweight Intrusion Detection for Networks. In Proceedings of the 13th USENIX conference on System administration, pages 229–238, 1999.
[28] IBM Internet Security Systems. X-Force 2007 Trend & Risk Report. Technical report, IBM Global Technology Services, 2007.
[29] F. Valeur, G. Vina, C. Kruegel, and R.A. Kemmerer. Comprehensive Approach to Intrusion Detection Alert Correlation. IEEE Transactions on Dependable and Secure computing, 2004.
[30] K. Zaraska. Prelude IDS: Current State and Development Perspectives. Tech¬nical report, Prelude IDS Technologies, 2003.