Author: |
楊貴麟 Kuei-Lin Yang |
---|---|
Thesis Title: |
利用適應性與成本效益之機器學習模型於降低入侵偵測虛警量 An Adaptive and Cost-Sensitive Learning Model for False Alarm Reduction in IDSs |
Advisor: |
李育杰
Yuh-Jye Lee |
Committee: |
吳怡樂
Yi-Leh Wu 鄧惟中 Wei-Chung Teng 金台齡 none 賴源正 Yuan-Cheng Lai |
Degree: |
碩士 Master |
Department: |
電資學院 - 資訊工程系 Department of Computer Science and Information Engineering |
Thesis Publication Year: | 2007 |
Graduation Academic Year: | 95 |
Language: | 英文 |
Pages: | 37 |
Keywords (in Chinese): | 成本敏感學習 、決策樹 、假警報 、入侵偵測系統 、RIPPER |
Keywords (in other languages): | cost-sensitive learning, decision trees, false alarm, IDS, RIPPER |
Reference times: | Clicks: 436 Downloads: 4 |
Share: |
School Collection Retrieve National Library Collection Retrieve Error Report |
入侵偵測系統為監控主機與網路運作的軟體或硬體設備,用於偵測有意圖洩露電腦資源的保密性、完整性和可用性之活動。然而入侵偵測系統會有產生大量虛警量的嚴重問題,資訊安全人員要分析這些警報是非常不可行地。我們提出了警報過濾的機制,能事先確認真正攻擊與過濾掉大量虛警量來減輕資安人員分析的負擔。實際上真正攻擊與大量的假警報間的分佈是非常不均衡,我們引進成本敏感學習讓真正攻擊有鑑別力。為了讓警報分類器能適應不同的網路環境,我們導入由資安人員回饋知識的適應性學習概念來改善警報分類器。機器學習是採用成本敏感學習搭配決策樹及RIPPER 不同的基本學習。實驗為摸擬我們提出的架構在實際網路資安系統中是可行的。實驗結果說明由資安人員回饋的適應性學習概念會改善警報分類器,並比較事先過濾掉大量可能的假警報與分析全部警報的結果,顯示我們提出的架構是可行地。
Intrusion Detection System (IDS) is a software system or hardware device deployed to monitor host activities and network to detect intrusions, which are actions that attempt to compromise the confidentiality, integrity and availability of computer resources. Nevertheless, IDSs are faced with a serious problem on a huge number of false alarms. It is really infeasible for security analysts to investigate lots of these alarms. In this thesis, we proposed the framework incorporated with an alert filter which is able to identify true attacks and filter out the highly possible false alarms to alleviate a security analyst's burden. Due to the distribution of alerts is very skewed, we lead in the concept of cost-sensitive learning to classify true attacks. In order to make the alert classifier fit to different network environment, we introduced an adaptive learning model that utilizes the ID analyst's feedback to improve the alert classifier. We adopt cost-sensitive meta-classifier with two base learners respectively, including decision trees and RIPPER, to train the alert classifier. Our experiments were designed for simulating the scenario for applying our proposed framework to real world security systems. The experimental results demonstrate that the adaptive learning model with the feedback of ID analysts will improve the alert classifier and show the results of our proposed framework which are as close as to those of analysis of entire alerts.
[1] http://en.wikipedia.org/wiki/Hacker (computer security).
[2] http://www.cert.org/stats/cert stats.html#vulnerabilities.
[3] http://www.ll.mit.edu/IST/ideval/docs/docs index.html.
[4] Weka. http://www.cs.waikato.ac.nz/ml/weka/.
[5] Wiki weka. http://en.wikipedia.org/wiki/Weka (machine learning).
[6] J. P. Anderson. Computer security threat monitoring and surveillance. Technical report, James P. Anderson Co.
[7] S. Axelsson. Intrusion detection systems: A survey and taxonomy. Technical report.
[8] S. Axelsson. Understanding Intrusion Detection Through Visualization. PhD thesis, Chalmers University of Technology, 2005.
[9] W. W. Cohen. Fast effective rule induction. In Proceedings of the 12th International Conference on Machine Learning, Tahoe City, CA, 115-123,.
[10] F. Cuppens and A. Miege. Alert correlation in a cooperative intrusion detection framework. In Proceedings of the 2002 IEEE Symposium on Security and Privacy, IEEE Computer Society, Berkeley, California, USA, 202-215, 2002.
[11] H. Debar, M. Dacier, and A. Wespi. A revised taxonomy for intrusion detection systems. IBM Research Report, 1999.
[12] C. Drummond and R. C. Holte. C4.5, class imbalance, and cost sensitivity: Why under-sampling beats over-sampling. In Proceedings of the International Conference on Machine Learning (ICML 2003) Workshop on Learning from Imbalanced Data Sets II., Washington, DC, USA.
[13] J. Furnkranz and G. Widmer. Incremental reduced error pruning. In International Conference on Machine Learning, 70-77, 1994.
[14] K. Julisch. Clustering intrusion detection alarms to support root cause analysis. In ACM Transactions on Information and System Security, 443-471, 2003.
[15] M. Kubat and S. Matwin. Addressing the curse of imbalanced training sets: Onesided selection. In Proceedings of the 14th International Conference on Machine Learning, 1997.
[16] M. V. Mahoney and P. K. Chan. An analysis of the 1999 darpa/lincoln laboratory evaluation data for network anomaly detection. In Recent Advances in Intrusion Detection, 220-237, 2003.
[17] D. J. Marchette. Computer Intrusion Detection and Network Monitoring: A Statistical Viewpoint. Springer-Verlag New York, Inc., Secaucus, NJ, USA, 2001.
[18] K. McCarthy, B. Zabar, and G. Weiss. Dose cost-sensitive learning beat sampling for classifying rare classes? In Proceedings of the 1st international workshop on Utility-based data mining, Chicago, Illinois, 69-77, 2005.
[19] J. McHugh. Testing intrusion detection systems: A critique of the 1998 and 1999 darpa intrusion detection system evaluations as performed by lincoln laboratory. In ACM Transactions on Information and System Security, 262-294, 2001.
[20] T. M. Mitchell. Machine Learning. McGRAW-Hill International Editions, 1997.
[21] P. Ning, Y. Cui, and D. S. Reeves. Constructing attack scenarios through correlation of intrusion alerts. In Proceedings of the 9th ACM Conference on Computer and Communications Security, Washington, DC, USA, 245-254, 2002.
[22] T. Pietraszek. Using adaptive alert classification to reduce false positives in intrusion detection. In Recent Advances in Intrusion Detection: 7th International Symposium.
[23] M. Roesch. Snort. http://www.snort.org/.
[24] M. Roesch. Snort - lightweight intrusion detection for networks. In Proceedings of the 13th Systems Administration Conference (LISA XIII), Seattle, WA, USA.
[25] R. Shirey. Rfc 2828 - internet security glossary. gte/bbn technologies, 2000. http://www.faqs.org/rfcs/rfc2828.html.
[26] S. J. Stolfo, W. Lee, P. K. Chan, and A. Prodromidis. Cost-based modeling for fraud and intrusion detection: Results from the jam project. In Proceedings of DARPA Information Survivability Conference and Exposition, 2000. DISCEX ’00, Hilton Head, SC, USA, 130-144, 2000.
[27] S. Tesink. Improving intrusion detection systems through machine learning. Technical report, ILK Research Group.
[28] K. M. Ting. An instance-weighting method to induce cost-sensitive trees. In IEEE Transactions on Knowledge and Data Engineering, 659-665,.
[29] P. D. Turney. Cost-sensitive classification: Empirical evaluation of a hybrid genetic decision tree induction algorithm. Journal of Artificial Intelligence Research 2, 1995.
[30] Wikipedia. Intrusion detection. http://en.wikipedia.org/wiki/Intrusion detection.
[31] J. Yu, Y. V. R. Reddy, S. Selliah, S. Kankanahalli, S. Reddy, and V. Bharadwaj. Trinetr: An intrusion detection alert management system. In Proceedings of the 13th IEEE International Workshops on Enabling Technologies, 235-240, 2004.