
Author: 楊貴麟
Kuei-Lin Yang
Thesis Title: 利用適應性與成本效益之機器學習模型於降低入侵偵測虛警量
An Adaptive and Cost-Sensitive Learning Model for False Alarm Reduction in IDSs
Advisor: 李育杰
Yuh-Jye Lee
Committee: 吳怡樂
Yi-Leh Wu
鄧惟中
Wei-Chung Teng
金台齡
none
賴源正
Yuan-Cheng Lai
Degree: 碩士
Master
Department: 電資學院 - 資訊工程系
Department of Computer Science and Information Engineering
Thesis Publication Year: 2007
Graduation Academic Year: 95
Language: English
Pages: 37
Keywords (in Chinese): 成本敏感學習、決策樹、假警報、入侵偵測系統、RIPPER
Keywords (in other languages): cost-sensitive learning, decision trees, false alarm, IDS, RIPPER
Reference times: Clicks: 436, Downloads: 4
  An intrusion detection system (IDS) is a software or hardware system that monitors host and network activity to detect actions intended to compromise the confidentiality, integrity, and availability of computer resources. IDSs, however, suffer from the serious problem of generating large numbers of false alarms, and it is impractical for security analysts to investigate all of these alerts. We propose an alert-filtering mechanism that identifies true attacks in advance and filters out the bulk of false alarms, reducing the analysts' workload. Because the distribution of true attacks among the large volume of false alarms is highly imbalanced, we introduce cost-sensitive learning so that true attacks can be discriminated. To allow the alert classifier to adapt to different network environments, we further adopt an adaptive learning scheme in which the analyst's feedback is used to improve the classifier. The classifier is trained with cost-sensitive learning combined with two different base learners, decision trees and RIPPER. Our experiments simulate the application of the proposed framework to a real-world network security system. The results show that adaptive learning driven by analyst feedback improves the alert classifier, and a comparison between pre-filtering the highly probable false alarms and analyzing all alerts demonstrates that the proposed framework is practical.


    An Intrusion Detection System (IDS) is a software system or hardware device deployed to monitor host and network activity in order to detect intrusions, that is, actions that attempt to compromise the confidentiality, integrity, and availability of computer resources. Nevertheless, IDSs face the serious problem of producing a huge number of false alarms, and it is infeasible for security analysts to investigate all of them. In this thesis, we propose a framework incorporating an alert filter that identifies true attacks and filters out highly probable false alarms in order to alleviate the security analyst's burden. Because the distribution of alerts is very skewed, we introduce cost-sensitive learning to classify true attacks. To make the alert classifier fit different network environments, we introduce an adaptive learning model that uses the intrusion-detection analyst's feedback to improve the classifier. We adopt a cost-sensitive meta-classifier with two base learners, decision trees and RIPPER, to train the alert classifier. Our experiments simulate the scenario of applying the proposed framework to real-world security systems. The experimental results demonstrate that the adaptive learning model with analyst feedback improves the alert classifier, and that the results of the proposed framework are close to those obtained by analyzing all alerts.
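
    The sketch below illustrates, under stated assumptions, the two ideas described in the abstract: cost-sensitive training of an alert classifier on a skewed alert distribution, and an adaptive update driven by analyst feedback. It is not the thesis's implementation (the thesis trains its classifier with a cost-sensitive meta-classifier over decision trees and RIPPER, reportedly in Weka); scikit-learn's DecisionTreeClassifier with per-class weights is used here as an analogous stand-in, and the synthetic features, the 20:1 cost ratio, and the simulated feedback loop are assumptions made purely for illustration.

    import numpy as np
    from sklearn.tree import DecisionTreeClassifier

    rng = np.random.default_rng(0)

    # Synthetic alert features: 1,000 alerts with 3 numeric features; only a few
    # percent are true attacks (label 1), mimicking the skewed attack/false-alarm mix.
    X = rng.normal(size=(1000, 3))
    y = (X[:, 0] + 0.5 * X[:, 1] > 2.0).astype(int)

    # Cost-sensitive learning: assume missing a true attack costs 20x more than
    # mislabeling a false alarm, expressed here as per-class weights.
    clf = DecisionTreeClassifier(class_weight={0: 1.0, 1: 20.0}, random_state=0)
    clf.fit(X, y)

    # Adaptive step: the analyst reviews the alerts the filter passes through,
    # confirms their labels, and the classifier is retrained with that feedback.
    passed = clf.predict(X) == 1              # alerts forwarded to the analyst
    X_fb, y_fb = X[passed], y[passed]         # analyst-verified labels (simulated)
    clf.fit(np.vstack([X, X_fb]), np.concatenate([y, y_fb]))
    print(f"alerts forwarded to analyst: {passed.sum()} of {len(y)}")

    In the thesis's setting, the feedback would come from real analyst labels on DARPA 1999 alerts rather than from reusing the training labels as done in this toy example.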

    1 Introduction
      1.1 Related Work
      1.2 Thesis Organization
    2 Intrusion Detection Systems
      2.1 Intrusion Detection and IDSs
      2.2 Taxonomy of IDSs
        2.2.1 Misuse Detection vs. Anomaly Detection
        2.2.2 Host-based IDS vs. Network-based IDS
        2.2.3 Protocol Modeling
      2.3 Alerts and Incidents
      2.4 Factors of False Alarms
      2.5 Snort
    3 Machine Learning Methods and Tools
      3.1 Machine Learning
      3.2 Decision Trees
        3.2.1 Growing Phase
        3.2.2 Pruning Phase
      3.3 RIPPER
      3.4 Cost-Sensitive Learning
      3.5 Weka
    4 System Framework
      4.1 Motivation
      4.2 Our Proposed Framework
    5 Experiments and Results
      5.1 Dataset Descriptions
        5.1.1 DARPA 1999 Dataset and Alerts
        5.1.2 Alert Labeling and Separated Alert Datasets
      5.2 Evaluation Measurements
      5.3 Training Scenario
      5.4 Experimental Results
        5.4.1 Evidences for An Adaptive Learning
        5.4.2 Results of Our Proposed Framework
    6 Conclusions and Discussions

