Graduate student: 楊貴麟
Kuei-Lin Yang
Thesis title: 利用適應性與成本效益之機器學習模型於降低入侵偵測虛警量
An Adaptive and Cost-Sensitive Learning Model for False Alarm Reduction in IDSs
Advisor: 李育杰
Yuh-Jye Lee
Oral examination committee: 吳怡樂
Yi-Leh Wu
Wei-Chung Teng
Yuan-Cheng Lai
Degree: Master's
Department: College of Electrical Engineering and Computer Science - Department of Computer Science and Information Engineering
Department of Computer Science and Information Engineering
Year of publication: 2007
Graduation academic year: 95
Language: English
Number of pages: 37
Chinese keywords: cost-sensitive learning, decision trees, false alarm, intrusion detection system, RIPPER
English keywords: cost-sensitive learning, decision trees, false alarm, IDS, RIPPER
An intrusion detection system is a software or hardware device that monitors the operation of hosts and networks in order to detect activities that attempt to compromise the confidentiality, integrity and availability of computer resources. However, intrusion detection systems suffer from the serious problem of producing a huge number of false alarms, and it is infeasible for information security personnel to analyze all of these alerts. We propose an alert filtering mechanism that identifies true attacks in advance and filters out a large volume of false alarms, reducing the analysis burden on security personnel. In practice, the distribution of true attacks versus the large number of false alarms is highly imbalanced, so we introduce cost-sensitive learning to give the classifier discriminative power for true attacks. To let the alert classifier adapt to different network environments, we introduce the concept of adaptive learning, in which knowledge fed back by security personnel improves the alert classifier. The machine learning approach uses cost-sensitive learning combined with two different base learners, decision trees and RIPPER. The experiments simulate the application of our proposed framework to a real network security system to show that it is feasible. The experimental results show that adaptive learning with feedback from security personnel improves the alert classifier, and a comparison between filtering out a large number of probable false alarms in advance and analyzing all alerts shows that our proposed framework is feasible.

An Intrusion Detection System (IDS) is a software system or hardware device deployed to monitor host activities and network traffic in order to detect intrusions, which are actions that attempt to compromise the confidentiality, integrity and availability of computer resources. Nevertheless, IDSs face the serious problem of generating a huge number of false alarms, and it is infeasible for security analysts to investigate all of them. In this thesis, we propose a framework incorporating an alert filter that is able to identify true attacks and filter out highly probable false alarms, alleviating the security analyst's burden. Because the distribution of alerts is very skewed, we introduce the concept of cost-sensitive learning to classify true attacks. In order to make the alert classifier fit different network environments, we introduce an adaptive learning model that utilizes the ID analyst's feedback to improve the alert classifier. We adopt a cost-sensitive meta-classifier with two base learners, decision trees and RIPPER, to train the alert classifier. Our experiments were designed to simulate the scenario of applying our proposed framework to real-world security systems. The experimental results demonstrate that the adaptive learning model with ID analyst feedback improves the alert classifier, and show that the results of our proposed framework are close to those obtained by analyzing all alerts.

1 Introduction
1.1 Related Work
1.2 Thesis Organization
2 Intrusion Detection Systems
2.1 Intrusion Detection and IDSs
2.2 Taxonomy of IDSs
2.2.1 Misuse Detection vs. Anomaly Detection
2.2.2 Host-based IDS vs. Network-based IDS
2.2.3 Protocol Modeling
2.3 Alerts and Incidents
2.4 Factors of False Alarms
2.5 Snort
3 Machine Learning Methods and Tools
3.1 Machine Learning
3.2 Decision Trees
3.2.1 Growing Phase
3.2.2 Pruning Phase
3.3 RIPPER
3.4 Cost Sensitive Learning
3.5 Weka
4 System Framework
4.1 Motivation
4.2 Our Proposed Framework
5 Experiments and Results
5.1 Dataset Descriptions
5.1.1 DARPA1999 Dataset and Alerts
5.1.2 Alert Labeling and Separated Alert Datasets
5.2 Evaluation Measurements
5.3 Training Scenario
5.4 Experimental Results
5.4.1 Evidence for an Adaptive Learning
5.4.2 Results of Our Proposed Framework
6 Conclusions and Discussions