
Graduate student: 林育任 (Yu-Ren Lin)
Thesis title: Automatic Construction of Primitive Attack Templates for Primitive Attack-based Heterogeneous Intrusion Detection (Chinese title: 以基元攻擊為基礎作異質入侵偵測之基元攻擊樣版自動建構技術)
Advisor: 何正信 (Cheng-Seen Ho)
Committee members: 簡志誠 (Chih-Cheng Chien), 李漢銘 (Hahn-Ming Lee), 許清琦 (Ching-Chi Hsu), 陳錫明 (Shyi-Ming Chen)
Degree: Master
Department: College of Electrical Engineering and Computer Science, Department of Computer Science and Information Engineering
Year of publication: 2005
Academic year of graduation: 93 (ROC calendar)
Language: Chinese
Pages: 67
Keywords: Primitive attacks, Attack Ontology, Primitive Attack Templates, Alert Ontology, Intrusion Detection Systems
Abstract (Chinese, translated):

    The security of computers on the network is the key to whether networked application systems can mature. Although protective systems such as firewalls and encryption already exist, they still cannot eliminate intrusion incidents. Intrusion detection systems (IDSs) with different techniques and characteristics have therefore been developed as a second layer of defense. Current IDSs mainly face the following problems: (1) IDSs often generate too many unintegrated low-level alerts; (2) IDSs generate too many false alarms; (3) heterogeneous IDSs each have the ability to detect different attacks, but their detection scope is limited. To solve these problems, our laboratory proposed a two-layer heterogeneous intrusion alert correlation system that uses primitive attacks as a mediator. The first layer is the automatic construction and detection of primitive attacks, responsible for integrating heterogeneous intrusion alerts into a smaller number of primitive attacks, thereby transforming the combined capabilities of the various IDSs into the higher-level meaning and confidence that a primitive attack represents; the second layer is primitive attack-based attack scenario correlation, responsible for correlating primitive attacks into attack scenarios so as to reconstruct the full picture of the attack and let experts assess network security from a higher-level viewpoint.
    This thesis focuses on improving the first-layer subsystem for automatic construction and detection of primitive attacks by adding an automatic primitive attack template construction module and providing a complete alert ontology. We adopt the following techniques to achieve effective automatic construction of primitive attack templates: (1) introducing an alert rule miner to learn the interaction relationships among alerts; (2) automatically building primitive attack templates from those interaction relationships; (3) introducing a primitive attack anchoring module that anchors the primitive attack templates into the attack ontology. The contributions of this research are as follows. (1) An automatic primitive attack template construction technique: a primitive attack template defines the interaction rules among heterogeneous alerts and uses the common contents of those alerts to describe the relevant attributes of a primitive attack; our automatic generation technique reduces the difficulty of defining primitive attack templates by hand. (2) Construction of a complete alert ontology (covering both network and host alerts): the network alert ontology integrates and classifies the alerts of network-based IDSs, and is used to judge the strength of correlation among alerts and to provide semantic annotations for them; the host alert ontology classifies the alerts of each host-based IDS separately and provides semantic annotations, alert signatures, and resource-access information. Besides supporting the automatic generation of primitive attack templates, this ontology also supports the design and analysis of intrusion detection systems and is an important resource for network security research.


Abstract (English):

    The security of networked computers strongly affects network applications. Although we already have firewalls and encryption systems, intrusions still happen often. IDSs (Intrusion Detection Systems) with different techniques and characteristics have thus been developed to serve as the second layer of protection. Problems associated with IDSs include: (1) IDSs often produce lots of low-level alerts which aren't integrated. (2) IDSs produce lots of false alerts. (3) Heterogeneous IDSs have their own specific capabilities for detecting attacks; however, their detection scopes are limited. To cope with these problems, we proposed a two-layered heterogeneous intrusion detection architecture, which advocates primitive attacks as a mediator for correlating alerts. The first layer is the construction and detection of primitive attacks, responsible for integrating heterogeneous alerts into primitive attacks. This equivalently transforms low-level alerts of different formats into a unified, higher-level representation. The second layer is the correlation of attack scenarios, responsible for correlating primitive attacks into attack scenarios and reporting their priorities.
    This thesis focuses on improving the first layer, the construction and detection of primitive attacks, mainly by introducing a module that automatically constructs primitive attack templates. The module involves the following techniques. First, we apply a constrained data mining technique to learn interactive relationships among the alerts. Second, based on these interaction relationships and the support of the alert ontology, we automatically create primitive attack templates. Finally, we anchor the auto-generated primitive attack templates into the attack ontology. Our experiments showed that the auto-generated primitive attack templates successfully subsumed all manually constructed real primitive attack templates. The contributions of the work are as follows. First, the automatic construction technique for primitive attack templates reduces the difficulty of manual construction of primitive attack templates by experts. Second, the constrained data mining technique can effectively discover interactive relationships among (heterogeneous) alerts and allows us to use their common contents to describe the relevant attributes of a primitive attack. Finally, the completed alert ontology (including network-based and host-based alerts) comprehensively classifies the alerts together with annotated information, not only supporting the automatic construction of primitive attack templates in this thesis but also serving as a valuable resource for the design and analysis of intrusion detection systems.

Table of contents:

    Chinese abstract
    English abstract
    Acknowledgements
    Table of contents
    List of figures and tables
    Chapter 1  Introduction
        1.1  Research motivation
        1.2  Research problems
        1.3  Research methods
        1.4  Contributions
        1.5  Thesis organization
    Chapter 2  Related work
        2.1  Intrusion detection systems
            2.1.1  Classification of intrusion detection systems
            2.1.2  SNORT
            2.1.3  RealSecure Network Sensor
            2.1.4  eXpert-BSM
        2.2  Ontology
        2.3  Intrusion alert aggregation and correlation
            2.3.1  ACC (Aggregation and Correlation Component)
            2.3.2  EMERALD
            2.3.3  M-Correlator (Mission Impact Intrusion Report Correlation System)
            2.3.4  CRIM (Cooperation and Reconnaissance of the Intention Malicious)
            2.3.5  M2D2
    Chapter 3  System architecture
        3.1  System overview
        3.2  Primitive attack template generator
        3.3  Alert ontology
        3.4  Alert rule miner
            3.4.1  Constraints of the alert rule miner
            3.4.2  Relationships among alerts
        3.5  Alert rule filter
        3.6  Alert rule clusterer
        3.7  Primitive attack template former
        3.8  Attack ontology
        3.9  Primitive attack template anchor
        3.10 Primitive attack composition
    Chapter 4  System evaluation
        4.1  Experimental environment
        4.2  Intrusion alert test data
            4.2.1  Network environment
            4.2.2  Attack methods
            4.2.3  Intrusion detection system alerts
        4.3  System performance evaluation
            4.3.1  Performance of the alert rule miner
            4.3.2  Performance of the primitive attack template generator
            4.3.3  Performance of automatic primitive attack template generation
    Chapter 5  Conclusions and future work
        5.1  Conclusions
        5.2  Contributions
        5.3  Comparison with the system of [Yu04]
        5.4  Future work
    References
    Chinese-English glossary
    About the author

References:

    [Ales01] D. Alessandri (Ed.), Towards a Taxonomy of Intrusion Detection Systems and Attacks. Deliverable D3, Project MAFTIA IST-1999-11583, Research Report RZ 3366, IBM Zurich Laboratory, also available at http://www.MAFTIA.org, 2001.

    [Ande02] D. Andersson, M. Fong, and A. Valdes, “Heterogeneous Sensor Correlation: A Case Study of Live Traffic Analysis,” Proc. of IEEE Information Assurance Workshop, United States Military Academy, West Point, NY, June 2002.

    [Axel00] S. Axelsson, Intrusion Detection Systems: A Taxonomy and Survey. Technical Report 99-15, Dept. of Computer Engineering, Chalmers University of Technology, Göteborg, Sweden, March 2000.

    [Capo00] J. Capoulade, P. Carle, E. Cochevelou, F. Cuppens, M. Diop, S. Dubus, S. Gombault, L. Mé, C. Michel, B. Morin, “Mirador: A cooperative approach of IDS”, 6th European Symposium on Research in Computer Security (ESORICS), Toulouse, France, October 2000.

    [Cupp00] F. Cuppens, “LAMBDA: A Language to Model a Database for Detection of Attacks,” Proc. of the Third International Workshop on the Recent Advances in Intrusion Detection (RAID’2000), Toulouse, France, October 2001.

    [Cupp01] F. Cuppens, “Managing Alerts in Multi-Intrusion Detection Environments,” Proc. of 17th Annual Computer Security Applications Conference (ACSAC), pp. 22-31, New Orleans, Louisiana, 2001.

    [Cupp02] F. Cuppens and A. Miege, “Alert Correlation in a Cooperative Intrusion Detection Framework,” Proc. of 2002 IEEE Symposium on Security and Privacy, pp. 202-215, Oakland, CA, 2002.

    [Chang05] E. X. Chang, “An Automatic Attack Plan Construction Technique for Attack Correlation and Prediction,” Master Thesis, Department of Computer Science and Information Engineering, National Taiwan University of Science and Technology, Taiwan, ROC, 2005.

    [Deba00] H. Debar, M. Dacier, and A. Wespi, “A Revised Taxonomy for Intrusion-Detection Systems,” Annales des Télécommunications, Vol. 55, No. 7/8, pp. 361-378, 2000.

    [Deba01] H. Debar and A. Wespi, “Aggregation and Correlation of Intrusion-Detection Alerts,” Proc. of the 4th International Symposium on Recent Advances in Intrusion Detection (RAID 2001), LNCS (Lecture Notes In Computer Science), Vol. 2212, Springer-Verlag, pp. 85-103, Davis, CA, USA, October 2001.

    [Expe] eXpert-BSM, available at http://www.sdl.sri.com/projects/emerald/releases/eXpert-BSM/

    [Grub93] T. R. Gruber, “A Translation Approach to Portable Ontology Specifications,” Knowledge Acquisition, Vol. 5, No. 2, pp. 199-220, 1993.

    [ICAT] ICAT database, http://icat.nist.gov/icat.cfm

    [Lind01] U. Lindqvist and P. Porras, “eXpert-BSM: A Host-based Intrusion Detection Solution for Sun Solaris,” Proc. of 17th Annual Computer Security Applications Conference (ACSAC), pp. 240-251, New Orleans, Louisiana, 2001.

    [MIT99] MIT Lincoln Lab Intrusion Detection Attacks Database, available at http://www.ll.mit.edu/IST/ideval/docs/1999/attackDB.html

    [MIT00] 2000 DARPA Intrusion Detection Scenario Specific Data Sets, available at http://www.ll.mit.edu/IST/ideval/data/2000/2000_data_index.html

    [Mori02] B. Morin, L. Mé, H. Debar, and M. Ducassé, “M2D2: A Formal Data Model for IDS Alert Correlation,” Proc. of the 5th International Symposium on Recent Advances in Intrusion Detection (RAID 2002), LNCS (Lecture Notes in Computer Science), Vol. 2516, pp. 115-137, Zurich, Switzerland, October 2002.

    [Ning04] P. Ning, Y. Cui, D. S. Reeves, and D. Xu, “Tools and Techniques for Analyzing Intrusion Alerts,” ACM Transactions on Information and System Security, Vol. 7, No. 2, pp. 214-318, May 2004.

    [Porr02] P. A. Porras, M. W. Fong and A. Valdes, “A Mission-Impact-based Approach to INFOSEC Alarm Correlation,” Proc. of the 5th International Symposium on Recent Advances in Intrusion Detection (RAID 2002), LNCS (Lecture Notes In Computer Science), Vol. 2516, pp. 95-114, Springer-Verlag, 2001.

    [Prot] Protégé, available at http://protege.stanford.edu/

    [Real] RealSecure Network Sensor, available at http://www.iss.net/

    [Roes99] M. Roesch, “Snort - lightweight intrusion detection for networks,” Proc. of LISA'99: 13th Systems Administration Conference, pp. 229-238, Seattle, Washington, November 1999.

    [Snor] Snort, available at http://www.snort.org/

    [Vald00] A. Valdes and K. Skinner, “Adaptive, Model-Based Monitoring for Cyber Attack Detection,” Proc. of the 3rd International Symposium on Recent Advances in Intrusion Detection (RAID 2000), LNCS (Lecture Notes in Computer Science), Vol. 1907, Springer-Verlag, pp. 80-92, October 2000.

    [Vald01] A. Valdes and K. Skinner, “Probabilistic alert correlation,” Proc. of the 4th International Symposium on Recent Advances in Intrusion Detection (RAID 2001), LNCS (Lecture Notes In Computer Science), Vol. 2212, Springer-Verlag, pp. 54-68, Davis, CA, USA, 2001.

    [Vign96] G. Vigna, “A Topological Characterization of TCP/IP Security,” Proc. of the 12th International FME Symposium, LNCS (Lecture Notes In Computer Science), Vol. 2805, Springer-Verlag, pp. 914-940, Pisa, Italy, September 2003.

    [Yu04] C. Y. Yu, “A Primitive Attack-based New Correlation Technique for Heterogeneous Intrusion Alerts: Construction and Detection of Primitive Attacks,” Master Thesis, Department of Computer Science and Information Engineering, National Taiwan University of Science and Technology, Taiwan, ROC, 2004.

    Full-text availability: the full text is not authorized for public release (campus network, off-campus network, and National Central Library: Taiwan Electronic Theses and Dissertations system).