Thesis/Dissertation etd-0726105-140441 Details
Title page for etd-0726105-140441
Title: Lightweight Network Intrusion Detection
Department:
Year, semester:
Language:
Degree:
Number of pages: 43
Author:
Advisor:
Convenor:
Advisory Committee:
Date of Exam: 2005-07-25
Date of Submission: 2005-07-26
Keywords: Anomaly Detection, Intrusion Detection, Network Security
Statistics: The thesis/dissertation has been browsed 5919 times and downloaded 3773 times.
Chinese Abstract (translated)
Attackers often use exploit code that targets vulnerabilities in computer systems or services to attack a target computer or service. Such exploit programs usually send their attack packets right after establishing a connection with the target host or service. Since these attacks are frequently carried out over the Telnet service, this study designs a lightweight network intrusion detection system, aimed at attacks with these characteristics, that inspects Telnet traffic on the network.

This study filters only the first few data packets of each Telnet connection and uses only part of their content for intrusion detection, rather than all packets and their full contents, which greatly reduces the system's load. The work belongs to anomaly detection research: we filter ordinary normal network traffic and build a normal behaviour model from it; during detection we measure the difference between the filtered packets and the normal behaviour model with an anomaly scoring function, which assigns a larger anomaly score the larger the deviation. Finally, we test the proposed system with the 1999 DARPA Intrusion Detection Evaluation data set: 5 days of training data, 10 days of test data, and 44 attack instances in total. The proposed system's detection rate at a very low false alarm rate (2 false alarms allowed per day) is 73%; on attacks that DARPA classifies as hard to detect, its detection rate reaches 80%.
Abstract
Attackers often use exploit code that targets system vulnerabilities to attack computers or services. Such exploit programs typically send their attack packets within the first few packets after a connection is established with the target machine or service, and these attacks are often launched over the Telnet service. This thesis proposes a lightweight network-based intrusion detection system for detecting such attacks in Telnet traffic.

The proposed system filters only the first few packets after each Telnet connection is established and uses only part of each packet's data, rather than the whole packet, to detect intrusions; this design greatly reduces system load. The approach is anomaly detection: the system characterizes normal traffic behaviour and builds a normal model from the filtered normal traffic. In the detection phase, it measures the deviation of each filtered packet from the normal model with an anomaly score function, so a packet that deviates more receives a higher anomaly score. Finally, we evaluate the proposed system on the 1999 DARPA Intrusion Detection Evaluation Data Set, which contains 5 days of training data and 10 days of testing data with 44 attack instances of 16 attack types. The proposed system achieves a detection rate of 73% at a low false alarm rate of 2 false alarms per day, and 80% on the hard-to-detect attacks that were poorly detected in the 1999 DARPA IDEP.
Table of Contents
Chapter 1 Introduction 1
1.1 Background 1
1.2 Research Motivation 3
1.3 Outline of the Thesis 4
Chapter 2 Literature Review 5
2.1 DARPA Off-Line Intrusion Detection Evaluation Program 5
2.1.1 DARPA Intrusion Detection Evaluation Dataset 6
2.1.2 Evaluation Measure 8
2.2 Related Studies 9
2.2.1 Lee et al.’s Work 9
2.2.2 Matthew V. Mahoney’s Work 13
Chapter 3 The Proposed Approach 15
3.1 Traffic Filter 16
3.2 Attribute Selection and Normal Profile Building 18
3.3 Anomaly Scoring Function 20
3.4 Post Process 22
Chapter 4 Experiment Design and Performance Analysis 23
4.1 Off-Line Evaluation Method 23
4.2 Experiment Design 25
4.3 Experiment Results 27
4.4 Performance Comparisons 30
4.4.1 Detection Rate Comparisons 30
4.4.2 Detection Rate Comparisons Based on False-Positive Error Rate 31
4.4.3 System load and Time Cost Comparisons 32
4.4.4 Anomaly Scoring Function Comparisons 33
4.4.5 Detection Comparisons on Hard Detected Attacks 35
Chapter 5 Conclusion 36
5.1 Contributions of LNID 36
5.2 Future Work 37
Reference 38
Appendix 41
Identification Scoring Truth in this Study 41
Fulltext
Thesis access permission: unrestricted (on campus and off campus)
Available:
Campus: available
Off-campus: available