System ID: U0026-0812200915262432
Thesis title (Chinese): 資料探勘應用於安全之智慧型安全分析平台 (Data Mining Applied to Security: An Intelligent Security Analysis Platform)
Thesis title (English): DM2Security: An Intelligent Security Analysis Platform
University: National Cheng Kung University (成功大學)
Department (Chinese): 工程科學系碩博士班 (Graduate Program in Engineering Science)
Department (English): Department of Engineering Science
Academic year: 97 (ROC calendar)
Semester: 2
Publication year: 98 (ROC calendar)
Graduate student (Chinese): 黃培軒
Graduate student (English): Pei-Hsuan Huang
Student ID: N9696416
Degree: Master's
Language: Chinese
Page count: 66 pages
Examination committee: Advisor: 黃悅民
Committee member: 曾龍
Committee member: 王宗一
Committee member: 楊竹星
Committee member: 曾黎明
Chinese keywords: 行為分析 (behavior analysis), 警報縮減 (alert reduction), 異常行為偵測 (anomalous behavior detection), 網路安全中心 (network security center)
English keywords: Anomaly detection, Behavior Analysis, Network Security Center, Alert Reduction
Subject classification: (not given)
Abstract (Chinese): The challenges of building a large-scale network security center stem mainly from the intrusion detection systems it relies on: when under attack they often generate large numbers of duplicate alerts, or too many invalid alerts, which places a heavy burden on security administrators and makes it impossible to discern signs of an attack within the flood of alerts. In addition, application-level attacks have gradually become the prevailing attack trend; these attacks keep evolving, so that ordinary signature-based intrusion detection systems have no detection capability at all when they cannot obtain signature rules in time.
This thesis proposes an intelligent security analysis platform comprising two processing modules, alert reduction and behavior analysis, as a solution to the problems above. The alert reduction module integrates four algorithms, De-Duplication Aggregation, Priority-Based Filtering, server-side event correlation and cross-region event correlation, to resolve problems such as massive duplicate alerts layer by layer. For unknown application-level attack behavior, the behavior analysis module samples packets, builds a model of normal network behavior and performs payload-based anomaly detection, thereby uncovering information about potentially hidden, unknown application-level network attacks and handing it to security experts for analysis, so that they can write it up as signature rules and compensate for the shortcomings of the IDS.
Finally, this thesis also designs six different test scenarios to verify the effectiveness of the proposed intelligent security analysis platform. The results of the first four tests clearly confirm that the proposed alert reduction module does fuse alerts belonging to the same alert event, can raise or lower alert priority and filter alerts according to client profiles, achieves a reduction rate of 97.7% on more than five thousand alerts, and can find hidden cross-region attacks among high-priority events. The results of the last two tests fully show that the behavior analysis module can build a corresponding network behavior database from client network behavior and use it to detect unknown application-level attacks.
Abstract (English): There are several challenges in building and maintaining a large-scale network security center. A naive deployment of IDS can cause huge numbers of duplicate alerts and too many false alerts. Besides, application-level network attacks have become far more serious, and traditional intrusion detection systems based on signatures are unable to deal with those attacks.
To overcome these problems, we propose an Intelligent Security Analysis Platform named DM2Security. This platform includes both an alert reduction module and a behavior analysis module. The alert reduction module employs different intelligent technologies, such as alert correlation and alert filtering, to solve the huge duplicate alert and false alert problems. The behavior analysis module, which performs payload-based application-level network anomaly detection, can help security analysts identify unknown application-level attacks.
Finally, we conduct six scenario-based tests designed to evaluate the effectiveness of the Intelligent Security Analysis Platform. Our test results demonstrate the effectiveness of our proposed Intelligent Security Analysis Platform.
Table of contents: Chapter 1 Introduction 1
1.1. Research background 1
1.2. Research motivation 3
1.3. Thesis organization 4
Chapter 2 Background and literature review 5
2.1. Intrusion detection techniques 5
2.1.1. Signature-based detection 5
2.1.2. Anomaly detection 5
2.2. Intelligent techniques 6
2.2.1. Correlation techniques 7
2.2.2. Data mining techniques 10
2.3. Test datasets 17
2.3.1. DARPA 1999 17
2.3.2. KDD CUP 99 20
Chapter 3 Application of intelligent techniques 24
3.1. System architecture 24
3.2. Alert reduction module 25
3.2.1. De-Duplication Aggregation Algorithm 26
3.2.2. Priority-Based Filtering Algorithm 26
3.2.3. Server-side correlation algorithm 28
3.2.4. Cross-region event correlation algorithm 30
3.3. Behavior analysis module 32
3.3.1. Packet sampling strategy 33
3.3.2. Behavior pattern analysis 35
3.3.3. Payload-based anomaly detection 38
Chapter 4 Implementation and testing 44
4.1. Development environment and tools 44
4.2. Scenario-based Testing 48
4.2.1. Test tools 48
4.2.2. Test environment setup 49
4.2.3. Test results 51
Chapter 5 Conclusion 60
Chapter 6 References 61
Full-text access permissions
  • Authorized for on-campus viewing/printing of the electronic full text, publicly available from 2014-07-31.
  • Authorized for off-campus viewing/printing of the electronic full text, publicly available from 2014-07-31.