A Study of IDML-based Distributed Intrusion Detection System

Master's thesis, National Chiao Tung University, Department of Computer and Information Science, academic year 89.

Abstract: As network environments grow dramatically, network-based applications and services become more important, and a variety of network intrusions have been developed against these services. For these intrusions, several issues need to be considered, including how to identify possible intrusion behaviors, how to detect the identified intrusion behaviors, and how to secure the system infrastructure. In this thesis, to identify intrusion behaviors, a new Intrusion Detection Markup Language (IDML) is proposed for describing well-known intrusion behaviors. Each intrusion pattern described in IDML can be transformed into an intrusion pattern state machine. An IDML-based Distributed Intrusion Detection System (IDIDS) is then proposed, consisting of an Intrusion Detection Device (IDD) and a Center of Intrusion Detection System (CIDS). The IDD performs online misuse detection with the pre-compiled intrusion pattern state machines and reports suspected events to the CIDS for further analysis. The CIDS performs offline anomaly detection with a multi-phase behavior pattern discovering method. In the preprocessing phase, the reported events are encoded into feature vectors. In the behavior clustering phase, these feature vectors are grouped into clusters. In the sequential pattern discovering phase, sequences of cluster labels that represent user behaviors are discovered. Finally, in the property extracting phase, these patterns are transformed into sequences of property sets and compared with well-known patterns by a classifier to determine whether the behavior is normal or abnormal. The results of the offline behavior pattern discovering method can be fed back to enhance the detection capability of IDIDS.

Bibliographic Details
Main Author: Shun-Chieh Lin (林順傑)
Other Author: Shian-Shyong Tseng
Format: Others
Published: 2001
Online Access: http://ndltd.ncl.edu.tw/handle/60772014878383539633
Catalogue Record
id: ndltd-TW-089NCTU0394028
record_format: oai_dc
Record timestamp: 2016-01-29T04:28:14Z
Title (English): A Study of IDML-based Distributed Intrusion Detection System
Title (Chinese): 以IDML為基礎的分散式入侵偵測系統之研究
Author: Shun-Chieh Lin (林順傑)
Other Author: Shian-Shyong Tseng (曾憲雄)
Degree: Master's, National Chiao Tung University, Department of Computer and Information Science, academic year 89
Type: degree thesis (學位論文); thesis 60
Published: 2001
Collection / Source: NDLTD
Format: Others
URL: http://ndltd.ncl.edu.tw/handle/60772014878383539633