Improving the Efficiency of Intrusion Alarm with Heterogeneous Information Sources
Master's thesis, Chung Yuan Christian University, Graduate Institute of Information Engineering, academic year 92 (ROC calendar).

Abstract: As the role of intrusion detection systems becomes more and more important to network security, many managerial problems emerge. One of the most concerning is the alarm flooding problem. In order to achieve a high detection rate, system administrators often set the sensitivity level of the IDS high, which inevitably results in a huge number of alarms, with false alarms occupying a sizable proportion. On one hand, administrators need to inspect them carefully to discover useful information, which is a heavy burden on the administrators. On the other hand, attackers may make use of the large number of false alarms to obstruct the detection process and deceive intrusion detection systems. Therefore, once a high detection rate has been achieved, how to improve the detection efficiency of intrusion detection systems and effectively reduce the number of false alarms becomes a vital problem to face. In intrusion detection systems adopting misuse detection methods, the attack signatures are mostly characterized with information from a single data source: for example, packet information from the network or resource utilization information from the host. Without utilizing other available information, the accuracy of the judgment made in generating an alarm may not be satisfactory. In this thesis, we propose an alarm filtering scheme to improve the efficiency of misuse-type network intrusion detection systems. Through careful analysis, a preliminarily recognized attack threat can be verified against heterogeneous data sources to determine whether the attack can really succeed before it is reported. The proposed scheme has been implemented. Experimental results show that, with the heterogeneous information, the occurrences of false alarms are clearly reduced and none of the real alarms are among those not reported.

| Field | Value |
|---|---|
| Title (English) | Improving the Efficiency of Intrusion Alarm with Heterogeneous Information Sources |
| Title (Chinese) | 運用異質資訊提升入侵警報正確率 |
| Main author | Hong-Ji Chen (陳鴻吉) |
| Other authors | Shih-Kuh Huang (黃世昆), Hsiao-Rong Tyan (田筱榮) |
| Degree | Master's (碩士) |
| Institution | Chung Yuan Christian University (中原大學), Graduate Institute of Information Engineering (資訊工程研究所) |
| Academic year | 92 (ROC calendar) |
| Document type | Thesis (學位論文) |
| Pages | 55 |
| Format | Others |
| Language | zh-TW |
| Published | 2004 |
| Online access | http://ndltd.ncl.edu.tw/handle/k6p8q5 |
| Record ID | ndltd-TW-092CYCU5392002 |
| Record last updated | 2018-06-25T06:06:10Z |