Network Service Misuse Detection: A Data Mining Approach


Bibliographic Details
Main Authors: Han-wei Hsiao, 蕭漢威
Other Authors: Chih-Ping Wei
Format: Others
Language: en_US
Published: 2004
Online Access: http://ndltd.ncl.edu.tw/handle/28890760374553235599
Description
Summary: Doctoral dissertation === National Sun Yat-sen University (國立中山大學) === Graduate Institute of Information Management (資訊管理學系研究所) === 92 === As network services progressively become essential communication and information delivery mechanisms for business operations and individuals' activities, a challenging network management issue emerges: network service misuse. Network service misuse is formally defined as "abuses or unethical, surreptitious, unauthorized, or illegal uses of network services by those who attempt to mask their uses or presence so as to evade the management and monitoring of network or system administrators." Misuses of network services inappropriately consume the resources of network service providers (i.e., server machines), compromise the confidentiality of information maintained by those providers, and/or prevent other users from using the network normally and securely. Motivated by the importance of network service misuse detection, we attempt to exploit router-based network traffic data to facilitate the detection of network service misuses. Specifically, in this thesis study, we propose a cross-training method for learning and predicting network service types from router-based network traffic data. In addition, we propose two network service misuse detection systems, for detecting underground FTP servers and interactive backdoors respectively. Our evaluations suggest that the proposed cross-training method (specifically, NN->C4.5) outperforms traditional classification techniques (namely C4.5, the backpropagation neural network, and the Naïve Bayes classifier). In addition, our empirical evaluation conducted in a real-world setting suggests that the proposed underground FTP server detection system can effectively identify underground FTP servers, achieving a recall rate of 95% and a precision rate of 34% (with the NN->C4.5 cross-training technique).
Moreover, our empirical evaluation also suggests that the proposed interactive backdoor detection system is capable of capturing "true" (or, more precisely, highly suspicious) interactive backdoors existing in a real-world network environment.