A Study of Collaborative Discovering of Suspicious Network Behaviors


Bibliographic Details
Main Authors: Yung-Yu Lin, 林永彧
Other Authors: Shian-Shyong Tseng
Format: Others
Language: en_US
Published: 2006
Online Access: http://ndltd.ncl.edu.tw/handle/82199720080097230068
Record ID: ndltd-TW-094NCTU5394042
Full description

Master's thesis, National Chiao Tung University (國立交通大學), Institute of Computer Science and Engineering (資訊科學與工程研究所), academic year 94. Chinese title: 發掘可疑網路行為的聯合防禦分析方法 (A Collaborative Defense Analysis Method for Discovering Suspicious Network Behaviors). Author: Yung-Yu Lin (林永彧). Other author: Shian-Shyong Tseng (曾憲雄). Thesis, 2006, 68 pages, English.

With the rapid growth of network attacking tools, the patterns of network intrusion events change gradually. Referring to the newest Symantec Internet Security Threat Report, we found that network intrusion behaviors are evolving into more hidden and target-specific behaviors. Many studies have been proposed to analyze network intrusion behaviors from low-level network data. However, since these approaches may produce a large amount of false alerts, it is very difficult for network administrators to discover useful information from these alerts. By collecting and analyzing unknown attack sequences systematically, the load on administrators can be reduced, and administrators can carry out the duties of fixing root causes and investigating attack events. However, because each intrusion has different characteristics, up to the present there is no single analysis method that can correlate IDS alerts perfectly and discover all kinds of real intrusion patterns. Therefore, a knowledge-based framework for Collaborative Discovering of Suspicious Network Behaviors (CDSNB) is proposed in this thesis. The CDSNB framework consists of three phases: the Data Preprocessing Phase, the Alert Filtering Phase and the Collaborative Analysis Phase. The Data Preprocessing Phase divides sensors into groups with specific system and network profiles, and transforms the IDS alerts of these groups into alert transactions in the specific data formats required by the Collaborative Analysis Phase. Because of the numerous false alerts, the Alert Filtering Phase constructs a Filter Model (FM) for the sensors of a specific group to filter out most false alerts.
The Collaborative Analysis Phase analyzes each alert pattern and classifies the results into aggregated information that administrators can use as a reference for intrusion defense from the viewpoint of specific sensor groups with similar backgrounds and behaviors. In this knowledge-based analysis framework, the system interacts with administrators to assist them in making appropriate decisions in each phase. According to the urgency of different situations, network administrators can carry out event protection, vulnerability repair, or even tracing of the causes of attacks. Therefore, the knowledge-based CDSNB framework can prevent attacks effectively, find novel attack patterns exactly and reduce the load on administrators efficiently.