Collaborative Intrusion Detection Systems with Rule Feedback Strategies


Bibliographic Details
Main Authors: Kuo Li-Wei, 郭力瑋
Other Authors: Wang Chih-Hung
Format: Others
Language: zh-TW
Published: 2006
Online Access: http://ndltd.ncl.edu.tw/handle/90182378072091604996
Description
Summary: Master's thesis === 國立嘉義大學 (National Chiayi University) === 資訊工程學系研究所 (Graduate Institute of Computer Science and Information Engineering) === 94 ===

As the Internet becomes more and more diverse, incidents of malicious users penetrating system defenses through vulnerable points are increasing rapidly. Consequently, in order to preemptively safeguard a system against various intrusions, it is necessary to develop an intrusion detection system with the learning ability to automatically add detection rules from stored traffic records. Most intrusion detection systems in use today employ misuse detection techniques (MIDS), which define known attack behaviors. However, such IDSs are inadequate for predicting possible anomalous behaviors, and hence many false negatives are generated, which leads computer systems into seriously hazardous conditions. Another frequently used approach is anomaly detection (AIDS). However, attack-free traffic data is needed to train an anomaly-based IDS, and in practice it is difficult to obtain such ideal data from a real network. If the training data contains attacks, an erroneous normal profile may be generated. The anomaly-based IDS therefore has an inherent problem of a high false positive rate.

To overcome these problems, we build a collaborative IDS that combines the advantages of both MIDS and AIDS. In this thesis, we provide a collaboration methodology that obtains packet features from the normal information during the training phase and from the alarms during the detection phase. Features of anomalous behaviors are extracted using a data-mining classification approach. The rule set of the misuse IDS is updated with rule transformation and feedback strategies, which avoids false negatives when the collaborative IDS encounters the same attack type in the next round of detection. Moreover, we also implement our collaborative IDS by merging real and simulated network traffic data, and we analyze possible problems in the synthetic data sets.