Thesis/Dissertation 964203022: Detailed Record




Name: 陳毓書 (Yu-Shu Chen)   Department: Information Management
Thesis title: 結合漸進式隱藏馬可夫模型與Adaboost之異常入侵偵測
(Combining Incremental Hidden Markov Model and Adaboost Algorithm for Anomaly Intrusion Detection)
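Related theses
★ A Study on Applying Digital Rights Management Mechanisms to Content Protection for Digital Video Discs
★ A Study on Achieving Enterprise Software License Management with Application Virtualization Technology
★ Design of an IAX2-Based Web Telephony Architecture
★ A Study on Applying Machine Learning Techniques to Assist Police in Investigating Fraud Cases
★ A Study of an Account-Based Ticketing System Extended with Fraud Prevention and Privacy Protection: The Case of Public Transportation
★ A Study on the Collection and Integration of Semi-Structured Data on the Internet
★ A Study of an Online Shopping Assistant in the E-Commerce Environment
★ A Study of Defense-in-Depth Mechanisms for Network Security
★ A Study of Advance Resource Reservation and Resource Conflicts on the National Broadband Experimental Network
★ A Study on Detecting E-mail Viruses with a Tree-Structured Correlation Architecture
★ A Study of Video Placement in Video-on-Demand Systems Considering Regional Differences
★ A Study on Preserving Digital Evidence in Untrusted Local Area Networks
★ Development of an Integrated Assistance System for Intrusion Detection System Event Explanation and Automatic Addition of Detection Rules
★ A Study on Correlating Intrusion Alerts of Distributed Intrusion Detection Systems Using Process Tracing
★ Development of a Technique for Automatically Generating Web Information Extraction Programs
★ A Study on Applying XML/XACML to Authorization Control in Workflow Management Systems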
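Files and access rights
  1. The access permission for this electronic thesis is: immediate open access approved.
  2. Electronic full texts that have reached their open-access date are licensed to users only for personal, non-profit searching, reading and printing for the purpose of academic research.
  3. Please comply with the relevant provisions of the Copyright Act of the Republic of China; do not reproduce, distribute, adapt, repost or broadcast the work without authorization, to avoid breaking the law.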

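Abstract (Chinese) Because the number of malware samples and intrusion attacks worldwide is rising sharply, developing effective intrusion detection systems that raise the accuracy of intrusion detection has become very important. The traditional Hidden Markov Model (HMM), which models a normal behavior profile (Normal Profile), has been successfully applied to anomaly intrusion detection, and the Incremental HMM (IHMM) reduces the training time cost of the traditional HMM.
However, neither of the two hidden Markov models detects effectively and accurately; both suffer from an excessively high false positive rate. This study therefore proposes anomaly intrusion detection that combines the incremental hidden Markov model with Adaboost, abbreviated Adaboost-IHMM. Adaboost uses multiple IHMMs to classify samples jointly and then decides the final classification of each sample, which raises classification accuracy. In addition, this study proposes a method for Adaboost-IHMM to adapt the normal profile in real time, in response to misjudgments caused by changes in normal behavior.
Finally, the Stide and Sendmail system call datasets provided by the University of New Mexico, together with Internet Explorer experimental data we collected ourselves, are used to verify that the method can indeed distinguish normal from intrusive processes and that the normal profile can be adapted in real time. The experimental results show that the method clearly improves the false positive rate without losing detection rate, improving the false positive rate on the Stide dataset by 70%. When normal behavior changes, the profile can also be adjusted in real time accordingly, improving the time cost of training a new normal profile by 90%.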
Abstract (English) Because malware and intrusions are growing sharply worldwide, it is important to develop effective Intrusion Detection Systems (IDSs) that improve the accuracy of intrusion detection. IDSs determine whether the current system has suffered an intrusion by analyzing system call sequences, system logs or network packets. All of these data contain time series events.
The traditional Hidden Markov Model (HMM), which is highly capable of describing time series data, has been successfully applied to anomaly intrusion detection to model a normal profile. The Incremental HMM (IHMM) further improves the training time of the HMM. However, both HMM and IHMM still have the problem of a high false positive rate.
In this thesis, we propose combining IHMM and Adaboost for anomaly intrusion detection and name the method Adaboost-IHMM. Because Adaboost first uses many IHMMs to classify samples collectively and then decides each sample's classification, Adaboost-IHMM can improve classification accuracy.
Finally, we run experiments using the Stide and Sendmail system call datasets from UNM and Internet Explorer datasets that we collected ourselves. Experimental results on the Stide datasets show that the proposed method can significantly improve the false positive rate, by 70%, without decreasing the detection rate.
In addition, we propose a method to adjust the normal profile in order to avoid erroneous detections caused by changes in normal behavior. We perform experiments with realistic datasets extracted from the use of popular browsers. Compared with the traditional HMM method, our method can improve the training time needed to build a new normal profile by 90%.
Keywords (Chinese) ★ Adaboost
★ Anomaly intrusion detection
★ Normal behavior profile
★ Incremental hidden Markov model
Keywords (English) ★ Adaboost
★ IHMM
★ Anomaly Intrusion Detection
★ Normal Profile
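Table of contents
Chinese Abstract
English Abstract
Contents
List of Figures
List of Tables
Chapter 1 Introduction
1.1 Research Background
1.2 Research Motivation and Objectives
1.3 Research Scope
1.4 Research Contributions
1.5 Chapter Organization
Chapter 2 Related Work
2.1 Data Sources for Anomaly Intrusion Detection
2.2 Hidden Markov Models Applied to Anomaly Intrusion Detection
2.2.1 Incremental Hidden Markov Model
2.2.2 Anomaly Detection Based on Hidden Markov Models
2.3 The Adaboost Algorithm Applied to Anomaly Intrusion Detection
2.3.1 The Adaboost Algorithm
2.3.2 Anomaly Intrusion Detection Based on the Adaboost Algorithm
2.4 Combining Hidden Markov Models and Adaboost
Chapter 3 Anomaly Intrusion Detection with Adaboost-IHMM
3.1 Incremental Hidden Markov Model
3.2 Combining the Incremental Hidden Markov Model with the Adaboost Algorithm
3.3 Sequence Evaluation with Adaboost-IHMM
3.4 Real-Time Adaptation of the Normal Profile
Chapter 4 System Design and Implementation
4.1 Training Phase
4.2 Detection Phase
4.3 Adaptation Phase
Chapter 5 Experimental Analysis
5.1 Experimental Parameters
5.2 Stide Anomaly Detection Experiment
5.3 Sendmail Anomaly Detection Experiment
5.4 Internet Explorer Anomaly Detection Experiment
5.5 Real-Time Normal Profile Adaptation Experiment
5.6 Adaboost Resampling Training Method
5.7 Effect of Different Threshold Values on Intrusion Detection Results
5.8 Experiment Summary
Chapter 6 Conclusion
6.1 Research Contributions
6.2 Future Work
References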
Advisor: 陳奕明 (Yi-Ming Chen)   Approval date: 2009-7-16

For questions about this thesis, please contact the Outreach Services Section of the National Central University Library, TEL: (03)422-7151 ext. 57407, or by e-mail.