    Please use this permanent URL to cite or link to this document: http://ir.lib.ncu.edu.tw/handle/987654321/13348


    Title: An Adaptive Anomaly Detection Method Based on Incremental Hidden Markov Model and Windows Native API (original title: 基於漸進式隱藏馬可夫模型與Windows系統呼叫之可調適性異常入侵偵測方法)
    Author: Wen-Fu Shih (施文富)
    Contributor: Graduate Institute of Information Management
    Keywords: Program behavior; Windows system calls; Anomaly intrusion detection; Incremental Hidden Markov Model; Windows Native API; Intrusion Detection
    Date: 2007-06-25
    Upload time: 2009-09-22 15:29:38 (UTC+8)
    Publisher: National Central University Library
    Abstract: The prevalence of network attacks in recent years has left traditional intrusion detection methods, firewalls and similar technologies insufficient to protect computers. Related research has shown that anomaly intrusion detection using Hidden Markov Models and the system calls made by programs achieves good results, but the high cost of training the model is an obstacle to practical use. This research therefore takes the anomaly detection approach and, targeting the Microsoft Windows operating system and using the Incremental Hidden Markov Model as its theoretical basis, implements an anomaly intrusion detection system with model adaptation. We model normal program behavior with the Incremental Hidden Markov Model, and combine its incremental learning with an improved training scheme to reduce the cost of training. In addition, updating and adapting the normal-behavior model is a major problem for anomaly intrusion detection systems, so we also design a model adaptation method, based on learning a Hidden Markov Model from multiple observation sequences, that helps address the false alarms that tend to occur when a legitimate program is updated. Finally, using the Sendmail system call dataset provided by the New Mexico University and Windows system call data we collected ourselves, we show that the proposed method can identify anomalous intrusion behavior in program execution, that the model can be adapted accordingly when a program is updated, which reduces false alarms, and that the time and memory required for training are reduced by about 66% and 93% respectively compared with the original.

    Vulnerabilities are typically discovered months before a worm outbreak, but more and more worms and other malicious programs are released within a few days of a vulnerability being announced. A growing number of automated penetration testing tools help attackers develop attack programs easily and create zero-day worms for vulnerabilities that are unknown to signature-based network defenses. Host-based intrusion detection systems therefore play an important role in detecting such new attacks. Our research uses Windows Native Application Programming Interface (API) sequences and the Incremental Hidden Markov Model to propose a host intrusion detection method. The Hidden Markov Model has proved to be good at expressing dynamic sequence data; in this research it describes the probabilistic relations among Windows Native API sequences. But the training cost of the Hidden Markov Model is so high that it is almost impossible to design on-line learning and detection mechanisms for intrusion detection. We therefore use the Incremental Hidden Markov Model algorithm and propose an effective training scheme that saves time and memory. In addition, we propose an adaptive detection scheme that can be used for model adaptation. We developed a prototype system using the proposed method and ran several experiments to evaluate its performance. The experiments use the dataset of the New Mexico University and a Windows Native API dataset we collected ourselves. The results demonstrate the effectiveness of the intrusion detection method and show savings of 66% in time and 93% in memory usage. We also show that the model adaptation method is effective.
    Appears in collections: [Graduate Institute of Information Management] Doctoral and master's theses
