Thesis 93423028: Detailed Record




Author: 陳威棋 (Wei-Chi Chen)   Department: Information Management
Title: 結合隱藏式馬可夫模型與支援向量機於異常偵測系統之研究 (Combining Hidden Markov Model and Support Vector Machine for Host-based Anomaly Detection Systems)

Abstract
Various kinds of malicious programs, such as Trojan horses and backdoors, have become widespread on the Internet in recent years, and the growing number of automated penetration tools means that far less background knowledge is needed to carry out an attack than before. In such an environment the last line of defence for system security largely falls to the host-based intrusion detection system. This research combines the Hidden Markov Model (HMM) and the Support Vector Machine (SVM) to propose a host-based anomaly detection system for the Microsoft Windows platform.
We use Windows Native Application Programming Interface (API) call sequences to build the model of a program's normal behavior. The defining characteristic of this kind of data is ordering: the sequence in which the Native API calls appear carries information. We therefore use the Hidden Markov Model, which is well suited to expressing dynamic sequential relationships, to describe the probabilistic ordering relationship between Windows Native API calls. The HMM outputs the hidden state sequence corresponding to each Native API call sequence; the hidden states are then converted into vector form and fed to the Support Vector Machine, which is trained on normal program behavior and later classifies the behavior of monitored programs. Because the model characterizes what normal behavior looks like, whenever the SVM classifies a monitored program's behavior as anomalous, the prototype system notifies the user that the program is in an anomalous state.
A prototype system was developed using the proposed method and evaluated in several experiments, using both the University of New Mexico (UNM) system call dataset and a Windows Native API dataset we collected ourselves on Microsoft Windows. The results demonstrate that combining the Hidden Markov Model and the Support Vector Machine in an anomaly detection system can distinguish anomalous program behavior from normal program behavior.
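The pipeline the abstract describes (Native API call sequence, HMM hidden-state sequence, fixed-length vectors, classifier) as an added, runnable Python example; this is not code from the thesis. The three hidden states, the five Native API names used as the observation alphabet, the HMM parameters and the two call traces are all constructed for illustration, and the HMM parameters are fixed rather than estimated from training traces. The final stage uses a centroid-distance score as a stand-in for the SVM classifier the thesis trains (the thesis's reference list points to LIBSVM for that stage), so only the decoding and feature-extraction steps follow the abstract directly.

```python
"""Added illustration (not the thesis's code): Viterbi decoding of a Windows
Native API call trace into HMM hidden states, sliding-window feature vectors
over those states, and a centroid-distance anomaly score standing in for
the SVM stage."""
import math
from collections import Counter

# Constructed hidden states and window length (assumptions for this example).
STATES = ("S0", "S1", "S2")   # S0: file I/O, S1: handle cleanup, S2: process creation
WINDOW = 3                    # sliding-window length over the hidden-state sequence

# Constructed HMM parameters; a real system would estimate these from traces
# of the program's normal runs (e.g. with Baum-Welch).
START_P = {"S0": 0.80, "S1": 0.15, "S2": 0.05}
TRANS_P = {
    "S0": {"S0": 0.70, "S1": 0.25, "S2": 0.05},
    "S1": {"S0": 0.60, "S1": 0.30, "S2": 0.10},
    "S2": {"S0": 0.30, "S1": 0.30, "S2": 0.40},
}
EMIT_P = {
    "S0": {"NtOpenFile": 0.40, "NtReadFile": 0.30, "NtWriteFile": 0.25, "NtClose": 0.04, "NtCreateProcess": 0.01},
    "S1": {"NtOpenFile": 0.05, "NtReadFile": 0.05, "NtWriteFile": 0.05, "NtClose": 0.80, "NtCreateProcess": 0.05},
    "S2": {"NtOpenFile": 0.05, "NtReadFile": 0.02, "NtWriteFile": 0.02, "NtClose": 0.01, "NtCreateProcess": 0.90},
}

# Constructed traces: a normal file-processing run and a run that unexpectedly spawns processes.
NORMAL_TRACE = ["NtOpenFile", "NtReadFile", "NtWriteFile", "NtClose",
                "NtOpenFile", "NtReadFile", "NtClose"]
ANOMALOUS_TRACE = ["NtOpenFile", "NtReadFile", "NtCreateProcess", "NtCreateProcess",
                   "NtWriteFile", "NtClose", "NtCreateProcess"]


def decode_states(trace):
    """Viterbi: most probable hidden-state path for an observed call trace (log domain)."""
    score = [{s: math.log(START_P[s]) + math.log(EMIT_P[s][trace[0]]) for s in STATES}]
    back = [{s: None for s in STATES}]
    for t in range(1, len(trace)):
        score.append({})
        back.append({})
        for s in STATES:
            prev = max(STATES, key=lambda p: score[t - 1][p] + math.log(TRANS_P[p][s]))
            score[t][s] = (score[t - 1][prev] + math.log(TRANS_P[prev][s])
                           + math.log(EMIT_P[s][trace[t]]))
            back[t][s] = prev
    state = max(STATES, key=lambda s: score[-1][s])
    path = [state]
    for t in range(len(trace) - 1, 0, -1):   # backtrack from the best final state
        state = back[t][state]
        path.append(state)
    return path[::-1]


def window_vectors(states, k=WINDOW):
    """Slide a window of length k over the state sequence; each window becomes a
    fixed-length vector of per-state frequencies, the form a classifier consumes."""
    return [tuple(Counter(states[i:i + k])[s] / k for s in STATES)
            for i in range(len(states) - k + 1)]


def _distance(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def build_normal_model(trace, margin=1.2):
    """Training-phase stand-in for the SVM: centroid of the normal windows plus a
    threshold at `margin` times the largest distance seen during training."""
    vecs = window_vectors(decode_states(trace))
    centroid = tuple(sum(v[i] for v in vecs) / len(vecs) for i in range(len(STATES)))
    threshold = margin * max(_distance(v, centroid) for v in vecs)
    return centroid, threshold


def anomaly_score(trace, model):
    """Detection phase: largest distance of any window of the trace from the normal centroid."""
    centroid, _ = model
    return max(_distance(v, centroid) for v in window_vectors(decode_states(trace)))


def is_anomalous(trace, model):
    return anomaly_score(trace, model) > model[1]


if __name__ == "__main__":
    model = build_normal_model(NORMAL_TRACE)
    for name, trace in (("normal", NORMAL_TRACE), ("anomalous", ANOMALOUS_TRACE)):
        print(name, decode_states(trace), round(anomaly_score(trace, model), 3),
              is_anomalous(trace, model))
```

Running the block decodes the normal trace to states without any S2 and the anomalous trace to a path that visits S2 three times; the windows over the anomalous path sit well outside the threshold learned from the normal windows, which is the separation the SVM stage is meant to learn from many such vectors rather than from one trace.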
Keywords
★ Program behavior
★ Hidden Markov Model
★ Windows Native API
★ Support Vector Machine
Table of Contents
List of Figures
List of Tables
Chapter 1 Introduction
1.1 Research Background
1.2 Motivation and Objectives
1.3 Scope
1.4 Contributions
1.5 Thesis Organization
Chapter 2 Related Work
2.1 Data Sources for Anomaly Intrusion Detection
2.2 Sequence Analysis Methods
2.3 Hidden Markov Models in Anomaly Intrusion Detection Systems
2.3.1 Hidden Markov Models
2.3.2 HMM-based Host Anomaly Detection
2.4 Support Vector Machines in Anomaly Intrusion Detection Systems
2.4.1 Support Vector Machines
2.4.2 SVM-based Host Anomaly Detection
Chapter 3 Combining HMM and SVM in an Anomaly Detection System
3.1 Why Hidden Markov Models and Support Vector Machines
3.2 How the Hidden Markov Model and Support Vector Machine Are Combined
3.3 Applying the Hidden Markov Model
3.3.1 Building the Sequence Relationship Model
3.3.2 Feature Extraction from Hidden State Sequences
3.3.3 Initial Parameter Estimation and Choice of the Number of States
3.4 Applying the Support Vector Machine
3.5 Implementation Issues on Microsoft Windows
3.5.1 How System Resources Are Accessed on Windows
3.5.2 Intercepting Native API Calls
3.5.3 Which Kinds of Native API to Select
Chapter 4 System Workflow and Architecture
4.1 Workflow
4.1.1 Normal Behavior Training Phase
4.1.2 Anomaly Detection Phase
4.2 System Architecture
4.3 Module Design
4.3.1 Development Environment and Tools
4.3.2 Windows Native API Collection Module
4.3.3 Feature Extraction Module
4.3.4 Normal Behavior Training Module
4.3.5 Anomaly Detection Module
Chapter 5 Experiments and Analysis
5.1 Validating the Feasibility of Combining HMM and SVM on the UNM Dataset
5.2 Choosing the Sliding Window Length
5.3 Comparing Anomaly Scores of Normal and Anomalous Program Behavior
5.4 Comparing Anomaly Scores of IE and Other Windows Applications
5.5 Further Discussion of the WMF Vulnerability Attack on IE
Chapter 6 Conclusion
6.1 Contributions
6.2 Future Work
References
Chinese References
English References
Related Websites
References
Chinese References
[林景仁 2004] 林景仁, "一種以系統呼叫異常為判斷基礎之入侵防禦系統" (An intrusion prevention system based on system call anomalies), Master's thesis, Department of Information Management, National Central University, 2004.
[官炳宏 2005] 官炳宏, "結合隱藏式馬可夫模型與彩色派翠網以關聯多步驟攻擊警訊之方法" (A method for correlating multi-step attack alerts by combining hidden Markov models and colored Petri nets), Master's thesis, Department of Information Management, National Central University, 2005.
[王子彥 2005] 王子彥, "基於資料探勘技術之監視型間諜程式偵測系統" (A surveillance spyware detection system based on data mining techniques), Master's thesis, Department of Computer Science and Information Engineering, National Taiwan University of Science and Technology, 2005.
[賴申洲 2005] 賴申洲, "運用混合式分析方法於辨識新型攻擊" (Identifying novel attacks with a hybrid analysis method), Master's thesis, Department of Information and Computer Engineering, Chung Yuan Christian University, 2005.
English References
[ACGSZ2005] S. Andersson, A. Clark, G. Mohay, B. Schatz, J. Zimmermann, "A Framework for Detecting Network-based Code Injection Attacks Targeting Windows and UNIX", 21st Annual Computer Security Applications Conference, 2005.
[BGM2004] R.Battistoni, E. Gabrielli, and L. V. Mancini. A host intrusion prevention system for Windows operating systems. In ESORICS’04, 2004.
[BKJK2005] T.M. Bae, C.S. Kim, S.H. Jin, S.H. Kim, K.H. Ro, Y.M. “Semantic Event Detection in Structured Video Using Hybrid HMM/SVM”. Image and Video Retrieval Springer-Verlag ,2005
[BUR1998] C. J. C. Burges “A tutorial on support vector machines for pattern recognition,”Data Mining and Knowledge Discovery, vol. 2, no. 2, 1998
[CHO2002] S.-B. Cho, “Incorporating soft computing techniques into a probabilistic intrusion detection system,” IEEE Trans. On Systems, Man and Cybernetics-Part C:Applications and Reviews, vol. 32, no. 2, pp. 154-160, May 2002.
[CHS2005] W.H. Chen, S.H. Hsu, H.P. Shen, "Application of SVM and ANN for intrusion detection", Computers & Operations Research, Volume 32, Issue 10, pp. 2617-2634, 2005.
[CH2003] S. Cho, S. Han, "Two Sophisticated Techniques to Improve HMM-Based Intrusion Detection Systems", Proceedings of International Symposium on Recent Advances in Intrusion Detection, 2003
[CP2003] S.B.Cho, H.J. Park, “Efficient anomaly detection by modeling privilege flows using hidden Markov model”, Computers and Security, 2003
[FHSL1996] S. Forrest, S.A. Hofmeyr, A. Somayaji, and T.A. Longstaff. A sense of self for unix processes. In Proceedings of the 1996 IEEE Symposium on Security and Privacy, pages 120-128. IEEE, May 1996.
[HC2003] S.-J. Han and S.-B. Cho, "Combining multiple host-based detectors using decision tree," Lecture Notes in Computer Science 2903, Springer, Berlin, 2003.
[HC2006] S.J. Han and S.B. Cho, "Evolutionary neural network for anomaly detection based on program's behavior," IEEE Transactions on Systems, Man and Cybernetics-Part B, 559-570, 2006
[HCL2003] C. W. Hsu, C. C. Chang , C. J. Lin, 2003, A practical guide to support vector classification. Available: http://www.csie.ntu.edu.tw/~cjlin/papers/guide/guide.pdf.
[HFS1998] S. A. Hofmeyr, S. Forrest, and A. Somayaji. , “Intrusion detection using sequences of system calls”, Journal of Computer Security, Volume 6, pages 151-180, 1998.
[HHB2003] X.D. Hoang, J. Hu, P. Bertok, “A Multi-layer Model for Anomaly Intrusion Detection ”IEEE International Conference on Networks (ICON), 1, 531-536, September 2003
[HH2004] X.D. Hoang, J. Hu, "An efficient hidden Markov model training scheme for anomaly intrusion detection of server applications based on system calls", Proceedings of the 12th IEEE International Conference on Networks (ICON), Nov. 2004.
[JH1998] T. Jaakkola and D. Haussler. Exploiting generative models in discriminative classifiers. In Advances in Neural Information Processing Systems 11, 1998
[JXX2005] W. Jiang, Y. Xu ,Y. Xu “A Novel Intrusions Detection Method Based on HMM Embedded Neural Network” In Advances in Natural Computation: First International Conference, ICNC 2005, Changsha, China, August 27-29, 2005
[KC2005] H.S. Kim, S.D. Cha “Empirical evaluation of SVM-based masquerade detection using UNIX commands” Computers & Security, Volume 24, 2005
[KNOP2005] D.S Kim, H.N.Nguyen, S.Y. Ohn, J. S. Park “Fusions of GA and SVM for Anomaly Detection in Intrusion Detection System” Second International Symposium on Neural Networks, 2005
[LS1998] W. Lee and S. J. Stolfo. Data mining approaches for intrusion detection. In Proceedings of the 7th USENIX Security Symposium, 1998.
[LV2002] Y. Liao, V.R. Vemuri, "Use of K-nearest neighbor classifier for intrusion detection", Computers & Security, 2002.
[LSSP2005] J. Long, D. G. Schwartz, S. Stoecklin, M. Patel, “Application of Loop Reduction to Learning Program Behaviors for Anomaly Detection”, IEEE International Conference on Information Technology ,ITCC 2005.
[LBH2005] G Florez-Larrahondo, S Bridges, EA Hansen, “Incremental Estimation of Discrete Hidden Markov Models Based on a New Backward Procedure”, 20th National Conference on Artificial Intelligence,2005
[MS2005] D.J. Malan and M. D. Smith , “Host-Based Detection of Worms through Peer-to-Peer Cooperation” ,ACM Workshop on Rapid Malcode. Fairfax, Virginia. November 2005
[NEB2000] G. Nebbet.“Windows NT/2000 native API reference”, 2000
[PC2002] H. J. Park and S. B. Cho, “Privilege flows modeling for effective intrusion detection based on HMM”, Department of Computer Science, Yonsei University, Korea, 2002.
[QXBG2002] Y. Qiao, X.W. Xin, Y. Bin and S. Ge, "Anomaly intrusion detection method based on HMM", Electronics Letters, 2002.
[RAB1989] Lawrence R. Rabiner, Fellow, IEEE, “A Tutorial on Hidden Markov Models and Selected Applications in Speech Recognition”, In Proceedings of the IEEE, Vol. 77, No. 2, February 1989.
[RDY2003] X Rao, C.X. Dong, S.Q. Yang. “An intrusion detection system based on support vector machine.” Journal of Software, 2003.
[RIE2006] C. Ries “ROOTKIT IN WINDOWS” VigilantMinds Inc, 2006
[RJ1986] L. R. Rabiner, B. H. Juang, “An Introduction to Hidden Markov Models”,IEEE ASSP Magazine, January 1986.
[SAEH2004] S. Stolfo, F Apap, E. Eskin, K. Heller, S. Hershkop, A. Honig, and K. Svore. “Detecting Malicious Software by Monitoring Anomalous Windows Registry Accesses” CU Tech Report Feb. 23, 2004.
[SBS2003] B. Schlkopf, C. J. C. Burges & A. J. Smola, 1999, “Introduction to support vector learning, advances in kernel methods-support vector learning,” Cambridge, 1999
[TM2003] K. Tan and R. Maxion. Determining the operational limits of an anomaly based intrusion detector. IEEE Journal on selected areas in communications, 21(1):96-110, Jan. 2003.
[WDD2000] A. Wespi, M. Dacier, H. Debar, "Intrusion Detection Using Variable-Length Audit Trail Patterns", Proceedings of International Symposium on Recent Advances in Intrusion Detection, 2000
[WFP1999] C. Warrender, S. Forrest, B. Pearlmutter, “Detecting intrusions using system calls: alternative data models”, In Proceedings of the 1999 IEEE Symposium on Security and Privacy, pages 133-152, Oakland, California,1999.
[WGZ2004] W. Wang, X.H. Guan, X.L. Zhang, “Modeling Program Behaviors by Hidden Markov Models for Intrusion Detection”, In Proceedings of 2004 International Conference on Machine Learning and Cybernetics, Aug. 2004
[XCY2004] M. Xu, C. Chen, J. Ying, “Anomaly detection based on system call classification”, Journal of Software, 2004
[YD2003] D.Y. Yeung, Y. Ding, “Host-based Intrusion Detection using Dynamic and Static Behavioral Models” Pattern Recognition . 2003.
[YLCEX2001] N Ye, XY Li, Q Chen, SM Emran, M Xu, “Probabilistic techniques for intrusion detection based on computer audit data”, IEEE Trans on Systems, 2001.
[YSZLW2003] Q.B. Yin, L.R. Shen, R.B. Zhang, X.Y. Li, H.Q. Wang , “Intrusion detection based on hidden Markov model”, In Proceedings of 2003 International Conference on Machine Learning and Cybernetics, Nov. 2003
[ZFZ2003] X.Q. Zhang, P.Z. Fan, Z.L. Zhu. “A new anomaly detection method based on hierarchical HMM”. PDCAT2003,China, (2003), 249-252
Related Websites
[CL 2001] C.C. Chang and C.J. Lin, LIBSVM: a library for support vector machines, 2001. Software at http://www.csie.ntu.edu.tw/~cjlin/libsvm
[FSEC] F-secure weblog http://www.f-secure.com/weblog/
[GMSS] Global Market Share Statistics Website http://marketshare.hitslink.com/report.aspx?qprid=2
[JAHM] Jahmm Website, a Java implementation of Hidden Markov Model related algorithms, http://www.run.montefiore.ulg.ac.be/~francois/software/jahmm/
[MILW] Milworm Website http://www.milworm.com
[META] Metasploit Project Website http://www.metasploit.com/
[STRA] Strace for NT Website http://www.bindview.com/Services/RAZOR/Utilities/Windows/strace_readme.cfm
[SYMA2006] Symantec Website, Symantec Internet Security Threat Report 2006, http://www.symantec.com
[UNM] UNM system call datasets http://www.cs.unm.edu/~immsec/systemcalls.htm
Advisor: 陳奕明 (Yi-Ming Chen)   Approval date: 2006-7-21