NCU Institutional Repository - downloads of theses and dissertations, past exam papers, journal articles, research projects and more: Item 987654321/13536


    Please use this permanent URL to cite or link to this item: http://ir.lib.ncu.edu.tw/handle/987654321/13536


    Title: Combining Incremental Hidden Markov Model and Adaboost Algorithm for Anomaly Intrusion Detection
    Author: 陳毓書; Yu-Shu Chen
    Contributor: Graduate Institute of Information Management
    Keywords: Adaboost; IHMM (Incremental Hidden Markov Model); Anomaly Intrusion Detection; Normal Profile
    Date: 2009-06-23
    Uploaded: 2009-09-22 15:34:22 (UTC+8)
    Publisher: National Central University Library
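    Abstract: With the amount of malicious code and the number of intrusion attacks rising sharply worldwide, developing effective intrusion detection systems that raise detection accuracy has become very important. The traditional Hidden Markov Model (HMM) has been successfully applied to anomaly intrusion detection by modeling a normal profile, and the Incremental HMM (IHMM) improves on the training time cost of the traditional HMM. However, both models still cannot detect effectively and correctly, and both suffer from an excessively high false positive rate. This study therefore proposes anomaly intrusion detection that combines the incremental hidden Markov model with Adaboost, abbreviated Adaboost-IHMM. Adaboost uses multiple IHMMs to classify samples jointly and then decides the final classification of each sample, which raises classification accuracy. In addition, this study proposes a method for adapting the normal profile of Adaboost-IHMM in real time, to respond to misjudgments caused by changes in normal behavior. Finally, the Stide and Sendmail system call datasets provided by the University of New Mexico, together with Internet Explorer experimental data we collected ourselves, are used to verify that the method can indeed distinguish normal from intrusive processes and that the normal profile can be adapted in real time. The experimental results show that the method clearly improves the false positive rate without losing detection rate, improving the false positive rate on the Stide dataset by 70%. When normal behavior changes, the profile can be adjusted correspondingly in real time, improving the time cost of training a new normal profile by 90%.

    Because malware and intrusions are growing sharply worldwide, it is important to develop effective Intrusion Detection Systems (IDSs) to improve the accuracy of intrusion detection. IDSs determine whether the current system has suffered an intrusion by analyzing system call sequences, system logs or network packets. All of these data consist of time series events. The traditional Hidden Markov Model (HMM), which has a great capability to describe time series data, has been successfully applied to anomaly intrusion detection to model a normal profile. The Incremental HMM (IHMM) further improves the training time of the HMM. However, both HMM and IHMM still have the problem of a high false positive rate. In this thesis, we propose to combine IHMM and Adaboost for anomaly intrusion detection and name the result Adaboost-IHMM. Because Adaboost first uses many IHMMs to classify samples collectively and then decides the classification of each sample, Adaboost-IHMM can improve classification accuracy. Finally, we run experiments using the Stide and Sendmail system call datasets from UNM and Internet Explorer datasets collected by ourselves. Experimental results with the Stide datasets show that the proposed method can significantly improve the false positive rate, by 70%, without decreasing the detection rate.
    In addition, we propose a method to adjust the normal profile in order to avoid erroneous detections caused by changes in normal behavior. We perform experiments with realistic datasets extracted from the use of popular browsers. Compared with the traditional HMM method, our method can improve the training time needed to build a new normal profile by 90%.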
    Appears in Collections: [Graduate Institute of Information Management] Theses and Dissertations
