| DC 欄位 |
值 |
語言 |
| DC.contributor | 資訊管理學系 | zh_TW |
| DC.creator | 施文富 | zh_TW |
| DC.creator | Wen-Fu Shih | en_US |
| dc.date.accessioned | 2007-7-12T07:39:07Z | |
| dc.date.available | 2007-7-12T07:39:07Z | |
| dc.date.issued | 2007 | |
| dc.identifier.uri | http://ir.lib.ncu.edu.tw:88/thesis/view_etd.asp?URN=944203020 | |
| dc.contributor.department | 資訊管理學系 | zh_TW |
| DC.description | 國立中央大學 | zh_TW |
| DC.description | National Central University | en_US |
| dc.description.abstract | 近年網路攻擊的盛行使得傳統的入侵偵測方法與防火牆等技術已不足以防禦電腦的安全,而利用隱藏馬可夫模型與程式所使用的系統呼叫進行異常入侵偵測,在相關研究中已證明可達到良好的成效,但是應用隱藏馬可夫模型時,模型訓練成本過高卻造成了實際應用上的窒礙。因此,在本研究中使用異常入侵偵測的作法,針對微軟視窗作業系統,以漸進式隱藏馬可夫模型為理論基礎,實做一個具有模型調適性質之異常入侵偵測系統。我們利用漸進式隱藏馬可夫模型對正常程式行為塑模,並且以漸進式隱藏馬可夫模型中漸進式學習的特色結合訓練架構的改良來減少訓練所需的成本。此外,正常行為模型的更新與調適是異常入侵偵測系統所遭遇的一大問題,因此我們也利用從多個觀察序列學習隱藏馬可夫模型的方法,設計了一個模型調適方法,能夠幫助解決正常程式因程式更新而容易導致誤判狀況發生的問題。最後並且透過新墨西哥大學所提供之Sendmail系統呼叫資料集,以及自行蒐集之Windows系統呼叫資料,證明本研究所提出的方法確實能夠區分程式的執行有異常的入侵行為,程式更新時也能夠對於模型進行相對的調適,能夠降低誤判的情況,且經實驗顯示,進行訓練所需時間與所需記憶體空間亦將較原本節省約66%與93%。 | zh_TW |
| dc.description.abstract | Vulnerabilities are typically discovered months before the worm outbreak, but more and more worms and various malicious programs are released in few days after the vulnerabilities were announced. More and more automated penetration testing tools helps attacker to develop attack programs easily and create zero-day worms for vulnerabilities that unknown to network defenses which based on signatures. Therefore, host-based intrusion detection systems play an important role to detect such newly attacks. Our research mainly takes use of Windows Native Application Interface (API) sequences and Incremental Hidden Markov Model to propose a host intrusion detection method. Hidden Markov Model has proved to be good at expressing dynamic sequence data. In this research, it could help to describe probability relation the of Windows Native API sequences. But the training cost of Hidden Markov Model was so high that it’s almost impossible to design on-line learning and detecting mechanisms for intrusion detection. So we take use of Incremental Hidden Markov Model algorithm and propose an effective training scheme that could help to save the time and memory usage. In additions, we proposed an adaptive detection scheme that could be used for model adaption. A prototype system is developed by us using the proposed method. We did several experiments to evaluate the performance of this system. The experiments use the dataset of the New Mexico University and the data of the Windows Native API dataset collected by ourselves. The results of experiments prove the effectiveness the intrusion detection method and could save 66% time usage and 93% memory usage. And we also proved that the model adaption method is effective. | en_US |
| DC.subject | 程式行為 | zh_TW |
| DC.subject | Windows系統呼叫 | zh_TW |
| DC.subject | 異常入侵偵測 | zh_TW |
| DC.subject | 漸進式隱藏馬可夫模型 | zh_TW |
| DC.subject | Windows Native API | en_US |
| DC.subject | Program behavior | en_US |
| DC.subject | Intrusion Detection | en_US |
| DC.subject | Incremental Hidden Markov Model | en_US |
| DC.title | 基於漸進式隱藏馬可夫模型與Windows系統呼叫之可調適性異常入侵偵測方法 | zh_TW |
| dc.language.iso | zh-TW | zh-TW |
| DC.title | An Adaptive Anomaly Detection Method Based on Incremental Hidden Markov Model and Windows Native API | en_US |
| DC.type | 博碩士論文 | zh_TW |
| DC.type | thesis | en_US |
| DC.publisher | National Central University | en_US |