Thesis record 944203020: details


Name: Wen-Fu Shih (施文富)    Department: Information Management
Thesis title: 基於漸進式隱藏馬可夫模型與Windows系統呼叫之可調適性異常入侵偵測方法 (An Adaptive Anomaly Detection Method Based on Incremental Hidden Markov Model and Windows Native API)
Access conditions:
  1. The electronic full text of this thesis is released for immediate open access.
  2. Users of the open full text are licensed to search, read and print it only for personal, non-commercial academic research.
  3. The Copyright Act of the Republic of China applies; do not reproduce, distribute, adapt, repost or broadcast the work.

Abstract (Chinese, translated): The prevalence of network attacks in recent years means that traditional intrusion detection methods and firewalls are no longer sufficient to protect computers. Anomaly intrusion detection that applies hidden Markov models (HMMs) to the system calls a program issues has been shown in related work to perform well, but the high cost of training an HMM hinders practical deployment. This study therefore takes the anomaly-detection approach and, targeting Microsoft Windows, implements an anomaly intrusion detection system with model adaptation, using the incremental hidden Markov model as its theoretical basis. We model normal program behaviour with an incremental HMM and combine its incremental-learning property with an improved training architecture to reduce the training cost. Updating and adapting the normal-behaviour model is also a major problem for anomaly intrusion detection systems, so we design a model adaptation method based on learning an HMM from multiple observation sequences, which mitigates the false positives that otherwise arise when a legitimate program is updated. Finally, using the Sendmail system call dataset provided by the University of New Mexico and Windows system call data we collected ourselves, we show that the proposed method distinguishes intrusive from normal program execution, adapts the model when a program is updated so that false positives are reduced, and, as the experiments show, cuts the time and memory needed for training by about 66% and 93% respectively compared with the original approach.
Abstract (English): Vulnerabilities are typically discovered months before a worm outbreak, but more and more worms and other malicious programs are now released within a few days of a vulnerability being announced. Increasingly capable automated penetration testing tools help attackers develop attack programs easily and create zero-day worms for vulnerabilities unknown to signature-based network defenses. Host-based intrusion detection systems therefore play an important role in detecting such new attacks. This research uses sequences of Windows Native Application Programming Interface (API) calls together with an incremental hidden Markov model (HMM) to propose a host intrusion detection method. HMMs have proved good at modeling dynamic sequence data and are used here to describe the probabilistic relations within Windows Native API sequences. The training cost of a conventional HMM, however, is so high that it is almost impossible to build on-line learning and detection mechanisms for intrusion detection on it. We therefore use an incremental HMM algorithm and propose an efficient training scheme that saves both time and memory. In addition, we propose an adaptive detection scheme that can be used for model adaptation. A prototype system was built using the proposed method and evaluated in several experiments on the University of New Mexico dataset and on a Windows Native API dataset we collected ourselves. The results demonstrate the effectiveness of the intrusion detection method, with savings of 66% in training time and 93% in memory usage, and show that the model adaptation method is effective.
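The sequence evaluation the abstracts describe, scoring windows of Native API calls against an HMM of normal behaviour and flagging windows whose likelihood is too low, as an added Python example that is not the thesis's code and does not implement its incremental algorithm: a discrete HMM is fitted with standard Baum-Welch (expected counts pooled over several training traces), each sliding window of a new trace is scored with the scaled forward algorithm from Rabiner's 1989 tutorial, and the threshold is the lowest window score seen on the training traces. The traces, the five-call window, the two-state model, the uniform initial distribution used for windows and the floor placed on the emission probability of a never-seen API name are all assumptions made for this example.

```python
"""Added example (not the thesis's code): a discrete HMM over Windows Native API names, fitted with Baum-Welch
on constructed normal traces and used to score sliding windows with the forward algorithm; all inputs are assumptions."""
import math
import random

# Constructed traces of a hypothetical file-handling program; not real captures.
NORMAL_TRACES = [
    ["NtOpenFile", "NtReadFile", "NtReadFile", "NtClose", "NtOpenFile", "NtWriteFile", "NtClose"],
    ["NtOpenFile", "NtReadFile", "NtClose", "NtOpenFile", "NtReadFile", "NtWriteFile", "NtClose"],
    ["NtOpenFile", "NtWriteFile", "NtWriteFile", "NtClose", "NtOpenFile", "NtReadFile", "NtClose"],
    ["NtOpenFile", "NtReadFile", "NtWriteFile", "NtClose", "NtOpenFile", "NtReadFile", "NtReadFile", "NtClose"],
]
# Constructed trace in which the same program unexpectedly spawns a process.
ANOMALOUS_TRACE = ["NtOpenFile", "NtReadFile", "NtCreateProcess", "NtClose", "NtOpenFile", "NtWriteFile", "NtClose"]
UNKNOWN = "<unk>"   # symbol slot for any Native API name not seen during training
UNK_FLOOR = 1e-8    # assumed emission-probability floor for that slot
WINDOW = 5          # assumed sliding-window length

def build_alphabet(traces):
    names = sorted({s for t in traces for s in t})
    return {name: i for i, name in enumerate(names + [UNKNOWN])}

def encode(trace, alphabet):
    return [alphabet.get(s, alphabet[UNKNOWN]) for s in trace]

def _norm(v):
    return [x / sum(v) for x in v]

class DiscreteHMM:
    def __init__(self, n_states, n_symbols, seed=7):
        rng = random.Random(seed)   # seeded so the example is reproducible
        self.N, self.M = n_states, n_symbols
        self.pi = _norm([rng.uniform(0.5, 1.5) for _ in range(self.N)])
        self.A = [_norm([rng.uniform(0.5, 1.5) for _ in range(self.N)]) for _ in range(self.N)]
        self.B = [_norm([rng.uniform(0.5, 1.5) for _ in range(self.M)]) for _ in range(self.N)]

    def forward(self, obs, init=None):
        """Scaled forward pass (Rabiner 1989): returns alpha-hat_t(i) and the scale factors c_t."""
        init, alpha, c = init or self.pi, [], []
        for t, o in enumerate(obs):
            pred = init if t == 0 else [sum(alpha[-1][j] * self.A[j][i] for j in range(self.N))
                                        for i in range(self.N)]
            a = [pred[i] * self.B[i][o] for i in range(self.N)]
            c.append(1.0 / sum(a))
            alpha.append([x * c[-1] for x in a])
        return alpha, c

    def log_likelihood(self, obs, init=None):
        """log P(O | model) = -sum_t log c_t; the scaling avoids underflow on long sequences."""
        return -sum(math.log(ct) for ct in self.forward(obs, init)[1])

    def _backward(self, obs, c):
        beta = [[c[-1]] * self.N]
        for t in range(len(obs) - 2, -1, -1):
            beta.insert(0, [c[t] * sum(self.A[i][j] * self.B[j][obs[t + 1]] * beta[0][j]
                                       for j in range(self.N)) for i in range(self.N)])
        return beta

    def fit(self, sequences, unk, iterations=40, eps=1e-6):
        """Baum-Welch with counts pooled over all sequences (standard re-estimation, not the thesis's
        incremental algorithm); eps keeps every row of A and B strictly positive."""
        for _ in range(iterations):
            pi_acc, A_acc = [eps] * self.N, [[eps] * self.N for _ in range(self.N)]
            B_acc = [[eps] * self.M for _ in range(self.N)]
            for obs in sequences:
                alpha, c = self.forward(obs)
                beta = self._backward(obs, c)
                for t, o in enumerate(obs):
                    gamma = _norm([alpha[t][i] * beta[t][i] for i in range(self.N)])
                    for i in range(self.N):
                        B_acc[i][o] += gamma[i]
                        pi_acc[i] += gamma[i] if t == 0 else 0.0
                    if t + 1 < len(obs):   # xi_t(i, j); with scaled alpha and beta it already sums to 1
                        for i in range(self.N):
                            for j in range(self.N):
                                A_acc[i][j] += alpha[t][i] * self.A[i][j] * self.B[j][obs[t + 1]] * beta[t + 1][j]
            self.pi, self.A = _norm(pi_acc), [_norm(r) for r in A_acc]
            self.B = [_norm(r) for r in B_acc]
        for row in self.B:   # an API never seen in training must stay very improbable in every state
            row[unk] = UNK_FLOOR
        self.B = [_norm(r) for r in self.B]
        return self

def window_scores(model, codes, k=WINDOW):
    """Forward log-likelihood of each length-k window, from a uniform start because a window may begin in any state."""
    uniform = [1.0 / model.N] * model.N
    return [model.log_likelihood(codes[i:i + k], uniform) for i in range(len(codes) - k + 1)]

def train(traces=NORMAL_TRACES, n_states=2):
    """Fit the normal-behaviour model; the threshold is the lowest window score on the training traces."""
    alphabet = build_alphabet(traces)
    model = DiscreteHMM(n_states, len(alphabet)).fit([encode(t, alphabet) for t in traces], alphabet[UNKNOWN])
    threshold = min(s for t in traces for s in window_scores(model, encode(t, alphabet)))
    return model, alphabet, threshold

def detect(model, alphabet, threshold, trace):
    """(window_start, log-likelihood) of every window of the trace that scores below the threshold."""
    scores = window_scores(model, encode(trace, alphabet))
    return [(i, s) for i, s in enumerate(scores) if s < threshold]
```

Calling `train()` and then `detect(model, alphabet, threshold, ANOMALOUS_TRACE)` flags all three windows that cover `NtCreateProcess`: the name never occurs in the training traces, so it is mapped to the `<unk>` slot and every window containing it is capped at roughly log(UNK_FLOOR), far below any score the training windows produce. A window of known calls in an unusual order is penalised only by how improbable the model finds that order, a much weaker signal on a toy alphabet like this, which is why real deployments need far more traces and states than shown here. Because `fit` pools counts over whatever list of sequences it is given, adapting the model after a program update in this simplified setting means refitting on the old traces plus traces of the updated program.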
Keywords: ★ Windows Native API (Windows 系統呼叫)
★ Program behavior
★ Intrusion detection
★ Incremental hidden Markov model
Table of contents: Abstract (Chinese)
Abstract (English)
Contents
List of Figures
List of Tables
Chapter 1 Introduction
1.1 Research background
1.2 Motivation and objectives
1.3 Scope
1.4 Contributions
1.5 Organization of the thesis
Chapter 2 Related Work
2.1 System-call-based anomaly intrusion detection
2.2 HMM-based anomaly detection systems
2.2.1 Hidden Markov models
2.2.2 HMM-based anomaly detection
2.3 Intrusion detection applications on Windows
2.4 Intrusion detection methods with model adaptation
Chapter 3 Applying the Incremental HMM to Windows System Calls
3.1 The incremental hidden Markov model
3.2 Applying the incremental HMM to anomaly intrusion detection
3.3 Sequence evaluation with the incremental HMM
3.4 Implementation issues for anomaly intrusion detection on Windows
Chapter 4 System Design and Implementation
4.1 Training phase
4.2 Detection phase
Chapter 5 Experiments and Analysis
5.1 Training cost comparison
5.2 Sendmail anomaly detection experiment
5.3 Internet Explorer anomaly detection experiment
5.4 Normal-behaviour model adaptation experiment
Chapter 6 Conclusions
6.1 Contributions
6.2 Future work
References
Advisor: Yi-Ming Chen (陳奕明)    Approval date: 2007-07-12