Title: A Meta Decision Tree combined with Blast Approach for Intrusion Detection (利用Meta決策樹結合Blast的方法預測入侵)
Authors: Jao, Jui-En (饒瑞恩); Hu, Yuh-Jyh (胡毓志)
Institute of Computer Science and Engineering
Keywords: Intrusion detection system; BLAST; Meta decision tree; UNM dataset; NSL-KDD dataset; IDS; MDT
Publication date: 2016
Abstract: As Internet intrusion techniques are constantly updated, network security faces ever more severe challenges. Among current defense mechanisms, an intrusion detection system (IDS) can detect possible intrusion behaviour and raise a system's defensive capability. In general, detection targets can be divided into host-based (HIDS) and network-based (NIDS): as the names suggest, HIDS targets the host and analyses mainly logs, while NIDS targets the whole network segment and analyses network packets. Detection methods can be divided into signature detection systems and anomaly detection systems: a signature detection system recognises known malicious behaviour in network traffic or applications, whereas an anomaly detection system defines a threshold for normal behaviour and detects intrusions against it. One widely studied area is the analysis of system calls. An infected or compromised user program keeps attempting actions that normal programs seldom perform (accessing the file system, the boot sector), so from its system call sequence we can examine every action the program performed and thereby analyse whether it has been infected or compromised. This thesis applies BLAST sequence alignment from bioinformatics combined with a meta decision tree to analyse the HIDS UNM dataset, and afterwards uses the meta decision tree alone to analyse the NIDS NSL-KDD dataset. On independent test data, the results show that in most cases we obtained better prediction results than previous methods.
As Internet intrusion techniques are constantly updated, network security faces increasingly severe challenges. Among current defense mechanisms, an Intrusion Detection System (IDS) is capable of detecting activities that attempt to compromise the confidentiality, integrity or availability of a system or network. Traditionally, IDSs are classified into signature detection systems and anomaly detection systems. A signature IDS identifies known malicious activities in network traffic or applications, while an anomaly IDS compares an activity against a defined "normal" baseline. One of the most investigated fields is system call analysis. An infected or intruding user program will keep attempting activities (e.g. accessing the file system or the boot sector) that a "normal" user program seldom performs. Therefore, we can determine whether a user program is an intrusion by analyzing its system call sequence, which lets us inspect the complete history of actions the program performed. In this thesis, we combine BLAST biological sequence alignment with a Meta Decision Tree (MDT) on the host-based UNM dataset, which consists of system call sequences, and we also apply the MDT alone to the network-based NSL-KDD dataset, which consists of network packet features. The results show that our method performs better than previous ones in most cases.
URI: http://etd.lib.nctu.edu.tw/cdrfb3/record/nctu/#GT070256021
http://hdl.handle.net/11536/138856
Appears in Collections: Thesis