Title: Entropy-Based Profiling of Network Traffic for Detection of Security Attacks
(Chinese title, translated: An Entropy-Based Network Behavior Profiling Algorithm for Detecting Internet Attacks)
Authors: He, Jyun-De (何俊德); Lee, Tsern-Huei (李程辉)
Department: Institute of Communications Engineering
Keywords: intrusion detection system; anomaly detection; entropy; chi-square test; profiling
Issue Date: 2008
Abstract: With the rapid growth of the Internet, network security has become a major concern in recent years. To improve the efficiency of detecting network attacks, this research presents an entropy-based network traffic profiling scheme. The scheme consists of two stages. In the first stage, packets of normal network traffic are systematically converted into a time series of Relative Uncertainty values, and the probability distribution of that series is recorded as the long-term profile of normal behavior. In the second stage, the Chi-Square Goodness-of-Fit Test, which measures the degree of difference between two probability distributions, is used to detect abnormal network activity: the probability distribution of Relative Uncertainty observed over a short-term window is compared with the long-term profile constructed in the first stage. The performance of the scheme is demonstrated for DoS attacks using a dataset derived from KDD CUP 1999. Experimental results show that the scheme achieves high detection accuracy and low computational complexity when the feature set is selected appropriately.
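The two stages described in the abstract, as an added worked example (not the thesis code): Relative Uncertainty is taken here as H(X)/log2(N), the Shannon entropy of a feature's values in a window normalized by its maximum for the N distinct values seen, which is the common definition and an assumption since the abstract does not spell out the formula. The traffic records, the choice of destination port as the profiled feature, the 10-bin histogram, the one-pseudo-count smoothing that keeps every expected frequency positive, and the shape of the DoS flood are all constructed for this example. The chi-square threshold is the tabulated critical value for 9 degrees of freedom at alpha = 0.01.

```python
"""Entropy-based traffic profiling with a chi-square goodness-of-fit detector.

Illustrative example, not the thesis implementation. Records, feature choice,
bin count, smoothing and the DoS generator are constructed assumptions.
"""
import math
import random
from collections import Counter

BINS = 10                   # equal-width histogram bins for RU values in [0, 1]
CHI2_CRIT_DF9_P99 = 21.666  # chi-square critical value, df = BINS - 1, alpha = 0.01
WINDOW = 200                # records per time-series sample (assumption)


def relative_uncertainty(values):
    """RU = H(X) / log2(N): entropy normalised by its maximum for the N distinct
    values observed. 0 when a single value dominates completely, 1 when uniform."""
    counts = Counter(values)
    n = len(values)
    if len(counts) <= 1:
        return 0.0
    entropy = -sum((c / n) * math.log2(c / n) for c in counts.values())
    return entropy / math.log2(len(counts))


def ru_series(records, feature, window=WINDOW):
    """Stage 1a: turn a record stream into a time series of RU values, one per window."""
    return [relative_uncertainty([r[feature] for r in records[i:i + window]])
            for i in range(0, len(records) - window + 1, window)]


def histogram(ru_values, bins=BINS):
    """Bin RU values in [0, 1]; RU == 1.0 falls into the last bin."""
    counts = [0] * bins
    for ru in ru_values:
        counts[min(int(ru * bins), bins - 1)] += 1
    return counts


def build_profile(ru_values, bins=BINS):
    """Stage 1b: long-term probability distribution of RU over normal traffic.
    One pseudo-count per bin (assumption) keeps every expected frequency > 0."""
    counts = histogram(ru_values, bins)
    total = sum(counts) + bins
    return [(c + 1) / total for c in counts]


def chi_square(short_ru_values, profile):
    """Stage 2: Pearson goodness-of-fit statistic, sum((O - E)^2 / E), of the
    short-term RU histogram against the long-term profile."""
    observed = histogram(short_ru_values, len(profile))
    n = len(short_ru_values)
    return sum((o - n * p) ** 2 / (n * p) for o, p in zip(observed, profile))


def detect(short_ru_values, profile, threshold=CHI2_CRIT_DF9_P99):
    """Returns (statistic, anomalous): anomalous when the statistic exceeds the threshold."""
    stat = chi_square(short_ru_values, profile)
    return stat, stat > threshold


# --- constructed sample traffic (not real captures) -------------------------
PORTS = [80, 443, 53, 22, 25, 110, 143, 993, 3389, 8080, 445, 21]
ZIPF = [1 / (i + 1) for i in range(len(PORTS))]   # skewed but diverse port mix


def normal_records(rng, n):
    return [{"dst_port": p} for p in rng.choices(PORTS, weights=ZIPF, k=n)]


def dos_records(rng, n, target=80, share=0.95):
    """Flood model (assumption): `share` of all records hit one target port,
    so destination-port RU collapses towards 0."""
    return [{"dst_port": target} if rng.random() < share else {"dst_port": p}
            for p in rng.choices(PORTS, weights=ZIPF, k=n)]


def run_demo(seed=1234):
    """Profile 500 normal windows, then test 30 normal and 30 flood windows."""
    rng = random.Random(seed)
    profile = build_profile(ru_series(normal_records(rng, 500 * WINDOW), "dst_port"))
    normal = detect(ru_series(normal_records(rng, 30 * WINDOW), "dst_port"), profile)
    attack = detect(ru_series(dos_records(rng, 30 * WINDOW), "dst_port"), profile)
    return profile, normal, attack


if __name__ == "__main__":
    profile, normal, attack = run_demo()
    print("long-term RU profile:", [round(p, 3) for p in profile])
    print("normal window set: chi2=%.2f anomalous=%s" % normal)
    print("DoS window set:    chi2=%.2f anomalous=%s" % attack)
```

The detector only ever handles a histogram of `BINS` counts per short-term window set, which is the source of the low computational complexity the abstract claims; the feature choice matters because a flood concentrates destination ports (RU drops) while spoofed sources spread source addresses (RU rises), so a feature whose RU is stable under normal load but shifts under the attack of interest is the one to profile.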
URI: http://140.113.39.130/cdrfb3/record/nctu/#GT079613547
http://hdl.handle.net/11536/41983
Appears in Collections: Thesis


Files in This Item:

  1. 354701.pdf
