Title: Applying Data Mining Techniques on Intrusion Detection Systems
Authors: Chuang, Kuo-Wei (莊國緯)
Tsai, Min-Jen (蔡銘箴)
Information Management Program, College of Management
Keywords: Intrusion Detection System; Data Mining; Decision Tree; K-Means; ANN
Publication date: 2009
Abstract: In recent years, the spread of broadband networks and the rapid development of network applications have made the Internet increasingly influential. As information technology advances and network applications continue to evolve, enterprises exchange information and conduct transactions over the network with growing frequency and complexity. Although the convenience of the network brings enterprises benefits and competitiveness, the complex behavior that accompanies it also produces many system vulnerabilities and risks that can be exploited for intrusion. Intrusion detection systems are therefore a frequently discussed and studied topic in network security, and enterprises are paying increasing attention to the importance of network security. In this study, we use data mining techniques to construct a hybrid intrusion detection system that combines misuse detection and anomaly detection. For misuse detection, we use decision-tree classification rules to classify known network attacks. For anomaly detection, we use k-means combined with a threshold (critical value) test to detect unknown network attacks. Experiments show that the classification accuracy of the proposed misuse detection system reaches 92%, higher than the 85% achieved by the artificial neural network. In the anomaly detection system, k-means combined with the threshold test can also correctly identify anomalous or new types of network attack behavior.
URI: http://140.113.39.130/cdrfb3/record/nctu/#GT079764510
http://hdl.handle.net/11536/46241
Appears in Collections: Thesis