信譽基準的權重投票以減少入侵偵測的誤判漏判

Abstract

誤判和漏判發生於每台入侵偵測系統，而誤判和漏判發生的頻率和多寡被用來評估入侵偵測系統的能力。單一台入侵偵測系統的偵測能力常不理想是因為伴隨大量的誤判，再加上單單只有一台的偵測結果是無法調查其漏判的狀況。據此顯示單靠一台來偵測是有所不足和其限制，因此為了克服單一台的限制，藉由整合多台不同知識能力的入侵偵測系統為一方法，然而，在偵測同一份網路流量時，不同的偵測能力可能會產生不同的偵測結果，所以如何利用這些偵測結果來對該被偵測的網路流量做出一個好的決策是具挑戰性的難題。因此本研究提出一個信譽基準的權重投票方法，用以整合考量各家入侵偵測系統的知識能力並嘗試同時降低誤判和漏判的機會，且藉此提升多台所產生之警報處理的有效性。提出的方法主要程序為：調查各家入侵偵測系統的偵測能力並對他們建立相對應的信譽值，然後根據各信譽值分配權重給相對應的投票者，再實際對該被處理的網路流量執行決策以決定是否為惡意的。在結果中，不同的信譽數值證明不同台入侵偵測系統的偵測能力是不同的，即證明其知識能力不相同的特性。再者，在投票方法中，我們使用Accuracy及Efficiency用以評估投票演算法，本文所提出的投票方法準確性和有效性達到95%和94%，優於多數決的66%和41%。此外，本文提出的投票方法相較於各台入侵偵測系統，在平均誤判及漏判減少的百分比數值為21%和58%。

False Positive (FP) and False Negative (FN) happen to every Intrusion Detection System (IDS). How frequently they occur is used to evaluate the performance of an IDS. A large number of FPs will degrade the performance of the IDS. Furthermore, FNs cannot be investigated from one IDS’s alerts. Thus, to overcome the limitation of one IDS, a way to leverage multiple IDSs’ domain knowledge is used. However, due to different detection capabilities, different IDSs may have different detection results for a traffic trace. Hence, using these results to make a good decision regarding the trace’s status turns out to be challenging. This work proposes a Creditability-based Weighted Voting (CWV) to reduce both FPs/FNs and increase the performance of multiple IDSs. The CWV first investigates the detection capabilities of all IDSs and models the corresponding creditabilities to them. Then, according to the creditabilities, it assigns the weights to IDSs and makes a decision concerning the trace. From the experiment results, we demonstrate the different IDSs’ detection capabilities by their creditabilities. In addition, we use Accuracy and Efficiency to evaluate the CWV and the majority voting (MV). The CWV achieves the accuracy of 95% and the efficiency of 94% compared to 66% and 41% of the MV. Besides, with the CWV, the average percentages of FP/FN reduction for an IDS are 21% and 58%, respectively.