Title: Monitoring Network Intrusion by OLAP and Data Mining
Authors: Yu-Chang Tseng (曾于彰), Shian-Shyong Tseng (曾憲雄)
Department: Institute of Computer Science and Engineering
Keywords: Intrusion; Data Mining; OLAP; Monitoring; Data Cube
Issue Date: 2003
Abstract: As network usage grows dramatically, network-based applications and services become more important, and a growing variety of network intrusions are being developed to attack these services. Previous researchers have developed different systematic approaches to analyzing network intrusion behaviour from different traffic sources. To monitor network intrusions by taking advantage of these approaches, this thesis proposes a Network Intrusion Monitoring System (NIMS) architecture that integrates multiple data sources, such as the KDD Cup 99 data set and Snort alert logs, and analyzes the integrated network traffic data across multiple dimensions and across the concept levels of each dimension. The NIMS architecture consists of three phases: the Data Preprocessing Phase, the Concept Hierarchy and Data Cube Construction Phase, and the Data Analysis Phase. In the Data Preprocessing Phase, the Multi-Source Data Format Integration (MSDFI) algorithm integrates the formats of the different data sources, and the Data Source Transformation (DST) algorithm merges the sources according to the integrated format produced by MSDFI. In the Concept Hierarchy and Data Cube Construction Phase, the Dimension Concept Hierarchy Knowledge Acquisition (DCHKA) algorithm guides network domain experts in constructing concept hierarchies for the integrated data; with these hierarchies, the merged traffic data can be transformed into a data cube for analysis at every concept level of each dimension. In the Data Analysis Phase, the Guided Monitoring Interface (GMI) assists administrators in monitoring network intrusions efficiently. Finally, the network traffic data at the dimension granularity chosen by the administrator can be exported from the data cube to DMAS, a data mining tool, to mine further information and intrusion patterns at that concept level.
URI: http://140.113.39.130/cdrfb3/record/nctu/#GT009123558
http://hdl.handle.net/11536/53146
Files in This Item: 355801.pdf