以IDML為基礎的分散式入侵偵測系統之研究

Abstract

近年來，隨著網路環境的急遽成長，一些以網路為基礎的應用和服務變的愈來愈重要，而針對這一些網路服務的攻擊行為也有愈來愈多的趨勢。因此，如何去定義可能的網路攻擊行為、如何去偵測這些被定義好的攻擊行為以及如何製作更安全的系統等等都是值得考慮的關鍵問題。在本篇論文中，為了定義網路攻擊行為，我們首先設計了一個新的入侵偵測的標籤語言(IDML)來描述已知的網路攻擊行為，而每一個以IDML描述的網路攻擊行為都會被轉換成攻擊模式自動機。接著我們提出以IDML為基礎的分散式入侵偵測系統(IDIDS)來幫助我們監控所有網路上的行為。IDIDS包含入侵偵測元件(IDD)和入侵偵測系統管制中心(CIDS)兩個部分。IDD利用事先編譯完成的攻擊模式自動機執行線上已知網路攻擊行為的偵測並且回報可疑事件給CIDS進行更進一步的分析。CIDS利用我們提出的多階段行為模式探勘的方法來執行離線異常行為的偵測。在CIDS前處理的階段，我們將IDD所回報的可疑事件編成一個特徵向量代表使用者在某段時間內的行為。接著在行為分群的階段中將這一些特徵向量分成幾個不同的群集。在循序模式探勘的階段可以找出一些出現較頻繁的行為模式。最後在特徵萃取的階段中將這一些行為模式的特徵萃取出來，接著便和已知的行為模式作比較來決定所找出來的行為是屬於正常行為或是異常行為。而所得到的結果也經由適當的回饋機制來加強IDIDS的偵測能力。

As the growth of network environment dramatically increases, the network-based applications and services become more important, and a variety of network intrusions have also been developed to intrude these services. As to these intrusions, several issues including how to identify possible intrusion behaviors, how to detect these identified intrusion behaviors, and how to secure the system infrastructure are needed to be considered. In this thesis, for identifying the intrusion behaviors, a new Intrusion Detection Markup Language (IDML) is proposed to describe the well-known intrusion behaviors. Each intrusion pattern described in IDML can be transformed into an intrusion pattern state machine. Then, an IDML-based Distributed Intrusion Detection System (IDIDS), which consists of Intrusion Detection Device (IDD) and Center of Intrusion Detection System (CIDS), is proposed. IDD performs online misuse detection with the pre-compiled intrusion pattern state machines and reports the suspected event to CIDS for further analysis. CIDS performs offline anomaly detection with our multi-phases behavior pattern discovering method. In preprocessing phase, these reported events are encoded to feature vectors. These obtained features vectors may be grouped into several clusters in behaviors clustering phase. In sequential pattern discovering phase, the sequence of cluster labels that represents user’s behaviors may be discovered. Finally, these patterns can be transformed into a sequence of property sets in property extracting phase and then be compared with well-known patterns to determine normal or abnormal in classifier. The results of our offline behavior pattern discovering method can feedback and enhance the detection capability of IDIDS.