Title: Network Intrusion Detection System Based on Network Content
Design of Network-based Intrusion Detection System
Authors: 周志明
Chou Jyh Ming
曾憲雄
Tseng Shian Shyong
Institute of Computer Science and Engineering
Keywords: Network-based intrusion detection system; Data mining
Issue date: 2001
Abstract: In recent years, various network-based applications have been developed to provide services in many different areas. For a variety of reasons, many kinds of abnormal network behavior have also increased, the best known being network intrusion. Whatever its purpose, an intrusion can cause serious damage and loss. However, every application has its own behavior pattern on the network, so our focus is on how to use network protocols to identify the behavior patterns of applications. In this thesis, we propose an offline method to extract users' behavior from connections and a detecting module to recognize connections online. We design the Protocol Format Description Language (PFDL) as the knowledge representation of protocol formats, so that the command formats of protocols are easy to understand and quick to use. We also propose a new offline Characteristic mining method, which transforms the commands of connections into user behavior profiles from most standard protocols and network applications and stores users' records efficiently. Finally, we describe the Online detector, which recognizes users' behavior using the database built by Characteristic mining. With the proposed intrusion detection system, abnormal behavior can be distinguished from normal behavior online.
URI: http://140.113.39.130/cdrfb3/record/nctu/#NT900394011
http://hdl.handle.net/11536/68533
Appears in collections: Thesis