Title: A Finite Automata Based Foresight Network Intrusion Detection System
Authors: Meng-Kai Tsai (蔡孟凱), Shian-Shyong Tseng (曾憲雄)
Department: Institute of Computer Science and Engineering
Keywords: Network Intrusion Detection System (NIDS); Finite Automata; XML; Data Mining; Protocol
Date: 2002
Abstract (Chinese version, translated): As network attacks of every kind increase daily, network security is receiving growing attention. In recent years, many network intrusion detection systems have been developed to help administrators detect such malicious behavior. However, most of these systems can only detect attacks; they cannot prevent them. In this thesis we propose a Finite Automata Based Foresight Network Intrusion Detection System (FA-FNIDS) to prevent attacks from occurring. The system has one Management Center and three processing phases. First, we integrate the operating model of the communication protocol with users' usage habits to build a knowledge base of normal protocol behavior. Using the knowledge in this base together with our proposed finite automata matching algorithm, suspicious attackers can be filtered out before the actual attack begins, achieving the goal of attack prevention. At the same time, we use the SPIRIT [13] data mining algorithm to periodically mine the collected user habits further, so that the system's judgment becomes more accurate. We therefore hope that this system can prevent attacks and, beyond that, discover new attack patterns. Efficiency and general detection capability are also issues we emphasize. Finally, we conducted three experiments to verify the performance and detection capability of FA-FNIDS.
Abstract (English version): Due to the rapid growth of various network intrusions, network security is becoming an important issue. In recent years, many network intrusion detection systems (NIDSs) have been developed to assist administrators in detecting malevolent attacks. However, most NIDSs cannot prevent attacks that are still in the probing phase. In order to prevent attacks, a Finite Automata Based Foresight Network Intrusion Detection System (FA-FNIDS) is proposed in this thesis. The FA-FNIDS consists of a Management Center and three phases. Firstly, the protocol behavior and user behavior are integrated to construct normal enhanced protocol behaviors, which are provided to the finite automata matching algorithm. The matching algorithm calculates a malevolent probability that the Management Center uses to judge the degree of danger of a connection. To increase the detection accuracy of FA-FNIDS, the SPIRIT mining algorithm [13] is used to discover frequent user behaviors periodically. Therefore, the FA-FNIDS can prevent attacks and further find novel attacks. Finally, three experiments are conducted to evaluate the efficiency and the detection ability of FA-FNIDS.
URI: http://140.113.39.130/cdrfb3/record/nctu/#NT910394019
http://hdl.handle.net/11536/70191
Appears in collections: Theses