Title: An Evolutionary Fuzzy Inference System for Clustering Attack Scenarios (original Chinese title: 演化式模糊推理系統於攻擊行為模式分群之應用)
Authors: Wei-Chuang Wu (吳威璁); Chuen-Tsai Sun (孫春在)
Department: Institute of Computer Science and Engineering
Keywords: intrusion detection system; genetic algorithm; fuzzy inference system; attack scenarios
Issue Date: 2002
Abstract: Traditional intrusion detection systems (IDSs) concentrate on filtering network packets for individual attacks or anomalies and raise an alert for each such event independently. Two problems arise from this approach. First, the individually recorded attack events are often logically related: in most cases an intrusion consists of a sequence of correlated steps rather than isolated events that can be dismissed as false alerts mixed in with the real ones, yet such attack scenarios are difficult for human analysts or intrusion response systems to extract from the log and respond to appropriately. Second, with the growth of the Internet, attacks occur far more frequently, and the alerts recorded by an IDS can grow by tens of thousands of records per day, which is a serious obstacle to later analysis. This thesis proposes a clustering model based on an evolutionary fuzzy inference system. It processes the large volume of IDS log data systematically and efficiently, grouping related attack events into clusters so that experts can carry out further analysis of attack scenarios.
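As an added illustration, not the thesis's own model (the abstract does not specify its features, membership functions, rule base or evolutionary operators), the following Python sketch shows the shape of an evolutionary fuzzy inference system for grouping IDS alerts: a small fuzzy rule base scores how related two alerts are from their time gap and shared source or destination address, a genetic algorithm tunes the time-window width and the linking threshold against a few expert-labelled scenarios, and the tuned scorer groups a constructed alert log with union-find. The sample alerts, the scenario labels, the rules and the GA settings are all constructed assumptions made for this example.

```python
"""Toy evolutionary fuzzy inference system for clustering IDS alerts.

Everything here (alert format, fuzzy inputs, rule base, GA design) is an
assumption made for illustration; it is not the thesis's model.
"""
import random
from itertools import combinations

# Constructed sample alert log (not real IDS output):
# (alert_id, seconds since start, source IP, destination IP, signature)
ALERTS = [
    (0,    0, "10.0.0.5",   "192.168.1.10", "PORTSCAN"),
    (1,   30, "10.0.0.5",   "192.168.1.10", "FTP_LOGIN_FAIL"),
    (2,   60, "10.0.0.5",   "192.168.1.10", "FTP_EXPLOIT"),
    (3,  900, "10.0.0.9",   "192.168.1.20", "ICMP_FLOOD"),
    (4,  920, "10.0.0.9",   "192.168.1.20", "ICMP_FLOOD"),
    (5, 5000, "172.16.0.3", "192.168.1.10", "DNS_ANOMALY"),  # same target as 0-2, but hours later
]
# Expert-assigned scenario labels used as the GA's training signal (constructed).
LABELS = {0: "A", 1: "A", 2: "A", 3: "B", 4: "B", 5: "C"}


def relatedness(a, b, genome):
    """Fuzzy inference for one alert pair; genome = (width_s, threshold).

    Inputs:  close    = nearness in time, ramping from 1 at 0 s to 0 at width_s
             same_src / same_dst = crisp 0/1 address matches
    Rules:   IF close AND same_src THEN related
             IF close AND same_dst THEN related
             IF NOT close          THEN unrelated
    Output:  centroid of singleton consequents related=1, unrelated=0.
    """
    width, _ = genome
    gap = abs(a[1] - b[1])
    close = max(0.0, 1.0 - gap / width)
    same_src = 1.0 if a[2] == b[2] else 0.0
    same_dst = 1.0 if a[3] == b[3] else 0.0
    related = max(min(close, same_src), min(close, same_dst))
    unrelated = 1.0 - close
    total = related + unrelated
    return related / total if total > 0 else 0.0


def cluster(alerts, genome):
    """Union-find over all pairs whose relatedness exceeds the genome's threshold."""
    parent = {a[0]: a[0] for a in alerts}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    for a, b in combinations(alerts, 2):
        if relatedness(a, b, genome) > genome[1]:
            parent[find(a[0])] = find(b[0])
    groups = {}
    for a in alerts:
        groups.setdefault(find(a[0]), set()).add(a[0])
    return sorted(groups.values(), key=min)


def fitness(genome):
    """Fraction of alert pairs whose grouping agrees with the expert labels."""
    gid = {aid: i for i, g in enumerate(cluster(ALERTS, genome)) for aid in g}
    pairs = list(combinations(LABELS, 2))
    agree = sum((gid[x] == gid[y]) == (LABELS[x] == LABELS[y]) for x, y in pairs)
    return agree / len(pairs)


def evolve(pop_size=30, generations=40, seed=1):
    """Simple GA: elitism, tournament selection, blend crossover, Gaussian mutation."""
    rng = random.Random(seed)
    pop = [(rng.uniform(10, 20000), rng.uniform(0.05, 0.95)) for _ in range(pop_size)]
    for _ in range(generations):
        pop.sort(key=fitness, reverse=True)
        nxt = pop[:2]  # keep the two best genomes unchanged
        while len(nxt) < pop_size:
            p1 = max(rng.sample(pop, 3), key=fitness)
            p2 = max(rng.sample(pop, 3), key=fitness)
            mix = rng.random()
            width = mix * p1[0] + (1 - mix) * p2[0] + rng.gauss(0, 500)
            thr = mix * p1[1] + (1 - mix) * p2[1] + rng.gauss(0, 0.05)
            nxt.append((max(1.0, width), min(0.99, max(0.01, thr))))
        pop = nxt
    return max(pop, key=fitness)


if __name__ == "__main__":
    best = evolve()
    print("best genome (width_s, threshold):", best, "fitness:", fitness(best))
    for g in cluster(ALERTS, best):
        print("scenario:", sorted(g))
```

The point of alert 5 is that address overlap alone is not enough: it targets the same host as the scan-then-exploit sequence but hours later, so a time window that is too wide merges it into scenario A, while a window narrower than about a minute splits scenario A apart. The GA has to find a width between those bounds and a threshold consistent with it; the fitness function rewards pairwise agreement with the expert grouping, so it is exactly the kind of expert feedback the abstract describes feeding back into the clustering.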
URI: http://140.113.39.130/cdrfb3/record/nctu/#NT910394039
http://hdl.handle.net/11536/70209
Appears in Collections: Thesis