Title: 針對未知攻擊辨識之混合式入侵偵測系統
Hybrid Intrusion Detection System Toward Unknown Attack Classification
Authors: 蔡秉任
Tsai, Ping-Jen
曾文貴
Tzeng, Wen-Guey
Institute of Computer Science and Engineering
Keywords: Intrusion Detection System; Zero-day Attack; Unknown Attack
Issue Date: 2014
Abstract: An intrusion detection system (IDS) serves as a line of defense for detecting malicious behavior on a network. Features extracted from data such as traffic and packets are passed to the system, which detects and filters malicious behavior in order to prevent intrusions and reduce the various losses they cause. Intrusion detection systems fall into two major types: signature-based detection and anomaly-based detection. A signature-based system builds a database of attack signatures from features extracted from past attack behavior, and thereafter detects malicious and intrusive behavior according to the results of signature matching; an anomaly-based system instead uses methods such as machine learning to build a model of attack behavior from the samples of a dataset, according to the relationship between their features and labels, and uses that model as the basis for classification. Compared with signature-based systems, anomaly-based systems have the advantage of being able to discover zero-day attacks. The purpose of this study is to strengthen the ability of anomaly-based intrusion detection systems to recognize zero-day or unknown attacks, so as to capture zero-day attacks more comprehensively. To strengthen the recognition of zero-day attacks, several methods are applied in combination, such as a self-learning mechanism, a multilevel system, clustering, and hidden Markov models. The experimental results show that with the self-learning mechanism the detection rate for unknown attacks rises markedly while the false-positive rate, which represents misclassification, rises only slightly; consequently the overall detection accuracy is also better than the original result. However, other approaches such as hybrid clustering or the hidden Markov model yield no substantial improvement in performance or detection ability. Besides being related to the characteristics of the dataset, this result also implies that a simple Markov-state model may be unable to build a complete model of malicious behavior for recognition purposes; a more detailed algorithm and the definition of other related feature information would be needed to achieve more complete detection of malicious intrusion behavior.
An intrusion detection system (IDS) is used to detect malicious network behavior (e.g., Denial-of-Service, Trojan horses). It detects attacks from features extracted from network traffic, packets, etc., and alerts users when a potential threat is detected, in order to reduce damage to data, systems, and money. IDSs fall into two categories: signature-based and anomaly-based. A signature-based IDS scans for known signs of attacks. Its database of signatures is built by human experts, who extract signatures from their knowledge and analysis of past attacks. An anomaly-based IDS builds a model of malicious behavior from training data and a machine learning algorithm; the model then classifies whether an instance is anomalous or not. Most importantly, an anomaly-based IDS has the ability to detect zero-day attacks, which a signature-based IDS cannot. In this paper, we focus on the ability of an anomaly-based IDS to detect zero-day or unknown attacks. To improve the detection rate of unknown attacks, we apply self-learning, multilevel, and voting algorithms and combine these mechanisms to make the hybrid IDS more powerful. In addition, we propose an HMM classifier that takes the continuous features of NetFlow records as observations. According to the experimental results, self-learning clearly improves the classification result: both detection rate and accuracy increase significantly. However, the hybrid system of self-learning and multilevel detection could not improve the result further, and the HMM classifier gave poor classification results. This is related not only to the properties of the dataset but also to the features we defined, and it illustrates that a simple Markov model possibly cannot model complicated attack behavior. These problems are discussed in the paper.
URI: http://140.113.39.130/cdrfb3/record/nctu/#GT070156083
http://hdl.handle.net/11536/76169
Appears in Collections: Thesis

Files in This Item:

  1. 608301.pdf