一個新的以共同刺激機制為基礎之入侵偵測架構

Abstract

False Positive為現今入侵偵測系統(IDS，Intrusion Detection System)的最大問題之一，它的狀況為” 針對符合入侵規則卻沒有真正入侵的行為發出警報”。這情形使得網路管理員需要耗費大量時間來判斷警報的真假，進而造成管理員對於入侵偵測系統所發出的大量警告產生不信任與無力感。 因此本論文為降低False Positive的需求，提出一個入侵偵測的架構。本架構以共同刺激機制(Co-stimulation)之二階段確認的偵測方式為基礎，並配合異常封包分類處理的設計，分別處理「網路型」與「主機型」的異常封包，以達到有效過濾在主機上不會產生異常狀況的攻擊封包，另外亦可偵測出針對False Positive的攻擊類型，藉此以提升系統偵測入侵行為的效能。

Now false positive is one of the most important problems for an Intrusion Detection System (IDS). False positive is the wrong alert sent by IDS when the behavior fit in with the signature of intrusion rule but no real intrusion actions. The wrong alerts will take administrators a lot of time to check that the alerts are valid or not. Let us have no much time to handle other jobs. We also have no confidence about these alerts.

Therefore, in our research, we propose an intrusion detection framework based on a co-stimulation mechanism, which triggers the Monitor Agents on the host system to make sure if there are any real intrusion actions. For filtering invalid alerts efficiently, we classify unusual packets in accordance with two types, network-based and host-based type. Our proposed framework can reduce false positive alerts and increase the rate of correct detection.