混合式入侵偵測系統基於模糊關聯式規則

Abstract

入侵偵測包含錯誤偵測與異常偵測,錯誤偵測可以找出已知攻擊而異常偵測 則著重在找出未知攻擊。故入侵偵測系統應該同時具有處理已知攻擊與未知攻擊 的能力。本研究提出一個入侵偵測系統架構可以達成錯誤偵測與異常偵測,可以 達到錯誤偵測的準確度又能偵測到新穎攻擊。本研究並以模糊關聯式規則自動化 產生入侵偵測系統規則檔供管理者偵測而關聯式規則探勘產生出的規則檔更可 依照管理者的需求自由作更動或是自行產生規則檔以達成更彈性的使用。 本研究以 KDD Cup99 與自行收集的資料集作評估與分析,利用模糊關聯式規 則所產生的規則來偵測下可以讓錯誤偵測的偵測率在 KDD Cup 資料集最高達 97.4%,異常偵測偵測率與誤判率約在 95%與 10%。自製的資料集則可在幾乎沒 有誤判率的情形下偵測率達約 86%。

Intrusion detection includes both misuse detection and anomaly detection. Misuse detection concerns the detection of known attacks, while anomaly detection is about the detection of attacks that might be unknown. It is important for an intrusion detection system to have ability to detection both misuse and anomlay situations. The thesis presents an intrusion detection system (IDS) that architecture can achieve both misuse detection and anomaly detection. The goal of misuse detection is to achieve higher accuracy and anomaly detection to detect unknown attacks. The rule files can be edited and added to modify or expand the functionality. In this study, we use fuzzy association rule mining to automatically generate rule files for IDS. In this study, KDD Cup 99 dataset and our own dataset are for assessment and analysis. By using KDD Cup 99 dataset, the detection rate of misuse detection can reach almost 97.4% and the detection rate of anomaly detection can achieve 95% with false positive rate equal to 0%. Using our own dataset, the detection rate is 95% and the false positive rate is 10%.