Please use this Handle URI to cite this document: http://tdr.lib.ntu.edu.tw/jspui/handle/123456789/65414
Full metadata record
DC Field | Value | Language
dc.contributor.advisor | 孫雅麗 (Yeali S. Sun) |
dc.contributor.author | Shun-Wen Hsiao | en
dc.contributor.author | 蕭舜文 | zh_TW
dc.date.accessioned | 2021-06-16T23:41:32Z | -
dc.date.available | 2012-07-30 |
dc.date.copyright | 2012-07-30 |
dc.date.issued | 2012 |
dc.date.submitted | 2012-07-24 |
dc.identifier.uri | http://tdr.lib.ntu.edu.tw/jspui/handle/123456789/65414 | -
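dc.description.abstract | In recent years, attacks that exploit vulnerabilities in network services have emerged one after another. An attacker can remotely send packets carrying malicious messages to a host running a vulnerable network service, thereby attacking the vulnerability and obtaining execution privileges on the victim host. Most of today's network worms and some botnets use this kind of attack technique. Because the attacker can obtain execution privileges on the remote computer, exploitation attacks of this type often cause serious damage to computers or network systems.
A normal network service uses predefined software and network protocols to carry out normal communication procedures and complete a task together with a remote server. Network malware uses similar methods to contact the remote server, but malicious behavior cannot be exactly the same as normal behavior. In this thesis we therefore design a novel anomaly detection framework to detect this kind of network attack; the framework is designed for attacks that exploit network service vulnerabilities.
For anomaly detection, the most critical assumption is as follows: taking the "normal" point of view as the baseline, unknown and suspicious behavior can be regarded as "anomalous". This thesis therefore focuses on defining the concept of "normal" and detects anomalous events on the basis of network services. Once the "normal" behavior of a network service has been defined, network behavior that does not conform to "normal" is defined as anomalous behavior. In past observations, we found that certain particular, abnormal communication steps can be used to describe anomalies and attacks. When an attacker and a victim are covertly carrying out a series of attack actions related to vulnerability exploitation, the anomalous communication behavior revealed can be treated by our detection system as an attack symptom, so that the system raises a warning and infers whether an attack has occurred.
The modeling methods used in the past to describe "normal" usually have two shortcomings: they lack a verification method, and they use only a single model. To reduce the impact of the first shortcoming, we use static analysis and dynamic analysis to build the normal model of a network communication protocol, so as to ensure its correctness and accuracy. For the second shortcoming, we combine multiple network protocol or service models to construct a composite behavior model, so that the model can describe complex network behavior and the relationships between different protocols in more detail and more precisely. The interactions and interrelationships between network protocols are both taken into account when the composite model is built.
In dynamic analysis, we adopt Principal Component Analysis to analyze network behavior and extract the important communication states, which are used to build the normal model of the communication protocol. We apply Principal Component Analysis to real-world network behavior to separate the different communication behaviors within the same protocol. Normal and important behavior states are selected to rebuild the normal model, which is presented in the form of a finite state machine.
Our prototype system can statefully capture and monitor network protocols. With the multi-level and cross-level behavior tracking architecture we designed, together with the normal models built beforehand, we can actively detect anomalous states or related attack symptoms at different communication layers.
To increase the confidence level of attack assessment during detection, we also developed a probability-based attack inference model. Based on the attack symptoms observed at the time, the inference model can compute and infer the current detection confidence index. We found in our observations that each attack symptom has a different weight (indicating that they differ in importance). Adopting probability as the mathematical method to represent the different weights and perform inference is therefore an appropriate direction.
In the final experiments, we collected several different network attacks and built normal behavior models for their underlying communication protocols. Our system can detect their anomalous behavior and attack symptoms, whether the attacks are known, unknown or variants, and anomalies can be detected even when the attacks target different vulnerabilities.
This thesis takes network protocols and services, which past literature has not examined closely, as the basis for detection, adopts both static and dynamic model construction methods, and builds a composite model and a cross-level detection system. These are the novel aspects of this thesis, and they can make up for the shortcomings of current intrusion detection systems.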
zh_TW
dc.description.abstract | Network attacks that exploit network service vulnerabilities have become popular in recent years. An attacker can remotely send malicious messages to a vulnerable service and gain execution rights to control the victim. Most Internet worms and some botnets fall into this attack category, and such attacks often cause severe damage to our computers and network systems.
As we know, benign software performs a normal procedure to communicate with a server and accomplish a network task collaboratively via predefined network protocols. Although malware takes similar actions to communicate with the server that it intends to compromise, malware behavior is not exactly the same as normal behavior. In our work, we design a novel anomaly detection framework that targets the attack vector of vulnerability exploitation on network services.
The key hypothesis of anomaly detection is that anomalous behaviors are suspicious from a normality point of view. We focus on defining the notion of normality from a new perspective, the network service, to detect anomalies. Once the definition of normality is specified, a violation of normality (i.e., an anomaly) is determined. We found that certain abnormal communication procedures can be used to profile anomalous behavior. They are considered the sign of an attack (i.e., an attack symptom) when the attacker and the victim undergo sequences of compromising actions.
Past models often lack verification of model normality, and they focus only on an individual model. To confront the first issue, we show how to construct underlying protocol models by static and dynamic approaches to guarantee normality. For the latter issue, we combine multiple protocol/service models to construct a composite model for complex network services. We propose a method to construct a composite service model with protocol interaction and correlation.
To build the normal protocol models for anomaly detection, we adopt Principal Component Analysis (PCA) to analyze the normal behavior of a network protocol and extract the significant communication states. The PCA analyzes real-world network traffic traces and performs data classification to cluster different communication behaviors. Normal and significant behaviors are chosen to build the normal behavior model, which takes the form of a finite state machine.
Our prototype system can statefully capture and monitor activities between hosts, and it progressively assesses possible network anomalies by multi-level behavior tracking, cross-level behavior triggering, and correlation of different network protocols and services.
To increase the confidence level of assessing attacks, we develop a probabilistic inference model to infer and compute the belief score of possible attacks based on the observation of the attack symptoms. In our observation, each attack symptom has a different degree of significance in the attack evaluation, so probability is an appropriate mathematical tool for attack inference.
We collect several real-world attacks and build the normal models of the protocols that they use. Several anomalies and attack symptoms are detected by our system, whether the attack is known, unknown, or a variant, and even when the attacks do not exploit the same vulnerability.
The work has several novel research concepts. We focus on the network protocol and service as a basis to detect anomalies. We adopt both static and dynamic approaches to build normal models. Using PCA to build a normal model has not been seen in the past. Developing a cross-level monitoring system and a composite service model is also new to this research field. The results show that our system can detect anomalies and is a good solution for intrusion detection.
Keywords: anomaly detection, network service, behavior profiling, principal component analysis, inference model, finite state machine.
en
dc.description.provenance | Made available in DSpace on 2021-06-16T23:41:32Z (GMT). No. of bitstreams: 1
ntu-101-F93725011-1.pdf: 1710739 bytes, checksum: f278d631fda078cd1d13cecace9d30b3 (MD5)
Previous issue date: 2012
en
dc.description.tableofcontents | Oral Examination Committee Certification
Acknowledgements
Abstract (Chinese)
Abstract
Table of Contents
List of Tables
List of Figures
Chapter 1 Introduction
1.1 Problem Statement and Motivation
1.2 Scope and Methodology
1.3 Contribution and Limitation
1.4 Organization of the Thesis
Chapter 2 Background and Related Work
2.1 Research Background
2.1.1 Network Attack Trend
2.1.2 Malware Classification
2.1.3 Intrusion Detection Approaches
2.1.4 Vulnerability Exploitation
2.2 Real World Attack Example
2.2.1 Worm Attack
2.2.2 Blaster Worm
2.3 Sophisticated Attack Techniques
2.3.1 Stealthy Attack
2.3.2 Polymorphism
2.4 Intrusion Detection
2.4.1 Misuse Detection Approach
2.4.2 Anomaly Detection Approach
2.5 Tools for Detection
2.5.1 Finite State Machine
2.5.2 Layered Structure
2.5.3 Correlation
2.5.4 Inference Model
2.6 The Overview of Proposed Detection Framework
2.6.1 Model-based Service Behavior Profiling
2.6.2 Probabilistic Inference Model
Chapter 3 Service Behavior Profiling
3.1 Normality
3.2 Normal Model Construction
3.2.1 Definition
3.2.2 Static Analysis on Service Specification
3.2.3 Dynamic Analysis Using PCA
3.2.4 Behavior Clustering Using PCA
3.2.5 Representative State Vector Selection and FSM Reconstruction
3.2.6 The Example of TCP Analysis Result
3.3 Composite Service Analysis
3.3.1 Interaction between two protocol models
3.3.2 Correlation between Multiple Service Models
3.4 Anomaly and Attack Symptom
3.4.1 Anomaly
3.4.2 System Architecture
3.4.3 Collect Attack Traces
3.4.4 Deviations and Attack Symptom
Chapter 4 Probabilistic Inference Model
4.1 Inference Model with Markov Property
4.2 Data Collection and Probabilities
4.2.1 Determining Probabilities of Attack Symptom for Known Attack and the Variants
4.2.2 A Statistical Approach for Determining Probabilities of and Between Attack Symptoms
Chapter 5 System Implementation
5.1 Prototype Design and Implementation
5.1.1 Traffic Classification Module
5.1.2 Attack Assessment Module
5.1.3 Script Processing Unit
5.1.4 Prototype System
Chapter 6 Evaluation
6.1 The Attack Symptom Detected in Real-World Attacks
6.2 Attack Symptom of Blaster
6.3 Random Trace
6.4 Stealthy and Unknown Attacks
6.5 Computation Performance
Chapter 7 Discussion and Future Work
Chapter 8 Conclusion
References
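dc.language.iso | en |
dc.subject | principal component analysis | zh_TW
dc.subject | finite state machine | zh_TW
dc.subject | anomaly detection | zh_TW
dc.subject | network service | zh_TW
dc.subject | inference model | zh_TW
dc.subject | behavior profiling | zh_TW
dc.subject | finite state machine | en
dc.subject | network service | en
dc.subject | behavior profiling | en
dc.subject | principal component analysis | en
dc.subject | inference model | en
dc.subject | anomaly detection | en
dc.title | A Network Anomaly Detection Method Based on Network Service Behavior Profiling and a Probabilistic Inference Model | zh_TW
dc.title | Service Behavior Profiling and Probabilistic Inference for Anomaly Detection | en
dc.type | Thesis |
dc.date.schoolyear | 100-2 |
dc.description.degree | Doctoral |
dc.contributor.oralexamcommittee | 蔡益坤 (Yih-Kuen Tsay), 陳孟彰 (Meng Chang Chen), 李漢銘 (Hahn-Ming Lee), 曾俊元 (Chinyang Tseng) |
dc.subject.keyword | anomaly detection, network service, behavior profiling, principal component analysis, inference model, finite state machine | zh_TW
dc.subject.keyword | anomaly detection, network service, behavior profiling, principal component analysis, inference model, finite state machine | en
dc.relation.page | 138 |
dc.rights.note | Licensed for a fee |
dc.date.accepted | 2012-07-25 |
dc.contributor.author-college | College of Management | zh_TW
dc.contributor.author-dept | Graduate Institute of Information Management | zh_TW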
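Appears in Collections: Department of Information Management

Files in this item:
File | Size | Format
ntu-101-1.pdf (not authorized for public access) | 1.67 MB | Adobe PDF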


Items in the system are protected by copyright, with all rights reserved, unless their copyright terms are specifically indicated otherwise.
