A Hybrid Model of Network Intrusion Detection System : Applying Packet based Machine Learning Algorithm to Misuse IDS for Better Performance

A Combined Model of Packet-Level Machine Learning Algorithms for Improving Misuse IDS Performance

  • 원일용 (Department of Computer Engineering, Graduate School, Konkuk University) ;
  • 송두헌 (Computer Software, Yongin Songdam College) ;
  • 이창훈 (Department of Computer Engineering, Konkuk University)
  • Published : 2004.06.01

Abstract

Misuse IDS is known to have acceptable accuracy but suffers from high rates of false alarms. We show a behavior-based alarm reduction with a memory-based machine learning technique. Our extended form of IBL (XIBL) examines SNORT alarm signals to decide whether each signal is worth sending to the security manager. An experiment shows that there is an apparent difference between true alarms and false alarms with respect to XIBL behavior. This gives clear evidence that although an attack in the network consists of a sequence of packets, decisions over individual packets can be used in conjunction with misuse IDS for better performance.

A Misuse IDS built on experts' intrusion-analysis knowledge has a high intrusion detection rate but generates excessive false alarms, which lowers management efficiency. We propose and test a model that combines packet-information-centred instance-based learning with a Misuse IDS in order to reduce false alarms according to their behavioural characteristics. Using XIBL (Extended Instance Based Learner), an improvement of the existing IBL (Instance Based Learner), Snort's alarms are traced back and analysed at the packet level to check whether each alarm is actually worth sending. The experiment shows a clear difference in XIBL's behaviour between true alarms and false alarms, and demonstrates empirically that, although a network attack appears as a combination of several packets, normal/abnormal decisions on individual packets can, when combined with a Misuse IDS, contribute to improving the performance of the whole system.
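The mechanism the abstract describes, a memory-based learner that gives a second opinion on each Snort alarm from the packet-level features of the triggering packet, can be illustrated with a small instance-based classifier. The following is an added example written for this page, not the paper's XIBL implementation or Snort code: the feature set (`proto`, `flags`, `sid`, `dst_port`, `payload_len`, `ttl`), the heterogeneous distance function, the `k`, the forwarding and novelty thresholds, and the sample alarm memory (including the rule ids) are all constructed assumptions. It fails open: an alarm with no close precedent in memory is always forwarded to the security manager.

```python
# Added illustration of instance-based filtering of misuse-IDS alarms.
# Not the paper's XIBL; features, distance and thresholds are assumptions.
from dataclasses import dataclass
from typing import Dict, List, Optional

# Packet-level features recorded per alarm (assumed feature set).
SYMBOLIC = ("proto", "flags", "sid")
NUMERIC = {"dst_port": 65535.0, "payload_len": 1500.0, "ttl": 255.0}  # name -> range


@dataclass(frozen=True)
class Case:
    features: Dict[str, object]
    label: str  # "true" (real attack) or "false" (false alarm), per analyst review


def distance(a: Dict[str, object], b: Dict[str, object]) -> float:
    """Heterogeneous distance: overlap metric (0/1) for symbolic fields,
    range-normalised absolute difference for numeric fields."""
    d = 0.0
    for f in SYMBOLIC:
        d += 0.0 if a[f] == b[f] else 1.0
    for f, rng in NUMERIC.items():
        d += abs(float(a[f]) - float(b[f])) / rng
    return d


class AlarmFilter:
    """Keeps reviewed past alarms in memory and scores a new Snort alarm by a
    distance-weighted k-nearest-neighbour vote over those cases."""

    def __init__(self, k: int = 3, forward_threshold: float = 0.5, novelty: float = 1.0):
        self.k = k
        self.forward_threshold = forward_threshold  # min 'true' share to forward
        self.novelty = novelty  # nearest-case distance beyond which we always forward
        self.memory: List[Case] = []

    def learn(self, features: Dict[str, object], label: str) -> None:
        """Store an analyst-reviewed alarm as a new case."""
        if label not in ("true", "false"):
            raise ValueError("label must be 'true' or 'false'")
        self.memory.append(Case(dict(features), label))

    def true_alarm_score(self, features: Dict[str, object]) -> Optional[float]:
        """Weighted share of 'true' votes among the k nearest cases, or None
        when memory is empty or the alarm has no sufficiently close precedent."""
        if not self.memory:
            return None
        ranked = sorted(self.memory, key=lambda c: distance(features, c.features))
        if distance(features, ranked[0].features) > self.novelty:
            return None
        true_w = total_w = 0.0
        for case in ranked[: self.k]:
            w = 1.0 / (1.0 + distance(features, case.features))  # closer cases weigh more
            total_w += w
            if case.label == "true":
                true_w += w
        return true_w / total_w

    def should_forward(self, features: Dict[str, object]) -> bool:
        """Forward when the alarm looks like past true alarms, or when it is novel."""
        score = self.true_alarm_score(features)
        return score is None or score >= self.forward_threshold


def build_demo_filter() -> AlarmFilter:
    """Constructed sample memory for a hypothetical HTTP rule (sid '1000' is a
    placeholder): short ordinary requests were false alarms, oversized requests
    from a more distant host (lower TTL) were confirmed attacks."""
    f = AlarmFilter()
    for payload, ttl, label in [(320, 64, "false"), (410, 128, "false"), (290, 64, "false"),
                                (1380, 49, "true"), (1420, 51, "true")]:
        f.learn({"proto": "tcp", "flags": "PA", "sid": "1000",
                 "dst_port": 80, "payload_len": payload, "ttl": ttl}, label)
    f.learn({"proto": "udp", "flags": "-", "sid": "2000",
             "dst_port": 53, "payload_len": 60, "ttl": 64}, "false")
    return f


if __name__ == "__main__":
    filt = build_demo_filter()
    benign_like = {"proto": "tcp", "flags": "PA", "sid": "1000",
                   "dst_port": 80, "payload_len": 350, "ttl": 64}
    attack_like = {"proto": "tcp", "flags": "PA", "sid": "1000",
                   "dst_port": 80, "payload_len": 1400, "ttl": 50}
    novel = {"proto": "icmp", "flags": "-", "sid": "3000",
             "dst_port": 0, "payload_len": 64, "ttl": 255}
    for name, alarm in [("benign-like", benign_like), ("attack-like", attack_like), ("novel", novel)]:
        print(name, filt.true_alarm_score(alarm), filt.should_forward(alarm))
```

The design choice worth noting is the novelty check: a memory-based filter can only suppress alarms that resemble previously reviewed false alarms, so anything without a close precedent is passed through unchanged rather than silently dropped, and the analyst's verdict on it is fed back with `learn()` so the memory grows with the deployment.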
