A Combination of Signature-based IDS and Machine Learning-based IDS using Alpha-cut and Beta pick

Combining a Signature-based Intrusion Detection System and a Machine Learning-based Intrusion Detection System Using Alpha-cut and Beta-pick

  • 원일용 (Department of Computer Engineering, Konkuk University) ;
  • 송두헌 (Department of Computer Information, Yongin Songdam College) ;
  • 이창훈 (Department of Computer Engineering, Konkuk University)
  • Published : 2005.08.01

Abstract

Signature-based intrusion detection produces many false positives and has difficulty detecting new and modified attacks. In a prior paper [1] we introduced Alpha-cut, which reduces false positives by combining a signature-based IDS with a machine learning-based IDS. This research is a successor to Alpha-cut: we introduce Beta-pick, which detects attacks that cannot be detected by signature-based detection alone. Alpha-cut is a way of increasing the detection accuracy of the signature-based IDS; Beta-pick is a way of decreasing the cases in which an attack is treated as normal. For Alpha-cut and Beta-pick we use XIBL as the learning algorithm and also show how the results differ from those of C4.5. To demonstrate the value of the proposed method, we apply Alpha-cut and Beta-pick to a signature-based IDS and show the decrease in false alarms.

Signature-based intrusion detection produces many false positives and has difficulty detecting new or modified attacks. In an earlier paper [1] we presented a model that combines a signature-based intrusion detection system with a machine learning-based intrusion detection system using the Alpha-cut method. This paper is a follow-up study of Alpha-cut and proposes the Beta-pick method to reduce the false negatives that the existing model cannot detect. Whereas Alpha-cut is a method for raising the accuracy of the signature-based intrusion detection system's attack detection results, Beta-pick is a method for reducing the cases in which an attack is judged to be normal. The machine learning algorithm used for Alpha-cut and Beta-pick is XIBL (Extended Instance-based Learner), and we present as a result the difference from applying C4.5. To show the effect of the proposed method, we apply Alpha-cut and Beta-pick to the detection results of a signature-based intrusion detection system and show that false alarms decrease.
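As an added illustration (not code from the paper), the two mechanisms can be read as thresholds on an instance-based learner's attack confidence: Alpha-cut drops a signature alert whose confidence is below alpha, Beta-pick reports an unflagged packet whose confidence is at least beta. The feature encoding, the overlap distance standing in for XIBL's metric, k and both threshold values are assumptions, and the training and test packets are constructed.

```python
# Added example (not the paper's code): Alpha-cut and Beta-pick modelled as two
# confidence thresholds over a k-nearest-neighbour learner on symbolic features.
# Feature encoding, distance metric, k and both thresholds are assumptions.

# Constructed training instances: (tcp_flags, payload_size, packet_rate) -> label
TRAIN = [
    (("S", "small", "high"), "attack"),
    (("S", "small", "high"), "attack"),
    (("S", "small", "low"), "normal"),
    (("PA", "large", "low"), "normal"),
    (("PA", "large", "high"), "attack"),
    (("PA", "small", "low"), "normal"),
    (("PA", "large", "low"), "normal"),
    (("S", "large", "high"), "attack"),
]

def overlap_distance(a, b):
    """Number of symbolic features on which two instances differ (assumed metric)."""
    return sum(x != y for x, y in zip(a, b))

def attack_confidence(features, k=3, train=TRAIN):
    """Fraction of the k nearest training instances labelled 'attack' (stable sort)."""
    nearest = sorted(train, key=lambda inst: overlap_distance(features, inst[0]))[:k]
    return sum(1 for _, label in nearest if label == "attack") / k

def combine(packets, alpha=0.5, beta=0.9):
    """Verdict per (features, signature_alert) pair.
    Alpha-cut: a signature alert survives only if confidence >= alpha.
    Beta-pick: an unflagged packet is reported only if confidence >= beta,
    a stricter bar, so misses are filled in without new false alarms.
    """
    verdicts = []
    for features, signature_alert in packets:
        threshold = alpha if signature_alert else beta
        verdicts.append("attack" if attack_confidence(features) >= threshold else "normal")
    return verdicts

# Constructed packets: two signature alerts (a true one and a false positive),
# then three unflagged packets, the first of which is a signature miss.
PACKETS = [
    (("S", "small", "high"), True),
    (("PA", "large", "low"), True),
    (("S", "large", "high"), False),
    (("PA", "small", "low"), False),
    (("S", "small", "low"), False),
]

if __name__ == "__main__":
    for (features, alert), verdict in zip(PACKETS, combine(PACKETS)):
        print(features, "signature" if alert else "unflagged", "->", verdict)
```

The last packet shows the asymmetry: at confidence 2/3 it would be confirmed as an attack had a signature fired, but as unflagged traffic it stays normal because Beta-pick demands more than Alpha-cut.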

References

  1. 원일용, 송두헌, 이창훈, 'A Combination Model of Packet-level Machine Learning Algorithms for Improving Misuse IDS Performance', KIPS Transactions Part C, Vol.11-C, pp.301-308, 2004 https://doi.org/10.3745/KIPSTC.2004.11C.3.301
  2. W. Lee, 'A Data Mining Framework for Constructing Features and Models for Intrusion Detection Systems', Ph.D. Dissertation, Columbia University, 1999
  3. I. Won, D. Song, C. Lee, C. Heo, Y. Jang, 'A Machine Learning Approach toward an Environment-free Network Anomaly IDS: A Primer Report', In Proc. of 5th International Conference on Advanced Communication, 2001
  4. K. Julisch, 'Mining Alarm Clusters to Improve Alarm Handling Efficiency', In 17th Annual Computer Security Applications Conference (ACSAC), pp.12-21, 2000
  5. K. Julisch, 'Mining Intrusion Detection Alarms for Actionable Knowledge', In 8th ACM International Conference on Knowledge Discovery and Data Mining, 2002 https://doi.org/10.1145/775047.775101
  6. I. Won, D. Song, C. Lee, 'The Architecture of Network Intrusion Detection Systems', Communications of the Korean Institute of Communication Sciences, 19(8), pp.41-51, 2002
  7. D. Aha, D. Kibler, 'Noise-tolerant Instance-based Learning Algorithms', Proceedings of the Eleventh International Joint Conference on Artificial Intelligence, pp.794-799, 1989
  8. C. Kruegel, T. Toth, 'Using Decision Trees to Improve Signature-based Detection', In 6th Symposium on Recent Advances in Intrusion Detection (RAID), Lecture Notes in Computer Science, Springer Verlag, USA, September 2003
  9. SNORT: http://www.snort.org
  10. DARPA data set: www.ll.mit.edu/IST/ideval
  11. C. Stanfill, D. Waltz, 'Toward Memory-based Reasoning', Communications of the ACM, 1986 https://doi.org/10.1145/7902.7906
  12. S. Cost, S. Salzberg, 'A Weighted Nearest Neighbor Algorithm for Learning with Symbolic Features', Journal of Machine Learning, Vol.10, pp.57-78, 1993 https://doi.org/10.1023/A:1022664626993
  13. R. Lippmann et al., 'Evaluating Intrusion Detection Systems: The 1998 DARPA Off-line Intrusion Detection Evaluation', Proc. of DARPA Information Survivability Conference and Exposition, pp.12-26, 2000
  14. S. Manganaris, M. Christensen, D. Zerkle, K. Hermiz, 'A Data Mining Analysis of RTID Alarms', In 2nd Workshop on Recent Advances in Intrusion Detection (RAID99), 1999
  15. S. Patton, W. Yurcik, D. Doss, 'An Achilles' Heel in Signature-based IDS: Squealing False Positives in SNORT', Lecture Notes in Computer Science, Springer Verlag, USA, 2003
  16. C. Stanfill, D. Waltz, 'Toward Memory-based Reasoning', Communications of the ACM, 1986 https://doi.org/10.1145/7902.7906
  17. S. Cost, S. Salzberg, 'A Weighted Nearest Neighbor Algorithm for Learning with Symbolic Features', Journal of Machine Learning, Vol.10, pp.57-78, 1993 https://doi.org/10.1023/A:1022664626993