基於拔靴法之網路異常偵測系統   免費試閱

Using Bootstrap Method to Develop the Network Anomaly Detection Control Chart

在眾多的網路入侵偵測系統中，以偵測方法區分大致可分成誤用偵測與異常偵測系統兩種類型，其中異常偵測系統主要是藉由蒐集過去網路正常使用行為的歷史紀錄，建立正常行為模組，將目前的網路使用行為與正常行為模組進行比對，若兩種行為模組有顯著差異，即判定為異常或入侵的網路使用行為。此一作法與統計製程管制的概念相似，然而流量資料具自我相關性質且不一定服從常態分配，以致傳統的Shewhart管制圖並不能直接套用。故本研究從時間縱斷面整理資料以降低相關性，並採用分配不拘的無母數拔靴法，針對銘傳大學2012年5月18日～6月22日資訊學院的網路正常流量Netflow封包數據進行重抽樣，再根據拔靴分布分別建構100(1-α)%信賴區間及K倍數管制界限，最後得到用來監控網路流量變化之管制圖。管制圖參數制定與偵測能力的驗證方面，本研究則利用網路模擬器NS2分別模擬正常與異常流量數據，代入拔靴法求得信賴區間及管制界限，在控制誤報率低於5%極小化漏報率的準則下，模擬結果顯示，合理的信賴水準約90%、管制界限倍數K=8.5，對應的誤報率約為4.4%～4.7%，漏報率約為0.0%～0.13%。

Network intrusion detection techniques are categorized into misuse and anomaly detection. An anomaly netflow detection system uses normal network traffic to establish models. A target netflow will be classified as abnormal if it is sufficiently different from the normal models. This is similar to the concept of statistical process control, SPC. However, netflow is autocorrelated and does not sure whether the series obeying normal distribution, thus the Shewhart control chart cannot be applied directly to netflow data. This paper adopts longitudinal time scheme to collect netflow in order to reduce the data dependency and uses nonparametric bootstrapping method to sample the netflow data of Ming Chuan University recorded from 2012/5/18 to 2012/6/22. The 100(1 - α)% confidence interval and K-control limit are established basing on bootstrapping distribution to generat e the control chart which is used to monitor the traffic behaviors. We use NS2 network simulator to generate normal and abnormal traffic data for bootstrapping to compute the confidence interval and control limit. The results show that 4.4%~4.7% of the false positive and 0.0%~0.13% of the false negative is achieved when minimizing false negative rate under 5% and confidence interval is 90% and K = 8.5.