偵測網路流量異常之多變量Hotelling's T2管制圖   免費試閱

An Anomaly Detection System Based on the Multivariate Hotelling’s T2 Control Chart

隨著網際網路的迅速發展，電子商務已成為傳統行銷以外的一個新興通路，加上Facebook、Twitter或其他社群媒介的活躍，網路已融入多數民眾的日常生活當中。然而網路安全是最令人頭痛的問題，一旦系統遭受網路駭客入侵，輕則影響網路服務品質，重則造成無法彌補的損失。由於當前駭客攻擊手法伴隨科技發展日新月異，傳統入侵偵測系統比對單一流量特徵資料庫之效能有限，因此本研究考慮基於多變量統計製程管制的原理和建模手法，首先針對銘傳大學資訊學院2012年5月18日～6月22日合計36天網路正常流量Netflow封包數據，利用相關性分析提取網絡流量的三項特徵變數：連結數目、封包數量及封包大小，再根據此三項特徵資料庫建立監控網路流量變化之多變量Hotelling’sT2管制圖。關於管制圖參數α值的設定及偵測能力的評估，本研究則以網路模擬器NS2模擬產生正常與異常流量資料，並在不同的參數α值下，分別計算管制圖之誤報率與漏報率。結果顯示在控制誤報率極小化漏報率的準則下，合理的α值範圍介於.08～.10之間，對應之誤報率約為12%～14%，漏報率約為2%～7%。

The varieties of network applications provide convenient services to users and create many commerce markets. However, lots of network hacking activities have been attacking the services and cause extensive damage and inconvenience. It is very important for network managers to protect the services and improve the QoS and the security. Many network intrusion detection systems are developed to protect the services. Systems only using single signature to detect the abnormal behaviors achieve limited accuracy. In this paper we use multivariate statistical processes control scheme, MSPC, to establish the control chart. The network traffic data were collected from Ming Chuan University. The dataset are stored in Netflow format and dated from 2012/05/18 to 2012/06/22. Three parameters: connection numbers, packet numbers and packet octets are computed to create the Hotelling’s T2 control chart to monitor the traffic behaviors. We use NS2 simulation to generate normal and abnormal traffic data to calculate the α values for the control chart. False positive rate and false negative rate are computed for different α values. The results show that the false positive rate is 12%-14% and the false negative rate is 2%-7% when minimizing false negative rate and α values are between .08 and .1.