Title

A Network Intrusion Detection Classifier Based on a Behavior-Analysis Learning Model

Parallel Title

A Study on Network Intrusion Detection Using Behavioral Analysis-based Learning Classifier

Authors

林文暉(Wen-Hui Lin);王平(Ping Wang);吳保樺(Bao-Hua Wu);周明勝(Ming-Sheng Jhou);蔡東霖(Dung-Lin Tsai);蔡一郎(Yi-Lang Tsai);羅濟群(Chi-Chun Lo)

Keywords

network intrusion detection ; temporal convolutional networks ; convolutional neural networks ; behavior analysis-based classifier

Journal

Journal of Information Management (資訊管理學報)

Volume/Issue (Publication Date)

Vol. 27, No. 4 (2020/10/31)

Pages

465-494

Language

Traditional Chinese

Chinese Abstract

Information security protection has gradually moved toward highly integrated security platforms equipped with machine learning and cognitive computing technology. Such platforms filter threat data to improve the accuracy of threat identification, interpretation and prediction, and use predictive-analysis visualization to strengthen real-time security monitoring and awareness of the enterprise network, with the aim of helping enterprises reduce security management complexity and specialist staffing costs. In practice, the protection devices of individual standalone security systems can no longer effectively block network threats. To raise the threat-identification accuracy of network intrusion detection and lower its false-alarm rate, this study proposes a hybrid temporal convolutional network (TCN) and convolutional neural network (CNN) classifier grounded in behavior analytics and applied to anomaly detection in a network intrusion detection system. The classifier integrates the threat-behavior features of a historical external intrusion database with those of a recent local dataset, and by extracting complete behavior features it improves pattern-recognition accuracy. In the implementation, the behavior features of the CIC-IDS-2017 dataset (external threats) built by the University of New Brunswick, Canada, are first used to pre-train the model on the basic patterns of network intrusion. This is combined with traffic-flow features of recently collected local network threats, which the CICFlowMeter-v4.0 tool converts into behavior-feature text files; an entropy-based ID3 decision tree algorithm then selects the set of frequently occurring features, which is used to train the TCNs so as to raise the threat-identification accuracy of the network intrusion detection model and lower its false-alarm rate. Experiments show that the proposed model can identify 94.56% of five categories of distributed denial-of-service attacks in real time, helping cloud service administrators recognize network threats.

English Abstract

Purpose - New ready-made malware exploiting system vulnerabilities in networks or hosts has been increasing information security risks. In practice, an individual system for security protection has been unable to effectively prevent cyber threats. Thus, the security protection model has gradually moved towards a highly integrated platform with machine learning (MA) and cognitive computing technology to assist defenders in reducing security management complexity and specialist staffing costs. Design/methodology/approach - To improve the classification accuracy of threat detection and reduce its false positive rate for DDoS threats, this study proposes a behavior analysis-based learning classifier for network anomaly detection by training a fused learning classifier that aggregates a Temporal Convolutional Network (TCN) and a Convolutional Neural Network (CNN) with an ID3-based feature selection algorithm and the network flow analyzer CICFlowMeter-v4.0, on an intrusion database generated from the global IDS dataset CIC-IDS-2017 released by the University of New Brunswick and a local intrusion dataset, in order to analyze the complete attack features that increase pattern recognition accuracy and also reduce the false negative rate in network intrusion detection. Findings - The experimental results revealed that the proposed model achieves 94.56% accuracy in identifying five different types of DDoS network intrusion in real time, assisting cloud service managers in recognizing network threats. Research limitations/implications - Although MA techniques for the intrusion detection problem have been proposed in this paper, the convergence performance of complex networks with new attack types such as APT (advanced persistent threat) will be tackled in future studies. Practical implications - This paper provides several technical implications for training a behavior analysis-based learning classifier for network anomaly detection.
Originality/value - This paper is an empirical analysis report that applies a TCN/CNN architecture with an ID3-based feature selection algorithm to analyze the complete attack features in the CIC-IDS-2017 intrusion database and local intrusion patterns in Taiwan. It advances understanding of the behavior analysis-based learning classifier for network anomaly detection. The paper concludes with performance analysis results in identifying five different types of DDoS threats, enhancing detection accuracy for DDoS attacks.
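The entropy-based ID3 feature selection step described in both abstracts, as an added example that is not code from the paper: a constructed set of CICFlowMeter-style flow records (abbreviated column names, labelled BENIGN/DDoS) is ranked by information gain and features below a gain threshold are dropped. Testing binary thresholds on numeric features is an assumption; ID3 itself works on categorical attributes.

```python
from collections import Counter
from math import log2

# Constructed sample of CICFlowMeter-style per-flow records (not the paper's
# data); feature names are abbreviated forms of CICFlowMeter columns.
FEATURES = ["flow_duration", "fwd_pkts", "fwd_pkt_len_mean", "flow_pkts_per_s"]
FLOWS = [  # (flow_duration_us, fwd_pkts, fwd_pkt_len_mean, flow_pkts_per_s, label)
    (120000, 12, 540.0,  150.0, "BENIGN"),
    (98000,   9, 610.0,  130.0, "BENIGN"),
    (2500,    2, 720.0,  110.0, "BENIGN"),  # short but benign flow
    (210000,  1, 880.0,   90.0, "BENIGN"),  # single-packet benign flow
    (800,     1,   0.0, 4000.0, "DDoS"),
    (1200,    2,   6.0, 3500.0, "DDoS"),
    (600,     1,   0.0, 5200.0, "DDoS"),
    (150000,  2,  12.0, 2900.0, "DDoS"),    # long-lived flood flow
]

def entropy(labels):
    """Shannon entropy in bits of a label multiset, the impurity measure ID3 uses."""
    n = len(labels)
    return -sum(c / n * log2(c / n) for c in Counter(labels).values())

def best_split_gain(values, labels):
    """Largest information gain of a numeric feature over binary threshold splits.
    ID3 proper takes categorical attributes; testing midpoints between sorted
    distinct values is the standard numeric adaptation (an assumption here)."""
    base = entropy(labels)
    xs = sorted(set(values))
    best_gain, best_thr = 0.0, None
    for lo, hi in zip(xs, xs[1:]):
        thr = (lo + hi) / 2
        left = [lab for v, lab in zip(values, labels) if v <= thr]
        right = [lab for v, lab in zip(values, labels) if v > thr]
        cond = (len(left) * entropy(left) + len(right) * entropy(right)) / len(labels)
        if base - cond > best_gain:
            best_gain, best_thr = base - cond, thr
    return best_gain, best_thr

def rank_features(flows, features):
    """(name, gain, threshold) per feature, highest gain first (ID3 root-split ranking)."""
    labels = [f[-1] for f in flows]
    ranked = [(name,) + best_split_gain([f[i] for f in flows], labels)
              for i, name in enumerate(features)]
    ranked = [(n, round(g, 4), t) for n, g, t in ranked]
    return sorted(ranked, key=lambda r: r[1], reverse=True)

def select_features(flows, features, min_gain=0.5):
    """Keep only features whose best split gains at least min_gain bits."""
    return [n for n, g, _ in rank_features(flows, features) if g >= min_gain]
```

On this sample the packet-rate and mean-packet-length features separate the flood flows perfectly, while flow duration and forward packet count overlap between classes and rank lower.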

Subject Classification

Basic and Applied Sciences > Information Science
Social Sciences > Management