Building Intrusion Pattern Miner for Snort Network Intrusion Detection System

Bibliographic Details
Main Authors: Sout-Fong Chen, 陳少鋒
Other Authors: none
Format: Others
Language: zh-TW
Published: 2003
Online Access: http://ndltd.ncl.edu.tw/handle/01429644317481328466
Description
Summary: Master's thesis === National Yunlin University of Science and Technology (國立雲林科技大學) === Graduate Institute of Electronic and Information Engineering, master's program (電子與資訊工程研究所碩士班) === academic year 91 (ROC calendar, i.e. 2002-2003) === Snort is an open source network intrusion detection system capable of performing real-time traffic analysis and packet logging on IP networks. However, Snort cannot generate intrusion patterns automatically: experts must first analyze and categorize attack packets and hand-code the corresponding patterns and rules for misuse detection, after which system administrators configure those detection rules in Snort by hand. This limits Snort's extensibility and adaptability. In this thesis we propose a framework that lets Snort not only capture new attack patterns automatically but also detect sequential attack behaviors. We first build an Intrusion Pattern Discovery Module that finds single intrusion patterns and sequential intrusion patterns in a collection of attack packets during off-line training. The module applies data mining techniques to extract descriptive attack signatures from large stores of packets and then converts those signatures into Snort detection rules for on-line detection. To detect sequential intrusion behavior, the Snort detection engine is paired with our Intrusion Behavior Detection Engine: when a series of incoming packets matches the signatures that make up a sequential intrusion scenario, the Intrusion Behavior Detection Engine raises an alert. In summary, we extend the original Snort system with the Intrusion Pattern Discovery Module and the Intrusion Behavior Detection Engine, so that Snort mines intrusion patterns automatically and can detect attack sequences it could not detect before; this lowers both the false negative rate and the false positive rate of Snort misuse detection.