Building Intrusion Pattern Miner for Snort Network Intrusion Detection System
Master's thesis === National Yunlin University of Science and Technology === Master's Program, Graduate Institute of Electronic and Information Engineering === 91
Main Authors: | Sout-Fong Chen (陳少鋒) |
---|---|
Other Authors: | none |
Format: | Others |
Language: | zh-TW |
Published: | 2003 |
Online Access: | http://ndltd.ncl.edu.tw/handle/01429644317481328466 |
id | ndltd-TW-091YUNT5393181 |
---|---|
record_format | oai_dc |
contributor | 伍麗樵 |
document type | 學位論文 (thesis); 81; zh-TW |
collection | NDLTD |
sources | NDLTD |
description |
Snort is an open source network intrusion detection system capable of performing real-time traffic analysis and packet logging on IP networks. However, Snort cannot generate intrusion patterns automatically: experts must first analyze and categorize attack packets and hand-code the corresponding patterns and rules for misuse detection, after which system administrators manually add those detection rules to the network intrusion detection system. This limits Snort's extensibility and adaptability.
In this paper, we propose a framework that gives Snort the ability not only to capture new attack patterns automatically but also to detect sequential attack behaviors. To do that, we first build an Intrusion Pattern Discovery Module that finds single intrusion patterns and sequential intrusion patterns from a collection of attack packets during off-line training. The module applies data mining techniques to extract descriptive attack signatures from large stores of packets, and then converts the signatures into Snort detection rules for on-line detection. To detect sequential intrusion behavior, the Snort detection engine is paired with our Intrusion Behavior Detection Engine: when a series of incoming packets matches the signatures representing a sequential intrusion scenario, the Intrusion Behavior Detection Engine raises an alert. In summary, we enhance the functionality of Snort by adding the Intrusion Pattern Discovery Module and the Intrusion Behavior Detection Engine to the original Snort system. This not only lets Snort mine intrusion patterns automatically but also extends its detection capability. Furthermore, it improves the false negative rate and false positive rate of Snort misuse detection.