A Research of Using Multi-Information to Develop Intrusion Detection Systems
Master's === Chinese Culture University (中國文化大學) === Graduate Institute of Information Management (資訊管理研究所) === 97 === Intrusion attacks and worms are a major threat to the security of today's networks and cause significant disruption worldwide; a large number of infected hosts generating overwhelming traffic degrades network performance. The typical countermeasure combines...
Main Authors: | Chia-Hsien Lin (林佳憲) |
---|---|
Other Authors: | Dwen-Ren Tsai (蔡敦仁), Wen-Pin Tai (戴文彬) (advisors) |
Format: | Others |
Language: | zh-TW |
Published: | 2009 |
Online Access: | http://ndltd.ncl.edu.tw/handle/83029796983393256572 |
id |
ndltd-TW-097PCCU1396026 |
---|---|
record_format |
oai_dc |
spelling |
ndltd-TW-097PCCU1396026 2017-03-18T04:35:19Z http://ndltd.ncl.edu.tw/handle/83029796983393256572 A Research of Using Multi-Information to Develop Intrusion Detection Systems (多樣化資訊發展入侵偵測系統之研究) Chia-Hsien Lin (林佳憲). Master's thesis, Chinese Culture University (中國文化大學), Graduate Institute of Information Management (資訊管理研究所), academic year 97. Abstract: Intrusion attacks and worms are a major threat to the security of today's networks and cause significant disruption worldwide; a large number of infected hosts generating overwhelming traffic degrades network performance. The typical countermeasure combines a firewall with an intrusion detection system (IDS). Traditional IDSs detect attacks by capturing network packets and matching them against signatures, that is, patterns to look for in traffic. Good security practice requires that the signature collection be updated constantly to cover emerging threats; an outdated signature database leaves the IDS blind to zero-day attacks and produces many false positives and false negatives. Because each detection method is better at some attacks than at others, this motivates research that uses several different types of information from the network to build an IDS. In this thesis we propose combining three kinds of information: NetFlow records, alerts from a signature-based IDS, and host vulnerability data. Doing so requires managing heterogeneous alerts from multiple sources, and that management should correlate alerts with the goal of detecting attacks more reliably and reducing the monitoring workload on administrators. We present an architecture built from commodity components that uses the Intrusion Detection Message Exchange Format (IDMEF) to enable this kind of alert management, and we implement a prototype multi-information IDS to validate it; the prototype helps network administrators monitor suspected attack activity in the networks they manage. Our evaluation of the prototype in a test network environment shows that it achieves low false-positive and false-negative rates and a good detection rate. Advisors: Dwen-Ren Tsai (蔡敦仁), Wen-Pin Tai (戴文彬). 2009. Degree thesis (學位論文), 79 pages, zh-TW |
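The abstract above describes correlating three sources, IDMEF alerts from a signature IDS, NetFlow records and host vulnerability data, so that a signature hit is ranked by whether the target actually exposes the attacked service and whether it then starts behaving like a worm. The script below is an added example written for this page, not the thesis's own prototype or its algorithm: it parses the subset of RFC 4765 IDMEF fields the correlation needs, treats NetFlow records as plain dicts, and uses two assumed thresholds (a 120 s window and 20 distinct peers on one port as the scanning mark). All alerts, flows and the vulnerability inventory are constructed sample data.

```python
"""Correlate the three sources the abstract names: IDMEF alerts from a signature
IDS, NetFlow-style flow records and a host-vulnerability inventory.
Added example only; the thresholds, field subset and sample data are assumptions."""
from __future__ import annotations
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from datetime import datetime, timezone

FANOUT_WINDOW_S = 120  # assumed: seconds after an alert in which to look for propagation
FANOUT_THRESHOLD = 20  # assumed: distinct peers on one port that count as worm-like scanning


@dataclass
class Alert:
    msgid: str
    when: datetime
    src: str
    dst: str
    proto: str
    port: int
    text: str


def _local(tag: str) -> str:
    """Drop the XML namespace so bare and xmlns="http://iana.org/idmef" input both parse."""
    return tag.rsplit("}", 1)[-1]


def _first(node: ET.Element, name: str) -> ET.Element:
    return next(e for e in node.iter() if _local(e.tag) == name)


def _ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_idmef(xml_text: str) -> Alert:
    """Pull the fields the correlator needs out of one RFC 4765 IDMEF Alert."""
    alert = _first(ET.fromstring(xml_text), "Alert")
    target = _first(alert, "Target")
    return Alert(msgid=alert.get("messageid"),
                 when=_ts(_first(alert, "CreateTime").text.strip()),
                 src=_first(_first(alert, "Source"), "address").text.strip(),
                 dst=_first(target, "address").text.strip(),
                 proto=_first(target, "protocol").text.strip().lower(),
                 port=int(_first(target, "port").text),
                 text=_first(alert, "Classification").get("text"))


def fanout(flows, src, proto, port, start=None, window_s=None):
    """Distinct destinations `src` contacted on proto/port, optionally only within window_s after `start`."""
    return {f["dst"] for f in flows
            if f["src"] == src and f["proto"] == proto and f["dport"] == port
            and (start is None or 0 <= (_ts(f["ts"]) - start).total_seconds() <= window_s)}


def correlate(idmef_alerts, flows, vuln_inventory):
    """Rank each signature alert using the other two sources, then flag NetFlow-only scanners."""
    verdicts, alerted = [], set()
    for xml_text in idmef_alerts:
        a = parse_idmef(xml_text)
        alerted.add(a.dst)
        exposed = (a.proto, a.port) in vuln_inventory.get(a.dst, set())  # host-vulnerability source
        peers = fanout(flows, a.dst, a.proto, a.port, a.when, FANOUT_WINDOW_S)  # NetFlow source
        if exposed and len(peers) >= FANOUT_THRESHOLD:
            prio, why = "critical", f"target runs the vulnerable service and contacted {len(peers)} hosts on {a.proto}/{a.port} within {FANOUT_WINDOW_S}s"
        elif exposed:
            prio, why = "high", "target runs the vulnerable service; no propagation seen yet"
        elif len(peers) >= FANOUT_THRESHOLD:
            prio, why = "medium", "no vulnerability on record but target shows scan-like fan-out; inventory may be stale"
        else:
            prio, why = "low", "target does not expose the attacked service; likely false positive"
        verdicts.append({"messageid": a.msgid, "host": a.dst, "signature": a.text, "priority": prio, "reason": why})
    # NetFlow-only pass: hosts sweeping a port with no signature hit at all (the zero-day case)
    for src, proto, port in sorted({(f["src"], f["proto"], f["dport"]) for f in flows}):
        peers = fanout(flows, src, proto, port)
        if src not in alerted and len(peers) >= FANOUT_THRESHOLD:
            verdicts.append({"messageid": None, "host": src, "signature": None, "priority": "medium",
                             "reason": f"no signature matched but host contacted {len(peers)} hosts on {proto}/{port}"})
    return verdicts


# ---- constructed sample input (not the thesis's data) ----
def _idmef(msgid, when, src, dst, port, text):
    return f"""<IDMEF-Message version="1.0" xmlns="http://iana.org/idmef">
 <Alert messageid="{msgid}"><Analyzer analyzerid="sig-ids-1"/><CreateTime>{when}</CreateTime>
  <Source><Node><Address category="ipv4-addr"><address>{src}</address></Address></Node></Source>
  <Target><Node><Address category="ipv4-addr"><address>{dst}</address></Address></Node>
   <Service><port>{port}</port><protocol>tcp</protocol></Service></Target>
  <Classification text="{text}"/></Alert></IDMEF-Message>"""

SAMPLE_ALERTS = [
    _idmef("a1", "2009-05-01T10:00:05Z", "203.0.113.7", "10.0.0.5", 445, "SMB exploit attempt"),
    _idmef("a2", "2009-05-01T10:00:09Z", "203.0.113.7", "10.0.0.9", 445, "SMB exploit attempt"),
]
# scanner output: (proto, port) services on each host that are known to be vulnerable
SAMPLE_VULNS = {"10.0.0.5": {("tcp", 445)}, "10.0.0.9": {("tcp", 80)}}
# flow records: 10.0.0.5 sweeps 10.0.1.0/24 on 445 right after a1; 10.0.0.22 sweeps port 22 with no alert
SAMPLE_FLOWS = (
    [{"ts": f"2009-05-01T10:00:{20 + i // 2:02d}Z", "src": "10.0.0.5", "dst": f"10.0.1.{i + 1}", "proto": "tcp", "dport": 445} for i in range(30)]
    + [{"ts": "2009-05-01T10:01:00Z", "src": "10.0.0.9", "dst": "10.0.0.1", "proto": "tcp", "dport": 80}]
    + [{"ts": "2009-05-01T10:05:00Z", "src": "10.0.0.22", "dst": f"10.0.2.{i + 1}", "proto": "tcp", "dport": 22} for i in range(25)]
)

if __name__ == "__main__":
    for v in correlate(SAMPLE_ALERTS, SAMPLE_FLOWS, SAMPLE_VULNS):
        print(v["priority"].upper(), v["host"], v["signature"] or "(netflow only)", "-", v["reason"])
```

Run as-is it yields three verdicts: the alert against 10.0.0.5 is critical (vulnerable service plus a 30-host sweep on 445 within the window), the identical signature against 10.0.0.9 is low because that host does not expose SMB, and 10.0.0.22 is raised from NetFlow alone because no signature fired for its port-22 sweep. The two thresholds are the knobs that trade false positives against missed propagation, and the "medium" branch for a fanning-out host with no vulnerability on record is there because scanner inventories go stale.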