資訊管理學報 (Journal of Information Management)

林文暉;王平;吳保樺;周明勝;蔡東霖;蔡一郎;羅濟群;
Pages: 465-494
Date: 2020/10
Abstract: The security protection mindset has gradually moved toward highly integrated security platforms equipped with machine learning and cognitive computing technology. Such platforms filter threat data to improve the accuracy of threat identification, interpretation and prediction, and use visualized predictive analysis to strengthen real-time security monitoring and awareness of the enterprise network, with the aim of helping enterprises reduce the complexity of security management and the cost of specialist personnel. In practice, protective devices that operate as isolated, standalone security systems can no longer effectively block network threats. To improve the threat identification accuracy of network intrusion detection and reduce its false-positive rate, this study proposes a hybrid classifier grounded in behavior analytics that combines a temporal convolutional network (TCN) and a convolutional neural network (CNN), applied to anomaly detection in a network intrusion detection system. The classifier integrates the threat behavior features of a historical external intrusion database with those of a recent, locally specific dataset, extracting the complete set of behavior features to improve pattern recognition accuracy. In the implementation, the behavior features of the CIC-IDS-2017 dataset (external threats) built by the University of New Brunswick, Canada, are first used to pre-train the model on the basic patterns of network intrusion. This is paired with recently collected flow features of local network threats: the CICFlowMeter-v4.0 tool converts the flows into behavior-feature text files, and an entropy-based ID3 decision tree algorithm then selects the set of most frequently occurring features used to train the TCNs, so as to improve the threat identification accuracy of the network intrusion detection model and reduce its false-positive rate. Experiments show that the proposed model can identify 94.56% of five classes of distributed denial-of-service attacks in real time, helping cloud service administrators recognize network threats.
Keywords: network intrusion detection; temporal convolutional network; convolutional neural network; behavior analysis classifier

A Study on Network Intrusion Detection Using a Behavioral Analysis-based Learning Classifier


Abstract: Purpose - New ready-made malware targeting system vulnerabilities in networks or hosts has been increasing information security risks. In practice, an individual, standalone security protection system has been unable to effectively prevent cyber threats. Thus, the security protection model has gradually moved towards a highly integrated platform with machine learning (ML) and cognitive computing technology to assist defenders in reducing the complexity of security management and the cost of specialist personnel.

Design/methodology/approach - To improve the classification accuracy of threat detection and reduce its false positive rate for DDoS threats, this study proposes a behavior analysis-based learning classifier for network anomaly detection. It trains a fused learning classifier that aggregates a Temporal Convolutional Network (TCN) and a Convolutional Neural Network (CNN), with an ID3-based feature selection algorithm and the network flow analyzer CICFlowMeter-v4.0, on an intrusion database built from the global IDS dataset CIC-IDS-2017 released by the University of New Brunswick together with a local intrusion dataset. Analyzing the complete attack features in this way increases pattern recognition accuracy and also reduces the false negative rate in network intrusion detection.

Findings - The experimental results revealed that the proposed model reaches 94.56% accuracy in identifying five different types of DDoS network intrusion in real time, assisting cloud service managers in recognizing network threats.

Research limitations/implications - Although ML techniques for the intrusion detection problem have been proposed in this paper, the convergence performance of complex networks on new attack types such as APT (advanced persistent threat) will be tackled in future studies.

Practical implications - This paper provides several technical implications for training a behavior analysis-based learning classifier for network anomaly detection.

Originality/value - This paper is an empirical analysis report that applies a TCN/CNN architecture with an ID3-based feature selection algorithm to analyze the complete attack features of the CIC-IDS-2017 intrusion database and of local intrusion patterns in Taiwan. It advances understanding of the behavior analysis-based learning classifier for network anomaly detection. The paper concludes with performance analysis results in identifying five different types of DDoS threats, enhancing detection accuracy for DDoS attacks.
Keywords: network intrusion detection; temporal convolutional networks; convolutional neural networks; behavior analysis-based classifier
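The abstract describes an entropy-based ID3 step that ranks CICFlowMeter flow features before the TCN is trained. The following is an added illustration of that step, not code from the paper: it computes ID3 information gain per feature over a handful of constructed flow records and keeps only the features whose gain clears a cut-off. The feature names imitate CICFlowMeter column names, and the records, split thresholds and `min_gain` value are constructed assumptions, not the authors' data or parameters.

```python
"""Entropy-based (ID3-style) feature selection over flow-feature records.

Added example, not code from the paper. Feature names imitate CICFlowMeter
columns; the records and the split thresholds below are constructed.
"""
from collections import Counter
from math import log2

# Constructed flow records in the style of CICFlowMeter CSV rows (not real captures).
FLOWS = [
    {"Flow Duration": 500,    "Flow Packets/s": 5000, "SYN Flag Count": 1, "Fwd Packet Length Mean": 0,   "Label": "DDoS"},
    {"Flow Duration": 800,    "Flow Packets/s": 4200, "SYN Flag Count": 1, "Fwd Packet Length Mean": 0,   "Label": "DDoS"},
    {"Flow Duration": 300,    "Flow Packets/s": 6100, "SYN Flag Count": 0, "Fwd Packet Length Mean": 12,  "Label": "DDoS"},
    {"Flow Duration": 120000, "Flow Packets/s": 3900, "SYN Flag Count": 1, "Fwd Packet Length Mean": 0,   "Label": "DDoS"},
    {"Flow Duration": 250000, "Flow Packets/s": 40,   "SYN Flag Count": 0, "Fwd Packet Length Mean": 300, "Label": "BENIGN"},
    {"Flow Duration": 900000, "Flow Packets/s": 12,   "SYN Flag Count": 0, "Fwd Packet Length Mean": 520, "Label": "BENIGN"},
    {"Flow Duration": 700,    "Flow Packets/s": 80,   "SYN Flag Count": 0, "Fwd Packet Length Mean": 60,  "Label": "BENIGN"},
    {"Flow Duration": 300000, "Flow Packets/s": 35,   "SYN Flag Count": 1, "Fwd Packet Length Mean": 410, "Label": "BENIGN"},
]

# Constructed split points: ID3 works on categorical attributes, so each
# numeric column is turned into a two-valued 'low'/'high' attribute.
THRESHOLDS = {
    "Flow Duration": 100_000,
    "Flow Packets/s": 1_000,
    "SYN Flag Count": 1,
    "Fwd Packet Length Mean": 100,
}


def discretize(record, feature):
    """Map a numeric feature to 'low'/'high' using its constructed threshold."""
    return "high" if record[feature] >= THRESHOLDS[feature] else "low"


def entropy(labels):
    """Shannon entropy in bits of a multiset of class labels."""
    n = len(labels)
    return -sum((c / n) * log2(c / n) for c in Counter(labels).values())


def information_gain(records, feature, target="Label"):
    """ID3 gain: H(target) minus the weighted entropy after splitting on feature."""
    parent = entropy([r[target] for r in records])
    groups = {}
    for r in records:
        groups.setdefault(discretize(r, feature), []).append(r[target])
    n = len(records)
    remainder = sum(len(g) / n * entropy(g) for g in groups.values())
    return parent - remainder


def rank_features(records, features):
    """Return (feature, gain) pairs ordered from most to least informative."""
    gains = [(f, information_gain(records, f)) for f in features]
    return sorted(gains, key=lambda fg: fg[1], reverse=True)


def select_features(records, features, min_gain=0.3):
    """Keep only features whose gain reaches min_gain; these feed the classifier."""
    return [f for f, g in rank_features(records, features) if g >= min_gain]


if __name__ == "__main__":
    for f, g in rank_features(FLOWS, list(THRESHOLDS)):
        print(f"{f:25s} gain={g:.4f}")
    print("selected:", select_features(FLOWS, list(THRESHOLDS)))
```

On these constructed records the packet-rate feature separates the two classes perfectly (gain 1.0), the forward packet length is next (about 0.55), and duration and SYN count tie at about 0.19 and fall below the cut-off. In a real pipeline the thresholds would come from the data (for example by median or by the best binary split), and the selection would be repeated on the local dataset described in the abstract so that the feature set reflects local traffic rather than only the CIC-IDS-2017 baseline.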
