Title: 惡意行為檢測規則生成之研究 (Rule Synthesis for Malicious Behavior Detection)
Author: 彭雅筠 (Peng, Ya Yun)
Advisors: 蔡瑞煌 (Tsaih, Rua Huan); 郁方 (Yu, Fang)
Keywords: 惡意行為 (Malicious behavior); 離群值 (Outliers); 分散式運算 (Distributed computing); 學習演算法 (Learning algorithm); 異常偵測 (Anomaly detection)
Date: 2015
Uploaded: 3 August 2015 13:21:14 (UTC+8)

Abstract (translated from the Chinese): Malicious behavior with unknown patterns poses a serious threat to computer security mechanisms. Without effective detection rules, tools that monitor system behavior may fail to recognize unknown attacks; even cloud systems whose hypervisors (VMMs) can collect far more, and more detailed, information than a traditional computer system remain exposed to them. The problem can only be solved by being able to pick abnormal behavior out of a large volume of data. We therefore propose a new distributed outlier detection algorithm that uses a backpropagation neural network together with an envelope module to find the pattern followed by the majority of behaviors; behaviors that do not fit this pattern are treated as outliers. Concretely, the rules produced by the algorithm can be used to find unknown attacks, because samples that belong neither to known attacks nor to normal behavior are treated as outliers. Distributed computing lets us improve the algorithm's performance and handle large amounts of data.
Abstract (English): Malicious behavior with unknown patterns poses a great challenge to the security mechanisms of computers. Without effective detection rules, tools that monitor system behavior may fail to identify unknown attacks. The threat extends to cloud systems, even those equipped with VMMs capable of collecting much more, and more detailed, online system and operation information in a virtualization environment than a traditional PC. To detect unknown attacks it is essential to be able to pick abnormal behavior out of a large data set. To address this, we propose a new distributed outlier detection algorithm that characterizes the majority pattern of observations as a backpropagation neural network and derives detection rules that reveal abnormal samples failing to fall into the majority. Specifically, the rules generated by the algorithm can be used to distinguish as outliers those samples that violate the patterns of known attacks and normal behavior, and hence to identify unknown attacks and reform their patterns. With distributed computing we can improve the performance of the algorithm and handle huge amounts of data.
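The abstracts describe the approach only at a high level: a model of the majority pattern is fitted, an envelope around that fit separates the bulk from the outliers, and the work is spread over several machines. The following Python is an added illustration and is not code from the thesis. It substitutes a closed-form quadratic least-squares fit for the thesis's backpropagation network (the thesis's actual network, envelope construction and distribution scheme are not given on this page), uses a constructed sample with three injected outliers, and shows the fit, flag, refit-on-the-bulk loop together with a shard-and-merge step that relies on the normal-equation sums being additive across data partitions. The sample data, the MAD-based envelope width and the shard count are all assumptions of the example.

```python
"""Envelope-based outlier detection over a fitted majority model.

Added illustration, not the thesis's code.  The majority model is a quadratic
least-squares fit (standing in for the thesis's backpropagation network) so
that the example runs with the standard library only.
"""
import math
from typing import List, Tuple

Point = Tuple[float, float]
Stats = Tuple[List[List[float]], List[float]]


def make_sample() -> List[Point]:
    """Constructed sample (not thesis data): y = 0.5x^2 + 0.3x on a grid over
    [-1, 1] with small deterministic jitter, plus three injected outliers."""
    pts: List[Point] = []
    for i in range(40):
        x = -1.0 + i * (2.0 / 39)
        y = 0.5 * x * x + 0.3 * x + 0.02 * math.sin(37.0 * i)
        pts.append((x, y))
    for idx, shift in ((5, 1.5), (17, -1.2), (29, 2.0)):
        x, y = pts[idx]
        pts[idx] = (x, y + shift)
    return pts


def partial_sums(shard: List[Point]) -> Stats:
    """One worker's share: accumulate X^T X and X^T y for features [1, x, x^2].
    Both sums are additive, so shards can be merged by plain addition."""
    a = [[0.0] * 3 for _ in range(3)]
    b = [0.0] * 3
    for x, y in shard:
        f = (1.0, x, x * x)
        for i in range(3):
            b[i] += f[i] * y
            for j in range(3):
                a[i][j] += f[i] * f[j]
    return a, b


def merge_and_solve(parts: List[Stats]) -> List[float]:
    """Coordinator: sum the shard statistics, then solve the 3x3 normal
    equations by Gauss-Jordan elimination with partial pivoting."""
    a = [[0.0] * 3 for _ in range(3)]
    b = [0.0] * 3
    for pa, pb in parts:
        for i in range(3):
            b[i] += pb[i]
            for j in range(3):
                a[i][j] += pa[i][j]
    m = [a[i] + [b[i]] for i in range(3)]
    for c in range(3):
        p = max(range(c, 3), key=lambda r: abs(m[r][c]))
        m[c], m[p] = m[p], m[c]
        for r in range(3):
            if r != c:
                k = m[r][c] / m[c][c]
                for j in range(c, 4):
                    m[r][j] -= k * m[c][j]
    return [m[i][3] / m[i][i] for i in range(3)]


def predict(w: List[float], x: float) -> float:
    return w[0] + w[1] * x + w[2] * x * x


def envelope_half_width(residuals: List[float], k: float = 3.0) -> float:
    """Robust envelope: k times a MAD-based scale estimate, so the few large
    residuals do not widen the envelope that is meant to exclude them."""
    s = sorted(residuals)
    med = s[len(s) // 2]
    mad = sorted(abs(r - med) for r in residuals)[len(residuals) // 2]
    return k * 1.4826 * mad


def detect_outliers(pts: List[Point], shards: int = 4, k: float = 3.0,
                    max_rounds: int = 20):
    """Fit the bulk, flag points whose residual leaves the envelope, refit on
    the bulk only, and repeat until the flagged set is stable.  Returns the
    sorted outlier indices, the final fit and the final envelope half-width."""
    flagged: set = set()
    for _ in range(max_rounds):
        bulk = [p for i, p in enumerate(pts) if i not in flagged]
        # each shard accumulates its own sums; the coordinator merges them
        w = merge_and_solve([partial_sums(bulk[s::shards]) for s in range(shards)])
        residuals = [y - predict(w, x) for x, y in pts]
        width = envelope_half_width(
            [r for i, r in enumerate(residuals) if i not in flagged], k)
        new = {i for i, r in enumerate(residuals) if abs(r) > width}
        if new == flagged:
            break
        flagged = new
    return sorted(flagged), w, width


if __name__ == "__main__":
    idx, w, width = detect_outliers(make_sample())
    print("outliers:", idx, "fit:", [round(v, 3) for v in w],
          "half-width:", round(width, 4))
```

The point of refitting on the bulk only is the same one the abstract makes: an outlier that takes part in the fit drags the majority model toward itself, so the envelope is recomputed from a model that the flagged samples no longer influence. The shard step shows why the accumulation can be distributed: each worker returns a 3x3 matrix and a 3-vector, and merging is a sum, so the coordinator never needs the raw observations.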
Description: Master's thesis
Institution: 國立政治大學 (National Chengchi University)
Department: 資訊管理研究所 (Graduate Institute of Management Information Systems)
Student ID: 102356045
Identifier: G0102356045
Source: http://thesis.lib.nccu.edu.tw/record/#G0102356045
URI: http://nccur.lib.nccu.edu.tw/handle/140.119/77179
Type: thesis
Table of contents:
Abstract
Contents
List of Figures
List of Tables
Chapter 1 Introduction
  1.1 Background and Motivation
  1.2 Research Method
  1.3 Contribution
  1.4 Content Organization
Chapter 2 Related Works
  2.1 Malware Detection: Common Detection Tools/Methods
  2.2 Rule Synthesis
    2.2.1 Self-Organizing Map and Growing Hierarchical Self-Organizing Map
    2.2.2 k-Means
    2.2.3 Other Clustering Algorithm
    2.2.4 Support Vector Machines
  2.3 Algorithm Optimization
Chapter 3 Methodology
  3.1 Detection strategy
  3.2 Parallel Computation
  3.3 Distributed Computation
Chapter 4 Experiment
  4.1 Evaluation with nonlinear function
  4.2 Real-world experiment and analysis
  4.3 Discussion
Chapter 5 Conclusion
References

Format: application/pdf, 2106106 bytes