ارائه مدل جامع نیمه نظارتی تشخیص نفوذ مشارکتی مبتنی بر نمایه‌سازی رفتار شبکه با استفاده از مفهوم یادگیری عمیق و همبسته‌سازی فازی هشدارها

نوع مقاله : مقاله پژوهشی

نویسندگان

1 استادیار، دانشگاه علم و صنعت، تهران، ایران

2 دانشیار، دانشگاه علم و صنعت، تهران، ایران

3 دنشجوی دکتری، گروه مدیریت فناوری اطلاعات، دانشکده مدیریت و اقتصاد، دانشگاه آزاد اسلامی واحد علوم و تحقیقات، تهران، ایران

4 استادیار، دانشگاه آزاد اسلامی واحد کرج، کرج، ایران

چکیده

امروزه سیستم‌های تشخیص نفوذ اهمیت فوق العاده ای در تامین امنیت رایانه‌ها و شبکه‌های رایانه ای بر عهده دارند سیستمهای همبسته ساز در کنار سیستمهای تشخیص نفوذ قرار گرفته و با تحلیل و ترکیب هشدار‌های دریافتی ازآن‌ها گزارش‌های مناسب برای بررسی و انجام اقدامات امنیتی تولید مینمایند یکی از مشکلاتی که سیستم‌های تشخیص نفوذ با آن روبرو هستند، تولید حجم زیادی از هشدارهای غلط است، بنابراین یکی از مهمترین مسائل در سیستمهای همبسته ساز، وارسی هشدارهای دریافت شده از سیستم تشخیص نفوذ به منظور تشخیص هشدارهای مثبت کاذب از هشدار‌های مثبت صحیح میباشد در این مقاله یک مدل جامع و کاربردی ارائه شده است که شامل یک سیستم تشخیص نفوذ ترکیبی برای وارسی جریان ترافیک بصورت برخط و یک سیستم همبسته ساز مبتنی بر یادگیری افزایشی برای وارسی هشدارها با کمک یادگیری فعال می باشد. تمرکز اصلی این پژوهش بر روی بهینه سازی کاربردی روشهای دسته‌بندی به منظور کاهش هزینه سازمانها و زمان متخصص امنیت برای در وارسی هشدارها می‌باشد. روش ارائه شده روی چند مجموعه داده تست معتبر آزمایش شده و نتایج حاصل بیانگر کارآمدی مدل پیشنهادی با دقت بالای 99 درصد و با نرخ مثبت کاذب بسیار پایین می‌باشد.

کلیدواژه‌ها

عنوان مقاله [English]

A Comprehensive Semi-Suprvised Model for Collaborative Intrusion Detection Based on Network Behavior Profiling Using The Concept of Deep Learning and Fuzzy Correlation of Alerts along

نویسندگان [English]

  • javad vahidi 1
  • b m 2
  • mohammad ahmadzadeh 3
  • a p 4
1 Assistant Professor, University of Science and Technology, Tehran, Iran
2 Associate Professor, University of Science and Technology, Tehran, Iran
3 PhD Student, Department of Information Technology Management, Faculty of Management and Economics, Islamic Azad University, Science and Research Branch, Tehran, Iran
4 Assistant Professor, Islamic Azad University, Karaj Branch, Karaj, Iran
چکیده [English]

Today, intrusion detection systems are extremely important in securing computers and computer networks. Correlated systems are next to intrusion detection systems by analyzing and combining the alarms received from them, appropriate reports for review and producing security measures. One of the problems face intrusion detection systems is generating a large volume of false alarms, so one of the most important issues in correlated systems is to check the alerts received by the intrusion detection system to distinguish true-positive alarms from false-positive alarms. The main focus of this research is on the applied optimization of classification methods to reduce the cost of organizations and security expert time in alert checking. The proposed Incrimental Intrusion Detetection Model using Correlator (IIDMC) is tested on a valid test dataset and the results show the efficiency of the proposed model and consequently its high accuracy.

کلیدواژه‌ها [English]

  • : Intrusion etection
  • Fuzzy Correlator
  • Incremental Online Learning
  • Active Learnin

مراجع

[1]   H.-J. Liao, C.-H. R. Lin, Y.-C. Lin, and K.-Y. Tung, “Intrusion detection system: A comprehensive review,” Journal of Network and Computer Applications, vol. 36, no. 1, Art. no. 1, 2013.##
[2]   B. Morin and H. Debar, “Correlation of Intrusion Symptoms: An Application of Chronicles,” in Recent Advances in Intrusion Detection, Berlin, Heidelberg, 2003, pp. 94 112, doi: 10.1007/978-3-540-45248-5_6.##
[3]  A. A. Ghorbani, W. Lu, and M. Tavallaee, Network Intrusion Detection and Prevention: Concepts and Techniques. Springer Science & Business Media, 2010.##
[4]   C. V. Zhou, C. Leckie, and S. Karunasekera, “A survey of coordinated attacks and collaborative intrusion detection,” Computers & Security, vol. 29, no. 1, pp. 124–140, Feb. 2010, doi: 10.1016/j.cose.2009.06.008.##
[5]   Y. Bai and H. Kobayashi, “Intrusion Detection Systems: technology and development,” in 17th International Conference on Advanced Information Networking and Applications, 2003. AINA 2003., Mar. 2003, pp. 710–715, doi: 10.1109/AINA.2003.1192972.##
[6]   A. S. Sodiya, H. O. D. Longe, and A. T. Akinwale, “A new two‐ tiered strategy to intrusion detection,” Information Management & Computer Security, vol. 12, no. 1, Art. no. 1, Jan. 2004, doi: 10.1108/09685220410518810.##
[7]   S. Duque and Mohd. N. bin Omar, “Using Data Mining Algorithms for Developing a Model for Intrusion Detection System (IDS),” Procedia Computer Science, vol. 61, pp. 46– 51, Jan. 2015, doi: 10.1016/j.procs.2015.09.145.##
[8]   N. K. Kanakarajan and K. Muniasamy, “Improving the Accuracy of Intrusion Detection Using GAR-Forest with Feature Selection,” in Proceedings of the 4th International Conference on Frontiers in Intelligent Computing: Theory and Applications (FICTA) 2015, New Delhi, 2016, pp. 539–547, doi: 10.1007/978-81-322-2695-6_45.##
[9] J. A. Khan and N. Jain, “A survey on intrusion detection systems and classification techniques,” Int. J. Sci. Res. Sci., Eng. Technol., vol. 2, no. 5, pp. 202–208, 2016.##
[10] D. Gupta, S. Singhal, S. Malik, and A. Singh, “Network intrusion detection system using various data mining techniques,” in 2016 International Conference on Research Advances in Integrated Navigation Systems (RAINS), May 2016, pp. 1–6, doi: 10.1109/RAINS.2016.7764418.##
[11] W.-Y. Yu and H.-M. Lee, “An incremental-learning method for supervised anomaly detection by cascading service classifier and ITI decision tree methods,” in Pacific-Asia Workshop on Intelligence and Security Informatics, 2009, pp. 155–160.##
[12] Y. Yi, J. Wu, and W. Xu, “Incremental SVM based on reserved set for network intrusion detection,” Expert Systems with Applications, vol. 38, no. 6, pp. 7698–7707, 2011.##
[13] K. K. Gupta, B. Nath, and R. Kotagiri, “Layered Approach Using Conditional Random Fields for Intrusion Detection,” IEEE Transactions on Dependable and Secure Computing, vol. 7, no. 1, pp. 35–49, Jan. 2010, doi: 10.1109/TDSC.2008.20.##
[14] R. Sadoddin and A. A. Ghorbani, “An incremental frequent structure mining framework for real-time alert correlation,” Computers & Security, vol. 28, no. 3, pp. 153–173, 2010, doi: 10.1016/j.cose.2008.11.010.##
[15] G. P. Spathoulas and S. K. Katsikas, “Reducing false positives in intrusion detection systems,” Computers & Security, vol. 29, no. 1, pp. 35–44, Feb. 2010, doi: 10.1016/j.cose.2009.07.008.##
[16] B. Zhu and A. A. Ghorbani, “Alert correlation for extracting attack strategies,” IJ Network Security, vol. 3, no. 3, pp. 244– 258, 2006.##
[17] P. Ning, Y. Cui, and D. S. Reeves, “Constructing attack scenarios through correlation of intrusion alerts,” in Proceedings of the 9th ACM conference on Computer and communications security, Washington, DC, USA, Nov. 2002, pp. 245–254, doi: 10.1145/586110.586144.##
[18] P. Ning, Y. Cui, D. S. Reeves, and D. Xu, “Techniques and tools for analyzing intrusion alerts,” ACM Trans. Inf. Syst. Secur., vol. 7, no. 2, pp. 274–318, May 2004, doi: 10.1145/996943.996947.##
[19] S. O. Al-Mamory and H. L. Zhang, “Building Scenario Graph Using Clustering,” in 2007 International Conference on Convergence Information Technology (ICCIT 2007), Nov. 2007, pp. 799–804, doi: 10.1109/ICCIT.2007.51.##
[20] S. O. Al-Mamory and H. L. Zhang, “Scenario Discovery Using Abstracted Correlation Graph,” in 2007 International Conference on Computational Intelligence and Security (CIS 2007) , Dec. 2007, pp. 702–706, doi: 10.1109/CIS.2007.21##
[21] A. Milenkoski, M. Vieira, S. Kounev, A. Avritzer, and B. D. Payne, “Evaluating Computer Intrusion Detection Systems: A Survey of Common Practices,” ACM Comput. Surv., vol. 48, no. 1, p. 12:1–12:41, Sep. 2015, doi: 10.1145/2808691.##
 [22] R. Kandhari, V. Chandola, A. Banerjee, V. Kumar, and R. Kandhari, “Anomaly detection,” ACM Comput. Surv, vol. 41, no. 3, pp. 1–6, 2009.##
[23] J. Arshad, P. Townend, and J. Xu, “A novel intrusion severity analysis approach for Clouds,” Future Generation Computer Systems, vol. 29, no. 1, pp. 416–428, Jan. 2013, doi: 10.1016/j.future.2011.08.009.##
[24] F. Shen and O. Hasegawa, “A fast nearest neighbor classifier based on self-organizing incremental neural network,” Neural Networks, vol. 21, no. 10, pp. 1537–1547, Dec. 2008, doi: 10.1016/j.neunet.2008.07.001.##
[25] F. A. Gers, J. Schmidhuber, and F. Cummins, “Learning to forget: Continual prediction with LSTM,” 1999.##
[26] A. Valdes and K. Skinner, “Probabilistic Alert Correlation,” in Recent Advances in Intrusion Detection, Berlin, Heidelberg, 2001, pp. 54–68, doi: 10.1007/3-540-45474-8_4.##
[27] K. Polat and S. Güneş, “Principles component analysis, fuzzy weighting pre-processing and artificial immune recognition system based diagnostic system for diagnosis of lung cancer,” Expert Systems with Applications, vol. 34, no. 1, pp. 214–221, Jan. 2008, doi: 10.1016/j.eswa.2006.09.001.##
[28] “DARPA 2000 Intrusion Detection Scenario Specific Datasets | MIT Lincoln Laboratory.” https://www.ll.mit.edu/rd/ datasets/2000-darpa-intrusion-detection-scenario-specificdatasets (accessed Aug. 07, 2020).##
[29] “KDD Cup 1999 Data.” http://kdd.ics.uci.edu/databases/kddcup99/kddcup99.html (accessed Aug. 07, 2020).##
[30] “Learning to Forget: Continual Prediction with LSTM | Neural Computation | MIT Press Journals.” https://www.mitpressjournals.org/doi/abs/10.1162/089976600  300015015 (accessed Aug. 28, 2020).##
[31] W.-Y. Yu and H.-M. Lee, “An incremental-learning method for supervised anomaly detection by cascading service classifier and ITI decision tree methods,” in Pacific-Asia Workshop on Intelligence and Security Informatics, 2009, pp. 155–160.##
[32] S. T. Sarasamma and Q. A. Zhu, “Min-max hyperellipsoidal clustering for anomaly detection in network security,” IEEE Transactions on Systems, Man, and Cybernetics, Part B (Cybernetics), vol. 36, no. 4, pp. 887–901, Aug. 2006, doi: 10.1109/TSMCB.2006.870629.##
پدافند الکترونیکی و سایبری
دوره 9، شماره 3 - شماره پیاپی 35
شماره پیاپی 35، فصلنامه پاییز
آذر 1400
صفحه 165-186

فایل ها

سابقه مقاله

  • تاریخ دریافت: 21 اسفند 1399
  • تاریخ بازنگری: 17 اردیبهشت 1400
  • تاریخ پذیرش: 18 خرداد 1400
  • تاریخ انتشار: 01 آذر 1400

هم رسانی

ارجاع به این مقاله

آمار