한국산업정보학회논문지 (Journal of Korea Society of Industrial Information Systems)

한국산업정보학회 (Korea Society of Industrial Information Systems)
권호 표지
DOI QR코드

DOI QR Code

네트워크 패킷에 대한 연관 마이닝 기법을 적용한 네트워크 비정상 행위 탐지

Network Anomaly Detection using Association Rule Mining in Network Packets

  • 발행 : 2009.09.30
PDF 다운로드
⟨ 이전 논문 다음 논문 ⟩

초록

컴퓨터를 통해서 들어오는 다양한 형태의 침입을 효과적으로 탐지하기 위해서 이전에는 오용탐지 기법이 주로 이용되어 왔다. 오용탐지 기법은 이전에 알려지지 않은 침입 방법들을 효과적으로 탐지할 수 있기 때문이다. 하지만, 해당 기법에서는 정상적인 네트워크 접속 형태가 몇 가지 패턴으로 고정되어 있다고 가정한다. 이러한 이유 때문에 새로운 정상적인 네트워크 연결이 비정상행위로 탐지되기도 한다. 본 논문에서는 연관 마이닝 기법을 활용한 침입 탐지 방법을 제안한다. 논문에서 제안되는 방법은 패킷내 마이닝 단계와 패킷간 마이닝 두가지 단계로 구성된다. 제안된 방법의 성능은 대표적인 네트워크 침입 탐지 방법인 JAM과의 비교 실험을 통하여 평가하였다.

In previous work, anomaly-based intrusion detection techniques have been widely used to effectively detect various intrusions into a computer. This is because the anomaly-based detection techniques can effectively handle previously unknown intrusion methods. However, most of the previous work assumed that the normal network connections are fixed. For this reason, a new network connection may be regarded as an anomalous event. This paper proposes a new anomaly detection method based on an association-mining algorithm. The proposed method is composed of two phases: intra-packet association mining and inter-packet association mining. The performances of the proposed method are comparatively verified with JAM, which is a conventional representative intrusion detection method.

키워드

참고문헌

  1. HS. Javitz and A. Valdes, "The SRI IDES Statistical Anomaly Detector," Proc. of the 1991 IEEE Symposium on Research in Security and Privacy, May 1991.
  2. H.S. Javitz and A. Valdes, "The NIDES Statistical Component Description and Justification," Annual report, SRI International, 333 Ravenwood Avenue, Menlo Park, CA 94025, March 1994.
  3. P.A. Porras and P.G. Neumann, "EMERALD: Event Monitoring Enabling Responses to Anomalous Live Disturbances," 20th NISSC, October 1997.
  4. R. Agrawal and R. Srikant, "Fast Algorithms for Mining Association Rules," Proc. of the 20th Int'l Conference on Very Large Databases, Santiago, Chile, September 1994.
  5. R. Agrawal and R. Srikant, "Mining Sequential Patterns," Proc. of the Int'l Conference on Data Engineering (ICDE) , Taipei, Taiwan, March 1995.
  6. H.S. Teng, K. Chen, and S.C. Lu, "Security Audit Trail Analysis Using Inductively Generated Predictive Rules," Proc. of the Sixth Conf. on Artificial Intelligence Applications. pp. 24-29, Piscataway, New Jersey, March 1990.
  7. W. Lee and S. Stolfo, "Data Mining Approaches for Intrusion Detection," Proc. of the 7th USENIX Security Symposium, San Antonio, Texas, January 1998.
  8. S.J. Stolfo, A.L. Prodromidis, S. Tselepis, W. Lee, D. Fan and P.K. Chan, "JAM:Java agents for Meta-Learning over Distributed Databases," Proc. of the workshopon AI Methods in Fraud and Risk Management, 1997.
  9. H. Mannila, H. Toivonen, and I. Verkamo, "Discovery of frequent episodes in event sequences," Data Mining and Knowledge Discovery, 1(3), pp.259-289, 1997. https://doi.org/10.1023/A:1009748302351
  10. S.-H. Oh, J.-S. Kang, Y.-C. Byun, T. Jeong, and W. -S. Lee, "Anomaly Intrusion Detection Based on Clustering a Data Stream," Proc. of the ISC 2006, pp. 415-426, 2006.
  11. http://www.tcpdump.org/