Signature-based intrusion detection systems play a very important role in defending against network attacks. However, because they check traffic against known signatures, they cannot detect zero-day attacks; such systems easily overlook new malicious behaviour and then fail to distinguish normal from malicious traffic effectively, which leads to enterprise or personal data leakage and very large losses. In this thesis we combine an AutoEncoder with a deep neural network to propose an intrusion detection system that can detect unknown attacks: it not only recognises known malicious behaviour but also remedies the inability to withstand zero-day attacks. In the system architecture, a zero-day attack detection module decides whether the collected traffic contains an unknown attack, while a known-attack classification method acts as the attack-type classifier that further determines which known attack the traffic belongs to. Then, so that the system can learn unknown attacks and turn them into known ones, we add an attack aggregation mechanism: a DBSCAN-based clustering method with a voting scheme groups unknown attacks with similar features into a new attack category, so that the system's attack detection capability keeps growing with the number of malicious attacks it sees. Experimental results show that the novel intrusion detection system proposed in this thesis detects unknown attacks effectively and achieves good classification results.
Although signature-based intrusion detection systems (IDS) have played an important role in cyber security, a crucial challenge remains: zero-day attacks are hard to handle, and this drawback may cause large losses to an enterprise or an individual. To address this issue, we propose a novel IDS framework that is able to cope with zero-day attacks. The framework consists of an AutoEncoder and a deep neural network (DNN): the AutoEncoder is applied to detect zero-day intrusions, and the DNN is employed to classify known attacks. In particular, we introduce an aggregation mechanism based on the DBSCAN algorithm and a voting system for sorting the zero-day samples and retraining the IDS. The experimental results demonstrate that the new method works reliably for both zero-day attack detection and known attack classification.
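The two-stage flow described above (reconstruction-error screening for unknown traffic, then DBSCAN-based aggregation with voting to promote clusters of unknowns into new attack classes) as an added illustration in pure Python; this is not the thesis's own code. It assumes the AutoEncoder stage has already produced a reconstruction error per record, uses a constructed threshold and feature vectors, and adopts one plausible voting rule (majority agreement across several DBSCAN eps values), since the abstract does not specify the thesis's voting scheme.

```python
import math, itertools

THRESHOLD = 0.5  # assumed reconstruction-error cut-off: above it, a record is "unknown"
RECORDS = [  # constructed sample records: (2-d feature vector, AutoEncoder reconstruction error)
    ((0.10, 0.10), 0.81), ((0.12, 0.10), 0.77), ((0.10, 0.13), 0.85), ((0.14, 0.12), 0.79),
    ((0.90, 0.90), 0.92), ((0.88, 0.92), 0.88), ((0.91, 0.87), 0.95),
    ((0.21, 0.10), 0.71), ((0.50, 0.50), 0.66),  # isolated unknowns: must not form a class
    ((0.30, 0.70), 0.12),                        # low error: goes to the known-attack DNN
]

def dbscan(points, eps, min_pts):
    """Minimal DBSCAN: one cluster id per point, -1 for noise."""
    n, labels, cid = len(points), [None] * len(points), 0
    nb = lambda i: [j for j in range(n) if math.dist(points[i], points[j]) <= eps]
    for i in range(n):
        if labels[i] is not None:
            continue
        seeds = nb(i)
        if len(seeds) < min_pts:
            labels[i] = -1  # provisional noise; may later be claimed as a border point
            continue
        labels[i] = cid
        while seeds:
            j = seeds.pop()
            if labels[j] is None or labels[j] == -1:
                labels[j], more = cid, nb(j)
                if len(more) >= min_pts:
                    seeds.extend(more)  # j is a core point: keep growing the cluster
        cid += 1
    return labels

def aggregate_unknowns(points, eps_grid, min_pts):
    """Voting (assumed rule): two samples merge only if a majority of DBSCAN runs (one per
    eps) put them in the same non-noise cluster; merged groups of >= min_pts become new classes."""
    runs = [dbscan(points, eps, min_pts) for eps in eps_grid]
    parent = list(range(len(points)))  # union-find over majority-linked pairs
    find = lambda x: x if parent[x] == x else find(parent[x])
    for a, b in itertools.combinations(range(len(points)), 2):
        votes = sum(lab[a] != -1 and lab[a] == lab[b] for lab in runs)
        if 2 * votes > len(runs):
            parent[find(a)] = find(b)
    groups = {}
    for i in range(len(points)):
        groups.setdefault(find(i), []).append(i)
    return sorted(g for g in groups.values() if len(g) >= min_pts)

def run_pipeline(records=RECORDS, threshold=THRESHOLD, eps_grid=(0.04, 0.06, 0.10), min_pts=3):
    """Zero-day stage (error threshold), then aggregation; returns record indices per outcome."""
    unknown = [i for i, (_, err) in enumerate(records) if err > threshold]
    groups = aggregate_unknowns([records[i][0] for i in unknown], eps_grid, min_pts)
    classes = [[unknown[k] for k in g] for g in groups]
    return {"known": [i for i in range(len(records)) if i not in unknown], "new_classes": classes,
            "still_unknown": [i for i in unknown if not any(i in g for g in classes)]}
```

Records in `new_classes` are the ones that would be relabelled and fed back to retrain the known-attack classifier; `still_unknown` records wait until enough similar samples arrive.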