With the rapid growth of the Internet, almost every daily activity is tied to it. While technology brings convenience, it has also caused a sharp increase in the number of information security incidents. To defend effectively against malicious network attacks, this thesis proposes an integrated Network-based Intrusion Detection and Alarm System that combines a Convolutional Neural Network (CNN) with signature-based detection. In the system, we use the open-source software Snort as the underlying signature-based intrusion detection system; however, signature-based detection is often defeated by polymorphic and evolving attack techniques and fails to detect the attack packets, so we use a convolutional neural network to train a network traffic classifier that compensates for Snort's weakness in detecting unknown attacks. Under normal conditions Snort detects known attacks well, while the CNN classifier is good at detecting unknown attacks, so by having two intrusion detection mechanisms based on different principles complement each other we can effectively improve network security. We therefore integrate the two intrusion detection mechanisms and manage their logs with the Elastic Stack (ELK). In the experiments, we train and test the model on the CICIDS-2017 benchmark intrusion detection dataset; the results show that the method proposed in this thesis reaches a prediction accuracy of 99.04%. At the same time, the classifier's predictions can be used to modify and add Snort rules, raising Snort's detection rate and lowering its false positive rate. The experimental results show that the method in this thesis can be used to build a more reliable intrusion detection system.
With the rapid growth of the Internet, people's daily activities are closely tied to it. While technology brings convenience, it also leads to a significant increase in cybersecurity incidents. To effectively prevent malicious cyber-attacks, this paper presents an integrated Network-based Intrusion Detection and Alarm System that combines Convolutional Neural Networks (CNN) with signature-based detection. In this system, we employ the open-source software Snort as the foundation for a signature-based intrusion detection system. However, signature-based detection techniques often struggle to identify attack packets due to the diversity of evolving attack methods. To address this limitation, we utilize Convolutional Neural Networks to train a network traffic classifier, enhancing Snort's capability to detect previously unknown attacks. In typical scenarios, Snort performs well at detecting known attacks, whereas the CNN classifier excels at identifying unknown attacks. By integrating these two intrusion detection mechanisms based on different principles, we enhance network security. The two mechanisms are integrated, and their logs are managed with the Elastic Stack (ELK). Experimental results using the benchmark CICIDS-2017 Dataset for training and testing demonstrate a predictive accuracy of 99.04% using the proposed research approach. Furthermore, we leverage the classifier's predictions to modify and add Snort rules, thereby increasing detection rates and reducing false positives. The experimental results substantiate that this paper's methodology enables the establishment of a more reliable intrusion detection system.
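The feedback loop described above, in which classifier predictions are turned into new Snort rules, is sketched here as an added example; it is not the thesis's own code. The `Verdict` record, the `verdict_to_rule`/`merge_rules` helpers, the confidence threshold and the sample verdicts are all assumptions constructed for illustration; only confident non-benign verdicts become rules, local rules use sids at or above 1,000,000, and a rule already covering the same flow and label is not added twice.

```python
"""Turn CNN classifier verdicts into Snort alert rules (added example, not the thesis's code)."""
import re
from dataclasses import dataclass
from typing import List, Optional

LOCAL_SID_START = 1_000_000  # sids below 1,000,000 are reserved for official Snort rules
CLASSTYPE = {"DoS": "attempted-dos", "PortScan": "attempted-recon", "Bot": "trojan-activity"}


@dataclass(frozen=True)
class Verdict:
    """Constructed classifier output: one flow plus the predicted label and its probability."""
    src_ip: str
    dst_ip: str
    dst_port: int
    proto: str        # "tcp" or "udp"
    label: str        # CICIDS-2017 style class name, e.g. "DoS" or "BENIGN"
    confidence: float # probability of the predicted class


def verdict_to_rule(v: Verdict, sid: int, min_conf: float = 0.95) -> Optional[str]:
    """Return a Snort rule for a confident attack verdict, or None for benign/low-confidence ones.

    Only the destination host and port are pinned, so the rule also fires when the same
    attack arrives from another source; msg carries the label for analyst traceability.
    """
    if v.label == "BENIGN" or v.confidence < min_conf:
        return None
    return (f"alert {v.proto} any any -> {v.dst_ip} {v.dst_port} "
            f'(msg:"CNN-IDS {v.label} p={v.confidence:.2f}"; '
            f"classtype:{CLASSTYPE.get(v.label, 'misc-attack')}; sid:{sid}; rev:1;)")


def next_sid(rules: List[str]) -> int:
    """Allocate the next unused local sid by scanning the existing rule set."""
    sids = [int(m) for r in rules for m in re.findall(r"\bsid:(\d+);", r)]
    return max([LOCAL_SID_START - 1] + sids) + 1


def merge_rules(existing: List[str], verdicts: List[Verdict], min_conf: float = 0.95) -> List[str]:
    """Append rules for new verdicts, skipping flows/labels the rule set already covers."""
    rules = list(existing)
    covered = {(r.split("(")[0].strip(), re.search(r'msg:"CNN-IDS (\S+)', r).group(1))
               for r in rules if "CNN-IDS" in r}
    sid = next_sid(rules)
    for v in verdicts:
        rule = verdict_to_rule(v, sid, min_conf)
        if rule is None:
            continue
        key = (rule.split("(")[0].strip(), v.label)
        if key in covered:
            continue
        rules.append(rule)
        covered.add(key)
        sid += 1
    return rules
```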