Present-day intrusion detection systems all aim for a high detection rate and a low false-alarm rate, but both rates vary with how strict or loose the detection rules are. The detection rules of an intrusion detection system cannot suit every environment, because the detection threshold differs with the target being protected; rules that are set inappropriately prevent the system from performing effectively. To build an intrusion detection system according to the characteristics of its environment, we adopt the concept of risk analysis and let the protected target hosts determine which detection rules are monitored. We therefore pass the traffic of the experimental environment through an intrusion detection system built in that environment and analyze the resulting detection report [7]. Using the concept of dimensions, we take undetected and missed attack traffic as the horizontal axis and the host type together with the services it provides as the vertical axis to build a "relative" cost evaluation table, from which we compute the total environment-specific cost value. Based on the concept of a cost-benefit trade-off model, we decide whether to add that class of detection rule to the intrusion detection system or to delete it, and in this way adjust the strictness of the detection rules to the characteristics of the environment. In addition, we read the corresponding damage cost, response cost, and operation cost from the "relative" cost evaluation table and, following the cost-benefit trade-off model, decide whether the system and its administrator need to take a corresponding response: for some host types the response cost of certain attack behaviors exceeds the damage cost, so neither the intrusion detection system nor the security administrator needs to take response measures against those attacks. The intrusion detection system thus reaches detection conditions built according to its environment, and the cost of the response mechanisms that the system and its personnel apply to attack behavior is reduced to a minimum.
A high detection rate and a low false alarm rate are essential for present-day intrusion detection systems, but both rates change with how the detection rules are instituted. The detection rules of an intrusion detection system do not fit every environment, because the detection threshold must differ according to the targets being protected, and poorly instituted detection rules degrade the system's performance. To construct the intrusion detection system according to its environment, we adopt the concept of risk analysis to construct the detection rules for the protected target hosts. We therefore inject the traffic of the experimental environment into the intrusion detection system established in that environment and analyze the report of its detection results [7]. Adding the concept of a dimension, we take the attack type as the horizontal axis and the host type with its service as the vertical axis to establish a related cost evaluating table, and we compute the total cost for the environment. Based on the concept of the cost benefit trade-off model, the administrator determines whether to add detection rules to the intrusion detection system or delete them from it; after these steps, the strictness of the detection rules can be adjusted to the characteristics of the environment. Besides, from the related cost evaluating table we can find the damage cost, response cost, operation cost and penalty cost, and we consult these factors together with the concept of the cost benefit trade-off model to determine whether the system administrator should take a related response mechanism. Because on some types of hosts the response cost is greater than the damage cost with regard to some types of attack, the administrator need not take any response to such an attack.
Therefore, we can construct the intrusion detection system according to its environment and help the administrator reduce the cost of the response mechanism as low as possible.
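As an added example, not code from the thesis, the decision logic the abstract describes can be written down as follows in Python: a relative cost evaluation table indexed by host type and attack type, a per-cell rule for whether responding is worthwhile (respond only when the damage cost exceeds the response cost), and a per-rule keep/delete decision from the cost benefit trade-off. The host names, attack names and cost values are constructed for the example; the net-benefit formula used to keep or delete a rule and the definition of the environment cost total are assumptions of this example, since the abstract gives no formula, and the penalty cost mentioned in the English abstract is left out.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, Tuple

# Constructed sample "relative" cost evaluation table (not data from the thesis).
# Each cell is keyed by (host type / service, attack type); costs share one
# relative scale so they can be compared against each other.
@dataclass(frozen=True)
class CostEntry:
    damage: int     # loss expected if the attack succeeds and nobody responds
    response: int   # cost of the system/administrator acting on the alert
    operation: int  # cost of running this detection rule against this host's traffic

HOST_TYPES = ("web-server", "dns-server")
ATTACK_TYPES = ("port-scan", "sql-injection")

COST_TABLE: Dict[Tuple[str, str], CostEntry] = {
    ("web-server", "port-scan"):     CostEntry(damage=2,  response=5,  operation=1),
    ("web-server", "sql-injection"): CostEntry(damage=50, response=10, operation=2),
    ("dns-server", "port-scan"):     CostEntry(damage=1,  response=5,  operation=1),
    ("dns-server", "sql-injection"): CostEntry(damage=0,  response=10, operation=2),
}


def response_decision(entry: CostEntry) -> str:
    """Cost benefit trade-off for one (host, attack) cell: respond only when the
    damage avoided exceeds what the response itself costs; otherwise the alert
    is recorded but no response mechanism is triggered."""
    return "respond" if entry.damage > entry.response else "ignore"


def rule_benefit(attack: str, table: Dict[Tuple[str, str], CostEntry],
                 hosts: Iterable[str]) -> int:
    """Assumed net-benefit formula for keeping the detection rule for `attack`:
    the damage it lets the environment avoid on hosts where responding is
    worthwhile, minus the operation cost of running it for every host."""
    benefit = 0
    for host in hosts:
        entry = table[(host, attack)]
        if response_decision(entry) == "respond":
            benefit += entry.damage - entry.response
        benefit -= entry.operation
    return benefit


def rule_decision(attack: str, table: Dict[Tuple[str, str], CostEntry],
                  hosts: Iterable[str]) -> str:
    """Keep a rule only when its net benefit in this environment is positive."""
    return "keep" if rule_benefit(attack, table, hosts) > 0 else "delete"


def tune_rules(table: Dict[Tuple[str, str], CostEntry], hosts: Iterable[str],
               attacks: Iterable[str]) -> Dict[str, str]:
    """Environment-specific rule set: one keep/delete decision per attack type."""
    hosts = tuple(hosts)
    return {attack: rule_decision(attack, table, hosts) for attack in attacks}


def environment_cost(table: Dict[Tuple[str, str], CostEntry]) -> int:
    """Assumed environment cost total: for every cell, the cheaper of absorbing
    the damage or paying for the response, plus the cost of detecting it."""
    return sum(min(e.damage, e.response) + e.operation for e in table.values())


if __name__ == "__main__":
    for (host, attack), entry in COST_TABLE.items():
        print(f"{host:11} {attack:14} -> {response_decision(entry)}")
    print("rule decisions:", tune_rules(COST_TABLE, HOST_TYPES, ATTACK_TYPES))
    print("environment cost total:", environment_cost(COST_TABLE))
```

With the constructed table, the port-scan rule is deleted because no host in the environment warrants a response to it (the response costs more than the damage on both hosts), while the SQL injection rule is kept because the web server alone avoids far more damage than the rule costs to run; the DNS server, where SQL injection causes no damage, still raises no response.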