Degree Thesis

Improving the Performance of Network Intrusion Detection Systems Based on an Environment-Dependent Defense Net

Environment Dependent Performance Tuning for Network Intrusion Detection System

Advisor: 田筱榮


With network intrusion incidents increasing day by day and attack techniques continually advancing, today's attacks have shifted from probing a single target to emitting large numbers of packets that probe every computer on the network. These packets are not aimed at any particular target. If our network environment does not provide the corresponding service or does not contain the vulnerable software, yet the intrusion detection system deployed in that environment has a signature database that includes signatures for such packets, then this flood of packets will inevitably generate a large number of alerts and degrade the performance of the intrusion detection system. We therefore propose a method that applies prior knowledge of the network environment to tuning the signature database of the intrusion detection system. With a customized, environment-specific signature database the intrusion detection system becomes more lightweight: when faced with large volumes of packets it performs fewer comparisons and avoids the extra cost of generating unnecessary alerts, so that it can spend its computing resources on checking the resources in the environment that are most likely to be attacked, and thereby improve its performance.


With the Internet seeing more and more attacks, and attacking skills evolving, the Internet attack model has changed from sending intrusion packets to a specific target system to arbitrarily sending packets to intrude on any vulnerable computer on the Internet. Suppose our network environment does not provide the service, or does not have the software vulnerability, that a certain intrusion packet targets, but the detection rule database of the intrusion detection system deployed in our network environment contains the corresponding signatures. These attacking packets can then easily cause a large number of alerts to be generated and degrade the performance of the IDS. Therefore, we propose a method that applies knowledge about the network environment to tuning the intrusion detection system. By customizing the detection rule base, the size of the detection rule database can be reduced, which leads to a decreased amount of signature comparison and fewer unnecessary alerts. In this way, the intrusion detection system can save computing resources, concentrate on the more vulnerable parts of the system, and improve its performance.
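The rule-base customization described in the abstract, as an added example that is not part of the thesis: a small Python script that prunes simplified Snort-style rules whose destination port no host in a constructed environment inventory actually serves. The rules, the inventory and the rule syntax handled here are assumptions for illustration; pruning is conservative, so rules whose port cannot be resolved (`any`, ranges, port-less protocols) are kept.

```python
import re

# Constructed, simplified Snort-style rules; not a real ruleset.
RULES = [
    'alert tcp any any -> $HOME_NET 80 (msg:"WEB-IIS directory traversal"; sid:1001;)',
    'alert tcp any any -> $HOME_NET 22 (msg:"SSH login brute force"; sid:1002;)',
    'alert tcp any any -> $HOME_NET 1433 (msg:"MSSQL probe"; sid:1003;)',
    'alert udp any any -> $HOME_NET 161 (msg:"SNMP community probe"; sid:1004;)',
    'alert icmp any any -> $HOME_NET any (msg:"ICMP sweep"; sid:1005;)',
]

# Constructed environment inventory: (protocol, port) pairs actually listening
# on each protected host. In practice this comes from an asset database or scan.
INVENTORY = {
    "192.168.1.10": {("tcp", 80), ("tcp", 443)},
    "192.168.1.20": {("tcp", 22)},
}

HEADER = re.compile(r"^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+->\s+(\S+)\s+(\S+)\s+\((.*)\)$")

def parse_rule(rule):
    """Split a rule header into its fields and pull the sid from the options."""
    m = HEADER.match(rule.strip())
    if m is None:
        raise ValueError("unsupported rule syntax: " + rule)
    action, proto, src, sport, dst, dport, opts = m.groups()
    sid = re.search(r"\bsid:(\d+);", opts)
    if sid is None:
        raise ValueError("rule without sid: " + rule)
    return {"proto": proto.lower(), "dport": dport, "sid": int(sid.group(1))}

def exposed_services(inventory):
    """Union of (proto, port) pairs offered anywhere in the environment."""
    return set().union(*inventory.values())

def prune_rules(rules, inventory):
    """Return (kept_sids, dropped_sids). A rule is dropped only when its
    destination port is a single number that no host in the inventory serves;
    'any', port lists/ranges and port-less protocols such as icmp are kept."""
    exposed = exposed_services(inventory)
    kept, dropped = [], []
    for rule in rules:
        r = parse_rule(rule)
        if r["dport"].isdigit() and (r["proto"], int(r["dport"])) not in exposed:
            dropped.append(r["sid"])
        else:
            kept.append(r["sid"])  # conservative: unresolvable ports stay
    return kept, dropped
```

The inventory must be refreshed whenever a service is added, since a stale inventory silently drops coverage for the new service.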


