Método Heurístico para Rotular Grupos em Sistema de Detecção de Intrusão baseado em Anomalia
Resumo
Os sistemas de detecção de intrusão fazem parte de um ferramental de segurança necessário na proteção de ambientes que disponibilizam informações via Internet. Dentre esses sistemas vêm se destacando os de aprendizagem nãosupervisionada, pois são capazes de extrair modelos de comportamento do ambiente sem o conhecimento prévio de ataques dentre as informações coletadas. Uma técnica utilizada para criar esses modelos é a de agrupamento de dados, onde os grupos resultantes são rotulados como normais ou, no caso de anomalias, como ataques. Neste trabalho é proposto um método heurístico para rotular grupos que durante os experimentos resultou em taxas de falsos positivos significativamente menores em relação aos métodos de trabalhos relacionados.
Referências
Acunetix (2011). Acunetix Web Security Scanner (http://www.acunetix.com/ - acesso em 10/07/2011).
Celepar-Dataset (2011). Celepar - Dataset with web attacks for intrusion detection research (http://ids.celepar.pr.gov.br/dataset)).
Corona, I. and Giacinto, G. (2010). Detection of Server-side Web Attacks. Journal of Machine Learning Research - Proceedings Track, 11:160–166.
Criscione, C., Salvaneschi, G., Maggi, F., and Zanero, S. (2009). Integrated Detection of Attacks Against Browsers, Web Applications and Databases. In Proceedings of the 2009 European Conference on Computer Network Defense, EC2ND ’09, pages 37–45, Washington, DC, USA. IEEE Computer Society.
DARPA (1998). 1998 DARPA Intrusion Detection Evaluation Data Set ([link] - acesso em 10/07/2011).
DirBuster (2011). OWASP DirBuster Project ([link] - acesso em 10/07/2011).
Eskin, E., Arnold, A., Prerau, M., Portnoy, L., and Stolfo, S. (2002). A Geometric Framework for Unsupervised Anomaly Detection: Detecting Intrusions in Unlabeled Data. In Applications of Data Mining in Computer Security.
Fawcett, T. (2003). ROC Graphs: Notes and Practical Considerations for Researchers. Tech Report HPL-2003-4, HP Laboratories. Available: http://www.purl.org/NET/tfawcett/papers/ROC101.pdf.
Guan, Y., Ghorbani, A. A., and Belacel, N. (2003). Y-means: A Clustering Method for Intrusion Detection. In Proceedings of Canadian Conference on Electrical and Computer Engineering, pages 1083–1086.
iCTF (2008). The 2008 iCTF Data (http://ictf.cs.ucsb.edu/data/ictf2008/ - acesso em 10/07/2011).
KDD (1999). KDD Cup 1999 databases ([link] - acesso em 10/07/2011).
Leung, K. and Leckie, C. (2005). Unsupervised Anomaly Detection in Network Intrusion Detection using Clusters. In Proceedings of the Twenty-eighth Australasian conference on Computer Science - Volume 38, ACSC ’05, pages 333–342, Darlinghurst, Australia, Australia. Australian Computer Society, Inc.
Mahoney, M. V., Chan, P. K., and Arshad, M. H. (2003). A Machine Learning Approach to Anomaly Detection. Technical Report CS-2003-06, Department of Computer Science, Florida Institute of Technology, Melbourne, FL. Nessus (2011). Nessus Vulnerability Scanner (http://www.nessus.org/ - acesso em 10/07/2011).
Nikto (2011). Nikto Open Source web server scanner (http://www.cirt.net/nikto2 - acesso em 10/07/2011).
Pereira, H. (2011). Sistema de Detecção de Intrusão para Serviços Web baseado em Anomalias. Master’s thesis, PUCPR, Curitiba - PR.
Petrovic, S. (2006). A Comparison Between the Silhouette Index and the Davies-Bouldin Index in Labelling IDS Clusters. Proceedings of the 11th Nordic Workshop of Secure IT, pages 53–64.
Portnoy, L., Eskin, E., and Stolfo, S. (2001). Intrusion Detection with Unlabeled Data Using clustering. In Proceedings of ACM Workshop on Data Mining Applied to Security.
Robertson, W., Maggi, F., Kruegel, C., and Vigna, G. (2010). Effective Anomaly Detection with Scarce Training Data. In Proceedings of the Network and Distributed System Security Symposium (NDSS), San Diego, CA.
Singh, G., Masseglia, F., Fiot, C., Marascu, A., and Poncelet, P. (2009). Mining Common Outliers for Intrusion Detection. In EGC (best of volume), pages 217–234.
Zhang, Y.-F., Xiong, Z.-Y., and Wang, X.-Q. (2005). Distributed Intrusion Detection based on Clustering. Machine Learning and Cybernetics, 2005. Proceedings of 2005 International Conference on, 4:2379–2383 Vol. 4.
Zhong, S., Khoshgoftaar, T., and Seliya, N. (2007). Clustering-based Network Intrusion Detection. International Journal of Reliability, Quality and Safety Engineering, 14(2):169–187.
Celepar-Dataset (2011). Celepar - Dataset with web attacks for intrusion detection research (http://ids.celepar.pr.gov.br/dataset)).
Corona, I. and Giacinto, G. (2010). Detection of Server-side Web Attacks. Journal of Machine Learning Research - Proceedings Track, 11:160–166.
Criscione, C., Salvaneschi, G., Maggi, F., and Zanero, S. (2009). Integrated Detection of Attacks Against Browsers, Web Applications and Databases. In Proceedings of the 2009 European Conference on Computer Network Defense, EC2ND ’09, pages 37–45, Washington, DC, USA. IEEE Computer Society.
DARPA (1998). 1998 DARPA Intrusion Detection Evaluation Data Set ([link] - acesso em 10/07/2011).
DirBuster (2011). OWASP DirBuster Project ([link] - acesso em 10/07/2011).
Eskin, E., Arnold, A., Prerau, M., Portnoy, L., and Stolfo, S. (2002). A Geometric Framework for Unsupervised Anomaly Detection: Detecting Intrusions in Unlabeled Data. In Applications of Data Mining in Computer Security.
Fawcett, T. (2003). ROC Graphs: Notes and Practical Considerations for Researchers. Tech Report HPL-2003-4, HP Laboratories. Available: http://www.purl.org/NET/tfawcett/papers/ROC101.pdf.
Guan, Y., Ghorbani, A. A., and Belacel, N. (2003). Y-means: A Clustering Method for Intrusion Detection. In Proceedings of Canadian Conference on Electrical and Computer Engineering, pages 1083–1086.
iCTF (2008). The 2008 iCTF Data (http://ictf.cs.ucsb.edu/data/ictf2008/ - acesso em 10/07/2011).
KDD (1999). KDD Cup 1999 databases ([link] - acesso em 10/07/2011).
Leung, K. and Leckie, C. (2005). Unsupervised Anomaly Detection in Network Intrusion Detection using Clusters. In Proceedings of the Twenty-eighth Australasian conference on Computer Science - Volume 38, ACSC ’05, pages 333–342, Darlinghurst, Australia, Australia. Australian Computer Society, Inc.
Mahoney, M. V., Chan, P. K., and Arshad, M. H. (2003). A Machine Learning Approach to Anomaly Detection. Technical Report CS-2003-06, Department of Computer Science, Florida Institute of Technology, Melbourne, FL. Nessus (2011). Nessus Vulnerability Scanner (http://www.nessus.org/ - acesso em 10/07/2011).
Nikto (2011). Nikto Open Source web server scanner (http://www.cirt.net/nikto2 - acesso em 10/07/2011).
Pereira, H. (2011). Sistema de Detecção de Intrusão para Serviços Web baseado em Anomalias. Master’s thesis, PUCPR, Curitiba - PR.
Petrovic, S. (2006). A Comparison Between the Silhouette Index and the Davies-Bouldin Index in Labelling IDS Clusters. Proceedings of the 11th Nordic Workshop of Secure IT, pages 53–64.
Portnoy, L., Eskin, E., and Stolfo, S. (2001). Intrusion Detection with Unlabeled Data Using clustering. In Proceedings of ACM Workshop on Data Mining Applied to Security.
Robertson, W., Maggi, F., Kruegel, C., and Vigna, G. (2010). Effective Anomaly Detection with Scarce Training Data. In Proceedings of the Network and Distributed System Security Symposium (NDSS), San Diego, CA.
Singh, G., Masseglia, F., Fiot, C., Marascu, A., and Poncelet, P. (2009). Mining Common Outliers for Intrusion Detection. In EGC (best of volume), pages 217–234.
Zhang, Y.-F., Xiong, Z.-Y., and Wang, X.-Q. (2005). Distributed Intrusion Detection based on Clustering. Machine Learning and Cybernetics, 2005. Proceedings of 2005 International Conference on, 4:2379–2383 Vol. 4.
Zhong, S., Khoshgoftaar, T., and Seliya, N. (2007). Clustering-based Network Intrusion Detection. International Journal of Reliability, Quality and Safety Engineering, 14(2):169–187.
Publicado
06/11/2011
Como Citar
PEREIRA, Hermano; JAMHOUR, Edgard.
Método Heurístico para Rotular Grupos em Sistema de Detecção de Intrusão baseado em Anomalia. In: SIMPÓSIO BRASILEIRO DE SEGURANÇA DA INFORMAÇÃO E DE SISTEMAS COMPUTACIONAIS (SBSEG), 11. , 2011, Brasília.
Anais [...].
Porto Alegre: Sociedade Brasileira de Computação,
2011
.
p. 183-196.
DOI: https://doi.org/10.5753/sbseg.2011.20572.
