한국정보통신학회 논문지 (Journal of the Korea Institute of Information and Communication Engineering)

Korean Title: 시간 기반의 비정상 행위 침입탐지 모델 설계
English Title: A Design of Time-based Anomaly Intrusion Detection Model
Authors: 신미예 (Mi-Yea Shin), 정윤수 (Yoon-Su Jeong), 이상호 (Sang-Ho Lee)
Citation: Vol. 15, No. 5, pp. 1066-1072 (May 2011)
Korean Abstract (translated into English)
The method that analyzes the relationships within system call sequences splits normal system call sequences into pieces of a fixed size, generates genes from them, and uses those genes as detectors. The method that considers the parameters of system calls uses the mean and standard deviation of the parameter lengths as detectors. A model that considers only the system call sequence cannot detect attacks such as the format string attack, where the sequence of system calls is normal but only the parameter values change, while a model that considers only the system call parameters examines each parameter individually and therefore suffers from a high positive defect rate caused by information gathered in the interval before the attack has started. To solve these problems, an approach is needed that considers several attack-related attributes of system calls at the same time, grouping consecutive system call sequences and parameters so that learning and detection become more efficient. In this paper, to improve the positive defect rate, that is, the rate at which anomalous behaviour is judged to be normal, we apply the concept of time to the system call sequence and parameters and detect anomalous behaviour in both. In experiments using the DARPA data set, the positive defect rate of the time-aware system call sequence model was 13% better than that of the system call sequence model that did not consider time.
English Abstract
In the method to analyze the relationship in the system call orders, the normal system call orders are divided into a certain size of system call orders to generate genes and use them as the detectors. In the method to consider the system call parameters, the mean and standard deviation of the parameter lengths are used as the detectors. The attack whose system call order is normal but whose parameter values are changed, such as the format string attack, cannot be detected by the method that considers only the system call orders, whereas the model that considers only the system call parameters has the drawback of a high positive defect rate because of the information obtained from the interval where the attack has not been initiated, since the parameters are considered individually. To solve these problems, it is necessary to develop a more efficient learning and detecting method that groups the continuous system call orders and parameters, as an approach that considers the various characteristics of system calls related to attacks simultaneously. In this article, we detected the anomaly of the system call orders and parameters by applying the temporal concept to the system call orders and parameters in order to improve the rate of positive defect, that is, the misjudgment of anomaly as normality. The result of the experiment where the DARPA data set was employed showed that the proposed method improved the positive defect rate by 13% in the system call order model where time was considered in comparison with that of the model where time was not considered.
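The abstract contrasts two baseline host-IDS detectors: fixed-size windows of normal system call sequences used as detectors, and the mean and standard deviation of argument lengths. The following Python is an added illustration of those two baselines, not code from the paper or its authors; the traces, the window size, the z-score threshold and the 1-byte standard-deviation floor are all constructed assumptions, and the paper's time-based grouping is not reproduced. It shows concretely why the sequence detector alone misses a format-string-style attack that keeps the normal call order but enlarges one argument, while an order-changing attack is caught by the sequence detector.

```python
"""Two baseline host-IDS detectors over a system call trace.

Constructed illustration, not code from the paper: it implements the two
detector types the abstract contrasts (fixed-size windows of normal system
call sequences, and the mean/standard deviation of argument lengths) and
shows why the sequence detector alone misses an attack that keeps the
normal call order but changes one argument. The paper's time-based
grouping is not reproduced here.
"""
import statistics

WINDOW = 3          # window size; an assumed value, not taken from the paper
Z_THRESHOLD = 3.0   # assumed: flag an argument more than 3 std devs from the mean

# Constructed training trace: (system call, argument length in bytes) for a
# small service that repeatedly opens a file, reads it, writes a reply, closes.
NORMAL_TRACE = [
    ("open", 12), ("read", 64), ("write", 62), ("close", 0),
    ("open", 14), ("read", 60), ("write", 66), ("close", 0),
    ("open", 12), ("read", 70), ("write", 64), ("close", 0),
    ("open", 13), ("read", 66), ("write", 60), ("close", 0),
]
# Constructed attack trace: identical call order, oversized write argument.
FORMAT_STRING_TRACE = [("open", 12), ("read", 64), ("write", 400), ("close", 0)]
# Constructed attack trace: normal argument sizes, unexpected call order.
ORDER_ATTACK_TRACE = [("open", 12), ("read", 64), ("execve", 9), ("close", 0)]


def call_names(trace):
    """Project a (name, arg_len) trace onto its sequence of call names."""
    return [name for name, _ in trace]


def windows(names, k=WINDOW):
    """All contiguous length-k windows of the call-name sequence."""
    return [tuple(names[i:i + k]) for i in range(len(names) - k + 1)]


def sequence_detectors(trace, k=WINDOW):
    """Training: the set of length-k windows seen in normal traffic."""
    return set(windows(call_names(trace), k))


def sequence_anomalies(trace, detectors, k=WINDOW):
    """Detection: windows of `trace` never seen during training."""
    return [w for w in windows(call_names(trace), k) if w not in detectors]


def argument_profile(trace):
    """Training: per-call mean and population std dev of argument lengths."""
    lengths = {}
    for name, n in trace:
        lengths.setdefault(name, []).append(n)
    return {name: (statistics.mean(v), statistics.pstdev(v))
            for name, v in lengths.items()}


def argument_anomalies(trace, profile, z=Z_THRESHOLD):
    """Detection: calls whose argument length is unseen or far from the mean.

    The std dev is floored at 1 byte so that a call whose training lengths
    were constant still tolerates tiny jitter (an assumed design choice).
    """
    flagged = []
    for name, n in trace:
        if name not in profile:
            flagged.append((name, n))            # never seen this call at all
            continue
        mean, sd = profile[name]
        if abs(n - mean) > z * max(sd, 1.0):
            flagged.append((name, n))
    return flagged


DETECTORS = sequence_detectors(NORMAL_TRACE)
PROFILE = argument_profile(NORMAL_TRACE)


def analyse(trace):
    """Run both detectors and report what each one flags."""
    return {
        "sequence": sequence_anomalies(trace, DETECTORS),
        "argument": argument_anomalies(trace, PROFILE),
    }


if __name__ == "__main__":
    for label, trace in (("format-string style", FORMAT_STRING_TRACE),
                         ("unexpected call order", ORDER_ATTACK_TRACE)):
        print(label, analyse(trace))
```

On the constructed traces the sequence detector reports nothing for the format-string-style trace, because every 3-call window already appeared in training, while the argument detector flags the 400-byte write; the order-changing trace is flagged by both. Either detector on its own leaves a blind spot, which is the gap the abstract's combined, time-aware grouping is meant to close.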
Keywords: Host based IDS; System call sequence; System call argument; false-positive; false-negative (Korean keywords: 호스트기반 침입탐지, 시스템 호출 순서, 시스템 호출 매개변수, 긍정적 결함, 부정적 결함)