Parallel title: Practical IDS Operation Method Using Machine Learning and Visualization
General note: type: Thesis
Detecting cyber-attacks plays a crucial role in the modern networked society. An Intrusion Detection System (IDS) monitors network activity across many protocols and reports alerts to an administrator when anomalous events are detected. After receiving the alerts, the administrator can perform a more detailed investigation to identify the anomalies. However, an IDS generates a large number of alerts. Although many approaches to reducing this volume of alerts have been actively studied, a practical and useful operating method for IDS is still needed.

In this thesis, we explore a practical operating method for IDS using machine learning and visualization approaches. We found that many IDS alerts have three features: (1) steadiness, (2) periodicity, and (3) sudden mass detection. Utilizing these features, we first developed a visualization system that emphasizes anomalous alerts against past tendencies, which allows the administrator to intuitively identify the network status and the anomalous alerts. In addition, we developed a method for forecasting alerts with high accuracy using their periodicity, which enables the administrator to identify the future trend of IDS alerts without analyzing the logs manually. Furthermore, we developed a method for forecasting Domain Name System (DNS) packets and detecting DNS attacks, so that the cause of an anomaly can be identified at an early stage together with the IDS alerts. These proposed methods, which can be applied to IDS alerts and DNS packets, allow the administrator to identify the network status and anomalies without analyzing the logs manually, and thereby contribute greatly to the practical operation of IDS.
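The abstract describes exploiting the steadiness and periodicity of alert volumes to forecast them and to make sudden mass detections stand out against past tendency, but the page does not give the forecasting model itself. The following is an added illustration, not code from the thesis: it uses a simple seasonal-naive baseline (per hour-of-week mean and standard deviation over the last few weeks) as a stand-in for the thesis's forecasting method, and flags hours whose observed count exceeds the forecast by a margin. All function names are assumptions, and the hourly alert counts are constructed in the script rather than taken from real logs.

```python
from statistics import mean, pstdev

HOURS_PER_WEEK = 24 * 7


def synthetic_alert_counts(weeks):
    """Constructed hourly IDS alert counts exhibiting the features named in the
    abstract: a steady baseline, a periodic nightly spike (e.g. a scheduled
    vulnerability scan tripping signatures), and small deterministic jitter.
    No real log data is used."""
    counts = []
    for w in range(weeks):
        for h in range(HOURS_PER_WEEK):
            hour, weekday = h % 24, h // 24
            base = 40 if weekday < 5 else 15          # quieter at weekends
            if hour == 3:
                base += 120                            # periodic spike every night at 03:00
            noise = ((w * 31 + h * 7) % 11) - 5        # deterministic jitter in [-5, 5]
            counts.append(base + noise)
    return counts


def seasonal_forecast(history, weeks=3):
    """Seasonal-naive forecast for the coming week: for each hour-of-week slot,
    the mean and standard deviation of that slot over the last `weeks` full
    weeks of history. Because the periodic spike recurs in every week, it
    becomes part of the expectation rather than an anomaly."""
    if len(history) < weeks * HOURS_PER_WEEK:
        raise ValueError("need at least %d hours of history" % (weeks * HOURS_PER_WEEK))
    recent = history[-weeks * HOURS_PER_WEEK:]
    forecast = []
    for slot in range(HOURS_PER_WEEK):
        samples = [recent[slot + w * HOURS_PER_WEEK] for w in range(weeks)]
        # floor on sigma so three identical samples do not make every deviation "infinite"
        forecast.append((mean(samples), max(pstdev(samples), 1.0)))
    return forecast


def sudden_mass_detections(actual, forecast, k=3.0, min_excess=20):
    """Return (slot, observed, expected) for each hour-of-week slot where the
    observed count exceeds the forecast by more than max(k*sigma, min_excess).
    The absolute floor `min_excess` stops a very stable baseline from flagging
    trivially small increases."""
    flagged = []
    for slot, (count, (mu, sigma)) in enumerate(zip(actual, forecast)):
        if count - mu > max(k * sigma, min_excess):
            flagged.append((slot, count, round(mu, 1)))
    return flagged


def demo():
    """Forecast week 4 from weeks 1-3 and inject one constructed burst."""
    history = synthetic_alert_counts(weeks=4)
    past, this_week = history[:-HOURS_PER_WEEK], list(history[-HOURS_PER_WEEK:])
    burst_slot = 2 * 24 + 14             # Wednesday 14:00 (constructed)
    this_week[burst_slot] += 500         # the "sudden mass detection" to be highlighted
    return sudden_mass_detections(this_week, seasonal_forecast(past))


if __name__ == "__main__":
    for slot, observed, expected in demo():
        day, hour = divmod(slot, 24)
        print("day %d %02d:00  observed=%d  expected=%.1f" % (day, hour, observed, expected))
```

The nightly 03:00 spike is never reported because it appears in every past week and therefore in the forecast, while the one-off Wednesday burst is the only slot flagged; this is the distinction between periodic and sudden mass detections that the abstract relies on. In practice the forecast window and the `k`/`min_excess` margins would be tuned per signature or sensor rather than globally.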
Linked institution / database: National Institute of Informatics : Institutional Repositories DataBase (IRDB) (institutional repository)