| Graduate student: | 楊詔同 Yang, Chao-Tung |
|---|---|
| Thesis title: | 自我診斷之入侵偵測系統機制 The Self-diagnosing Intrusion Detection System Mechanism |
| Advisor: | 賴溪松 Laih, Chi-Sung |
| Degree: | Master |
| Department: | College of Electrical Engineering and Computer Science - Department of Electrical Engineering |
| Year published: | 2004 |
| Academic year of graduation: | 92 (ROC calendar, i.e. 2003/04) |
| Language: | English |
| Pages: | 63 |
| Chinese keywords: | 入侵偵測系統 (intrusion detection systems), 類神經 (neural networks) |
| Keywords: | SOM, intrusion detection systems |
| Views / downloads: | 92 / 1 |
In recent years the rapid growth of networks has brought convenient services in many areas, but with it have come viruses and intrusion attacks of every kind, which often cause serious damage and loss. Beyond the firewall as the first line of defense, the intrusion detection system is one of the other important lines of defense.
Current intrusion detection systems mainly use signature-based detection. Although this approach detects attack behaviour effectively, the signatures must be updated frequently to catch new kinds of attacks. Many studies also apply artificial intelligence techniques to obtain better detection. An AI-based detection system, however, must be trained in advance, and once it no longer fits the environment it must be retrained; deciding that it no longer fits, and choosing the moment to retrain, therefore becomes very important.
In this thesis we propose a mechanism that is independent of the AI detection engine: when the detection engine no longer matches the current situation, the system raises an alert telling the administrator that retraining is needed. We use the Self-Organizing Map (SOM) from the family of neural-network algorithms and exploit its clustering property to achieve this. From every network connection we extract six parameters as the basis for training. The mechanism uses a graphical representation to help show when retraining is due. Finally we test the system with three common services: ftp, mail server and http. The test results are as expected: the system clusters unknown attacks and at the same time indicates when retraining is needed.
With more and more computer users connecting to the Internet today, the Internet is becoming a home for private and commercial communication, commerce, medicine, and public service. In the meantime, the risk of unauthorized access and destruction of service by outsiders is increasing. Malicious usage, attacks, and sabotage have been on the rise as more and more computers are put into use. A robust and flexible defense strategy is therefore required: adaptation to a changing environment, well-defined policies and procedures, robust tools, and constant vigilance. Efforts in this direction led to the development of intrusion detection systems.
Most of today's common intrusion detection systems employ pattern-based or signature-based detection. This method is effective against the many well-known attacks whose intrusion signatures have already been recorded, but it can fail to detect new attacks, or patterns that differ only slightly from the recorded ones. For this reason many studies apply artificial intelligence (AI) or data mining techniques to intrusion detection.
These AI-based intrusion detection systems, however, must be retrained periodically so that new examples are incorporated into the training data, so deciding how often to retrain is very important. Moreover, not every attack behaviour occurs everywhere: some intrusions occur only at specific sites or on specific systems. We therefore propose the self-diagnosing intrusion detection system mechanism (SD-IDSM). The mechanism is based on the Self-Organizing Map (SOM) algorithm, which we found to be a good mechanism for profiling genuine network traffic.
We present the motives behind using SOM for this purpose, our data collection and preprocessing procedures, and the technique we use to display the clustering results. We describe the structure of SD-IDSM and how we conducted the testing. The results show that simulated ftp, mail server and http attacks can be clustered graphically apart from normal traffic: the clustering of neurons differs markedly between the defined (trained) patterns and the undefined ones.