| Field | Value |
|---|---|
| Student | 鍾曜年 Chung, Yao-Nien |
| Thesis title | 基於誘捕系統日誌相似度評估之入侵預測機制 / Intrusion Prediction Mechanism based on Honeypot Logs' Similarity Assessment |
| Advisor | 李忠憲 Li, Jung-Shian |
| Degree | Master |
| Department | College of Electrical Engineering and Computer Science, Institute of Computer & Communication Engineering |
| Year of publication | 2014 |
| Academic year of graduation | 102 (ROC calendar, i.e. the 2013/2014 academic year) |
| Language | English |
| Pages | 62 |
| Keywords (Chinese) | 誘捕系統 (honeypot), 日誌相似度 (log similarity), 關聯分析 (association analysis) |
| Keywords (English) | honeypot, log similarity, association rule mining |
Intrusion detection is the mechanism that identifies suspicious and malicious activity on a network, and it has become essential for protecting enterprise assets and e-commerce. However, with the sharp rise in cyber crime and the continuing evolution of malicious software, new malware variants and attack tools appear constantly. Coping with such a large volume of new and unknown malicious traffic is extremely difficult, let alone responding once an attack has already taken place. In addition, network-based intrusion detection systems have a high false-alarm rate, which forces administrators and IT professionals to spend substantial manual effort deciding whether flagged flows are actually malicious. In this thesis we propose a prediction mechanism that uses the similarity of honeypot logs together with data mining techniques to analyze suspicious flows, so that they can be blocked before the attack takes place. Predicting malicious behaviour from honeypot logs and association rule mining reduces the false-alarm problem of intrusion detection systems, because a honeypot receives no legitimate traffic: every flow it logs is suspicious by construction. Furthermore, because the whole system collects and processes the data automatically, it saves considerable human effort. Preliminary experimental results indicate that the proposed honeypot-based prediction system is practical for protecting assets from attack or misuse.
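The abstract names two ingredients, association rules mined from honeypot logs and a similarity measure between logs, but gives neither the rule-mining algorithm nor the similarity metric. The following is an added example, not code from the thesis, that shows how those two pieces fit together in the simplest form: level-wise Apriori over attacker sessions, rules filtered by confidence, and Jaccard similarity of a partially observed flow against the honeypot sessions. The attribute vocabulary (`dport:`, `scan:`, `bruteforce:`, `payload:`), the thresholds and the session data are all constructed for the demo; the thesis's real features and metric are not given on this page.

```python
"""Added illustration: association rules mined from honeypot sessions, plus
similarity scoring of a new flow. Example code, not the thesis's own
implementation; vocabulary, thresholds and data are assumptions."""
from collections import Counter
from itertools import combinations

# Constructed honeypot sessions (not real captures). Each session is the set
# of attributes observed from one attacking source. A honeypot sees no
# legitimate traffic, so there is no benign class to contaminate the rules.
HONEYPOT_SESSIONS = [
    frozenset({"dport:445", "proto:tcp", "scan:smb", "payload:exploit"}),
    frozenset({"dport:445", "proto:tcp", "scan:smb", "payload:exploit", "dport:139"}),
    frozenset({"dport:22", "proto:tcp", "bruteforce:ssh", "user:root"}),
    frozenset({"dport:22", "proto:tcp", "bruteforce:ssh", "user:admin"}),
    frozenset({"dport:445", "proto:tcp", "scan:smb", "payload:exploit"}),
    frozenset({"dport:22", "proto:tcp", "bruteforce:ssh", "user:root", "payload:exploit"}),
    frozenset({"dport:445", "proto:tcp", "scan:smb"}),
]


def apriori(sessions, min_support):
    """Return {frozenset(itemset): count} for every itemset present in at
    least min_support (a fraction) of the sessions. Level-wise Apriori:
    (k+1)-candidates are joins of frequent k-itemsets, kept only if every
    k-subset is itself frequent (anti-monotone pruning)."""
    n = len(sessions)
    min_count = min_support * n
    support = {}
    level = [frozenset([item]) for item in sorted({i for s in sessions for i in s})]
    k = 1
    while level:
        counts = Counter()
        for s in sessions:
            for cand in level:
                if cand <= s:
                    counts[cand] += 1
        frequent = {c: cnt for c, cnt in counts.items() if cnt >= min_count}
        support.update(frequent)
        nxt = set()
        for a, b in combinations(frequent, 2):
            u = a | b
            if len(u) == k + 1 and all(frozenset(sub) in frequent for sub in combinations(u, k)):
                nxt.add(u)
        level = sorted(nxt, key=sorted)
        k += 1
    return support


def association_rules(support, min_confidence):
    """Derive rules antecedent -> consequent from the frequent itemsets,
    with confidence = count(itemset) / count(antecedent)."""
    rules = []
    for itemset, cnt in support.items():
        if len(itemset) < 2:
            continue
        for r in range(1, len(itemset)):
            for ante in combinations(sorted(itemset), r):
                ante = frozenset(ante)
                conf = cnt / support[ante]
                if conf >= min_confidence:
                    rules.append((ante, itemset - ante, conf))
    return rules


def jaccard(a, b):
    """Set similarity, used here as the log-similarity measure (an assumption;
    the thesis's actual metric is not stated in the abstract)."""
    union = a | b
    return len(a & b) / len(union) if union else 0.0


def predict(flow, sessions, rules, sim_threshold=0.5):
    """Score a partially observed flow against the honeypot corpus.
    Returns (best_similarity, predicted_attributes, block). Predicted
    attributes are consequents of rules whose antecedent is already in the
    flow but whose consequent has not been seen yet: the attacker's expected
    next step, which is what lets the defender act ahead of the attack."""
    flow = frozenset(flow)
    best = max(jaccard(flow, s) for s in sessions)
    predicted = set()
    for ante, cons, _ in rules:
        if ante <= flow and not cons <= flow:
            predicted |= cons - flow
    return best, predicted, best >= sim_threshold or bool(predicted)


if __name__ == "__main__":
    sup = apriori(HONEYPOT_SESSIONS, min_support=0.25)
    rules = association_rules(sup, min_confidence=0.7)
    for f in ({"dport:445", "proto:tcp", "scan:smb"},
              {"dport:22", "proto:tcp", "bruteforce:ssh"},
              {"dport:443", "proto:tcp"}):
        print(sorted(f), predict(f, HONEYPOT_SESSIONS, rules))
```

With these constructed sessions, an SMB scan on 445 that has not yet delivered a payload matches the rule {dport:445, scan:smb} -> {payload:exploit} at confidence 0.75 and is blocked before the exploit arrives; an SSH brute-force flow is flagged by similarity alone (0.75 against the recorded SSH sessions) because no consequent reaches the confidence threshold; a bare TCP/443 connection matches nothing. The minimum-support and confidence thresholds are the knobs that trade recall against false alarms, and Apriori's candidate count grows combinatorially with the attribute vocabulary, so on real honeypot volumes a practitioner would bucket attributes coarsely or use an FP-growth style miner instead.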