| Graduate student: | 柯萬保 Ko, Wan-Pao |
|---|---|
| Thesis title: | 應用支援向量機及基因演算法降低入侵偵測系統之不對稱型誤判成本 Using Support Vector Machine and Genetic Algorithm to Reduce Asymmetric Cost in Intrusion Detection System |
| Advisor: | 吳植森 Wu, Chih-Sen |
| Degree: | Master |
| Department: | College of Management - Institute of Information Management |
| Year of publication: | 2006 |
| Graduation academic year: | 94 |
| Language: | Chinese |
| Number of pages: | 60 |
| Chinese keywords: | 支援向量機, 資料探勘, 入侵偵測系統, 基因演算法, 特徵選取 |
| English keywords: | Data Mining, Feature Selection, Intrusion Detection System, Genetic Algorithm, Support Vector Machine |
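With the rapid growth of today's Internet environment, system security vulnerabilities are reported frequently and hacker intrusions are common, which highlights the importance of network information security, and the intrusion detection system (IDS) has become an important research area. Past literature has often focused on improving the prediction accuracy of intrusion detection. In practice, however, because network packet traffic is large and keeps growing, traditional rule-base models and signature-matching techniques often produce misjudgments. When the misjudgment rate is too high, administrators are worn out investigating and tracking erroneous alerts, which lowers the efficiency of security equipment and security administrators. In addition, traditional models do not consider that different types of misjudgment have different impacts, since a successful intrusion and the mistaken blocking of a normal packet have different consequences. In general, an enterprise pays a higher price for a false rejection (False Negative) than for a false acceptance (False Positive).
Therefore, this study uses the UCI KDD’99 (Knowledge Discovery in Databases Archive) intrusion detection dataset, reduces the amount of data through data reduction methods, selects representative data samples, and applies a support vector machine for classification. A genetic algorithm (GA) then adjusts the parameters γ and c of the Radial Basis Function (RBF) kernel support vector machine by estimating the misclassification cost, in order to reduce the asymmetric error cost of the intrusion detection system.
The results show that, in the field of intrusion detection, using a genetic algorithm to tune the support vector machine parameters can, in most cases, effectively reduce the asymmetric error cost compared with the traditional grid search method and the plain support vector machine model, and that weights can be set to meet practical business needs and so reduce the likelihood of an attack.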
Owing to the development of the Internet, system security problems and hacker intrusions happen frequently. People have gradually begun to notice the importance of Internet information security, and the intrusion detection system has become a major research field. In the past, most of the literature focused only on improving the prediction accuracy of intrusion detection. In practice, however, because network packet traffic is huge and continuously growing, traditional rule bases and feature-matching techniques still could not decrease the error rate. Moreover, managers grow tired of investigating and tracking erroneous alerts, which lowers the efficiency of security equipment and information workers. Since a successful intrusion and the wrongful rejection of a normal packet lead to different consequences, a business has to pay more for a False Negative (FN) than for a False Positive (FP).
Therefore, this study used the UCI KDD’99 (Knowledge Discovery in Databases Archive) intrusion detection dataset to choose meaningful features and representative instances with a view to reducing attribute dimensions. A Support Vector Machine (SVM) was then applied to perform classification. Finally, a genetic algorithm (GA) was used to adjust the SVM parameters, with the Radial Basis Function (RBF) as the kernel function, by evaluating the error cost. Doing so could reduce the asymmetric error cost of the intrusion detection system.
The major conclusion of the study is that this approach could effectively reduce the asymmetric error cost of intrusion detection and meet business demands by setting weights.