入侵檢測系統(Intrusion Detection System, IDS)[1]是最普遍的網路安全設備，可以檢查進入系統的流量中是否有可疑、有威脅性的封包，偵測到時會發出警報。入侵檢測系統最重要的是威脅封包的特徵資料集，入侵檢測系統需要透過這樣的一個資料集對未知的封包做檢測，所以入侵檢測系統需要事先知道攻擊的特徵才能做防禦。
KDD CUP 1999[2]是一個公開的已知流量資料集，包含正常流量與各種類型的攻擊流量，攻擊流量包括DoS、Probe、U2R、R2L這四種最常見的攻擊型態。為了從KDD CUP 1999[2]資料集中整理出各種攻擊的特徵。機器學習(Machine Learning)是一個常見的做法，機器學習能將資料集經過訓練後準確的找出各種攻擊型態的特徵，但是每一種機器學習演算法都會有一些小缺失。例如，K-means演算法[3]，演算過程簡單複雜度低，所以演算的速度快，但準確率卻稍嫌不足。
為了改進機器學習演算法，有一部分的研究採用混合式機器學習演算法(Hybrid Machine Learning Algorithm)，利用不同種機器學習演算法的優點來彌補各自的缺點。我們參考了三種的混合式機器學習演算法，三種方法各自運用在不同的研究方向，而我們會將三種參考方法都使用入侵檢測系統實現並且加入我們的方法一起評估與比較，以常見的機器學習演算法評比指標加以評價。
在本論文中，我們提出了以改善演算時間為目的的改進方法，因為對於入侵檢測系統來說，提高準確率固然可以增加整體的安全性，但網路攻擊的種類日新月異，若是入侵檢測系統花費太多的時間在資料集的訓練上，那麼很可能會遇到主機已經受到攻擊了，入侵檢測系統才檢測出攻擊的窘境。因此我們認為加速檢測時間也是入侵檢測系統中非常重要的一環。
實驗結果證實，我們的改進方法不僅可以大幅改善檢測的時間，在準確率上也有著很優秀的表現，而且不只在傳統網路的環境中可以得到改善，在軟體定義網路的環境中我們的方法甚至可以表現的優異，另外，我們的方法在不同的環境中，也有著非常不錯的穩定性，這些都是我們的方法表現的比參考方法更優秀的地方。

Intrusion Detection System (IDS) [1] is the most common network security device. It can check whether there are suspicious and threatening packets in the traffic entering the system. When IDS detect it, IDS will send an alarm to user. The most important part of the Intrusion Detection System is the feature data set of the threat packet. The Intrusion Detection System needs to detect the unknown packet through such a data set, so the Intrusion Detection System needs to know the characteristics of the attack in advance to defend.
	KDD CUP 1999 [2] is a publicly known data set of traffic data, including normal traffic and various types of attack traffic. Attack traffic includes the four most common types of attacks: DoS, Probe, U2R, and R2L. In order to sort out the characteristics of various attacks from the KDD CUP 1999 [2] data set. Machine Learning is a common practice. Machine learning can train data sets to accurately identify the characteristics of various attack patterns, but each machine learning algorithm will have some minor defects. For example, the K-means algorithm [3], the calculation process is simple and complex, so the calculation speed is fast, but the accuracy is slightly insufficient.
	To improve the machine learning algorithms, some studies using Hybrid Machine Learning Algorithm, take advantage of various kinds of machine learning algorithms to compensate for respective disadvantages. We refer to three hybrid machine learning algorithms, each of the three hybrid algorithms used in different research direction, we will use three kinds of reference hybrid algorithms to achieve Intrusion Detection System and improve our hybrid algorithm. To assess together with comparison with common machine learning algorithm evaluation indicators are evaluated.
	In this paper, we propose an improved hybrid algorithm for improving the calculation time. For the Intrusion Detection System, improving the accuracy can increase the overall security, but the type of network attack is changing with each passing day. If the Intrusion Detection System cost too much time in training, It is very likely that the host has been attacked, and then the Intrusion Detection System detects the attack, such a dilemma. Therefore, we believe that decreasing detection time is also a very important part of the Intrusion Detection System.
	The experimental results confirm that our improved hybrid algorithm not only improve the detection time, but also has excellent performance in accuracy, and can not only be improved in the traditional network environment, in the environment of Software Defined Networks, our hybrid algorithm can even perform well. In addition, our hybrid algorithm has very good stability in different environments, which can prove that our hybrid algorithm performs better than the reference hybrid algorithm.

目錄
第一章、緒論	1
1.1、研究動機	2
1.2、問題描述與解決方案	3
1.3、論文架構	4
第二章、相關研究背景	5
2.1、軟體定義網路	5
2.1.1、OpenFlow協定	6
2.1.2、Ryu控制器	11
2.1.3、Mininet	12
2.2、機器學習	13
2.3、入侵檢測系統	17
2.3.1、主機型入侵檢測系統	18
2.3.2、網路型入侵檢測系統	20
2.4、KDD CUP 1999資料集	21
2.5、問題討論	28
2.5.1、混合式入侵檢測演算法	28
2.5.2、現有策略比較	29
2.5.2.1、K-means & C4.5	30
2.5.2.2、K-means & SPC	36
2.5.2.3、PSO & KNN	41
第三章、提出之新方法	46
3.1、新方法策略	47
3.2、新方法架構	49
3.3、新方法演算流程	53
3.4、新方法之改進	57
第四章、實驗環境架構與模擬結果	63
4.1、模擬環境的架構	65
4.1.1、不同流量的產生	66
4.1.2、mininet環境建置	68
4.1.3、軟體定義網路封包特徵	70
4.1.4、軟體定義網路之訓練集與測試集	71
4.1.5、機器學習評比指標	73
4.2、實驗一	76
4.3、實驗二	82
4.4、實驗結果討論	90
4.5、實驗結果總結	99
第五章、結論與未來工作	101
第六章、參考資料	104

圖目錄
圖2.1、SDN分層架構圖	6
圖2.2、OpenFlow Switch架構	7
圖2.3、機器學習訓練流程	14
圖2.4、機器學習訓練後調整模型參數	15
圖2.5、入侵檢測系統	17
圖2.6、主機型入侵檢測系統	18
圖2.7、網路型入侵檢測系統	20
圖2.8、K-means & C4.5混合式演算法演算流程	30
圖2.9、K-means & C4.5演算流程圖	33
圖2.10、K-means & C4.5虛擬碼	35
圖2.11、K-means & SPC混合式演算法演算流程	36
圖2.12、K-means & SPC演算流程圖	38
圖2.13、K-means & SPC虛擬碼	40
圖2.14、PSO & KNN混合式演算法演算流程	41
圖2.15、PSO & KNN演算流程圖	43
圖2.16、PSO & KNN虛擬碼	45
圖3.1、新方法架構	49
圖3.2、兩種演算法間的演算流程	50
圖3.3、演算結束後的模型收集	51
圖3.4、新方法演算流程圖	53
圖3.5、Naive Bayes & C4.5虛擬碼	56
圖3.6、有無提取閥值之準確率差異	60
圖3.7、有無提取閥值之檢測時間差異	61
圖4.1、模擬網路攻擊環境	65
圖4.2、mininet模擬環境	68
圖4.3、各方法對KDD99預測之準確率比較	77
圖4.4、各方法對KDD99預測之精確率比較	77
圖4.5、各方法對KDD99預測之召回率比較	78
圖4.6、各方法對KDD99預測之F1-score比較	78
圖4.7、各方法在KDD99資料集之整體演算時間比較	80
圖4.8、各方法對我們的資料集預測之準確率比較	84
圖4.9、各方法對我們的資料集預測之精確率比較	84
圖4.10、各方法對我們的資料集預測之召回率比較	85
圖4.11、各方法對我們的資料集預測之F1-score比較	85
圖4.12、各方法在我們的資料集之整體演算時間比較	88
圖4.13、各方法在我們的資料集之訓練時間比較	90
圖4.14、各方法在我們的資料集之測試時間比較	90
圖4.15、將我們的資料集攻擊種類增加之各方法準確率比較	92
圖4.16、各方法調整正常封包數量比例之準確率趨勢	94
圖4.17、不同資料集下normal檢測率之比較圖	95
圖4.18、調整我們的資料集正常封包比例後之各方法準確率	96
圖4.19、我們的資料集下各方法之封包種類細項準確率	97

表目錄
表2.1、Flow Entry的主要欄位	7
表2.2、Flow Entry中的Match Fields欄位	9
表2.3、OpenFlow Switch計數器	10
表2.4、KDD99之詳細攻擊種類	22
表4.1、各種類流量產生工具與封包數量	67
表4.2、轉化為軟體定義網路之封包數量	70
表4.3、軟體定義網路之封包特徵欄位	70
表4.4、軟體定義網路訓練集封包種類與數量	72
表4.5、模型樣本分類	73
表4.6、調整資料比例後之封包數量	93

[1] children16, “IDS (Intrusion Detection System, 入侵偵測系統)” [Online]. Available: http://sls.weco.net/node/10693.
[2] “KDD CUP 1999 Data” [Online]. Available: http://kdd.ics.uci.edu/databases/kddcup99/kddcup99.html.
[3] 陳鍾誠, “K-Means分群演算法” [Online]. Available: http://ccckmit.wikidot.com/ai:kmeans.
[4] “Open Networking Foundation.” [Online]. Available: https://www.opennetworking.org/about/onf-overview.
[5] “機器學習：使用Python” [Online]. Available: https://machine-learning-python.kspax.io.
[6] Akanksha Ahlawat, “Improving classification in data mining using hybrid algorithm,” 2016 1st India International Conference on Information Processing (IICIP), Aug. 2016, pp.1-4
[7] Osama Ismael, “A new hybrid approach for document clustering,” 2017 13th International Computer Engineering Conference (ICENCO), Dec. 2017, pp.291-296
[8] Arief Rama Syarif, “Intrusion detection system using hybrid binary PSO and K-nearest neighborhood algorithm,” 2017 11th International Conference on Information & Communication Technology and System (ICTS), Oct. 2017, pp.181-186.
[9] “OpenFlow Switch Specification, Version 1.3.4.” [Online]. Available: https://www.opennetworking.org/images/stories/downloads/sdn-resources/onf-specifications/openflow/openflow-switch-v1.3.4.pdf.
[10] “Ryu.” [Online]. Available: http://osrg.github.io/ryu/
[11] “Mininet.” [Online]. Available: http://mininet.org/.
[12] “The 7 Steps of Machine Learning (AI Adventures)” [Online]. Available: https://youtu.be/nKW8Ndu7Mjw.
[13] com_stu_zhang, “KDD CUP 99數據集” [Online]. Available: https://blog.csdn.net/com_stu_zhang/article/details/6987632.
[14] “NSL-KDD dataset” [Online]. Available: https://www.unb.ca/cic/datasets/nsl.html.
[15] “The UNSW-NB15 Dataset Description” [Online]. Available: https://www.unsw.adfa.edu.au/unsw-canberra-cyber/cybersecurity/ADFA-NB15-Datasets/.
[16] Saeid Soheily-Khah, “Intrusion Detection in Network Systems Through Hybrid Supervised and Unsupervised Machine Learning Process: A Case Study on the ISCX Dataset”, 2018 1st International Conference on Data Intelligence and Security (ICDIS), 8-10 April 2018, pp.219-226
[17] Luciano D. S. Pacifico, “Hybrid K-Means and Improved Group Search optimization Methods for Data Clustering”, 2018 International Joint Conference on Neural Networks (IJCNN), 8-13 July 2018, pp.1-8
[18] Deruo Cheng, “Hybrid K-Means Clustering and Support Vector Machine Method for via and Metal Line Detections in Delayered IC Images”, IEEE Transactions on Circuits and Systems II: Express Briefs, 16 April 2018, pp.1849-1853
[19] “C4.5演算法的分析和實現” [Online]. Available: https://read01.com/zh-tw/xAdmx.html#.XB5QLFUzaCh.
[20] “Example of Single Pass Clustering Technique” [Online]. Available: http://facweb.cs.depaul.edu/mobasher/classes/csc575/assignments/single-pass.html.
[21] “粒子群最佳化法(Particle Swarm Optimization)” [Online]. Available: https://blog.xuite.net/metafun/life/58295146-%E7%B2%92%E5%AD%90%E7%BE%A4%E6%9C%80%E4%BD%B3%E5%8C%96%E6%B3%95(Particle+Swarm+Optimization).
[22] 白昌永, “KNN分類演算法” [Online]. Available: http://enginebai.logdown.com/posts/241676/knn.
[23] 白昌永, “Bayes貝氏分類演算法” [Online]. Available: http://enginebai.logdown.com/posts/241677/bayes-classification.
[24] “Wireshark” [Online]. Available: https://www.wireshark.org/.
[25] “hping3” [Online]. Available: https://linux.die.net/man/8/hping3.
[26] “Tcpreplay” [Online]. Available: https://tcpreplay.appneta.com/.
[27] “thc-hydra” [Online]. Available: https://github.com/vanhauser-thc/thc-hydra.
[28] “nmap” [Online]. Available: https://nmap.org/.
[29] –柚子皮-, “機器學習模型的評價指標和方法” [Online]. Available: https://blog.csdn.net/pipisorry/article/details/52574156.