§ Thesis bibliographic record
System ID: U0002-2502201917514200
DOI: 10.6846/TKU.2019.00819
Title (Chinese): 運用線上訓練以達成軟體定義網路之即時入侵檢測
Title (English): Achieving Real-Time Intrusion Detection in SDNs by On-Line Training
Institution: Tamkang University (淡江大學)
Department: Department of Electrical and Computer Engineering, master's program (電機工程學系碩士班)
Academic year: 107 (2018–19), semester 1
Year of publication: 108 (2019)
Author: Kuan-Lin Wu (吳冠霖)
Student ID: 605450062
Degree: Master's
Language: Traditional Chinese
Oral defense date: 2019-01-04
Pages: 70
Committee: Advisor 莊博任; members 陳省隆, 許獻聰
Keywords (Chinese, translated): software-defined networking; intrusion detection system; flow table; rule generation; machine learning; anomaly detection; attack detection; computer network security
Keywords (English): Software Defined Networks (SDNs); Intrusion Detection System (IDS); Flow table; Rule generator; Machine learning; Anomaly detection; Attack detection; Computer network security
Abstract (Chinese, translated)
Software-defined networks (SDNs) are exposed to most of the attacks found in traditional networks, so integrating an intrusion detection system (IDS) into the SDN architecture to counter network attacks is essential. In existing research on SDN anomaly detection, the classifiers are all trained by supervised learning. In a deployed IDS, however, the received data carries no labels, and the IDS has to recognize unknown attacks starting from the attack patterns it already knows. A supervised method trains only on labeled samples and cannot be retrained on the online data seen in operation, so a supervised training scheme cannot serve an in-service anomaly detection system: it cannot use online data to let the system adapt itself to new kinds of attack. For this online training problem, semi-supervised learning is one way to obtain a classifier for an online-trained anomaly detection system; existing semi-supervised methods include self-learning and self-training.
In this thesis we propose a mechanism that combines self-training with active learning. Among the samples with high confidence weight, those classified as malicious are randomly selected and added to the training set. Active learning is added because it lets the low-confidence samples be labeled and brought into the training set as well, which gives the classifier higher accuracy and prevents a large rise in the false positive rate (FPR). To speed up training we use a faster clustering method, which reduces the running time of the active learning part. For retraining we train the classifier in parallel, never taking the in-service classifier offline, and replace it seamlessly; when an attack is detected, countermeasures are applied immediately.
In the simulation stage we confirm that this training method effectively improves the ability to recognize unknown attacks. As for time, the training method does not take time away from the detection system, because training and detection run in parallel and replacing the classifier does not stop it. In the implementation stage we confirm that the method defends effectively against unknown attacks in real operation: even an attack that is not recognized at first is learned as the training procedure updates the classifier, so it is recognized and blocked, achieving real-time attack detection.
Abstract (English)
Software-defined networks (SDNs) are susceptible to most of the attacks found in traditional networks, so integrating an intrusion detection system (IDS) into the SDN architecture to provide countermeasures is important. In existing work on SDN anomaly detection systems, the classifiers are all trained by supervised learning. In a deployed IDS, however, the traffic received carries no labels, and the IDS must try to recognize unknown attacks from the attack patterns it already knows. Supervised learning trains only on labeled samples and cannot be retrained on the online data seen in operation, so it cannot serve a practical anomaly detection system: it gives the system no way to adapt itself to new types of attack from online data. For this online training problem, semi-supervised learning is one way to obtain a classifier for an online-trained anomaly detection system; existing semi-supervised methods include self-learning and self-training.
In this thesis we propose a mechanism combining self-training with active learning. Among the samples with high confidence weight, those classified as malicious are randomly selected and added to the training set. Active learning is added so that the low-confidence samples can be labeled and added to the training set as well, which raises the classifier's accuracy without a large increase in the false positive rate (FPR). To speed up training we use a faster clustering method, reducing the running time of the active learning part. For retraining we train the replacement classifier in parallel, keep the current classifier in service, and swap the classifiers without interruption; when an attack is detected, it is blocked immediately.
In the simulation stage we show that this training method effectively improves the recognition of unknown attacks. As for time, training does not take time away from the detection system, because training and detection run in parallel and replacing the classifier does not stop it. In the implementation stage we show that the method effectively blocks unknown attacks in real operation: even an attack that is not recognized at first is learned through the training updates, recognized, and blocked, achieving real-time attack detection.
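As an added illustration (not code from the thesis, which compares decision-tree, random-tree and random-forest classifiers according to its figure list), the following Python sketches the training loop the abstract describes: a confidence-scored classifier serves live flows; high-confidence malicious flows are sampled into the training set (self-training); low-confidence flows are clustered and one representative per cluster is sent to an oracle, whose label is propagated to the whole cluster (active learning, with clustering to cut the number of oracle queries); a replacement classifier is fitted in a background thread and swapped in without stopping detection. The nearest-centroid classifier, its margin-based confidence, the farthest-first k-means, the flow features (packets/s, bytes/packet, SYN ratio) and every sample flow are assumptions constructed for this example, and `analyst` stands in for the human expert the thesis calls the oracle.

```python
import math, random, threading
from collections import defaultdict

class CentroidModel:
    """Nearest-centroid classifier on min-max scaled features. Confidence = 1 - d1/d2 (nearest vs.
    second-nearest class centroid): ~1 inside a known class, ~0 for a flow unlike any known class."""
    def __init__(self, samples):  # samples: [(features, class_name, is_attack), ...]
        feats = [f for f, _, _ in samples]
        dims = range(len(feats[0]))
        self.lo = [min(f[i] for f in feats) for i in dims]
        self.hi = [max(f[i] for f in feats) for i in dims]
        groups, self.is_attack = defaultdict(list), {}
        for f, name, attack in samples:
            groups[name].append(self.scale(f))
            self.is_attack[name] = attack
        self.centroids = {n: [sum(v[i] for v in vs) / len(vs) for i in dims] for n, vs in groups.items()}
    def scale(self, f):
        return [(x - lo) / (hi - lo) if hi > lo else 0.0 for x, lo, hi in zip(f, self.lo, self.hi)]
    def predict(self, f):  # -> (class_name, is_attack, confidence)
        s = self.scale(f)
        (d1, name), *rest = sorted((math.dist(s, c), n) for n, c in self.centroids.items())
        d2 = rest[0][0] if rest else math.inf
        return name, self.is_attack[name], (1.0 - d1 / d2) if d2 > 0 else 1.0

def kmeans(points, k, rounds=20):
    """Lloyd's k-means with deterministic farthest-first seeding -> (centers, per-cluster index lists)."""
    centers = [points[0]]
    while len(centers) < k:
        centers.append(max(points, key=lambda p: min(math.dist(p, c) for c in centers)))
    for _ in range(rounds):
        clusters = [[] for _ in centers]
        for i, p in enumerate(points):
            clusters[min(range(k), key=lambda j: math.dist(p, centers[j]))].append(i)
        centers = [[sum(points[i][d] for i in idx) / len(idx) for d in range(len(points[0]))]
                   if idx else centers[j] for j, idx in enumerate(clusters)]
    return centers, clusters

class OnlineIDS:
    HIGH_CONF, SELF_TRAIN_RATE = 0.6, 0.5  # trust verdicts at/above HIGH_CONF; sample confident malicious flows
    def __init__(self, labeled, oracle, clusters=2, seed=1):
        self.train, self.oracle, self.k = list(labeled), oracle, clusters
        self.model = CentroidModel(self.train)  # the classifier currently in service
        self.rng, self.low_conf, self.lock = random.Random(seed), [], threading.Lock()
    def classify(self, f):  # detection path: answered by the in-service model, never blocked by training
        name, attack, conf = self.model.predict(f)
        if conf < self.HIGH_CONF:
            self.low_conf.append(f)  # ambiguous flow: leave it to active learning
        elif attack and self.rng.random() < self.SELF_TRAIN_RATE:  # self-training step
            with self.lock:
                self.train.append((f, name, attack))
        return attack, conf
    def active_learning(self):
        """Cluster the low-confidence pool, ask the oracle about one flow per cluster, label the whole cluster."""
        pool, self.low_conf = self.low_conf, []
        scaled = [self.model.scale(f) for f in pool]
        centers, clusters = kmeans(scaled, min(self.k, len(pool))) if pool else ([], [])
        queries = 0
        for center, idx in zip(centers, clusters):
            if idx:
                rep = min(idx, key=lambda i: math.dist(scaled[i], center))
                name, attack = self.oracle(pool[rep])  # one analyst question per cluster
                queries += 1
                with self.lock:
                    self.train.extend((pool[i], name, attack) for i in idx)
        return queries  # number of oracle queries made
    def retrain_async(self):
        """Fit a replacement on a snapshot of the training set in a background thread; the old model keeps
        answering classify() until the single reference assignment that swaps the new one in."""
        def job():
            with self.lock:
                snapshot = list(self.train)
            self.model = CentroidModel(snapshot)
        (t := threading.Thread(target=job)).start()
        return t

# Constructed sample flows, not the thesis dataset: (packets/s, bytes/packet, SYN ratio)
LABELED = [(f, "normal", False) for f in [(8, 900, .05), (12, 850, .08), (10, 700, .10), (15, 1000, .05), (9, 600, .12)]]
LABELED += [(f, "portscan", True) for f in [(250, 60, 1.0), (300, 54, .98), (220, 64, 1.0), (280, 60, .95), (260, 58, 1.0)]]
# online traffic: known types plus a slow HTTP DoS and a benign bulk transfer, both absent from LABELED
STREAM = [(11, 800, .06), (270, 60, 1.0), (20, 100, .50), (400, 1400, .02), (14, 950, .07), (25, 120, .45),
          (450, 1450, .03), (240, 62, .97), (7, 650, .10), (18, 90, .55), (380, 1380, .02), (13, 880, .09)]
EVAL = [((10, 820, .07), False), ((12, 760, .11), False), ((420, 1420, .025), False),
        ((255, 61, .99), True), ((22, 110, .48), True)]  # held-out flows with ground truth

def analyst(f):  # stands in for the human expert (the oracle); labels by a constructed rule
    pps, bpp, syn = f
    if syn > 0.9: return "portscan", True
    if bpp < 200 and syn > 0.3: return "slow_http_dos", True
    return ("bulk_transfer", False) if pps > 100 and bpp > 1000 else ("normal", False)

def rates(ids):  # (detection rate on EVAL attack flows, false positive rate on EVAL benign flows)
    verdicts = lambda truth: [ids.model.predict(f)[1] for f, t in EVAL if t is truth]
    return sum(verdicts(True)) / len(verdicts(True)), sum(verdicts(False)) / len(verdicts(False))

def run_demo():
    ids = OnlineIDS(LABELED, analyst)
    before = rates(ids)
    live_verdicts = [ids.classify(f) for f in STREAM]  # detection keeps running during all of this
    queries = ids.active_learning()
    ids.retrain_async().join()  # joined here only so the returned numbers are deterministic
    return before, rates(ids), queries, live_verdicts
```

Calling `run_demo()` shows the effect the abstract claims: before retraining the slow HTTP DoS sits about equally far from the "normal" and "portscan" centroids, so it is classified as normal with low confidence (detection rate 0.5 on the held-out attacks), while the benign bulk transfer is likewise low-confidence; both groups go to the oracle, but only two questions are asked because each cluster is labeled once. After the background retrain and swap, the held-out slow DoS is detected and the bulk transfer is still benign (detection rate 1.0, FPR 0.0). Labeling low-confidence samples by cluster rather than trusting the classifier's own guess is what keeps the benign bulk transfer from being pseudo-labeled as an attack, which is the FPR-growth problem the abstract attributes to plain self-training.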
Table of contents
Chapter 1  Introduction  1
1.1  Research motivation  1
1.2  Problem statement and solution  1
1.3  Thesis organization  3
Chapter 2  Background and related work  4
2.1  Software-defined networking  4
2.1.1  The OpenFlow protocol  5
2.1.2  OpenFlow switches  7
2.1.3  The Ryu controller  13
2.1.4  Open vSwitch  13
2.1.5  Mininet  14
2.2  IDS and IPS  16
2.2.1  Flow-based IDS under the SDN architecture  17
2.2.2  IPS under the SDN architecture  19
2.3  Supervised and unsupervised learning  21
2.4  Semi-supervised learning  23
2.4.1  Self-Training  24
2.4.2  Self-Learning  26
2.4.3  ALIDS  28
2.5  Problem definition  31
Chapter 3  Our approach  32
3.1  Proposed architecture  32
3.2  Proposed learning strategy  33
3.3  Proposed defense mechanism  36
Chapter 4  Experimental environment and results  38
4.1  Simulation environment and test tools  38
4.1.1  Dataset  38
4.1.2  Packet capture tool: Wireshark  39
4.2  Strategies compared  40
4.3  Performance metrics for IDS models  41
4.4  Description of the simulation experiments  43
4.4.1  Part 1 experiments  45
4.4.2  Part 2 experiments  45
4.5  Simulation results  47
4.5.1  Part 1 results  47
4.5.2  Part 2 results  50
4.5.2.1  Effect of the oracle on learning performance  54
4.5.3  Discussion of the simulation results  56
4.6  Implementation  58
4.6.1  Implementation environment and procedure  58
4.6.2  Discussion of the implementation results  61
Chapter 5  Conclusions and future work  65
References  67
List of figures
Fig. 2.1  Layered SDN architecture  5
Fig. 2.2  OpenFlow switch architecture  7
Fig. 2.3  Main components of a flow entry [5]  8
Fig. 2.4  Packet processing in an OpenFlow switch [8]  11
Fig. 2.5  Open vSwitch [10]  14
Fig. 2.6  IDS architecture  16
Fig. 2.7  IPS architecture  17
Fig. 2.8  Operation of a flow-based anomaly detection system [15]  19
Fig. 2.9  IPS architecture under SDN [21]  20
Fig. 2.10  Supervised vs. unsupervised learning  22
Fig. 2.11  Semi-supervised learning  23
Fig. 2.12  Self-Training  25
Fig. 2.13  Co-Training  26
Fig. 2.14  Self-Learning  27
Fig. 2.15  Classification performance of the classifiers produced in successive self-learning rounds [27]  27
Fig. 2.16  ALIDS algorithm flow [28]  29
Fig. 2.17  Daily queue size and cumulative number of classes during the ALIDS simulation [28]  30
Fig. 3.1  System architecture  32
Fig. 3.2  Learning strategy flowchart  36
Fig. 3.3  Defense mechanism flowchart  37
Fig. 4.1  Confusion matrix  41
Fig. 4.2  Execution diagram  44
Fig. 4.3  Part 1: improvement comparison  48
Fig. 4.4  Part 1: results  49
Fig. 4.5  Part 1: training time  49
Fig. 4.6  Part 2: improvement comparison  51
Fig. 4.7  Part 2: results  52
Fig. 4.8  Part 2: training time and final number of training samples  53
Fig. 4.9  Number of updates vs. system accuracy  54
Fig. 4.10  Effect of expert (oracle) competence  55
Fig. 4.11  Effect of sampling low-confidence data without regard to class  56
Fig. 4.12  Decision tree performance across environments  57
Fig. 4.13  Random tree performance across environments  57
Fig. 4.14  Random forest performance across environments  57
Fig. 4.15  Implementation environment  58
Fig. 4.16  Implementation workflow  60
Fig. 4.17  Basic defense rules  61
Fig. 4.18  SYN flood defense rule  62
Fig. 4.19  Unknown-attack detection rate comparison  63
Fig. 4.20  Defense reaction time comparison  64
List of tables
Table 2.1  Match fields of a flow entry  7
Table 2.2  Flow entry description  8
Table 2.3  OpenFlow 1.3 match field parameters  9
Table 2.4  OpenFlow switch counters  12
Table 3.1  Sample selection rates  35
Table 3.2  Defense rules per attack  37
Table 4.1  Classifier parameters  44
Table 4.2  Features selected for the Part 2 experiments  46
Table 4.3  Test traffic information  59
Table 4.4  Detection features  59
References
[1] N. McKeown, T. Anderson, H. Balakrishnan, G. Parulkar, L. Peterson, J. Rexford, S. Shenker, and J. Turner, "OpenFlow: Enabling innovation in campus networks," ACM SIGCOMM Comput. Commun. Rev., vol. 38, no. 2, Mar. 2008, pp. 69–74.
[2] 王協源, 鄭力維, 張華婷, "Introduction to software-defined networking technology and development trends" (in Chinese), NCP Newsletter, no. 57, Nov. 2013.
[3] Open Networking Foundation, "Software-Defined Networking: The New Norm for Networks" (ONF white paper). [Online]. Available: https://www.opennetworking.org/images/stories/downloads/sdn-resources/white-papers/wp-sdn-newnorm.pdf
[4] 廖振宇, "Improving the performance of Hadoop clusters with software-defined networking" (in Chinese), June 2015.
[5] "OpenFlow Switch Specification, version 1.3.4." [Online]. Available: https://www.opennetworking.org/images/stories/downloads/sdn-resources/onf-specifications/openflow/openflow-switch-v1.3.4.pdf
[6] "Open Networking Foundation." [Online]. Available: https://www.opennetworking.org/about/onf-overview
[7] J.-R. Jiang, H.-W. Huang, J.-H. Liao, and S.-Y. Chen, "Extending Dijkstra's shortest path algorithm for software defined networking," in Proc. 16th Asia-Pacific Network Operations and Management Symposium (APNOMS), 2014, pp. 1–4.
[8] "Ryu." [Online]. Available: http://osrg.github.io/ryu/
[9] "Open vSwitch." [Online]. Available: http://openvswitch.org/
[10] "Iperf." [Online]. Available: https://iperf.fr/
[11] "Mininet." [Online]. Available: http://mininet.org/
[12] M. Gao, K. Zhang, and J. Lu, "Efficient packet matching for gigabit network intrusion detection using TCAMs," in Proc. 20th Int. Conf. on Advanced Information Networking and Applications (AINA), 2006, pp. 249–254.
[13] P. Owezarski, J. Mazel, and Y. Labit, "0day anomaly detection made possible thanks to machine learning," in Proc. 8th Int. Conf. on Wired/Wireless Internet Communications (WWIC), 2010, pp. 327–338.
[14] Y. Z. Li, "Key techniques of intrusion prevention with immune response ability," dissertation, Yanshan University, 2013.
[15] G. A. Ajaeiya, "Flow-based intrusion detection system for SDN," in Proc. 2017 IEEE Symposium on Computers and Communications (ISCC), July 2017, pp. 787–793.
[16] A. Abubakar, "Machine learning based intrusion detection system for software defined networks," in Proc. 2017 Seventh International Conference on Emerging Security Technologies (EST), Sept. 2017, pp. 138–143.
[17] Q. Schueller, "A hierarchical intrusion detection system using support vector machine for SDN network in cloud data center," in Proc. 2018 28th International Telecommunication Networks and Applications Conference (ITNAC), IEEE, 2018, pp. 1–6.
[18] M. Hanaoka, K. Kono, and T. Hirotsu, "Brownie: Collaboration of network intrusion detection systems," IPSJ SIG Notes 2009-OS-111, April 2009, pp. 1–8.
[19] "Trema: Full-Stack OpenFlow Framework in Ruby and C." [Online]. Available: https://github.com/trema/trema
[20] C. V. Neu, "Lightweight IPS for port scan in OpenFlow SDN networks," in Proc. NOMS 2018 - 2018 IEEE/IFIP Network Operations and Management Symposium, April 2018, pp. 1–6.
[21] "A dynamic IPS allocation scheme using OpenFlow for economical secure networking," in Proc. 2015 10th Asia-Pacific Symposium on Information and Telecommunication Technologies (APSITT), Aug. 2015, pp. 1–3.
[22] J. R. Quinlan, "Induction of decision trees," Mach. Learn., vol. 1, no. 1, 1986, pp. 81–106.
[23] L. Breiman, "Random forests," Mach. Learn., vol. 45, no. 1, 2001, pp. 5–32.
[24] N. S. Altman, "An introduction to kernel and nearest-neighbor nonparametric regression," Am. Stat., vol. 46, no. 3, 1992, pp. 175–185.
[25] A. Blum and T. Mitchell, "Combining labeled and unlabeled data with co-training," in Proc. 11th Annual Conference on Computational Learning Theory (COLT '98), 1998, pp. 92–100.
[26] J. Zhang, C. Chen, Y. Xiang, and W. Zhou, "Robust network traffic identification with unknown applications," in Proc. 8th ACM SIGSAC Symposium on Information, Computer and Communications Security (ASIA CCS '13), May 2013, pp. 405–414.
[27] 蔡秉任, 曾文貴, "A hybrid intrusion detection system for identifying unknown attacks" (in Chinese), National Chiao Tung University institutional repository, Sept. 2014.
[28] S. McElwee, "Active learning intrusion detection using k-means clustering selection," in Proc. SoutheastCon 2017, April 2017, pp. 1–7.
[29] Y. Xue and P. Beauseroy, "Constant false alarm rate for online one class SVM learning," in Proc. 2018 IEEE International Conference on Acoustics, Speech and Signal Processing (ICASSP), 2018, pp. 2821–2825.
[30] M. Tavallaee, E. Bagheri, W. Lu, and A. A. Ghorbani, "A detailed analysis of the KDD CUP 99 data set," in Proc. Second IEEE International Conference on Computational Intelligence for Security and Defense Applications (CISDA), 2009, pp. 53–58.
[31] "Wireshark." [Online]. Available: http://www.wireshark.org
[32] L. Breiman, "Bagging predictors," Mach. Learn., vol. 24, no. 2, 1996, pp. 123–140.
Full-text access rights
On campus: the printed thesis is released 1 year after the authorization form is submitted; electronic full text is authorized for on-campus release, 1 year after the authorization form is submitted.
Off campus: authorized; the electronic full text is released off campus 1 year after the authorization form is submitted.