Browsing by Author "Dr. Arne A. Nilsson, Member"

Filter results by typing the first few letters
Now showing 1 - 1 of 1
  • No Thumbnail Available
    On Real-Time Intrusion Detection and Source Identification
    (2001-01-08) Chang, Ho-Yen; Dr. Kuo-Chung Tai, Chair; Dr. Shyhtsun Felix Wu, Co-Chair; Dr. Arne A. Nilsson, Member; Dr. Douglas S. Reeves, Member
    This thesis work consists of two distinct parts: a study ofreal-time intrusion detection on network link-state routingprotocol attacks (Part I), and a study of source identification for spoofed IP packets (Part II). These two parts could be united into a common framework consisting of an intrusion detection system and an intrusion response system. However, in many ways they are distinct and self-contained. In Part I, a real-time knowledge-based network intrusiondetection model for a link-state routing protocol is presented to detect different attacks for the protocol. This model includes three layers: a to parse packets and dispatch data, an to abstract predefined real-time events for the link-state routing protocol, and an to express thereal-time behavior of the protocol engine and to detect the intrusions by pattern matching. The timed FSM named JiNao Finite State Machine (JFSM) is extended from the conventional FSM with timed states, multiple timers, and time constraints on statetransitions. The JFSM is implemented as a generator which can createany FSM according to a description in a configuration file. Theresults show that this approach is very effective for real-timeintrusion detection. This approach can be extended for use in othernetwork protocol intrusion detection systems, especially for thosewith known attacks.In Part II, a security management framework, the Decentralized Source Identification System (DECIDUOUS), is presentedto identify the "true'' sources of network-based intrusions. The premise of this approach is that if an attack packet has been correctly authenticated by a certain router, the attack packet must have been transmitted through that router. It utilizes security associations to dynamically deploy secure authentication tunnels in order to further trace down the possible attackers' locations. We present the algorithms to support the tracing of multiple attacks launched from different locations, even across several administrative domains. Our results show that the DECIDUOUS system is reasonably efficient, flexible and robust. Our approach could serve as the basis for future research on different tracing strategies for different types of attacks in large-scale networks.