
Browsing by Author "Dr. Douglas S. Reeves, Member"

Now showing 1 - 3 of 3
  • Anomaly Detection for Wireless Ad-Hoc Routing Protocols
    (2001-07-06) Huang, Yi-an; Dr. Wenke Lee, Chair; Dr. Harry G. Perros, Member; Dr. Douglas S. Reeves, Member
    Mobile Ad-hoc networking (MANET) is an important emerging technology. As recent several security incidents remind us, no open computer system is immune from intrusions. The routing protocols in ad-hoc networks are key components yet vulnerable and present special challenges to intrusion detection. In this thesis, we propose an anomaly detection scheme for existing ad-hoc routing protocols. Our approach relies on information from local routing data and other reliable local sources. Our approach models the temporal/sequential characteristics of observations and uses entropy analysis for feature selection. Classification algorithms are used to compute anomaly detection models. We present case studies on DSR and DSDV protocols using the ns-2 simulator. The overall results thus far are very encouraging. We discuss how the available information from a routing protocol influences anomaly detection performance and attempt to provide guidelines on what features we need for anomaly detection. Finally, we also discuss several challenging issues and propose our future work.
  • Intrusion Tolerant Systems Characterization and Acceptance Monitor Design
    (2001-06-27) Wang, Rong; Dr. Gregory T. Byrd, Chair; Dr. Y. Frank Jou, Member; Dr. Douglas S. Reeves, Member
    Intrusion detection research has been so far mostly concentrated on techniques that effectively identify the malicious behaviors. No assurance can be assumed once a system is compromised. Intrusion tolerance, on the other hand, focuses on providing the desired services even when some components have been compromised. A DARPA-funded research project named SITAR (A Scalable Intrusion-Tolerant Architecture for Distributed Services) investigates the intrusion tolerance further in distributed systems to provide reliable services. Two specific challenges are addressed in this project: the first is how to take advantage of fault tolerant techniques in intrusion tolerant systems; the second is how to deal with possible attacks and compromised components so as to continue providing the service. This thesis represents part of the on-going development of the SITAR project. First, a state transition model is developed to describe the dynamic behavior of an intrusion tolerant system. Second, the Acceptance Monitor is designed to detect the system compromises from the request-response stream. Third, various kinds of vulnerabilities on Web-based COTS services are investigated and one specific design of the Acceptance Monitor is proposed and implemented for a Web-based COTS service to show the effectiveness of the proposed approach. We hope by utilizing the fault tolerance methodologies on the intrusion tolerance system we can solve the problem of providing reliable distributed services that are invulnerable to both known and unknown intrusions.
  • On Real-Time Intrusion Detection and Source Identification
    (2001-01-08) Chang, Ho-Yen; Dr. Kuo-Chung Tai, Chair; Dr. Shyhtsun Felix Wu, Co-Chair; Dr. Arne A. Nilsson, Member; Dr. Douglas S. Reeves, Member
    This thesis work consists of two distinct parts: a study of real-time intrusion detection on network link-state routing protocol attacks (Part I), and a study of source identification for spoofed IP packets (Part II). These two parts could be united into a common framework consisting of an intrusion detection system and an intrusion response system. However, in many ways they are distinct and self-contained. In Part I, a real-time knowledge-based network intrusion detection model for a link-state routing protocol is presented to detect different attacks for the protocol. This model includes three layers: a to parse packets and dispatch data, an to abstract predefined real-time events for the link-state routing protocol, and an to express the real-time behavior of the protocol engine and to detect the intrusions by pattern matching. The timed FSM named JiNao Finite State Machine (JFSM) is extended from the conventional FSM with timed states, multiple timers, and time constraints on state transitions. The JFSM is implemented as a generator which can create any FSM according to a description in a configuration file. The results show that this approach is very effective for real-time intrusion detection. This approach can be extended for use in other network protocol intrusion detection systems, especially for those with known attacks. In Part II, a security management framework, the Decentralized Source Identification System (DECIDUOUS), is presented to identify the "true" sources of network-based intrusions. The premise of this approach is that if an attack packet has been correctly authenticated by a certain router, the attack packet must have been transmitted through that router. It utilizes security associations to dynamically deploy secure authentication tunnels in order to further trace down the possible attackers' locations. We present the algorithms to support the tracing of multiple attacks launched from different locations, even across several administrative domains. Our results show that the DECIDUOUS system is reasonably efficient, flexible and robust. Our approach could serve as the basis for future research on different tracing strategies for different types of attacks in large-scale networks.
