Interactive Assistance for Anomaly-Based Intrusion Detection

Show full item record

Title: Interactive Assistance for Anomaly-Based Intrusion Detection
Author: Zheng, Erkang
Advisors: Dr. Mladen A. Vouk, Committee Chair
Dr. Ana I. Antón, Committee Member
Dr. Peng Ning, Committee Member
Abstract: Network and information security is of increasing concern as intruders utilize more advanced technologies, and attacks are occurring much more frequently. A simple intrusion can cause an enterprise financial disaster, a threat to national safety, or loss of human life. Network-based and computer-based intrusion detection systems (IDS's) started appearing some twenty years ago. Now, there are various synchronous and asynchronous tools for external and internal network and host intrusion detection using models ranging from signature scanning and pattern matching, to statistical anomaly detection. Although modern IDS systems are much more advanced, they still have many limitations, shortcomings, and open issues. This includes a) inability of some to handle high speed network traffic, b) poor ability to detect new or first-time intrusions, c) high false alarm rate, d) deception -- such systems may have problems detecting "below noise" level intrusions, e) overload -- IDS, like any other system, may be vulnerable to the same attacks it is trying to detect, including Denial of Service (DoS) attacks, f) customization and end-user integration - unless the system is open-source, customization and integrations options may be limited – including how to properly augment and integrate human anomaly detection experiences and tool detection capabilities, g) automation of the processes, and h) privacy issues. This work is concerned with exploration of items b) and f) above, specifically on development of a prototype module for assisting human intrusion detection personnel in recognition of new threats. The work builds on system called Resource Usage Monitor (RUM) developed at NC State by developing its IDS assistance module. The intrusion detection module utilizes RUM as its statistical packet capturing and basic analysis engine, utilizes it to cross check its problem detection abilities, and adds to its resource risk assessment ability a facility for intrusion risk assessment using a suite of behavior description measures and intrusion threshold indicators. The RUM IDS module is an exploratory engine designed to set the tableaux for a more complete investigation of a) pro-active anomaly detection, and b) smoother integration of human intrusion detection experiences and a real-time IDS tool. The approach involves analysis of end-host databases for anomalies based on a suite of statistical change metrics. There are two principal "views" of a host and two groups of associated metrics. How it behaves with respect to a set of peers, i.e., network-relative behavior, and how it behaves with respect to itself, i.e., how its behavior changes from sample to sample. According to the behavior during the analyses, each host accumulates an anomaly index value, where a higher number represents a higher potential for misbehavior. Currently, the prototype anomaly index is based on a linear additive model. This may change as the research continues. The idea is that this index, once properly tuned, would correlate better with intuitive problem detection processes of network administrators, than does plain display of, for example, "high talkers". The primary goal of this work is to develop and test a RUM IDS module and its initial set of metrics. , While full investigation of the assistant index idea is beyond the scope of this project, formative results indicate that a subset of the metrics under investigation does indeed provide better high-speed problem detection, when combined with a human analyst, than do some other readily available tools.
Date: 2004-04-16
Degree: MS
Discipline: Computer Science

Files in this item

Files Size Format View
etd.pdf 10.84Mb PDF View/Open

This item appears in the following Collection(s)

Show full item record