On Real-Time Intrusion Detection and Source Identification

Show full item record

Title: On Real-Time Intrusion Detection and Source Identification
Author: Chang, Ho-Yen
Advisors: Dr. Kuo-Chung Tai, Chair
Dr. Shyhtsun Felix Wu, Co-Chair
Dr. Arne A. Nilsson, Member
Dr. Douglas S. Reeves, Member
Abstract: This thesis work consists of two distinct parts: a study ofreal-time intrusion detection on network link-state routingprotocol attacks (Part I), and a study of source identification for spoofed IP packets (Part II). These two parts could be united into a common framework consisting of an intrusion detection system and an intrusion response system. However, in many ways they are distinct and self-contained. In Part I, a real-time knowledge-based network intrusiondetection model for a link-state routing protocol is presented to detect different attacks for the protocol. This model includes three layers: a to parse packets and dispatch data, an to abstract predefined real-time events for the link-state routing protocol, and an to express thereal-time behavior of the protocol engine and to detect the intrusions by pattern matching. The timed FSM named JiNao Finite State Machine (JFSM) is extended from the conventional FSM with timed states, multiple timers, and time constraints on statetransitions. The JFSM is implemented as a generator which can createany FSM according to a description in a configuration file. Theresults show that this approach is very effective for real-timeintrusion detection. This approach can be extended for use in othernetwork protocol intrusion detection systems, especially for thosewith known attacks.In Part II, a security management framework, the Decentralized Source Identification System (DECIDUOUS), is presentedto identify the "true'' sources of network-based intrusions. The premise of this approach is that if an attack packet has been correctly authenticated by a certain router, the attack packet must have been transmitted through that router. It utilizes security associations to dynamically deploy secure authentication tunnels in order to further trace down the possible attackers' locations. We present the algorithms to support the tracing of multiple attacks launched from different locations, even across several administrative domains. Our results show that the DECIDUOUS system is reasonably efficient, flexible and robust. Our approach could serve as the basis for future research on different tracing strategies for different types of attacks in large-scale networks.
Date: 2001-01-08
Degree: PhD
Discipline: Electrical Engineering
URI: http://www.lib.ncsu.edu/resolver/1840.16/5786

Files in this item

Files Size Format View
etd.pdf 1.105Mb PDF View/Open

This item appears in the following Collection(s)

Show full item record