On Real-Time Intrusion Detection and Source Identification

dc.contributor.advisor: Dr. Kuo-Chung Tai, Chair
dc.contributor.advisor: Dr. Shyhtsun Felix Wu, Co-Chair
dc.contributor.advisor: Dr. Arne A. Nilsson, Member
dc.contributor.advisor: Dr. Douglas S. Reeves, Member
dc.contributor.author: Chang, Ho-Yen
dc.date.accessioned: 2010-04-02T19:19:56Z
dc.date.available: 2010-04-02T19:19:56Z
dc.date.issued: 2001-01-08
dc.degree.discipline: Electrical Engineering
dc.degree.level: PhD Dissertation
dc.degree.name: PhD
dc.description.abstract: This thesis work consists of two distinct parts: a study of real-time intrusion detection of attacks on a network link-state routing protocol (Part I), and a study of source identification for spoofed IP packets (Part II). These two parts could be united into a common framework consisting of an intrusion detection system and an intrusion response system. However, in many ways they are distinct and self-contained.

In Part I, a real-time knowledge-based network intrusion detection model for a link-state routing protocol is presented to detect different attacks on the protocol. This model includes three layers: one to parse packets and dispatch data, one to abstract predefined real-time events for the link-state routing protocol, and one to express the real-time behavior of the protocol engine and to detect intrusions by pattern matching. The timed FSM, named the JiNao Finite State Machine (JFSM), extends the conventional FSM with timed states, multiple timers, and time constraints on state transitions. The JFSM is implemented as a generator which can create any FSM according to a description in a configuration file. The results show that this approach is very effective for real-time intrusion detection. The approach can be extended for use in other network protocol intrusion detection systems, especially for protocols with known attacks.

In Part II, a security management framework, the Decentralized Source Identification System (DECIDUOUS), is presented to identify the "true" sources of network-based intrusions. The premise of this approach is that if an attack packet has been correctly authenticated by a certain router, the attack packet must have been transmitted through that router. DECIDUOUS uses security associations to dynamically deploy secure authentication tunnels in order to trace the possible attackers' locations further. We present algorithms to support the tracing of multiple attacks launched from different locations, even across several administrative domains. Our results show that the DECIDUOUS system is reasonably efficient, flexible and robust. Our approach could serve as the basis for future research on different tracing strategies for different types of attacks in large-scale networks.
dc.identifier.other: etd-20010107-210805
dc.identifier.uri: http://www.lib.ncsu.edu/resolver/1840.16/5786
dc.rights: I hereby certify that, if appropriate, I have obtained and attached hereto a written permission statement from the owner(s) of each third party copyrighted matter to be included in my thesis, dissertation, or project report, allowing distribution as specified below. I certify that the version I submitted is the same as that approved by my advisory committee. I hereby grant to NC State University or its agents the non-exclusive license to archive and make accessible, under the conditions specified below, my thesis, dissertation, or project report in whole or in part in all forms of media, now or hereafter known. I retain all other ownership rights to the copyright of the thesis, dissertation or project report. I also retain the right to use in future works (such as articles or books) all or part of this thesis, dissertation, or project report.
dc.title: On Real-Time Intrusion Detection and Source Identification

Files

Original bundle: etd.pdf (1.11 MB, Adobe Portable Document Format)