Design of a security testing and attack detection system for IP network

Pao Yue-kong Library Electronic Theses Database


Author: You, Kam-ho Timothy
Title: Design of a security testing and attack detection system for IP network
Degree: M.Sc.
Year: 1999
Subject: Computer networks -- Security measures; Computer security; Hong Kong Polytechnic University -- Dissertations
Department: Multi-disciplinary Studies; Dept. of Computing
Pages: vi, 82, [28] leaves : ill. ; 30 cm
Language: English
InnoPac Record: http://library.polyu.edu.hk/record=b1460533
URI: http://theses.lib.polyu.edu.hk/handle/200/2362
Abstract: Intrusion detection is a missing component in modern firewall architecture. Unlike firewalls or filtering devices, which provide the first line of defense and passive protection, an intrusion detector forms the last line of defense against security threats and allows active protection by incorporating anti-intrusion functions. It does not replace the elements of modern firewall architecture but cooperates with them to strengthen the overall protection structure. Although intrusion detection methods have been studied for years, most of the detection techniques developed are confined within a single host and are based on the analysis of system logs. With the emergence of network layer attacks, which do not always show up in the system log, and the popularity of network operating systems (NOS) that lack adequate logging ability, the detection techniques developed so far do not provide an effective solution to the intrusion detection problem. In this dissertation, we propose a new intrusion detection model. Our detection method is based on vulnerability exploitation signatures. We derive the procedure of exploitation from the network flows and represent it as an intrusion 'signature'. We do not handle network packets directly but use flows to encapsulate the underlying details. The use of flows not only provides simpler and more intuitive signatures; the derived signatures are also portable across different networks. Furthermore, through network flow monitoring, network layer attacks can be detected without relying on system logging. To detect intrusive activities, we employ pattern-matching techniques, just as most anti-virus software does today. Like a virus signature, an intrusion signature is the specification of features, conditions and arrangements among items that signify an attack.
As a result, intrusion detection is reduced to a pattern-matching problem: matching the signatures against the real-time traffic flow captured by the detector. This technique has the benefits of high portability, source independence, implementation independence, and a hierarchical, modular structure. We define four categories, or layer hierarchies, for the signatures in this dissertation, and every upper layer subsumes the lower one in terms of the signatures it can represent. The partitioning exploits the common features during the matching process and hence allows different implementations at different layers to achieve maximum efficiency. The use of intrusion signatures gives signature writers the freedom to decide how intrusions are detected and the flexibility to decide how to implement them. To realize our model, we use an extended CP-net to represent the intrusion signatures and build a prototype to serve as a proof of concept. The CP-net is selected because it is a well-developed concurrent language and has been used as a modeling language in many disciplines. The CP-net provides an intuitive and flexible graphical representation. The place-transition nature of a CP-net is very similar to the state transition diagrams used in network protocols. In addition, graphical editors, compilers and simulators are available for fast development and easy verification of intrusion signatures. In conclusion, we have proposed and successfully demonstrated a new way of classifying intrusions and a new class of intrusion detection techniques. This method has the potential to cover more intrusion cases, offer more freedom in detection, and be more effective and efficient in implementation.

Files in this item

Files Size Format
b14605338.pdf 3.892Mb PDF
