Keywords
network security, intrusion detection, locality, working sets, network servers
Abstract
Keeping computer networks safe from attack requires ever-increasing vigilance. Our work on applying locality to network intrusion detection is presented in this dissertation. Network servers that allow connections from both the internal network and the Internet are vulnerable to attack from all sides. Analysis of the behavior of incoming connections for properties of locality can be used to create a normal profile for such network servers. Intrusions can then be detected due to their abnormal behavior. Data was collected from a typical network server both under normal conditions and under specific attacks. Experiments show that connections to the server do in fact exhibit locality, and attacks on the server can be detected through their violation of locality. Key to the detection of locality is a data structure called a working-set, which is a kind of cache of certain data related to network connections. Under real network conditions, we have demonstrated that the working-set behaves in a manner consistent with locality. Determining the reasons for this behavior is our next goal. A model that generates synthetic traffic based on actual network traffic allows us to study basic traffic characteristics. Simulation of working-set processing of the synthetic traffic shows that it behaves much like actual traffic. Attacks inserted into a replay of the synthetic traffic produce working-set responses similar to those produced in actual traffic. In the future, our model can be used to further the development of intrusion detection strategies.
Graduation Date
2009
Advisor
Lang, Sheau-Dong
Degree
Doctor of Philosophy (Ph.D.)
College
College of Engineering and Computer Science
Department
Electrical Engineering and Computer Science
Degree Program
Computer Science
Format
application/pdf
Identifier
CFE0002718
URL
http://purl.fcla.edu/fcla/etd/CFE0002718
Language
English
Release Date
September 2009
Length of Campus-only Access
None
Access Status
Doctoral Dissertation (Open Access)
STARS Citation
Lee, Robert, "On The Application Of Locality To Network Intrusion Detection: Working-set Analysis Of Real And Synthetic Network Server Traffic" (2009). Electronic Theses and Dissertations. 4000.
https://stars.library.ucf.edu/etd/4000