Type of Document Dissertation Author Long, Jidong Author's Email Address email@example.com URN etd-06052006-163912 Title A Case-based Framework for Meta Intrusion Detection Degree Doctor of Philosophy Department Computer Science, Department of Advisory Committee
Advisor Name Title Daniel G. Schwartz Committee Chair Jerry Magnan Committee Member Lois Hawkes Committee Member Mike Burmester Committee Member Xiuwen Liu Committee Member Keywords
- Case-based Reasoning; Intrusion Detection; XM; Ale
Date of Defense 2006-05-18 Availability unrestricted AbstractIntrusion Detection has become an essential component of security mechanisms for information systems. Traditional Intrusion Detection Systems generally apply a single detection model and data source. Thus, they tend to suffer from large numbers of errors. To address this issue, the concept of meta intrusion detection was recently introduced. It suggests combining the results from multiple sensors with the aim of providing global decisions and avoiding errors.
This dissertation describes a novel case-based reasoning framework for meta intrusion detection, including its rationale, design, implementation, and evaluation. Briefly, a case consists of a problem-solution pair, where a problem is an attack and its solution is the type
of the attack. Attacks are represented as the collection of alerts arising from sensors. The alerts are encoded in an XML language.
Three experiments were conducted. The first used the 1998 DARPA data sets. Two sensors were employed. For each session, all alerts generated formed a pattern. These patterns were then clustered, and representatives from the clusters were chosen to build a case library. For this purpose an XML distance measure was created, to measure the distance between patterns in XML representation. The clustering very effectively distinguished normal sessions from attack sessions.
A key issue in meta intrusion detection is alert correlation, that is, determining which alerts are results of the same attack. The above employed what we have called explicit alert
correlation. This makes use of session information contained in the alerts.
The second experiment used the 2000 DARPA data sets containing denial of service attacks. Here the original contribution has been a new case-oriented approach to alert correlation which does not require the presence of session information. The experiment showed that this approach can be very effective in detecting new attacks.
The third experiment made use of the DARPA Grand Challenge Problem program. This experiment explored case-oriented alert correlation with two underlying methods, one based on the Hungarian algorithm and one employing dynamic programming. It was found that both methods are effective for attack detection, and produce almost identical results. However, the dynamic programming is significantly more efficient.
Filename Size Approximate Download Time (Hours:Minutes:Seconds)
28.8 Modem 56K Modem ISDN (64 Kb) ISDN (128 Kb) Higher-speed Access dissertation.pdf 2.51 Mb 00:11:36 00:05:58 00:05:13 00:02:36 00:00:13