Type of Document: Dissertation
Author: Long, Jidong
Author's Email Address: jidolong@cs.fsu.edu
URN: etd-06052006-163912
Title: A Case-based Framework for Meta Intrusion Detection
Degree: Doctor of Philosophy
Department: Computer Science

Advisory Committee
  Daniel G. Schwartz, Committee Chair
  Jerry Magnan, Committee Member
  Lois Hawkes, Committee Member
  Mike Burmester, Committee Member
  Xiuwen Liu, Committee Member

Keywords: Case-based Reasoning; Intrusion Detection; XM; Ale
Date of Defense: 2006-05-18
Availability: unrestricted

Abstract

Intrusion detection has become an essential component of the security mechanisms of information systems. Traditional intrusion detection systems generally apply a single detection model to a single data source, and so they tend to suffer from large numbers of errors. To address this issue, the concept of meta intrusion detection was recently introduced. It combines the results from multiple sensors with the aim of reaching global decisions and avoiding the errors of any single sensor.
This dissertation describes a novel case-based reasoning framework for meta intrusion detection, including its rationale, design, implementation, and evaluation. Briefly, a case consists of a problem-solution pair, where the problem is an attack and its solution is the type of the attack. Attacks are represented as the collection of alerts arising from sensors. The alerts are encoded in an XML language.
Three experiments were conducted. The first used the 1998 DARPA data sets, with two sensors employed. For each session, all alerts generated formed a pattern. These patterns were then clustered, and representatives from the clusters were chosen to build a case library. For this purpose an XML distance measure was created, which measures the distance between two patterns in their XML representation. The clustering very effectively distinguished normal sessions from attack sessions.
A key issue in meta intrusion detection is alert correlation, that is, determining which alerts are results of the same attack. The first experiment employed what we have called explicit alert correlation, which makes use of the session information contained in the alerts.
The second experiment used the 2000 DARPA data sets containing denial of service attacks. Here the original contribution has been a new case-oriented approach to alert correlation which does not require the presence of session information. The experiment showed that this approach can be very effective in detecting new attacks.
The third experiment made use of the DARPA Grand Challenge Problem program. This experiment explored case-oriented alert correlation with two underlying methods, one based on the Hungarian algorithm and one employing dynamic programming. It was found that both methods are effective for attack detection and produce almost identical results. However, the dynamic programming method is significantly more efficient.
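The following is an added illustration of the two correlation strategies the abstract contrasts, written for this page; it is not the dissertation's code and does not reproduce its XML distance measure. It builds a toy case library where each case is a (problem, solution) pair: the problem is an alert pattern and the solution is the attack type. Explicit correlation groups alerts by the (src, dst) session key; case-oriented correlation matches a pattern against the library without session information, once with an order-insensitive minimum-cost assignment (brute force over permutations here, standing in for the Hungarian algorithm, which finds the same optimum in O(n^3)) and once with an order-sensitive dynamic-programming alignment. The sensor names, signatures, addresses and the per-alert cost function are constructed assumptions, and alerts are held in Python dataclasses rather than the XML encoding the dissertation uses.

```python
# Added example, not the dissertation's code: toy case-based meta intrusion
# detection over alerts from two constructed sensors ("nids" and "hids").
from dataclasses import dataclass
from itertools import permutations
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Alert:
    sensor: str     # sensor that raised the alert (assumed names)
    signature: str  # the sensor's alert name (assumed names)
    src: str        # source address: session information
    dst: str        # destination address: session information


Pattern = Tuple[Alert, ...]

# Constructed sample alert stream: three sessions interleaved in arrival order.
ALERTS: List[Alert] = [
    Alert("nids", "ICMP_SWEEP", "10.0.0.5", "10.0.1.0"),
    Alert("nids", "SYN_FLOOD", "10.0.0.9", "10.0.1.7"),
    Alert("nids", "PORTSCAN", "10.0.0.5", "10.0.1.0"),
    Alert("hids", "LOGIN_OK", "10.0.2.3", "10.0.1.7"),
    Alert("hids", "SYN_BACKLOG_FULL", "10.0.0.9", "10.0.1.7"),
]

# Constructed case library: problem = alert pattern, solution = attack type.
# Addresses in the cases are placeholders; the cost function ignores them.
CASE_LIBRARY: Dict[str, Pattern] = {
    "probe": (Alert("nids", "ICMP_SWEEP", "A", "B"),
              Alert("nids", "PORTSCAN", "A", "B")),
    "dos": (Alert("nids", "SYN_FLOOD", "A", "B"),
            Alert("hids", "SYN_BACKLOG_FULL", "A", "B")),
    "normal": (Alert("hids", "LOGIN_OK", "A", "B"),),
}


def explicit_correlation(alerts: List[Alert]) -> Dict[Tuple[str, str], Pattern]:
    """Explicit alert correlation: alerts sharing the session key (src, dst)
    are taken to belong to the same attack and form one pattern."""
    sessions: Dict[Tuple[str, str], List[Alert]] = {}
    for a in alerts:
        sessions.setdefault((a.src, a.dst), []).append(a)
    return {key: tuple(v) for key, v in sessions.items()}


def alert_cost(a: Optional[Alert], b: Optional[Alert]) -> float:
    """Assumed per-alert cost: 1.0 if one side is unmatched, otherwise the
    fraction of differing (sensor, signature) fields. Addresses are ignored
    so that a case generalises across hosts."""
    if a is None or b is None:
        return 1.0
    return ((a.sensor != b.sensor) + (a.signature != b.signature)) / 2


def assignment_distance(p: Pattern, q: Pattern) -> float:
    """Order-insensitive distance: minimum-cost one-to-one matching between
    the two patterns, padding the shorter one with unmatched slots. Brute
    force over permutations; the Hungarian algorithm yields the same optimum."""
    n = max(len(p), len(q))
    pp: List[Optional[Alert]] = list(p) + [None] * (n - len(p))
    qq: List[Optional[Alert]] = list(q) + [None] * (n - len(q))
    return min(sum(alert_cost(pp[i], qq[j]) for i, j in enumerate(perm))
               for perm in permutations(range(n)))


def alignment_distance(p: Pattern, q: Pattern) -> float:
    """Order-sensitive distance: edit distance between the two alert
    sequences by dynamic programming, with substitution cost alert_cost
    and insertion/deletion cost 1.0."""
    m, n = len(p), len(q)
    d = [[0.0] * (n + 1) for _ in range(m + 1)]
    for i in range(1, m + 1):
        d[i][0] = float(i)
    for j in range(1, n + 1):
        d[0][j] = float(j)
    for i in range(1, m + 1):
        for j in range(1, n + 1):
            d[i][j] = min(d[i - 1][j] + 1.0,
                          d[i][j - 1] + 1.0,
                          d[i - 1][j - 1] + alert_cost(p[i - 1], q[j - 1]))
    return d[m][n]


def classify(pattern: Pattern, library: Dict[str, Pattern] = CASE_LIBRARY,
             distance=alignment_distance) -> Tuple[str, float]:
    """Case-based reasoning step: return the solution (attack type) of the
    nearest case together with its distance."""
    return min(((label, distance(pattern, case)) for label, case in library.items()),
               key=lambda t: t[1])


if __name__ == "__main__":
    for key, pattern in explicit_correlation(ALERTS).items():
        print(key, "->", classify(pattern))
    reordered = (Alert("nids", "PORTSCAN", "X", "Y"), Alert("nids", "ICMP_SWEEP", "X", "Y"))
    print("assignment:", assignment_distance(reordered, CASE_LIBRARY["probe"]),
          "alignment:", alignment_distance(reordered, CASE_LIBRARY["probe"]))
```

The reordered pattern at the end shows the practical difference between the two matchers: the assignment distance to the "probe" case is 0 because it ignores alert order, while the alignment distance is 1 because the two alerts arrive swapped. Whether that order should matter is a property of the sensors and attacks in play, which is why a case library should be evaluated with the same matcher that will be used in detection.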
Files

Filename          Size     Approximate Download Time (Hours:Minutes:Seconds)
                           28.8 Modem  56K Modem  ISDN (64 Kb)  ISDN (128 Kb)  Higher-speed Access
dissertation.pdf  2.51 Mb  00:11:36    00:05:58   00:05:13      00:02:36       00:00:13