Insider attacks on network-accessible computer systems are a steadily growing security concern. Users with privileged ("power") credentials can do almost anything they want with the systems they administer, with very little control or oversight. Most breaches committed by power users today are carried out through access that is itself legitimate, so they do not register as intrusions. Developing a solution to this problem is challenging because power users need flexibility to administer and maintain their systems. The increased use of virtual environments and virtual systems, teleworking, and remote access has made the network the preferred path for system administration.
This dissertation describes the design and implementation of a network-based Autonomic Violation Prevention System (AVPS) framework intended to defeat the insider threat in organizations. The AVPS sits in the network path between privileged users and the applications they administer, monitors the traffic that traverses it, and takes action as needed. A proof-of-concept prototype was developed in a virtualized environment, with FTP and Telnet servers as the application testbed. Rules pertaining to privileged-user administration were applied, and four actions were tested successfully: monitoring traffic, replacing it, blocking it, and dropping it.
This work also examined the scalability of the AVPS design. An experimental testbed was built to measure the overhead the AVPS adds, its throughput, and its response time, using FTP, database, and web servers as the application testbed. A variety of tests were performed, including automated and manual simultaneous transactions. An M/M/N//M analytic queuing model was used to assess how the AVPS performs for a finite population of users as the number of applications, users, and AVPS engines varies under different load levels. The results showed that the AVPS imposes very low overhead and therefore scales.
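The M/M/N//M model named above is a finite-source (machine-repair) queue: M users each issue a request at rate λ while idle, and N AVPS engines each serve at rate μ, so the birth rate in state k is (M − k)λ and the death rate is min(k, N)μ. The following is an added example, not code or data from the dissertation, that solves that birth-death chain for the steady-state probabilities and derives throughput, mean response time, and per-engine utilization via Little's law; the parameter values in the demo are assumptions for illustration, not the dissertation's measurements.

```python
"""Finite-population M/M/N//M queue solver for AVPS capacity planning.

Added example. Model: M users (finite population), N identical AVPS engines,
per-user request rate lam (1/think time), per-engine service rate mu.
State k = number of requests queued or in service, k = 0..M.
  birth rate in state k : (M - k) * lam
  death rate in state k : min(k, N) * mu
"""
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class QueueMetrics:
    probs: Tuple[float, ...]   # steady-state p_k for k = 0..M
    throughput: float          # X: completed requests per unit time
    mean_in_system: float      # E[K]: requests queued or in service
    mean_response: float       # R = E[K] / X (Little's law)
    utilization: float         # X / (N * mu): busy fraction per engine


def mmnm_metrics(users: int, engines: int, lam: float, mu: float) -> QueueMetrics:
    """Solve the M/M/N//M birth-death chain exactly (product-form solution)."""
    if users < 1 or engines < 1 or lam <= 0 or mu <= 0:
        raise ValueError("users, engines >= 1 and lam, mu > 0 required")
    # Unnormalised p_k via the recurrence p_{k+1} = p_k * birth_k / death_{k+1}.
    weights = [1.0]
    for k in range(users):
        birth = (users - k) * lam
        death = min(k + 1, engines) * mu
        weights.append(weights[-1] * birth / death)
    total = sum(weights)
    probs = tuple(w / total for w in weights)

    mean_k = sum(k * p for k, p in enumerate(probs))
    # Throughput equals the expected service completion rate.
    throughput = sum(p * min(k, engines) * mu for k, p in enumerate(probs))
    return QueueMetrics(
        probs=probs,
        throughput=throughput,
        mean_in_system=mean_k,
        mean_response=mean_k / throughput,
        utilization=throughput / (engines * mu),
    )


def engines_needed(users: int, lam: float, mu: float,
                   max_response: float) -> Optional[int]:
    """Smallest N whose mean response time meets the target, or None.

    Beyond N = users no request ever waits, so R bottoms out at 1/mu and
    searching further cannot help.
    """
    for n in range(1, users + 1):
        if mmnm_metrics(users, n, lam, mu).mean_response <= max_response:
            return n
    return None


if __name__ == "__main__":
    # Assumed workload: 40 administrators, one request per 10 s think time,
    # engine service time 0.5 s. Sweep the number of AVPS engines.
    LAM, MU, USERS = 1 / 10.0, 1 / 0.5, 40
    print(f"{'N':>3} {'X (req/s)':>10} {'R (s)':>8} {'util':>6}")
    for n in range(1, 6):
        m = mmnm_metrics(USERS, n, LAM, MU)
        print(f"{n:>3} {m.throughput:>10.3f} {m.mean_response:>8.3f} {m.utilization:>6.3f}")
    print("engines for R <= 0.6 s:", engines_needed(USERS, LAM, MU, 0.6))
```

Overhead in this model is the gap between the mean response time R and the bare service time 1/μ; as the sweep shows, adding engines drives R toward 1/μ, and `engines_needed` turns that into a sizing answer for a given user population and response-time target.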
The AVPS architecture was further enhanced to automate signature creation. Autonomic self-protection capabilities were added to the framework through high-level rules that set the goals for how violations are detected and how signatures are generated. Supervised self-learning capabilities were added using Support Vector Machines (SVM) to classify the raw traffic data and make the final decision on what constitutes a violation and what constitutes normal insider behavior.
Advisor: Menasce, Daniel A.
Committee: Gaj, Kruis; Kerschberg, Larry; Wijesekera, Duminda
School: George Mason University
School Location: United States -- Virginia
Source: DAI-B 73/08(E), Dissertation Abstracts International
Subjects: Information Technology; Computer science
Keywords: Autonomic computing; Insider threats; Network security; Security; Self-learning; Self-protection
Copyright in each Dissertation and Thesis is retained by the author. All Rights Reserved