The prosperity of the Internet has made it attractive to hackers and malicious attackers. Distributed attacks, such as DDoS attacks and Internet worms, have become major threats to the network infrastructure. Having existing single-point-deployed security applications collaborate across multiple domains for distributed defense is promising. Taking advantage of the small-world network model, a three-layered network modeling platform was developed for exploring the behavior of collaborative defense viewed as a complex system. Using this platform, a comparison study between two major collaborative defense schemes was conducted. Their performance and effectiveness against signature-embedded worm attacks were evaluated accordingly.
Given the rapid evolution of attack methods and toolkits, software-based solutions to secure the network infrastructure have become overburdened. The performance gap between the execution speed of security software and the amount of data to be processed is ever widening. A common solution to close this performance gap is hardware implementation of security functions. After a comprehensive survey of major reconfigurable hardware-based approaches applied to network infrastructure security, an optimized design of an FPGA-based Power Spectral Density (PSD) data converter for online Shrew DDoS attack detection was proposed and prototyped. Combining an innovative component-reusable Auto-Correlation (AC) algorithm and the adapted 2N-point real-valued Discrete Fourier Transform (DFT) algorithm, a maximum reduction of 61.8% in processing time, from 27471.4 us to 10504.8 us, was achieved. This efficient hardware realization enabled the implementation of this design on a Xilinx Virtex2 Pro FPGA.
The scalability issue against continuously expanding signature databases is another major impediment affecting hardware application for network intrusion detection. With the observation that signature patterns are constructed from combinations of a limited number of primary patterns, a two-stage decomposition approach was developed to solve this issue. The evaluation results show that a reduction in size of over 77% can be achieved on top of signature patterns extracted from the Snort rule database after decomposition.
|Committee:||Jin, Zhanpeng, Lewis, Michael, Polunchenko, Aleksey S., Summerville, Douglas H.|
|School:||State University of New York at Binghamton|
|Department:||Electrical and Computer Engineering|
|School Location:||United States -- New York|
|Source:||DAI-B 76/11(E), Dissertation Abstracts International|
|Keywords:||Collaborative defense, Network infrastructure security, Network intrusion detection, Pattern decomposition, Power spectral density data converter, Reconfigurable hardware application|
Copyright in each Dissertation and Thesis is retained by the author. All Rights Reserved