Dissertation/Thesis Abstract

Diagnosis-based Intrusion Detection
by Jackson, Conner Patrick Stearns, M.S., University of California, Davis, 2016, 97; 10124452
Abstract (Summary)

In the field of computer security, one aims to protect users and services from attackers in cyberspace. One method of improving the security of a computer system is through the use of an intrusion detection system (IDS). This paper will present a new form of “Diagnosis-based” intrusion detection (DBID), inspired by the intuitions found in medical diagnosis.

In DBID, relevant system features, referred to as observables, are monitored. Symptoms use the values of observables to compute a belief in the current state of the protected system. Binary symptoms, a particular class of symptoms, use change detection algorithms, such as thresholding or CUSUM, to determine their computed belief, and can be used to form unique attack signatures. Dempster-Shafer Theory (DST) is used to characterize these beliefs, using basic belief assignments, and to combine them, using fusion operators. Diagnosis is then performed by analyzing the belief-plausibility probability bounds of various state sets of the frame of discernment on the combined symptom evidence to traverse a diagnosis tree, represented by a specificity tree, to determine, as accurately as possible, the state of the protected system. Through this process, DBID combines aspects of signature and anomaly detection systems, and is capable of detecting both previously known attacks and zero-day attacks of a similar class.
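The pipeline described above (observable, CUSUM binary symptom, basic belief assignment, Dempster's rule of combination, belief-plausibility bounds, specificity-tree traversal) can be followed end to end on a small frame of discernment. The following is an added example written for this page, not code from the thesis: the frame states mirror the attacks named in the abstract, but the observables, sample values, symptom confidences, thresholds and the shape of the specificity tree are all constructed assumptions chosen to make the arithmetic easy to check by hand.

```python
from typing import Dict, FrozenSet, List

# Frame of discernment: one "normal" state plus the three TCP DoS attacks
# named in the abstract. Hypotheses are subsets of this frame.
FRAME: FrozenSet[str] = frozenset({"normal", "synflood", "sockstress", "slowloris"})
DOS: FrozenSet[str] = frozenset({"synflood", "sockstress", "slowloris"})
Mass = Dict[FrozenSet[str], float]


def cusum_symptom(samples: List[float], baseline: float, drift: float, threshold: float) -> bool:
    """Binary symptom: one-sided CUSUM over an observable's time series.
    Fires (returns True) once the accumulated positive deviation from
    baseline+drift exceeds the threshold. Parameters are assumptions."""
    s = 0.0
    for x in samples:
        s = max(0.0, s + (x - baseline - drift))
        if s > threshold:
            return True
    return False


def symptom_bba(fired: bool, focal: FrozenSet[str], confidence: float) -> Mass:
    """Basic belief assignment for a binary symptom: when it fires, put mass
    `confidence` on its focal hypothesis and the remainder on the whole frame
    (ignorance); when silent, commit to nothing."""
    if fired:
        return {focal: confidence, FRAME: 1.0 - confidence}
    return {FRAME: 1.0}


def dempster_combine(m1: Mass, m2: Mass) -> Mass:
    """Dempster's rule of combination: multiply masses of intersecting focal
    sets and renormalize by the non-conflicting total."""
    combined: Mass = {}
    conflict = 0.0
    for a, ma in m1.items():
        for b, mb in m2.items():
            inter = a & b
            if inter:
                combined[inter] = combined.get(inter, 0.0) + ma * mb
            else:
                conflict += ma * mb
    if conflict >= 1.0:
        raise ValueError("symptoms are in total conflict; cannot combine")
    return {h: v / (1.0 - conflict) for h, v in combined.items()}


def belief(m: Mass, hyp: FrozenSet[str]) -> float:
    """Bel(H): total mass on subsets of H (lower probability bound)."""
    return sum(v for h, v in m.items() if h <= hyp)


def plausibility(m: Mass, hyp: FrozenSet[str]) -> float:
    """Pl(H): total mass on sets intersecting H (upper probability bound)."""
    return sum(v for h, v in m.items() if h & hyp)


def diagnose(m: Mass, tree: Dict[FrozenSet[str], List[FrozenSet[str]]], min_belief: float) -> FrozenSet[str]:
    """Walk the specificity tree from the frame toward more specific state
    sets, descending only while the best child's belief clears min_belief."""
    node = FRAME
    while True:
        children = tree.get(node, [])
        best = max(children, key=lambda c: belief(m, c), default=None)
        if best is None or belief(m, best) < min_belief:
            return node
        node = best


# Assumed specificity tree: frame -> {normal} | DoS class -> individual attacks.
SPECIFICITY_TREE = {
    FRAME: [frozenset({"normal"}), DOS],
    DOS: [frozenset({"synflood"}), frozenset({"sockstress"}), frozenset({"slowloris"})],
}


def run_example() -> dict:
    # Constructed observables: per-second counts sampled from a monitored host.
    half_open_conns = [22, 19, 25, 21, 180, 240, 260, 300]   # spikes at t=4
    held_open_conns = [40, 38, 42, 41, 95, 160, 210, 230]    # also spikes
    # Symptom A points specifically at a SYN flood; symptom B only at the DoS class.
    a_fired = cusum_symptom(half_open_conns, baseline=20.0, drift=5.0, threshold=100.0)
    b_fired = cusum_symptom(held_open_conns, baseline=40.0, drift=10.0, threshold=100.0)
    m_a = symptom_bba(a_fired, frozenset({"synflood"}), confidence=0.8)
    m_b = symptom_bba(b_fired, DOS, confidence=0.6)
    combined = dempster_combine(m_a, m_b)
    return {
        "combined": combined,
        "bounds": {s: (belief(combined, frozenset({s})), plausibility(combined, frozenset({s}))) for s in FRAME},
        "diagnosis": diagnose(combined, SPECIFICITY_TREE, min_belief=0.5),
    }


if __name__ == "__main__":
    result = run_example()
    for state, (bel, pl) in sorted(result["bounds"].items()):
        print(f"{state:10s} Bel={bel:.2f} Pl={pl:.2f}")
    print("diagnosis:", set(result["diagnosis"]))
```

With both constructed symptoms firing, the combined evidence puts mass 0.80 on {synflood}, 0.12 on the DoS class and 0.08 on the whole frame, so Bel({synflood}) = 0.80 and Pl({synflood}) = 1.00 while Pl({normal}) is only 0.08; the tree walk therefore descends from the frame into the DoS class and then to {synflood}. The same walk stops at the DoS class when only the class-level symptom fires, which is how an unseen attack of the same class still gets a useful, if less specific, diagnosis.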

To verify its capabilities, an implementation of DBID was constructed to protect a system against TCP DoS attacks. The IDS was configured to diagnose a system exposed to the Synflood, Sockstress, and Slowloris attacks in a set of experiments performed in DeterLab. Additionally, a pseudo-new attack, synthesized from configured attacks, was launched against the protected system. Promising results display that DBID is capable of correctly diagnosing both the previously seen and unseen attacks.

Indexing (document details)
Advisor: Levitt, Karl N.
Committee: Bishop, Matthew A., Wu, Shyhtsun F.
School: University of California, Davis
Department: Computer Science
School Location: United States -- California
Source: MAI 55/04M(E), Masters Abstracts International
Subjects: Computer science
Keywords: Change detection algorithms, Dempster-Shafer theory, Thresholding
Publication Number: 10124452
ISBN: 978-1-339-82560-1