In the field of computer security, one aims to protect users and services from attackers in cyberspace. One method of improving the security of a computer system is through the use of an intrusion detection system (IDS). This thesis presents a new form of intrusion detection, "diagnosis-based" intrusion detection (DBID), inspired by the intuitions found in medical diagnosis.
In DBID, relevant system features, referred to as observables, are monitored. Symptoms use the values of observables to compute a belief in the current state of the protected system. Binary symptoms, a particular class of symptoms, use change-detection algorithms such as thresholding or CUSUM to determine their computed belief, and can be combined to form unique attack signatures. Dempster-Shafer Theory (DST) is used to characterize these beliefs as basic belief assignments and to combine them with fusion operators. Diagnosis is then performed on the combined symptom evidence: the belief-plausibility probability bounds of various state sets of the frame of discernment are analyzed to traverse a diagnosis tree, represented by a specificity tree, and determine the state of the protected system as accurately as possible. Through this process, DBID combines aspects of signature-based and anomaly-based detection, and is capable of detecting both previously known attacks and zero-day attacks of a similar class.
To verify its capabilities, an implementation of DBID was constructed to protect a system against TCP denial-of-service (DoS) attacks. The IDS was configured to diagnose a system exposed to the Synflood, Sockstress, and Slowloris attacks in a set of experiments performed in DeterLab. Additionally, a pseudo-new attack, synthesized from the configured attacks, was launched against the protected system. The results show that DBID is capable of correctly diagnosing both the previously seen and the unseen attacks.
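The pipeline the two preceding paragraphs describe, shown end to end as an added example (this is not code from the thesis): CUSUM-driven binary symptoms, basic belief assignments, Dempster's rule of combination, belief/plausibility bounds, and a diagnosis walk over a specificity tree. It also shows the class-level outcome for a synthesized attack that fires two signatures at once. The frame of discernment, the observable names, the CUSUM parameters, the mass values, the tree shape and all sample series are assumptions chosen for illustration, not the thesis's configuration or data.

```python
"""Added worked example (not from the thesis): binary symptoms driven by CUSUM,
basic belief assignments, Dempster's rule, belief/plausibility bounds, and a
diagnosis walk over a specificity tree.  Frame, observables, thresholds,
masses, tree and sample series are all illustrative assumptions."""
from itertools import product

# Assumed frame of discernment: mutually exclusive states of the protected host.
FRAME = frozenset({"normal", "synflood", "sockstress", "slowloris"})
ATTACKS = FRAME - {"normal"}


def cusum_alarm(samples, baseline, drift, threshold):
    """One-sided (upward) CUSUM change detector.  Returns the index at which the
    accumulated excess over baseline+drift first exceeds threshold, else None."""
    s = 0.0
    for i, x in enumerate(samples):
        s = max(0.0, s + (x - baseline - drift))
        if s > threshold:
            return i
    return None


def binary_symptom(fired, focal, hit=0.8, miss=0.6):
    """BBA of a binary symptom.  When it fires, `hit` of the mass goes to the
    states it is a signature for and the rest to the whole frame (ignorance);
    when silent, the weaker `miss` mass goes to the complement of those states."""
    focal = frozenset(focal)
    return ({focal: hit, FRAME: 1.0 - hit} if fired
            else {FRAME - focal: miss, FRAME: 1.0 - miss})


def combine(m1, m2):
    """Dempster's rule of combination, renormalising away the conflict mass."""
    out, conflict = {}, 0.0
    for (a, ma), (b, mb) in product(m1.items(), m2.items()):
        inter = a & b
        if inter:
            out[inter] = out.get(inter, 0.0) + ma * mb
        else:
            conflict += ma * mb
    if conflict >= 1.0:
        raise ValueError("total conflict: symptoms cannot be fused")
    return {k: v / (1.0 - conflict) for k, v in out.items()}


def belief(m, a):
    """Bel(A): mass committed to subsets of A (lower probability bound)."""
    a = frozenset(a)
    return sum(v for k, v in m.items() if k <= a)


def plausibility(m, a):
    """Pl(A): mass not contradicting A (upper probability bound)."""
    a = frozenset(a)
    return sum(v for k, v in m.items() if k & a)


# Assumed specificity tree: the frame refines into normal vs. attack, and the
# attack class refines into the three configured signatures.
TREE = {FRAME: [frozenset({"normal"}), ATTACKS],
        ATTACKS: [frozenset({a}) for a in sorted(ATTACKS)]}


def diagnose(m, min_belief=0.5):
    """Descend the tree while some child keeps belief >= min_belief; otherwise
    stop and report the coarser state set (e.g. 'some TCP DoS attack')."""
    node = FRAME
    while node in TREE:
        best = max(TREE[node], key=lambda c: belief(m, c))
        if belief(m, best) < min_belief:
            break
        node = best
    return node


def diagnose_host(half_open, idle_http, zero_window):
    """Fuse three assumed binary symptoms, each fed by one observable series:
    half-open TCP connections (synflood), idle partial HTTP requests
    (slowloris) and established zero-window connections (sockstress)."""
    symptoms = [
        binary_symptom(cusum_alarm(half_open, 20, 5, 100) is not None, {"synflood"}),
        binary_symptom(cusum_alarm(idle_http, 3, 1, 10) is not None, {"slowloris"}),
        binary_symptom(cusum_alarm(zero_window, 0, 1, 5) is not None, {"sockstress"}),
    ]
    m = symptoms[0]
    for s in symptoms[1:]:
        m = combine(m, s)
    return m, diagnose(m)


if __name__ == "__main__":
    # Constructed series: a lone half-open surge, then a synthesized attack that
    # also drives the zero-window observable (two signatures firing at once).
    quiet_http, quiet_zw = [3, 2, 4, 3, 2, 3, 4], [0, 1, 0, 0, 1, 0, 0]
    surge = [20, 22, 19, 21, 400, 450, 500]
    print(diagnose_host(surge, quiet_http, quiet_zw)[1])            # {'synflood'}
    print(diagnose_host(surge, quiet_http, [0, 0, 1, 30, 45, 60, 70])[1])  # attack class
```

In the first scenario only the synflood symptom fires and the fused belief in {synflood} reaches 0.8, so the walk descends to the leaf. In the synthesized case the synflood and sockstress symptoms conflict, Dempster's rule splits the mass between them (about 0.44 each), neither leaf clears the 0.5 floor, and the diagnosis stops at the attack class with belief about 0.89, which is the "unseen attack of a similar class" behaviour the abstract describes.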
Advisor: Levitt, Karl N.
Committee: Bishop, Matthew A., Wu, Shyhtsun F.
School: University of California, Davis
School Location: United States -- California
Source: MAI 55/04M(E), Masters Abstracts International
Keywords: Change detection algorithms, Dempster-Shafer theory, Thresholding