
Case-Based Framework for Meta Intrusion Detection

Title: A Case-Based Framework for Meta Intrusion Detection.
Name(s): Long, Jidong, author
Schwartz, Daniel G., professor directing dissertation
Magnan, Jerry, outside committee member
Burmester, Mike, committee member
Hawkes, Lois, committee member
Liu, Xiuwen, committee member
Department of Computer Science, degree granting department
Florida State University, degree granting institution
Type of Resource: text
Genre: Text
Issuance: monographic
Date Issued: 2006
Publisher: Florida State University
Place of Publication: Tallahassee, Florida
Physical Form: computer
online resource
Extent: 1 online resource
Language(s): English
Abstract/Description: Intrusion Detection has become an essential component of security mechanisms for information systems. Traditional Intrusion Detection Systems generally apply a single detection model and data source. Thus, they tend to suffer from large numbers of errors. To address this issue, the concept of meta intrusion detection was recently introduced. It suggests combining the results from multiple sensors with the aim of providing global decisions and avoiding errors. This dissertation describes a novel case-based reasoning framework for meta intrusion detection, including its rationale, design, implementation, and evaluation. Briefly, a case consists of a problem-solution pair, where a problem is an attack and its solution is the type of the attack. Attacks are represented as the collection of alerts arising from sensors. The alerts are encoded in an XML language. Three experiments were conducted. The first used the 1998 DARPA data sets. Two sensors were employed. For each session, all alerts generated formed a pattern. These patterns were then clustered, and representatives from the clusters were chosen to build a case library. For this purpose an XML distance measure was created, to measure the distance between patterns in XML representation. The clustering very effectively distinguished normal sessions from attack sessions. A key issue in meta intrusion detection is alert correlation, that is, determining which alerts are results of the same attack. The above employed what we have called explicit alert correlation. This makes use of session information contained in the alerts. The second experiment used the 2000 DARPA data sets containing denial of service attacks. Here the original contribution has been a new case-oriented approach to alert correlation which does not require the presence of session information. The experiment showed that this approach can be very effective in detecting new attacks. 
The third experiment made use of the DARPA Grand Challenge Problem program. This experiment explored case-oriented alert correlation with two underlying methods, one based on the Hungarian algorithm and one employing dynamic programming. It was found that both methods are effective for attack detection, and produce almost identical results. However, the dynamic programming is significantly more efficient.
Identifier: FSU_migr_etd-1081 (IID)
Submitted Note: A Dissertation Submitted to the Department of Computer Science in Partial Fulfillment of the Requirements for the Degree of Doctor of Philosophy.
Degree Awarded: Summer Semester, 2006.
Date of Defense: May 18, 2006.
Keywords: Case-based Reasoning, Intrusion Detection; XM, Ale
Bibliography Note: Includes bibliographical references.
Advisory committee: Daniel G. Schwartz, Professor Directing Dissertation; Jerry Magnan, Outside Committee Member; Mike Burmester, Committee Member; Lois Hawkes, Committee Member; Xiuwen Liu, Committee Member.
Subject(s): Computer science
Persistent Link to This Record:
Owner Institution: FSU

Long, J. (2006). A Case-Based Framework for Meta Intrusion Detection. Retrieved from