
On real-time intrusion detection and source identification

Posted on: 2001-10-16
Degree: Ph.D
Type: Thesis
University: North Carolina State University
Candidate: Chang, Ho-Yen
Full Text: PDF
GTID: 2468390014452189
Subject: Engineering
Abstract/Summary:
This thesis consists of two distinct parts: a study of real-time intrusion detection for attacks on a network link-state routing protocol (Part I), and a study of source identification for spoofed IP packets (Part II). The two parts could be united in a common framework consisting of an intrusion detection system and an intrusion response system, but in many ways they are distinct and self-contained.

In Part I, a real-time, knowledge-based network intrusion detection model for a link-state routing protocol is presented and used to detect different attacks on the OSPF protocol. The model has three layers: a data-process layer that parses packets and dispatches data, a protocol-engine layer for the link-state routing protocol, and an extended timed finite state machine (FSM) that expresses the real-time behavior of the protocol engine and detects intrusions by pattern matching. The timed FSM, named the JiNao Finite State Machine (JFSM), extends the conventional FSM with timed states, multiple timers, and time constraints on state transitions. The JFSM is implemented as a generator that can create any FSM from a description in a configuration file. The results show that this approach is very effective for real-time intrusion detection, and it can be extended to intrusion detection for other network protocols, especially those with known attacks.

In Part II, a security management framework, the Decentralized Source Identification System (DECIDUOUS), is presented to identify the "true" sources of network-based intrusions. The premise of the approach is that if an attack packet has been correctly authenticated by a certain router, the packet must have been transmitted through that router. DECIDUOUS uses IPsec security associations to dynamically deploy secure authentication tunnels in order to trace the possible attackers' locations further upstream. We present algorithms that support tracing multiple attacks launched from different locations, even across several administrative domains. Our results show that the DECIDUOUS system is reasonably efficient, flexible and robust. The approach could serve as the basis for future research on different tracing strategies for different types of attacks in large-scale networks.
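The following is an added example, not code from the thesis: a minimal timed FSM in the spirit of the JFSM generator, built from a JSON configuration description, with timed states (timers that move the machine to another state when they expire), multiple timers per state, and time constraints on transitions. The configuration format, the event name "lsa", the detection rule (a repeated instance of the same LSA within 1 s of the previous one, which OSPF's MinLSArrival of 1 s in RFC 2328 would reject), the LSA keys and the trace are all constructed for illustration and are not taken from the thesis.

```python
"""Timed-FSM detector generated from a configuration description (added example)."""
import json
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Transition:
    event: str                       # event that triggers the transition
    dst: str                         # destination state
    max_age: Optional[float] = None  # allowed only if time spent in state <= max_age
    min_age: Optional[float] = None  # allowed only if time spent in state >= min_age


@dataclass
class State:
    name: str
    timers: List[Tuple[float, str]] = field(default_factory=list)  # (seconds, dst)
    transitions: List[Transition] = field(default_factory=list)


class TimedFSM:
    """One machine instance generated from a parsed configuration (hypothetical format)."""

    def __init__(self, config: dict):
        self.states: Dict[str, State] = {}
        for s in config["states"]:
            timers = [(float(t["after"]), t["to"]) for t in s.get("timers", [])]
            if any(after <= 0 for after, _ in timers):
                raise ValueError("timers must be positive")
            st = State(s["name"], timers)
            st.transitions = [Transition(t["event"], t["to"], t.get("max_age"), t.get("min_age"))
                              for t in s.get("transitions", [])]
            self.states[st.name] = st
        self.alert_states = set(config.get("alert_states", []))
        self.current = config["initial"]
        self.entered_at = 0.0

    def _expire(self, now: float) -> None:
        """Fire every timer that elapsed before `now`, earliest first."""
        while True:
            st = self.states[self.current]
            if not st.timers:
                return
            after, dst = min(st.timers)
            if now - self.entered_at < after:
                return
            self.entered_at += after      # the state changed at the instant the timer fired
            self.current = dst

    def feed(self, ts: float, event: str) -> str:
        """Consume `event` observed at time `ts`; return the resulting state."""
        self._expire(ts)
        st = self.states[self.current]
        age = ts - self.entered_at
        for tr in st.transitions:         # first matching transition wins
            if tr.event != event:
                continue
            if tr.max_age is not None and age > tr.max_age:
                continue
            if tr.min_age is not None and age < tr.min_age:
                continue
            self.current, self.entered_at = tr.dst, ts
            break
        return self.current


# Constructed rule: a second "lsa" for the same key within 1 s of the previous one
# raises ALERT; a tracked LSA is forgotten after 60 s of silence; ALERT clears after 5 s.
CONFIG = json.loads("""
{
  "initial": "IDLE",
  "alert_states": ["ALERT"],
  "states": [
    {"name": "IDLE",
     "transitions": [{"event": "lsa", "to": "SEEN"}]},
    {"name": "SEEN",
     "timers": [{"after": 60.0, "to": "IDLE"}],
     "transitions": [{"event": "lsa", "to": "ALERT", "max_age": 1.0},
                     {"event": "lsa", "to": "SEEN"}]},
    {"name": "ALERT",
     "timers": [{"after": 5.0, "to": "IDLE"}],
     "transitions": [{"event": "lsa", "to": "ALERT"}]}
  ]
}
""")


def detect(config: dict, trace) -> List[Tuple[float, str]]:
    """Run one FSM instance per LSA key over (ts, key, event) records; return alerts."""
    machines: Dict[str, TimedFSM] = {}
    alerts = []
    for ts, key, event in trace:
        if key not in machines:
            machines[key] = TimedFSM(config)
        fsm = machines[key]
        if fsm.feed(ts, event) in fsm.alert_states:
            alerts.append((ts, key))
    return alerts


# Constructed trace (seconds, LSA key, event); the keys are illustrative.
SAMPLE_TRACE = [
    (0.0, "router-lsa/1.1.1.1", "lsa"),
    (30.0, "router-lsa/1.1.1.1", "lsa"),
    (30.5, "router-lsa/1.1.1.1", "lsa"),    # 0.5 s after previous instance: ALERT
    (40.0, "router-lsa/2.2.2.2", "lsa"),    # different LSA, separate machine
    (100.0, "router-lsa/1.1.1.1", "lsa"),   # ALERT timer fired at 35.5 -> IDLE -> SEEN
    (170.0, "router-lsa/1.1.1.1", "lsa"),   # SEEN timer fired at 160 -> IDLE -> SEEN
    (170.9, "router-lsa/1.1.1.1", "lsa"),   # 0.9 s later: ALERT again
]

if __name__ == "__main__":
    for ts, key in detect(CONFIG, SAMPLE_TRACE):
        print(f"t={ts:.1f} ALERT {key}")
```

Timers are evaluated lazily when the next event arrives, which is sufficient for a trace-driven detector; a live deployment would drive `_expire` from a clock as well so that timer-only transitions are reported without waiting for traffic.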
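The following simulation is an added example, not the thesis's code, of the DECIDUOUS premise stated above: an attack packet that arrives correctly authenticated by router R must have traversed R, so authentication tunnels can be pushed upstream one hop at a time until no further router authenticates the attack traffic. The topology, the attacker placement, the flow labels and the upstream-search strategy are all constructed assumptions; in particular it assumes a loop-free path from each attacker to the victim and that the intrusion detection system can label each attack flow independently of its spoofed source address.

```python
"""Simulated upstream tracing with authentication tunnels (added example)."""
from collections import deque
from typing import Dict, List, Set

# Constructed topology: undirected links; routers are named "R*", hosts "h*".
LINKS = [("victim", "R1"), ("R1", "R2"), ("R2", "R3"), ("R3", "hA"),
         ("R2", "R4"), ("R4", "R5"), ("R5", "hB"), ("R2", "hC"), ("R1", "R6")]
# Constructed attack flows: flow label (as an IDS would assign) -> true source host.
ATTACKS = {"flow-1": "hA", "flow-2": "hB", "flow-3": "hC"}
VICTIM = "victim"


def adjacency(links) -> Dict[str, Set[str]]:
    adj: Dict[str, Set[str]] = {}
    for a, b in links:
        adj.setdefault(a, set()).add(b)
        adj.setdefault(b, set()).add(a)
    return adj


def shortest_path(adj, src: str, dst: str) -> List[str]:
    """Breadth-first shortest path; stands in for the routers' forwarding decision."""
    prev = {src: None}
    queue = deque([src])
    while queue:
        node = queue.popleft()
        if node == dst:
            break
        for nxt in adj[node]:
            if nxt not in prev:
                prev[nxt] = node
                queue.append(nxt)
    path, node = [], dst
    while node is not None:
        path.append(node)
        node = prev[node]
    return path[::-1]


class Network:
    """Forwards each attack flow along its shortest path to the victim."""

    def __init__(self, links, attacks: Dict[str, str], victim: str):
        self.adj = adjacency(links)
        self.paths = {flow: shortest_path(self.adj, host, victim) for flow, host in attacks.items()}

    def observed_flows(self) -> Set[str]:
        """Attack flows the victim-side IDS sees (source addresses are spoofed, so unused)."""
        return set(self.paths)

    def deploy_tunnel(self, router: str) -> Set[str]:
        """Model an IPsec SA between `router` and the victim: the attack flows whose
        packets arrive authenticated by `router`, i.e. the flows that traversed it."""
        return {flow for flow, path in self.paths.items() if router in path}


def trace(net: Network, victim: str) -> Dict[str, str]:
    """Push tunnels upstream from the victim; return flow -> router at which it entered."""
    entry: Dict[str, str] = {}
    confirmed = {victim}
    frontier = deque([(victim, net.observed_flows())])
    while frontier:
        node, flows = frontier.popleft()
        remaining = set(flows)
        upstream = [n for n in net.adj[node] if n.startswith("R") and n not in confirmed]
        for router in upstream:
            seen = net.deploy_tunnel(router) & flows
            if seen:                       # router authenticated some of these flows
                confirmed.add(router)
                frontier.append((router, seen))
                remaining -= seen
        for flow in remaining:             # no upstream router saw it: it entered here
            entry[flow] = node
    return entry


if __name__ == "__main__":
    for flow, router in sorted(trace(Network(LINKS, ATTACKS, VICTIM), VICTIM).items()):
        print(f"{flow} enters the network at {router}")
```

Tracking flows rather than a single yes/no per tunnel is what lets the search separate an attacker attached directly to R2 from attackers further upstream of it, which is the multiple-attack case the abstract mentions; R6 is probed once, authenticates nothing, and is never revisited.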
Keywords/Search Tags: Intrusion detection, Link-state routing protocol, Attacks, Network, Source, FSM, Different