
Distributed Active Collaborative Intrusion Detection System Research And Practice

Posted on: 2006-02-01
Degree: Doctor
Type: Dissertation
Country: China
Candidate: Q H Deng
Full Text: PDF
GTID: 1118360182960423
Subject: Computer software and theory

Abstract/Summary:
The main focus of the proposed design is the protection of very large networks against distributed multistep attacks. Current systems fall short in dealing with the immense data volume produced by the sensors deployed in such installations. Dedicated nodes such as centralized processors are vulnerable to faults or targeted denial-of-service attempts and often become performance bottlenecks. A prototype system named DACIDS is designed to solve these problems. Detection is carried out by cooperating nodes that correlate and assemble the pieces of evidence scattered across many hosts in the victim's network into a single, coherent picture of the ongoing attack.

The dissertation standardizes the input data for DACIDS. The formats and content of alerts and other information from different IDSs or sensors vary a great deal, so the first problem DACIDS must solve is to standardize these data. The dissertation adopts a modified version of the data model that the IDWG uses to standardize data in IDMEF, and describes this data model as an XML DTD.

The dissertation models distributed multistep intrusion (DMI) scenarios. Some steps of a DMI pose no direct threat to the protected hosts or subnets and are therefore not monitored by the sub-IDSs. A DMI scenario is therefore decomposed into a series of events that sensors can observe, or of sub-targets that sub-IDSs can detect; we call these sub-tasks of detection (STDs). DACIDS checks selected events and system status to capture the occurrence of STDs, and then detects the sequence of STDs and the relations among the attributes of the STD events. Finally, the DMI model is described in ABNF; because the modeling method uses recursion, complicated intrusion scenarios can be modeled conveniently.

A language for describing the signatures of distributed multistep intrusions is defined. Based on the DMI model, we define an XML-based language, the DMI Signature Language (DMISL), to describe DMI signatures. The format of DMI signatures written by security administrators or DACIDS operators can be checked against the DMISL DTD, and DMISL inherits all the merits of XML.

The decentralized algorithm that finds events satisfying an intrusion signature was implemented and exhibits superior scalability and fault tolerance when compared with existing solutions. This is achieved by restricting detection to only those hosts that witness actual parts of the attack. We abandon the idea, used in traditional centralized or hierarchical approaches, of nodes with the dedicated task of correlating events, because such nodes limit scalability and are vulnerable to faults or attacks. A special extended finite state machine (EFSM) is used to implement the algorithm: every intrusion signature coded in DMISL is transformed into a special EFSM, called a DEFSM.

The efficiency of signature-based network sub-IDSs is also improved by replacing the Boyer-Moore (BM) algorithm with Aho-Corasick (AC) automaton matching for signature matching, and by using a URL cache. The dissertation presents the theory of the AC automaton matching algorithm and the procedure for building the automaton. By caching normal URLs, most Web requests need not be matched against the patterns at all. Theoretical analysis shows that these two techniques improve sub-IDS detection efficiency, and experimental results confirm it.

Because the large number of alerts produced by IDSs increases the load on the cooperative analyzer and would make it a bottleneck, the alerts produced by IDSs are fused so as to reduce the amount of data the engine must handle. The dissertation defines a time-based invasion action pattern (IAP) and fuses alarms by recognizing IAPs. This method has been shown to address the problems concerned.
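The following is an added example, written for this page rather than taken from the dissertation, showing the two pipeline stages the abstract describes: time-based alert fusion feeding an extended finite state machine that matches a multistep signature. The DMISL schema and the DACIDS alert fields are not reproduced here, so the alert record, the three-step signature (scan, exploit by the same attacker against the same victim, outbound connection from that victim) and the sample alerts are all assumptions. Fusion collapses repeats of the same (kind, src, dst) that fall within a window; the DEFSM's registers carry the attacker/victim bindings that relate the attributes of successive STD events. Everything runs in one process; the dissertation's placement of machine instances only on hosts that witness a step is not reproduced.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

# Normalized alert record. Field names are an assumption standing in for the
# IDMEF-style model the dissertation standardizes on, not DACIDS's own schema.
@dataclass
class Alert:
    ts: float            # time of (first) occurrence, seconds
    kind: str            # event class assigned by the sub-IDS
    src: str
    dst: str
    count: int = 1       # > 1 once repeated alerts have been fused
    ts_end: float = 0.0  # time of last occurrence in a fused run

# 1. Time-based alert fusion. An invasion action pattern (IAP) is approximated
#    as the same (kind, src, dst) recurring within `window` seconds of the previous one.
def fuse_alerts(alerts: List[Alert], window: float) -> List[Alert]:
    fused: List[Alert] = []
    open_run: Dict[tuple, Alert] = {}
    for a in sorted(alerts, key=lambda x: x.ts):
        key = (a.kind, a.src, a.dst)
        run = open_run.get(key)
        if run is not None and a.ts - run.ts_end <= window:
            run.count += 1
            run.ts_end = a.ts
        else:
            run = Alert(a.ts, a.kind, a.src, a.dst, 1, a.ts)
            open_run[key] = run
            fused.append(run)
    return fused

# 2. A multistep signature as an extended FSM: states plus registers (vars)
#    that carry attribute bindings from one STD event to the next.
@dataclass
class Transition:
    src_state: str
    dst_state: str
    kind: str                                       # STD event class
    guard: Callable[[Alert, Dict[str, str]], bool]  # relation to bound registers
    bind: Callable[[Alert], Dict[str, str]]         # registers set on firing

@dataclass
class DEFSM:
    start: str
    accept: str
    window: float                 # max seconds between consecutive STDs
    transitions: List[Transition]

@dataclass
class Instance:
    state: str
    vars: Dict[str, str]
    last_ts: float
    trail: List[Alert] = field(default_factory=list)

def step(m: DEFSM, inst: Instance, a: Alert) -> Optional[Instance]:
    for t in m.transitions:
        if t.src_state == inst.state and t.kind == a.kind and t.guard(a, inst.vars):
            return Instance(t.dst_state, {**inst.vars, **t.bind(a)}, a.ts, inst.trail + [a])
    return None

def run_defsm(m: DEFSM, alerts: List[Alert]) -> List[Instance]:
    """Feed alerts in time order; return every instance that reached `accept`."""
    live, matched = [], []
    for a in sorted(alerts, key=lambda x: x.ts):
        live = [i for i in live if a.ts - i.last_ts <= m.window]  # expire stale ones
        next_live: List[Instance] = []
        for inst in live + [Instance(m.start, {}, a.ts)]:          # also probe from start
            succ = step(m, inst, a)
            if succ is None and inst.state != m.start:
                next_live.append(inst)          # keep waiting for its next STD
            elif succ is not None:
                (matched if succ.state == m.accept else next_live).append(succ)
        live = next_live
    return matched

# Hypothetical three-step DMI signature (not from the dissertation): scan, then
# exploit by the same attacker against the same victim, then victim connects out.
SIGNATURE = DEFSM("S0", "S3", 600.0, [
    Transition("S0", "S1", "scan", lambda a, v: True,
               lambda a: {"attacker": a.src, "victim": a.dst}),
    Transition("S1", "S2", "exploit",
               lambda a, v: a.src == v["attacker"] and a.dst == v["victim"],
               lambda a: {}),
    Transition("S2", "S3", "outbound", lambda a, v: a.src == v["victim"],
               lambda a: {"c2": a.dst}),
])

# Constructed sample alerts from several sensors (not real data).
SAMPLE = [Alert(t, "scan", "10.0.0.5", "192.168.1.10") for t in (0.0, 1.0, 2.0, 3.0)] + [
    Alert(5.0, "scan", "10.0.0.9", "192.168.1.20"),            # never followed up
    Alert(30.0, "exploit", "10.0.0.5", "192.168.1.10"),
    Alert(40.0, "exploit", "10.0.0.7", "192.168.1.10"),        # attacker never scanned
    Alert(90.0, "outbound", "192.168.1.10", "203.0.113.7"),
    Alert(2000.0, "outbound", "192.168.1.20", "203.0.113.9"),  # outside the window
]

def demo(alerts: List[Alert] = SAMPLE):
    fused = fuse_alerts(alerts, window=10.0)
    return fused, run_defsm(SIGNATURE, fused)
```

Running `demo()` fuses the nine sample alerts to six (the four repeated scans become one alert with `count == 4`) and yields exactly one completed scenario, bound to attacker 10.0.0.5, victim 192.168.1.10 and C2 host 203.0.113.7. The exploit from 10.0.0.7 never matches because no instance holds it as `attacker`, and the late outbound connection from 192.168.1.20 is discarded by the per-signature window. Two points a deployment would need beyond this sketch: fusion must run before correlation on each sub-IDS (that is where it relieves the analyzer), and expiry windows need to be tuned per signature, since a slow attacker can deliberately space steps beyond a short window.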
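An added example of the sub-IDS speed-up described above (not the dissertation's code): an Aho-Corasick automaton that finds every pattern in a request string in a single pass, fronted by a cache of exact URLs that previously matched nothing. The patterns and the request log are constructed for illustration.

```python
from collections import deque
from typing import Dict, List, Set, Tuple

class AhoCorasick:
    """Multi-pattern matcher: one pass over the text finds every pattern occurrence."""
    def __init__(self, patterns: List[str]):
        self.goto: List[Dict[str, int]] = [{}]   # state -> {char: next state}
        self.out: List[Set[str]] = [set()]       # state -> patterns ending here
        self.fail: List[int] = [0]
        for p in patterns:
            self._add(p)
        self._build_fail()

    def _add(self, p: str) -> None:
        s = 0
        for ch in p:
            if ch not in self.goto[s]:
                self.goto.append({}); self.out.append(set()); self.fail.append(0)
                self.goto[s][ch] = len(self.goto) - 1
            s = self.goto[s][ch]
        self.out[s].add(p)

    def _build_fail(self) -> None:
        # BFS by depth: fail link = longest proper suffix of the path that is also a path.
        q = deque(self.goto[0].values())          # depth-1 states keep fail == root
        while q:
            r = q.popleft()
            for ch, s in self.goto[r].items():
                f = self.fail[r]
                while f and ch not in self.goto[f]:
                    f = self.fail[f]
                self.fail[s] = self.goto[f].get(ch, 0)
                self.out[s] |= self.out[self.fail[s]]   # inherit shorter suffix matches
                q.append(s)

    def search(self, text: str) -> List[Tuple[int, str]]:
        s, hits = 0, []
        for i, ch in enumerate(text):
            while s and ch not in self.goto[s]:
                s = self.fail[s]
            s = self.goto[s].get(ch, 0)
            for p in self.out[s]:
                hits.append((i - len(p) + 1, p))   # (start offset, pattern)
        return sorted(hits)

class UrlMatcher:
    """Runs the automaton only on request strings not already known to be clean."""
    def __init__(self, patterns: List[str]):
        self.ac = AhoCorasick(patterns)
        self.clean_cache: Set[str] = set()   # exact URLs that matched nothing
        self.automaton_runs = 0

    def check(self, url: str) -> List[Tuple[int, str]]:
        if url in self.clean_cache:
            return []
        self.automaton_runs += 1
        hits = self.ac.search(url)
        if not hits:
            self.clean_cache.add(url)        # only clean URLs are ever cached
        return hits

PATTERNS = ["../", "/etc/passwd", "cmd.exe", "<script"]   # constructed, illustrative
REQUESTS = [                                               # constructed request log
    "/index.html",
    "/index.html",
    "/images/logo.png",
    "/cgi-bin/../../etc/passwd",
    "/index.html",
    "/search?q=<script>alert(1)</script>",
]

def demo(urls: List[str] = REQUESTS, patterns: List[str] = PATTERNS):
    m = UrlMatcher(patterns)
    hits = {}
    for u in urls:
        found = m.check(u)
        if found:
            hits[u] = found
    return hits, m.automaton_runs
```

On the six sample requests the automaton runs four times: the second and third `/index.html` are served from the cache, while the traversal request yields three hits and the script injection one. Three caveats for real use: the cache is keyed on the exact raw string, so matching and caching must be applied after URL decoding and normalisation (otherwise `%2e%2e/` would be neither matched nor cached); the cache must be bounded (an LRU or similar), since a client can fill it with unique benign URLs; and it must be discarded whenever the pattern set changes, which this example guarantees only because the cache lives inside the matcher built from a given pattern list.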
Keywords/Search Tags: intrusion description language, distributed active cooperative intrusion detection, alert fusion, EFSM