
Prototype Multi-level Attack Tree-based Intrusion Detection On Linux

Posted on: 2003-08-07
Degree: Master
Type: Thesis
Country: China
Candidate: C H Zhuang
GTID: 2208360092471240
Subject: Computer applications
Abstract/Summary:
With the development of computer technology and the explosion of the Internet, computer security becomes more and more important. Annual reports from the Computer Emergency Response Team (CERT) indicate a significant increase in the number of computer security incidents each year. According to CERT, the number of incidents reported increased sharply from 252 in 1990 to 21,756 in 2000. A narrower definition of computer security (or information security) is based on the realization of confidentiality, integrity, availability and controllability in a computer system. There are many measures for computer security, such as access control, encryption, auditing, authentication, etc. However, completely preventing breaches of security appears, at present, unrealistic. We can, however, try to detect these intrusion attempts so that action may be taken to repair the damage later. This field of research is called Intrusion Detection. An intrusion is defined as any set of actions that attempt to compromise the integrity, confidentiality, availability, or controllability of a resource. Intrusion detection is defined as "the problem of identifying individuals who attempt to use a computer system without authorization and those who have legitimate access to the system but are abusing their privileges". An intrusion detection system (IDS) is a computer system that attempts to perform intrusion detection. Multi-stage intrusion detection gives emphasis to finding the relations among intrusion events, which may be initiated by different attackers from different hosts at different times.

In Chapter 1, related terms and concepts are introduced, such as computer security, network security and intrusion detection.

In Chapter 2, the classification of intrusion detection is introduced in detail. Then the work done by some standardization organizations (CIDF and IDWG) is introduced. In the end, we discuss distributed IDS and divide it into two categories.

In Chapter 3, the concept of attack trees is introduced first. Then, based on the attack tree model, an attack specification language is constructed and an example of an IP-spoofing attack is given. Moreover, Z language is adopted to define the attack model. In addition, we apply the attack tree model to evaluating the likelihood of being compromised beforehand.

In Chapter 4, a specification of the Attack-tree based Centralized Intrusion Detection System (ACIDS) is given and a prototype is implemented on Linux.

In Chapter 5, we discuss the research and technical trends of IDS.

The overall intent of this dissertation is to develop a methodology for the construction of multi-stage intrusion detection systems. The following research objectives accomplish this intent:

- An attack specification language based on an enhanced attack tree model is constructed. Using this language, we define an attack template library. We take the IP-spoofing attack as an example. The attack tree is also applied to evaluating the security of a host beforehand.
- Z language (with the Object-Z extension), a formal language, is employed to depict the attack tree model. The representations of nodes and the relations among nodes are given. Then, a construction of IP-spoofing attack schemas exemplifies this method. Last, how to detect intrusions using attack models is discussed.
- The specification of centralized intrusion detection is given and a prototype called Attack-tree based Centralized Intrusion Detection System (ACIDS) is implemented in a Linux environment to demonstrate the feasibility of this method. In the system, some advanced technical skills such as raw packets, sockets, out-of-band data and pipes are employed.
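As an added illustration (not code from the thesis or the ACIDS prototype), the following Python sketch shows the two uses of an attack tree described above: propagating leaf likelihoods through AND/OR nodes to estimate the chance of compromise beforehand, and matching observed multi-stage events against the tree during detection. The tree, its node names and its probabilities are constructed for the example.

```python
import math
from dataclasses import dataclass, field
from typing import List, Set


@dataclass
class Node:
    """One node of an attack tree: a leaf step, or an AND/OR combination."""
    name: str
    kind: str = "LEAF"          # "LEAF", "AND" or "OR"
    p: float = 0.0              # leaf only: estimated probability the step succeeds
    children: List["Node"] = field(default_factory=list)


def likelihood(n: Node) -> float:
    """Analysis beforehand: probability the goal at n is reached (children independent)."""
    if n.kind == "LEAF":
        return n.p
    ps = [likelihood(c) for c in n.children]
    if n.kind == "AND":                                 # every sub-goal must succeed
        return math.prod(ps)
    return 1.0 - math.prod(1.0 - x for x in ps)         # OR: fails only if all fail


def satisfied(n: Node, observed: Set[str]) -> bool:
    """Detection: do the events observed so far complete the sub-tree at n?"""
    if n.kind == "LEAF":
        return n.name in observed
    hits = [satisfied(c, observed) for c in n.children]
    return all(hits) if n.kind == "AND" else any(hits)


def progress(n: Node, observed: Set[str]) -> float:
    """Fraction (0..1) of the most advanced attack path already observed,
    so a partially completed multi-stage attack can be reported early."""
    if n.kind == "LEAF":
        return 1.0 if n.name in observed else 0.0
    fr = [progress(c, observed) for c in n.children]
    return sum(fr) / len(fr) if n.kind == "AND" else max(fr)


def build_tree() -> Node:
    """Constructed example tree (hypothetical step names and probabilities)."""
    return Node("host compromised", "OR", children=[
        Node("weak password guessed", p=0.05),
        Node("trust relationship abused", "AND", children=[
            Node("trusted host identified", p=0.6),
            Node("forged-source packets observed", p=0.3),
            Node("session accepted as trusted host", p=0.5),
        ]),
    ])
```

With the constructed values, `likelihood(build_tree())` is 0.1355, and two of the three AND steps observed give a progress of 2/3 without the tree being satisfied.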
Keywords/Search Tags: Multi-stage Intrusion Detection, Attack Tree, Attack Tree Specification Language, Z language, Formal, Linux, Analysis Beforehand