Daniel Fava

Abstract

The increase in bandwidth, the emergence of wireless technologies, and the spread of the Internet throughout the world have created new forms of communication with effects on areas such as business, entertainment, and education. This pervasion of computer networks into human activity has amplified the importance of cyber security. Network security relies heavily on Intrusion Detection Systems (IDS), whose objective is to detect malicious network traffic and computer usage. IDS data can be correlated into cyber attack tracks, which consist of ordered collections of alerts triggered during a single multi-stage attack. The objective of this research is to enhance the current knowledge of attack behavior by developing a model that captures the sequential properties of attack tracks. Two sequence characterization models are discussed: Variable Length Markov Models (VLMMs), which are a type of finite-context models, and Hidden Markov Models (HMMs), which are also known as finite-state models. A VLMM is implemented based on attack sequences s = {x1, x2, ...xn} where xi 2 and is a set of possible values of one or more fields in an alert message. This work shows how the proposed model can be used to predict future attack actions (xj+1) belonging to a newly observed and unfolding attack sequence s = {x1, x2, ..., xj}. It also presents a metric that measures the variability in attack actions based on information entropy and a method for classifying attack tracks as sophisticated or simple based on average log-loss. In addition, insights into the analysis of attack target machines are discussed.

Library of Congress Subject Headings

Computer crimes--Mathematical models; Markov processes; Computer networks--Security measures

Publication Date

7-1-2007

Document Type

Thesis

Department, Program, or Center

Computer Engineering (KGCOE)

Advisor

Cockburn, Juan

Advisor/Committee Member

Reznik, Leonid

Comments

Note: imported from RIT’s Digital Media Library running on DSpace to RIT Scholar Works. Physical copy available through RIT's The Wallace Library at: HV6773 .F38 2007

Campus

RIT – Main Campus

Download

Share

COinS