An Anomaly Behavior Analysis Methodology for Network Centric Systems

Persistent Link:
http://hdl.handle.net/10150/305804
Title:
An Anomaly Behavior Analysis Methodology for Network Centric Systems
Author:
Alipour, Hamid Reza
Issue Date:
2013
Publisher:
The University of Arizona.
Rights:
Copyright © is held by the author. Digital access to this material is made possible by the University Libraries, University of Arizona. Further transmission, reproduction or presentation (such as public display or performance) of protected items is prohibited except with permission of the author.
Abstract:
Information systems and their services (referred to as cyberspace) are ubiquitous and touch all aspects of our life. With the exponential growth in cyberspace activities, the number and complexity of cyber-attacks have increased significantly due to an increase in the number of applications with vulnerabilities and the number of attackers. Consequently, it becomes extremely critical to develop efficient network Intrusion Detection Systems (IDS) that can mitigate and protect cyberspace resources and services against cyber-attacks. On the other hand, since each network system and application has its own specification as defined in its protocol, it is hard to develop a single IDS which works properly for all network protocols. The keener approach is to design customized detection engines for each protocol and then aggregate the reports from these engines to define the final security state of the system. In this dissertation, we developed a general methodology based on data mining, statistical analysis and protocol semantics to perform anomaly behavior analysis and detection for network-centric systems and their protocols. In our approach, we develop runtime models of protocol's state transitions during a time interval ΔΤ. We consider any n consecutive messages in a session during the time interval ΔΤ as an n-transition pattern called n-gram. By applying statistical analysis over these n-gram patterns we can accurately model the normal behavior of any protocol. Then we use the amount of the deviation from this normal model to quantify the anomaly score of the protocol activities. If this anomaly score is higher than a well-defined threshold the system marks that activity as a malicious activity. To validate our methodology, we have applied it to two different protocols: DNS (Domain Name System) at the application layer and the IEEE 802.11(WiFi) at the data link layer, where we have achieved good detection results (>95%) with low detection errors (<0.1%).
Type:
text; Electronic Dissertation
Keywords:
Computer Networks; Domain Name System; IEEE 802.11; Intrusion Detection Systems; Security; Electrical & Computer Engineering; Anomaly Detection
Degree Name:
Ph.D.
Degree Level:
doctoral
Degree Program:
Graduate College; Electrical & Computer Engineering
Degree Grantor:
University of Arizona
Advisor:
Hariri, Salim

Full metadata record

DC FieldValue Language
dc.language.isoen_USen_US
dc.titleAn Anomaly Behavior Analysis Methodology for Network Centric Systemsen_US
dc.creatorAlipour, Hamid Rezaen_US
dc.contributor.authorAlipour, Hamid Rezaen_US
dc.date.issued2013-
dc.publisherThe University of Arizona.en_US
dc.rightsCopyright © is held by the author. Digital access to this material is made possible by the University Libraries, University of Arizona. Further transmission, reproduction or presentation (such as public display or performance) of protected items is prohibited except with permission of the author.en_US
dc.description.abstractInformation systems and their services (referred to as cyberspace) are ubiquitous and touch all aspects of our life. With the exponential growth in cyberspace activities, the number and complexity of cyber-attacks have increased significantly due to an increase in the number of applications with vulnerabilities and the number of attackers. Consequently, it becomes extremely critical to develop efficient network Intrusion Detection Systems (IDS) that can mitigate and protect cyberspace resources and services against cyber-attacks. On the other hand, since each network system and application has its own specification as defined in its protocol, it is hard to develop a single IDS which works properly for all network protocols. The keener approach is to design customized detection engines for each protocol and then aggregate the reports from these engines to define the final security state of the system. In this dissertation, we developed a general methodology based on data mining, statistical analysis and protocol semantics to perform anomaly behavior analysis and detection for network-centric systems and their protocols. In our approach, we develop runtime models of protocol's state transitions during a time interval ΔΤ. We consider any n consecutive messages in a session during the time interval ΔΤ as an n-transition pattern called n-gram. By applying statistical analysis over these n-gram patterns we can accurately model the normal behavior of any protocol. Then we use the amount of the deviation from this normal model to quantify the anomaly score of the protocol activities. If this anomaly score is higher than a well-defined threshold the system marks that activity as a malicious activity. To validate our methodology, we have applied it to two different protocols: DNS (Domain Name System) at the application layer and the IEEE 802.11(WiFi) at the data link layer, where we have achieved good detection results (>95%) with low detection errors (<0.1%).en_US
dc.typetexten_US
dc.typeElectronic Dissertationen_US
dc.subjectComputer Networksen_US
dc.subjectDomain Name Systemen_US
dc.subjectIEEE 802.11en_US
dc.subjectIntrusion Detection Systemsen_US
dc.subjectSecurityen_US
dc.subjectElectrical & Computer Engineeringen_US
dc.subjectAnomaly Detectionen_US
thesis.degree.namePh.D.en_US
thesis.degree.leveldoctoralen_US
thesis.degree.disciplineGraduate Collegeen_US
thesis.degree.disciplineElectrical & Computer Engineeringen_US
thesis.degree.grantorUniversity of Arizonaen_US
dc.contributor.advisorHariri, Salimen_US
dc.contributor.committeememberAkoglu, Alien_US
dc.contributor.committeememberWang Roveda, Janeten_US
dc.contributor.committeememberHariri, Salimen_US
dc.contributor.committeememberRozenblit, Jerzyen_US
dc.contributor.committeememberLysecky, Romanen_US
All Items in UA Campus Repository are protected by copyright, with all rights reserved, unless otherwise indicated.