Network intrusion detection: stepping-stone and masquerader detections
Publisher:
  • University of Houston
  • Computer Science Dept. 4800 Calhoun Blvd. Houston, TX
  • United States
ISBN: 978-1-109-46502-0
Order Number: AAI3383387
Pages: 120
Abstract

Intrusion detection plays a surveillance role by identifying attacks and protecting information systems from unauthorized access, misuse, or disruption. This dissertation investigates stepping-stone and masquerader intrusions in order to detect attacks from either external hackers or internal perpetrators.

When intruders log into a target machine through an interactive network connection, they usually construct a long connection chain via intermediary hosts, called stepping-stones, in order to hide their real identities. More sophisticated intruders even add superfluous chaff perturbation to the traffic to evade detection. Two detection approaches, namely size-fluctuation and random walk with transformation, are presented to identify stepping-stones. The experimental results demonstrate that both approaches are able to detect stepping-stones effectively under a larger number of chaff perturbations and with fewer monitored packets than the existing methods.

Once a target user's machine is invaded by intruders, the interlopers may steal or impersonate a legitimate user's account to gain access to computer systems that they are not authorized to enter. This is called the masquerade problem. One way to detect this kind of security breach is to study the user's behavior within a host, and to equip computer systems with the ability to differentiate a legitimate user from a masquerader. Two anomaly detection models for masquerader attacks are developed, both based on the computer command set. The first is the high frequency command approach, which profiles the behavior of a user on a computer system according to the most frequently used commands. The second is the command prediction with association rule mining approach, which builds a user's behavior pattern in order to predict a masquerader's next command. The two approaches perform well when compared to the existing methods used as benchmarks for this type of detection. Furthermore, because many prior studies encounter the problem of low hit rates and high false alarm rates, the next study in this dissertation explores a method to quantify a user's behavior in order to investigate the relationship between the masquerade detection results and users' behaviors.

Contributors
  • University of Houston