In Partial Fulfillment of the Requirements for the Degree of
Doctor of Philosophy
Will defend his dissertation
Most computer intruders chain several previously compromised computers so as to hide themselves before launching attacks on a target computer. One way to stop such intruders is to detect the intrusions and prevent them from using compromised computers; another way is to trace them back. The former is called stepping-stone detection, and the latter is called connection traceback.
We propose three approaches to detect stepping-stone intrusion: the Request-Response-based detection approach, the Step-Function approach, and the Network Fluctuation-based approach, as well as two approaches to trace intrusions back: Temporal Thumbprint and Round-trip time thumbprint. The experimental results and theoretical analysis show that these approaches can perform better than existing stepping-stone intrusion detection and prevention approaches in terms of false positive rate, false negative rate, and resistance to intruders’ evasion, such as time jittering and chaff perturbation.
One issue common to the approaches we propose is matching TCP/IP packets. Matching packets is critical to stepping-stone intrusion detection and connection traceback. We formally model and study this problem and propose three approaches to match TCP/IP packets of an interactive session: the TCP/IP protocol-based matching approach, the clustering-partitioning matching approach, and the standard deviation-based matching approach.
Date: Monday, July 20, 2006
Time: 1:00 PM
Place: 550-PGH
Faculty, students, and the general public are invited.
Advisor: Prof. Stephen S.H. Huang