Catálogo de publicaciones - libros

Most network intruders launch their attacks through stepping-stones to reduce the risks of being discovered. To uncover such intrusions, one prevalent, challenging, and critical way is to detect a long interactive connection chain. TCP packet round-trip time (RTT) can be used to estimate the length of a connection chain. In this paper, we propose a Standard Deviation-Based Clustering (SDC) Algorithm to find RTTs. SDC takes advantage of the fact that the distribution of RTTs is concentrated on a small range to find RTTs. It outperforms other approaches in terms of packet matching-rate and matching-accuracy. We derive an upper-bound of the probability of making an incorrect selection of RTT through SDC. This paper includes some experimental results to compare SDC with other algorithms and discusses its restrictions as well.

The overall performance of an intrusion protection system depends not only on the packet header classification and pattern matching, but also on the post-operative determination of correlative patterns of matched rules. An increasing number of patterns associated with a rule heighten the importance of correlative pattern matching. This work proposes a TCAM-based smart architecture that supports both deep pattern-matching and correlative pattern-matching. The proposed architecture overcomes the difficulties in implementing TCAM when the patterns are very deep and the rules for packet payload involve many patterns whose positions lie within a range. A real case payload is simulated using a Snort 2.3 rule set and simulation results demonstrate the feasibility of the proposed architecture in supporting a high-speed and robust intrusion detection and prevention system.

The increasing complexity of various network threats has made the integration and cooperation of multiple security monitoring technologies necessary in network security defense. However, most existing works have focused on certain special monitoring technologies such as intrusion detection, and studies on integrated security monitoring system are quite insufficient. In this paper, a novel formal model called MCSM (Multi-agent Cooperation model for Security Monitoring based on knowledge) is proposed. In MCSM, the integrated security monitoring is modeled as a FSA (Finite State Automata) with multiple agents, and a general knowledge structure for multiple agents is constructed. We have successfully developed an IMS (Integrated Monitoring System) called ACT-BroSA (Broad-spectrum security Scan and Analysis system) based on MCSM. Results of experiments show that the integrated monitoring capability is significantly improved.

DDoS (Distributed Denial-of-Service) attacks detection system deployed in source-end network is superior in detection and prevention than that in victim network, because it can perceive and throttle attacks before data flow to Internet. However, the current existed works in source-end network lead to a high false-positive rate and false-negative rate for the reason that they are based on single-feature, and they couldn’t synthesize multi-features simultaneously. This paper proposes a novel approach using Multi-stream Fused Hidden Markov Model (MF-HMM) on source-end DDoS detection for integrating multi-features simultaneously. The multi-features include the S-D-P feature, TCP header Flags, and IP header ID field. Through experiments, we compared our original approach based on multiple detection feature with other main algorithms (such as CUSUM and HMM) based on single-feature. The results present that our approach effectively reduces false-positive rate and false-negative rate, and improve the precision of detection.

In order to enhance service survivability, an immune-based model for service survivability, referred to as ISSM, is presented. In the model, the concepts and formal definitions of self, nonself, immunocyte, diversity system, and etc., are given; the antibody concentration and the dynamic change process of host status are described. Building on the relationship between the antibody concentration and the state of an illness in the human immune system, the systemic service capability and the service risk are calculated quantitatively. Based on the differences of the immune system among individuals, a service survivability algorithm, dynamic service migration algorithm, is put forth. Simulation results show that the model is real-time and adaptive, thus providing an effective solution for service survivability.

Over the past few years, Peer-to-Peer (P2P) networks have grown extensively and dramatically changed large-scale file transfer. One of the most popular P2P network is the system. BitTorrent can efficiently distribute large files by optimizing the use of network bandwidth and providing scalability. Due to the open and anonymous nature of P2P systems BitTorrent also provides an ideal environment for distribution of malicious, low quality, or doctored information. A number of reputation systems, including P2PRep with its successors XRep and XRep, had been proposed to address security weaknesses of Gnutella P2P file sharing networks. Although it has been claimed that these methods are also applicable to the other file sharing networks, it is not clear how to achieve this task. Moreover, some of the shortcomings of these reputation systems such as online-polling only and cold-start may be exploited by malicious attackers. In this paper, we propose a reputation system, called XRep, which is an extension of the XRep and for BitTorrent network. We show that the proposed system improves the security and the quality of information distributed over P2P networks.