Theses and Dissertations from UMD

Permanent URI for this communityhttp://hdl.handle.net/1903/2

New submissions to the thesis/dissertation collections are added automatically as they are received from the Graduate School. Currently, the Graduate School deposits all theses and dissertations from a given semester after the official graduation date. This means that there may be up to a 4 month delay in the appearance of a give thesis/dissertation in DRUM

More information is available at Theses and Dissertations at University of Maryland Libraries.

Browse

Subject: search.filters.subject.intrusion detection

Search Results

Now showing 1 - 3 of 3
  • Thumbnail Image
    Item
    User Behavioral Modeling of Web-based Systems for Continuous User Authentication
    (2015) Milton, Leslie Carrie; Memon, Atif; Computer Science; Digital Repository at the University of Maryland; University of Maryland (College Park, Md.)
    Authentication plays an important role in how we interact with computers, mobile devices, the web, etc. The idea of authentication is to uniquely identify a user before granting access to system privileges. For example, in recent years more corporate information and applications have been accessible via the Internet and Intranet. Many employees are working from remote locations and need access to secure corporate files. During this time, it is possible for malicious or unauthorized users to gain access to the system. For this reason, it is logical to have some mechanism in place to detect whether the logged-in user is the same user in control of the user's session. Therefore, highly secure authentication methods must be used. We posit that each of us is unique in our use of computer systems. It is this uniqueness that is leveraged to "continuously authenticate users" while they use web software. To monitor user behavior, n-gram models are used to capture user interactions with web-based software. This statistical language model essentially captures sequences and sub-sequences of user actions, their orderings, and temporal relationships that make them unique by providing a model of how each user typically behaves. Users are then continuously monitored during software operations. Large deviations from "normal behavior" can possibly indicate malicious or unintended behavior. This approach is implemented in a system called Intruder Detector (ID) that models user actions as embodied in web logs generated in response to a user's actions. User identification through web logs is cost-effective and non-intrusive. We perform experiments on a large fielded system with web logs of approximately 4000 users. For these experiments, we use two classification techniques; binary and multi-class classification. We evaluate model-specific differences of user behavior based on coarse-grain (i.e., role) and fine-grain (i.e., individual) analysis. A specific set of metrics are used to provide valuable insight into how each model performs. Intruder Detector achieves accurate results when identifying legitimate users and user types. This tool is also able to detect outliers in role-based user behavior with optimal performance. In addition to web applications, this continuous monitoring technique can be used with other user-based systems such as mobile devices and the analysis of network traffic.
  • Thumbnail Image
    Item
    PROPERTY-BASED INTEGRITY MONITORING OF OPERATING SYSTEM KERNELS
    (2008-04-03) Petroni, Jr., Nick Louis; Hicks, Michael; Computer Science; Digital Repository at the University of Maryland; University of Maryland (College Park, Md.)
    As the foundation of the trusted computing base, the operating system kernel is a valuable target for attackers of a computer system seeking maximum control and privilege. Furthermore, because the majority of modern security solutions rely on the correctness of at least some portion of the operating system kernel, skilled attackers who successfully infiltrate kernel memory can remain undetected indefinitely. In this dissertation, we present an approach for detecting attacks against the kernel's integrity (commonly referred to as "rootkits"). Our approach, which we call property-based integrity monitoring, works by monitoring and analyzing the kernel's state at runtime. Unlike traditional security solutions, our monitor operates in isolation of, and independently from, the protected operating system and has direct access to the kernel's runtime state. The basic strategy behind property-based monitoring is to identify a set of properties that are practical to check, yet are effective at detecting the types of changes an attacker might make - both known and yet-to-be-discovered. In this work, we describe a practical and effective property for detecting persistent control-flow modifications in running kernels, called state-based control-flow integrity (SBCFI). Furthermore, to address those data-only attacks that do not violate the kernel's control-flow, we introduce a high-level policy language system for enforcing semantic integrity constraints in runtime kernel data. To evaluate the feasibility and effectiveness of our system, we have implemented two property-based integrity monitors for the Linux kernel - one using a virtual machine monitor and the other using a PCI-based coprocessor. We demonstrate that property-based monitoring is capable of detecting all publicly-available kernel integrity threats while imposing less than 1% overhead on the protected system. We conclude that property-based kernel integrity monitoring can be both practical and effective.
  • Thumbnail Image
    Item
    Evaluating Host Intrusion Detection Systems
    (2007-11-28) Molina, Jesus; Cukier, Michel; Electrical Engineering; Digital Repository at the University of Maryland; University of Maryland (College Park, Md.)
    Host Intrusion Detection Systems (HIDSs) are critical tools needed to provide in-depth security to computer systems. Quantitative metrics for HIDSs are necessary for comparing HIDSs or determining the optimal operational point of a HIDS. While HIDSs and Network Intrusion Detection Systems (NIDSs) greatly differ, similar evaluations have been performed on both types of IDSs by assessing metrics associated with the classification algorithm (e.g., true positives, false positives). This dissertation motivates the necessity of additional characteristics to better describe the performance and effectiveness of HIDSs. The proposed additional characteristics are the ability to collect data where an attack manifests (visibility), the ability of the HIDS to resist attacks in the event of an intrusion (attack resiliency), the ability to timely detect attacks (efficiency), and the ability of the HIDS to avoid interfering with the normal functioning of the system under supervision (transparency). For each characteristic, we propose corresponding quantitative evaluation metrics. To measure the effect of visibility on the detection of attacks, we introduce the probability of attack manifestation and metrics related to data quality (i.e., relevance of the data regarding the attack to be detected). The metrics were applied empirically to evaluate filesystem data, which is the data source for many HIDSs. To evaluate attack resiliency we introduce the probability of subversion, which we estimate by measuring the isolation between the HIDS and the system under supervision. Additionally, we provide methods to evaluate time delays for efficiency, and performance overhead for transparency. The proposed evaluation methods are then applied to compare two HIDSs. Finally, we show how to integrate the proposed measurements into a cost framework. First, mapping functions are established to link operational costs of the HIDS with the metrics proposed for efficiency and transparency. Then we show how the number of attacks detected by the HIDS not only depends on detection accuracy, but also on the evaluation results of visibility and attack resiliency.