A security framework for detecting enterprise-wide attacks in computer networks

Onwubiko, Cyril (2008) A security framework for detecting enterprise-wide attacks in computer networks. (PhD thesis), Kingston University.

Abstract

An integrated security framework is proposed for detecting enterprise-wide network attacks. The proposed framework defines three types of components, namely sensor, analysis and response. Sensor components gather evidence about security attacks. Analysis components correlate and combine pieces of attack evidence gathered by sensors in order to detect attacks perceived on the network. Response components execute recommended responses and can be configured to assist humans in executing security countermeasures. Both schematic and formal descriptions of the framework and its components are provided and discussed. General and specific requirements of each component are outlined. To integrate the components of the framework, a lightweight signalling mechanism referred to as "security spaces" is proposed. A security space is a type of "tuple space" that allows sensor, analysis and response components to connect, contribute and communicate security-related information. Its application to distributed sensor and federated sensor environments is described. The detection of enterprise-wide attacks targeting computer networks is accomplished by distributing sensors across the network to collate evidence of perceived attacks, which is communicated to the analysis component for further investigation. In the analysis, a novel approach to data fusion is applied. This approach is underpinned by the Dempster-Shafer theory of evidence, which is used to collectively combine pieces of attack evidence gathered by the sensors. The fusion of sensor evidence helps provide accurate detection of attacks perceived on the entire network. Further, to assist security administrators in visualising and mitigating perceived attacks, graph theory and graph matching algorithms are employed in the analysis. Hence, a graph model, the pattern activity graph, is proposed and investigated for representing security attacks perceived on the network. Both graph isomorphism and subgraph isomorphism are used to compare attack graph templates to data graphs obtained from security events. To validate the objectives of this research, a series of experiments were conducted on a testbed network, where live network traffic was monitored. A dataset comprising background data and attack data was gathered. Background data is normal data obtained by monitoring the testbed network. Attack data was generated through the attacks conducted on the monitored testbed LAN. The attacks were primarily network scans, network worms, web attacks, policy violations, and stealthy network scan attacks.
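The abstract describes combining sensor evidence with the Dempster-Shafer theory of evidence but does not show the arithmetic. The following is an added illustration, not code from the thesis: it implements Dempster's rule of combination over a two-hypothesis frame (attack / normal), folds it over evidence from several sensors, and reports belief and plausibility; the sensor mass assignments are constructed sample values, and the frame, sensor roles and function names are assumptions for the example.

```python
from itertools import product

# Frame of discernment for one monitored host or flow.
ATTACK = frozenset({"attack"})
NORMAL = frozenset({"normal"})
THETA = frozenset({"attack", "normal"})  # whole frame: "don't know"


def combine(m1: dict, m2: dict) -> dict:
    """Dempster's rule: multiply masses of focal elements, keep the
    intersections, renormalise away the mass that fell on the empty set (K)."""
    combined: dict = {}
    conflict = 0.0
    for (a, ma), (b, mb) in product(m1.items(), m2.items()):
        inter = a & b
        if inter:
            combined[inter] = combined.get(inter, 0.0) + ma * mb
        else:
            conflict += ma * mb  # contradictory evidence
    if conflict >= 1.0 - 1e-12:
        raise ValueError("total conflict: Dempster's rule is undefined")
    return {k: v / (1.0 - conflict) for k, v in combined.items()}


def fuse_sensors(masses: list) -> dict:
    """Fold the rule over evidence from any number of sensors."""
    fused = masses[0]
    for m in masses[1:]:
        fused = combine(fused, m)
    return fused


def belief(m: dict, h: frozenset) -> float:
    """Bel(H): mass on subsets of H (evidence that definitely supports H)."""
    return sum(v for k, v in m.items() if k <= h)


def plausibility(m: dict, h: frozenset) -> float:
    """Pl(H): mass on sets intersecting H (evidence not ruling H out)."""
    return sum(v for k, v in m.items() if k & h)


# Constructed sample evidence (not data from the thesis): three sensors
# watching the same host, each splitting its mass between the hypotheses.
SAMPLE_SENSORS = [
    {ATTACK: 0.6, THETA: 0.4},               # scan detector: fairly confident
    {ATTACK: 0.3, NORMAL: 0.2, THETA: 0.5},  # web sensor: weak and mixed
    {NORMAL: 0.5, THETA: 0.5},               # policy monitor: sees nothing wrong
]
```

The gap between Bel(attack) and Pl(attack) in the fused result is the mass still on the whole frame, which is what an analysis component would treat as residual uncertainty rather than forcing a verdict.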
