Detecting Concurrent Intrusions

1
Detecting Concurrent Intrusions by Comparing
Lattices
Sule Simsek and Supervisor Dr. Bruce
McMillin simsek, ff _at_umr.edu Computer Science
Department
Funded in part through NSF grant CNS-0420869 and
UMR Intelligent Systems Center
The Problem

• Existing intrusion detection techniques focus on
  intrusions caused by individual processors
• Intrusions are also formed from processors
  interactions
• Need a tool to view the distributed system
  globally

Intrusion Signatures
Distributed System Data

• Library of
• intrusion signature
• lattices

Objectives

• Create a library of intrusion signatures
• Construct distributed system scenarios which
  include these intrusions and represent them as
  distributive lattices
• Collect distributed system trace and represent it
  as a test lattice
• Compare online the test lattice with each
  intrusion signature gathered from intrusion
  signature library
• Find a quantitative metric (set of edit
  operations with associated costs) which
  transforms test lattice into intrusion lattice
• Based on the quantitative metric, reason about
  the existence of intrusion within the test lattice

• MIDDLEWARE
• (MATCH ?)

Test Lattice
Yes
No
STOP Intrusion
Access the next intrusion signature
Proposed Framework
Intrusion Signature Lattice
Edit Operations
Test Lattice

• Delete Delete extra node(s)
• Update Update the timestamps
• Move Up Move up the node(s) to the nearest
  related node(s)
• Re-build Re-build the lattice
• Challenges
• Exponential growth of the lattice
• Series of transformations and their costs

P1 P2 P3
P4
P1 P2 P3
P4
(a) 1000

(b) 2020 (a) 3020
(a) 4020
1010 (f) 1020 (e) 1030 (e) 1040 (e)
3120 (d) 3230 (d) 3330 (c)

1041 (h) 3342 (h) 4343 (h)

Transform Test Lattice into Intrusion Signature
Lattice by using the edit operations.