Rajput, Saeed

Person Preferred Name
Rajput, Saeed
Model
Digital Document
Publisher
Florida Atlantic University
Description
Recent worms have used sophisticated propagation techniques to spread faster than patches can be distributed, and have exploited previously unknown vulnerabilities. To prevent a repetition of such epidemics in the future, active defense mechanisms are needed that not only identify malicious activity but can also defend against a widespread outbreak. We provide a framework capable of reacting quickly to quarantine infections. The fundamental components of our framework are a detector and a VLAN switch. We have provided a proof-of-concept implementation, using the Blaster worm as an example, and demonstrate that detection of worms is possible and that individual infected hosts can be isolated quickly. Furthermore, using Monte Carlo simulations, we show that such containment of future epidemics is possible. In addition, we compute the overhead of the detection and mitigation approaches and show that our approach has lower overhead than the others.
Model
Digital Document
Publisher
Florida Atlantic University
Description
An unsupervised learning algorithm for application-level intrusion detection, named the Graph Sequence Learning Algorithm (GSLA), is proposed in this dissertation. Experiments demonstrate its effectiveness. As in most intrusion detection algorithms, in GSLA the normal profile must be learned first. The normal profile is built using a session learning method, which is combined with the one-way Analysis of Variance method (ANOVA) to determine the value of an anomaly threshold. In the proposed approach, a hash table is used to store a sparse data matrix in triple format, collected from a web transition log, instead of an n-by-n matrix. Furthermore, in GSLA the sequence learning matrix can be changed dynamically according to the volume of the data set. Therefore, this approach is more efficient, easier to manipulate, and saves memory. To validate the effectiveness of the algorithm, extensive simulations have been conducted by applying GSLA to the homework submission system of our computer science and engineering department. The performance of GSLA is evaluated and compared with the traditional Markov Model (MM) and K-means algorithms. Specifically, three major experiments have been done: (1) A small data set is collected as sample data and applied to the GSLA, MM, and K-means algorithms to illustrate the operation of the proposed algorithm and demonstrate the detection of abnormal behaviors. (2) The Random Walk-Through sampling method is used to generate a larger sample data set, and the resulting anomaly scores are classified into several clusters in order to visualize and demonstrate normal and abnormal behaviors with the K-means and GSLA algorithms. (3) Multiple professors' data sets are collected and used to build normal profiles, and the ANOVA method is used to test for significant differences among the professors' normal profiles. The GSLA algorithm can be built as a module and plugged into an IDS as an anomaly detection component.
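Two ideas from the abstract above are easy to see in code: holding the page-transition matrix as a hash table of (row, column, value) triples so that memory grows with observed transitions rather than with the square of the number of pages, and scoring a new session against a Markov-style normal profile learned from a web transition log. The following is an added example written for this page, not the GSLA implementation from the dissertation; the log format, the Laplace smoothing, the mean negative log-likelihood score and the threshold are all assumptions made for the illustration, and the log lines are constructed.

```python
"""Sparse session-transition profile for web-log anomaly detection (added example).

Not the dissertation's GSLA code: it illustrates the sparse (from, to) -> count
hash table and a Markov-style normal profile scored against new sessions. The
log format, smoothing and scoring rule are assumptions made for this example.
"""
from collections import defaultdict
import math

# Constructed sample training log: one request per line, "session_id page",
# in request order. Stands in for a homework-submission web transition log.
NORMAL_LOG = """\
s1 login
s1 courses
s1 assignment
s1 upload
s1 logout
s2 login
s2 courses
s2 assignment
s2 upload
s2 logout
s3 login
s3 courses
s3 grades
s3 logout
"""

# Constructed session to score: jumps straight to grades, then loops on upload.
SUSPECT_LOG = """\
a1 login
a1 grades
a1 upload
a1 upload
a1 assignment
"""

# Assumed cut-off for flagging a session; in the dissertation the threshold
# is derived with ANOVA, which this example does not reproduce.
THRESHOLD = 1.5


def parse_sessions(log_text):
    """Group log lines into ordered page sequences keyed by session id."""
    sessions = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        sid, page = line.split(maxsplit=1)
        sessions[sid].append(page)
    return dict(sessions)


def build_profile(sessions):
    """Normal profile as a sparse transition-count matrix: only observed
    (from, to) pairs are stored, each as a triple (row, column, count)."""
    counts = defaultdict(int)
    for pages in sessions.values():
        for src, dst in zip(pages, pages[1:]):
            counts[(src, dst)] += 1
    return dict(counts)


def transition_probability(profile, src, dst, alpha=1.0):
    """Laplace-smoothed P(dst | src): unseen transitions are unlikely, not impossible."""
    vocab = {p for pair in profile for p in pair}
    row_total = sum(c for (s, _), c in profile.items() if s == src)
    count = profile.get((src, dst), 0)
    return (count + alpha) / (row_total + alpha * (len(vocab) + 1))


def session_score(profile, pages):
    """Anomaly score: mean negative log-likelihood of the session's transitions.
    Higher means the session follows transitions the profile rarely saw."""
    transitions = list(zip(pages, pages[1:]))
    if not transitions:
        return 0.0
    nll = [-math.log(transition_probability(profile, s, d)) for s, d in transitions]
    return sum(nll) / len(nll)


def flag_anomalies(profile, sessions, threshold=THRESHOLD):
    """Return {session_id: score} for every session scoring above the threshold."""
    flagged = {}
    for sid, pages in sessions.items():
        score = session_score(profile, pages)
        if score > threshold:
            flagged[sid] = round(score, 3)
    return flagged


if __name__ == "__main__":
    normal = parse_sessions(NORMAL_LOG)
    profile = build_profile(normal)
    print("stored transitions:", len(profile), "of", len({p for k in profile for p in k}) ** 2, "possible")
    print("normal sessions flagged:", flag_anomalies(profile, normal))
    print("suspect sessions flagged:", flag_anomalies(profile, parse_sessions(SUSPECT_LOG)))
```

With the constructed data the profile stores 6 of 36 possible transitions, the three training sessions score around 1.1 or lower, and the suspect session scores about 2.2 and is flagged. Scanning the hash table for a row total on every lookup is fine for an illustration; a production profile would keep per-row totals alongside the triples.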