File: Jonathan_Chu.pdf (application/pdf, 503 kB)

Title: The Triple Pot and techniques in distributed system call intrusion detection
Author(s): Chu, Jonathan
Advisor(s): Campbell, Roy H.
Department / Program: Computer Science
Discipline: Computer Science
Degree Granting Institution: University of Illinois at Urbana-Champaign
Subject(s): system call; intrusion detection
Abstract: In cyber security, engineers need to devise ways to protect their systems from hackers. One of the ways that they do this is through intrusion detection. Host based intrusion detection systems reside on the computer and perform internal diagnostics of a computer to detect malware and misuse. These HIDS use a variety of methods to detect and prevent attacks, such as file integrity verification, log monitoring, file access patterns, etc. In this thesis, we look at the method of analyzing system calls for anomalous behavior. Programs use system calls to gain access to functions from an operating system's kernel. Therefore, it is theoretically possible to detect when a hacker may be exploiting a program by analyzing the system call patterns of an application. However, despite previous work in this area, there remain many challenges to accurately detecting malicious exploits and intruders through system call analysis, which have prevented it from being used in real systems. To help bridge the gap and address the challenges in making system call analysis a reality, we introduce a new method of system call analysis that we call the Triple Pot method. Our method utilizes three computers running concurrently on the same network to check for anomalous behavior of an application. The key idea is that by setting up a staged, fake network of computers we can get the hacker to identify their exploit for us. We will show how our method can be used to automatically identify zero day attacks that could not previously have been detected using earlier system call analysis methods. In addition, we also introduce a method to aggregate and analyze system calls from distributed machines, using information from multiple computers to detect zero day attacks. We do this by creating a probabilistic model of the networked computer systems to determine the likelihood that an application is exhibiting anomalous behavior that is caused by a malicious hacker. Our methods can accurately locate malicious behavior with low false positives.
Issue Date: 2014-05-30
Rights Information: Copyright 2014 Jonathan Ming-Guy Chu
Date Available in IDEALS: 2014-05-30
Date Deposited: 2014-05