My Ph.D. dissertation is called Using Internal Sensors for Computer Intrusion Detection (PostScript: 1.1MB, PDF: 519KB), and is the basis for the ESP project at CERIAS. Read on for a more detailed description (of course, read the dissertation for the full details).
Most of my research at CERIAS has been in the area of intrusion detection. I worked in the AAFID project, which showed the feasibility of using small independent components (called "autonomous agents" in AAFID) for performing intrusion detection.
However, AAFID also exposed some of the problems of the approach. One particularly limiting problem, shared by virtually every existing intrusion detection system, is that of using separate processes for the intrusion detection components. The use of separate processes means that the intrusion detection system imposes a constant overhead on the systems where the components are running (because of the overhead caused by the extra process(es)), that it is vulnerable to tampering or disabling by an attacker (if he manages to kill or otherwise disable the intrusion detection processes) and in some cases, that its scalability is limited (in the current implementation of AAFID each agent is implemented as a separate process, which limits the maximum number of agents that can be running on a single host).
This caused my work to shift towards lower-level components, which I now call internal sensors and embedded detectors. Briefly, they are defined as follows:
Internal sensors and embedded detectors have a number of advantages, including:
They also have some disadvantages, mainly that their implementation is completely dependent on the program in which they are implemented.
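The following is an added illustration of the architecture described above; it is not code from the dissertation or from the ESP project. It assumes the usual reading of the two terms: an internal sensor is data-collection code placed inside the monitored program itself, and an embedded detector is such a sensor that also carries the detection logic. Here a toy request parser (constructed input, not real traffic) contains two embedded detectors that fire at the exact point where the program already has the relevant data, and the observations are recorded in-process by a sensor routine; there is no separate monitoring process to impose overhead, to be killed, or to limit how many detectors can coexist. The function and type names (`esp_sensor_report`, `handle_request`, `struct esp_event`) are hypothetical.

```c
/* Added example: internal sensor + embedded detectors inside the monitored program.
 * Not code from the dissertation or the ESP project; names are hypothetical. */
#include <stdio.h>
#include <string.h>

#define MAX_PATH   64   /* size of the program's own path buffer */
#define MAX_EVENTS 16   /* capacity of the in-process event record */

/* Event record written by the internal sensor. Living in the program's address
 * space, it costs no extra process and cannot be killed independently. */
struct esp_event {
    const char *detector;   /* which embedded detector fired */
    char detail[96];        /* what it saw, copied from the program's own data */
};
static struct esp_event esp_events[MAX_EVENTS];
static int esp_count = 0;

/* Internal sensor: the single point through which detectors report. */
static void esp_sensor_report(const char *detector, const char *detail)
{
    if (esp_count < MAX_EVENTS) {
        esp_events[esp_count].detector = detector;
        snprintf(esp_events[esp_count].detail,
                 sizeof esp_events[esp_count].detail, "%s", detail);
        esp_count++;
    }
}

/* Monitored program logic: parse "GET <path> ..." into path_out (MAX_PATH bytes).
 * Returns 0 on success, -1 for an unknown method, -2 for an overlong path. */
int handle_request(const char *line, char *path_out)
{
    if (strncmp(line, "GET ", 4) != 0) {
        /* Embedded detector 1: method check, placed where the program decides it. */
        esp_sensor_report("bad-method", line);
        return -1;
    }
    const char *p = line + 4;
    size_t n = strcspn(p, " \r\n");
    /* Embedded detector 2: the program already knows the path length here;
     * an external monitor would have to re-parse the traffic to learn it. */
    if (n >= MAX_PATH) {
        esp_sensor_report("overlong-path", "path length exceeds MAX_PATH");
        return -2;
    }
    memcpy(path_out, p, n);
    path_out[n] = '\0';
    return 0;
}

/* Accessors so the recorded observations can be inspected or exported. */
int esp_event_count(void) { return esp_count; }
const char *esp_event_detector(int i)
{
    return (i >= 0 && i < esp_count) ? esp_events[i].detector : NULL;
}
void esp_reset(void) { esp_count = 0; }

int main(void)
{
    char path[MAX_PATH];
    char longreq[160];
    /* Constructed sample requests, not captured traffic. */
    const char *reqs[] = { "GET /index.html HTTP/1.0\r\n", "POST /x HTTP/1.0\r\n" };
    for (size_t i = 0; i < sizeof reqs / sizeof reqs[0]; i++)
        printf("%-28.26s -> %d\n", reqs[i], handle_request(reqs[i], path));
    memset(longreq, 'A', sizeof longreq);
    memcpy(longreq, "GET /", 5);
    longreq[sizeof longreq - 1] = '\0';
    printf("overlong request         -> %d\n", handle_request(longreq, path));
    for (int i = 0; i < esp_event_count(); i++)
        printf("event %d: %s (%s)\n", i, esp_events[i].detector, esp_events[i].detail);
    return 0;
}
```

The point of the layout is that each detector is a few lines at the spot where the program already holds the data it needs, which is what gives the approach its low overhead and tamper resistance; the cost, as the text notes, is that these lines are specific to this program and must be rewritten for any other.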
My thesis research is on showing that it is possible to build an intrusion detection system based on internal sensors and embedded detectors, on investigating the characteristics and limitations of such a system, and on the possibility that such a system could be used to detect new attacks without the need to constantly implement new sensors and detectors.
My thesis research is the base for the ESP project at CERIAS. ESP stands for "Embedded Sensors Project", because it was named before I developed the concept of embedded detectors as a different thing from internal sensors.
The ESP project is currently working on the implementation of sensors and detectors for a number of different attacks and intrusions, using OpenBSD as an implementation platform. We are also using this project as a platform for some other research ideas based on the concept of internal sensors.
We have currently around 50 detectors implemented. My goal is to reach approximately 100 detectors for the purposes of analysis in my thesis.
This is my final Ph.D. dissertation, defended on July 13, 2001.
This is my original thesis proposal, as defended before my committee in January 2000. A few changes have occurred after I defended it, particularly the distinction between internal sensors and embedded detectors, which is not made in the original proposal.
This paper explores the different types of data collection methods for intrusion detection systems, and discusses their advantages and disadvantages. This is where we introduced the concepts of direct and indirect monitoring, internal and external sensors, and some others.
This paper describes the implementation of internal sensors and embedded detectors for detecting network attacks. It shows representative code for most of the sensors and discusses some of the issues encountered while implementing them.
This talk discussed some of the design and implementation issues for the network detectors described in the paper above.
This paper (under review right now, so no link, sorry) describes in detail the idea of internal sensors and embedded detectors, discusses their advantages and disadvantages, and presents two case studies and some performance results based on our current implementation.
If you have any questions, comments, or simply want to talk about this work, feel free to drop me an email.