The Triple Pot and techniques in distributed system call intrusion detection
Chu, Jonathan
Permalink
https://hdl.handle.net/2142/49411
Description
- Title
- The Triple Pot and techniques in distributed system call intrusion detection
- Author(s)
- Chu, Jonathan
- Issue Date
- 2014-05-30T16:42:36Z
- Director of Research (if dissertation) or Advisor (if thesis)
- Campbell, Roy H.
- Department of Study
- Computer Science
- Discipline
- Computer Science
- Degree Granting Institution
- University of Illinois at Urbana-Champaign
- Degree Name
- M.S.
- Degree Level
- Thesis
- Keyword(s)
- system call
- intrusion detection
- security
- computers
- Abstract
- In cyber security, engineers need to devise ways to protect their systems from attackers, and one of those ways is intrusion detection. Host-based intrusion detection systems (HIDS) reside on the computer and perform internal diagnostics to detect malware and misuse, using methods such as file integrity verification, log monitoring and file access patterns. In this thesis, we look at analyzing system calls for anomalous behavior. Programs use system calls to reach functions of the operating system kernel, so it is in principle possible to detect that an attacker is exploiting a program by analyzing the application's system call patterns. However, despite previous work in this area, many challenges remain in accurately detecting malicious exploits and intruders through system call analysis, and these have kept it out of real systems. To help bridge that gap, we introduce a new method of system call analysis that we call the Triple Pot method. It uses three computers running concurrently on the same network to check an application for anomalous behavior; the key idea is that by setting up a staged, fake network of computers we can get the attacker to identify their exploit for us. We show how the method can automatically identify zero-day attacks that previous system call analysis methods could not detect. In addition, we introduce a method to aggregate and analyze system calls from distributed machines, so that information from multiple computers can be used to detect zero-day attacks: we build a probabilistic model of the networked computer systems to determine the likelihood that an application's anomalous behavior is caused by a malicious attacker. Our methods accurately locate malicious behavior with a low false-positive rate.
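As an added illustration (not code from the thesis or its author) of what system call analysis compares, the block below builds a sliding-window (n-gram) profile of an application's normal system calls and then scores live traces from three hosts running the same application concurrently; a window never seen during profiling that shows up on only one host is reported as a candidate exploit footprint. This is the classical sequence-based approach the abstract refers to as previous system call analysis, extended with a simple cross-host comparison; it does not reproduce the Triple Pot method or the thesis's probabilistic model. The traces, host names, window length and threshold are all constructed for the example.

```python
# Added illustration, not the thesis's Triple Pot code: a sliding-window (n-gram)
# system-call profile plus a cross-host comparison of hosts running the same
# application concurrently. All traces below are constructed sample data.
from collections import Counter
from typing import Dict, Iterable, List, Set, Tuple

N = 3  # window length (assumed); short windows of 3 to 6 calls are typical

Gram = Tuple[str, ...]


def ngrams(trace: List[str], n: int = N) -> List[Gram]:
    """Slide a window of length n over a system-call trace."""
    return [tuple(trace[i:i + n]) for i in range(len(trace) - n + 1)]


def build_profile(normal_traces: Iterable[List[str]], n: int = N) -> Set[Gram]:
    """Record every n-gram observed while the application ran without attack."""
    profile: Set[Gram] = set()
    for trace in normal_traces:
        profile.update(ngrams(trace, n))
    return profile


def mismatch_rate(trace: List[str], profile: Set[Gram], n: int = N) -> float:
    """Fraction of windows in a live trace that never occurred during profiling."""
    grams = ngrams(trace, n)
    if not grams:
        return 0.0
    return sum(1 for g in grams if g not in profile) / len(grams)


def score_hosts(live: Dict[str, List[str]], profile: Set[Gram], n: int = N) -> Dict[str, float]:
    """Mismatch rate per host for hosts running the same application concurrently."""
    return {host: mismatch_rate(trace, profile, n) for host, trace in live.items()}


def flag_hosts(live: Dict[str, List[str]], profile: Set[Gram],
               threshold: float = 0.2, n: int = N) -> Dict[str, float]:
    """Hosts whose mismatch rate exceeds the (assumed) alert threshold."""
    return {h: s for h, s in score_hosts(live, profile, n).items() if s > threshold}


def unique_unseen_ngrams(live: Dict[str, List[str]], profile: Set[Gram],
                         n: int = N) -> Dict[str, Set[Gram]]:
    """Cross-host check: an unseen n-gram present on exactly one of the concurrent
    hosts is the strongest exploit candidate. An unseen n-gram present on every
    host is more plausibly a workload change and is not reported."""
    unseen_by_host = {h: {g for g in ngrams(t, n) if g not in profile}
                      for h, t in live.items()}
    hosts_seen_on = Counter(g for grams in unseen_by_host.values() for g in grams)
    result: Dict[str, Set[Gram]] = {}
    for host, grams in unseen_by_host.items():
        unique = {g for g in grams if hosts_seen_on[g] == 1}
        if unique:
            result[host] = unique
    return result


# Constructed sample data: a toy network server profiled under normal load ...
NORMAL_TRACES = [
    ["socket", "bind", "listen", "accept", "read", "write", "close"],
    ["socket", "bind", "listen", "accept", "read", "read", "write", "close"],
    ["accept", "read", "write", "write", "close", "accept"],
]

# ... and live traces from three hosts running it concurrently. host-c's trace
# is a constructed example of the call pattern left by injected code.
LIVE_TRACES = {
    "host-a": ["accept", "read", "write", "close", "accept"],
    "host-b": ["accept", "read", "read", "write", "close"],
    "host-c": ["accept", "read", "mmap", "mprotect", "execve", "socket", "connect"],
}

if __name__ == "__main__":
    profile = build_profile(NORMAL_TRACES)
    print("scores:", score_hosts(LIVE_TRACES, profile))
    print("flagged:", flag_hosts(LIVE_TRACES, profile))
    for host, grams in unique_unseen_ngrams(LIVE_TRACES, profile).items():
        print(host, "unique unseen windows:", sorted(grams))
```

Run it and host-c is the only host flagged, with its five unseen windows reported as unique to it; host-a and host-b score 0.0 because every window in their traces occurred during profiling. The cross-host step is what distinguishes a single exploited host from a fleet-wide workload shift, which a per-host model alone cannot do.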
- Graduation Semester
- 2014-05
- Copyright and License Information
- Copyright 2014 Jonathan Ming-Guy Chu
Owning Collections
- Graduate Dissertations and Theses at Illinois (primary): Graduate Theses and Dissertations at Illinois
- Dissertations and Theses - Computer Science: Dissertations and Theses from the Dept. of Computer Science