Cooperative intrusion detection for the next generation Carrier Ethernet

Current OSI layer 2 network elements (NEs, e.g., bridges and switches) are complex hardware and software boxes, often running an operating system together with service and administration software, and can be vulnerable to attacks, including remote code execution inside them. The purpose of this thesis is to present an architecture that protects the Carrier Ethernet network infrastructure from attacks performed by malicious NEs against the protocol that manages the active layer 2 topology, the Spanning Tree Protocol (STP), and its variants. This thesis proposes that each NE is equipped with an intrusion detection component. Each detector uses specification-based intrusion detection to inspect the behaviour of other NEs through analysis of the messages received from them. The correct behaviour of an NE is derived from the standard specification of STP; if the observed behaviour deviates from the expected one, the NE is considered malicious. The specification is extended with temporal pattern annotations in order to detect deviations that are only visible across a sequence of messages rather than in a single one. The results of local detection are then transmitted to the other NEs so that they can cooperatively correlate their observations, and malicious NEs can be logically removed from the network by disconnecting the ports connected to them.
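As an added example (not code from the thesis), the following Python sketch shows the two pieces of the approach described above: a per-NE specification-based detector whose field checks are taken from the IEEE 802.1D-1998 Configuration BPDU semantics (parameter ranges, the timer relationship, Message Age below Max Age, the Root Bridge originating with cost and age 0, one BPDU per port per Hold Time), extended with a simple temporal pattern check for root-identity flapping, and a cooperative correlation step that isolates a bridge once enough distinct NEs accuse it. The `Bpdu` record, the `FLAP_WINDOW`/`FLAP_LIMIT` thresholds, the quorum rule, the report format and the BPDU traffic are all constructed for this example and are not the thesis's own model.

```python
"""Toy specification-based STP detector plus a cooperative correlation step."""
from collections import defaultdict
from dataclasses import dataclass

# 802.1D-1998 Table 17-1 permitted parameter ranges, in seconds.
HELLO_RANGE, MAX_AGE_RANGE, FWD_DELAY_RANGE = (1, 10), (6, 40), (4, 30)
HOLD_TIME = 1.0      # 802.1D-1998: at most one Config BPDU per port per Hold Time
FLAP_WINDOW = 30.0   # assumption: window for the root-flapping temporal pattern
FLAP_LIMIT = 3       # assumption: distinct roots inside FLAP_WINDOW before flagging


@dataclass(frozen=True)
class Bpdu:
    """Subset of a Configuration BPDU plus receive metadata (constructed, not captured)."""
    rx_time: float     # local receive time, seconds
    port: str          # local port it arrived on; identifies the neighbour
    root_id: str
    root_path_cost: int
    bridge_id: str     # sender's own Bridge ID
    message_age: int
    max_age: int
    hello_time: int
    forward_delay: int


def check_fields(b: Bpdu) -> list[str]:
    """Stateless checks; each one is a constraint stated in 802.1D."""
    v = []
    for name, val, (lo, hi) in (("hello_time", b.hello_time, HELLO_RANGE),
                                ("max_age", b.max_age, MAX_AGE_RANGE),
                                ("forward_delay", b.forward_delay, FWD_DELAY_RANGE)):
        if not lo <= val <= hi:
            v.append(f"{name} out of range")
    # 802.1D: 2*(Forward Delay - 1) >= Max Age >= 2*(Hello Time + 1)
    if not 2 * (b.forward_delay - 1) >= b.max_age >= 2 * (b.hello_time + 1):
        v.append("timer relationship violated")
    if b.message_age >= b.max_age:
        v.append("message_age not below max_age")
    # The Root Bridge originates with Root Path Cost 0 and Message Age 0;
    # every other bridge must have added a positive path cost.
    if b.bridge_id == b.root_id and (b.root_path_cost or b.message_age):
        v.append("self-declared root with non-zero cost or age")
    if b.bridge_id != b.root_id and b.root_path_cost <= 0:
        v.append("non-root bridge with zero root path cost")
    return v


class Detector:
    """Per-NE detector: field checks plus temporal checks kept per receiving port."""

    def __init__(self, ne_id: str):
        self.ne_id = ne_id
        self.last_rx: dict[str, float] = {}
        self.peer_id: dict[str, str] = {}
        self.roots: dict[str, list[tuple[float, str]]] = defaultdict(list)
        self.reports: list[tuple[str, str, str]] = []   # (accuser, accused, reason)

    def observe(self, b: Bpdu) -> list[str]:
        v = check_fields(b)
        # Assumption: point-to-point links, so the neighbour's Bridge ID per port is stable.
        if self.peer_id.setdefault(b.port, b.bridge_id) != b.bridge_id:
            v.append("bridge_id changed on port")
        # Temporal: Hold Time limits a port to one Config BPDU per second.
        if b.port in self.last_rx and b.rx_time - self.last_rx[b.port] < HOLD_TIME:
            v.append("BPDU rate exceeds hold time")
        self.last_rx[b.port] = b.rx_time
        # Temporal pattern: several distinct roots announced within a short window.
        hist = [(t, r) for t, r in self.roots[b.port] if b.rx_time - t <= FLAP_WINDOW]
        hist.append((b.rx_time, b.root_id))
        self.roots[b.port] = hist
        if len({r for _, r in hist}) >= FLAP_LIMIT:
            v.append("root identity flapping")
        self.reports.extend((self.ne_id, b.bridge_id, reason) for reason in v)
        return v


def correlate(reports, quorum: int) -> set[str]:
    """Cooperative step: isolate every bridge accused by at least `quorum` distinct NEs.
    The quorum rule is an assumption standing in for the thesis's correlation scheme."""
    accusers = defaultdict(set)
    for accuser, accused, _ in reports:
        accusers[accused].add(accuser)
    return {bid for bid, who in accusers.items() if len(who) >= quorum}


def run_scenario() -> tuple[dict[str, list[str]], set[str]]:
    """Constructed traffic: B1 behaves; B9 claims to be root with a non-zero cost
    and floods BPDUs, observed independently by NEs A and C."""
    ok = dict(root_id="8000.0001", bridge_id="8000.0002", root_path_cost=4,
              message_age=1, max_age=20, hello_time=2, forward_delay=15)
    bad = dict(root_id="8000.0009", bridge_id="8000.0009", root_path_cost=4,
               message_age=1, max_age=20, hello_time=2, forward_delay=15)
    a, c = Detector("A"), Detector("C")
    findings: dict[str, list[str]] = {"A<-B1": [], "A<-B9": [], "C<-B9": []}
    for t in (0.0, 2.0, 4.0):                       # one BPDU per Hello Time
        findings["A<-B1"].extend(a.observe(Bpdu(t, "a1", **ok)))
    for det, port in ((a, "a2"), (c, "c1")):
        for t in (0.0, 0.2, 0.4):                   # three BPDUs inside one Hold Time
            findings[f"{det.ne_id}<-B9"].extend(det.observe(Bpdu(t, port, **bad)))
    return findings, correlate(a.reports + c.reports, quorum=2)
```

In the scenario, A alone already accuses B9 locally, but the port-disconnect decision is only taken once C independently reports the same bridge, which is the point of exchanging local verdicts: a single compromised or confused detector cannot remove a bridge by itself.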