Cooperative Intrusion Detection Model Based on State Transition Analysis

Many intrusion behaviors can be characterized as the execution of a sequence of crucial commands that results in unauthorized access. Many attack sequences can be derived from such a sequence, either by properly exchanging the order of crucial commands or by replacing crucial commands with functionally similar commands that achieve the same effect. Such attacks are therefore very difficult to detect. In this paper, we propose a cooperative intrusion detection model based on state transition analysis, in which topological ordering and isomorphic transformation are adopted. For a given sequence of crucial commands of an intrusion, all the possible derived sequences can be generated by means of the model and treated as one intrusion scenario. The model can also be used to detect attacks carried out by different cooperating attackers and attacks carried out by one attacker across different login sessions. Furthermore, a derived intrusion can be seen as an unknown intrusion, in the sense that the technique presented in this paper can detect some unknown intrusions.
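As an added illustration (not code from the paper), the following Python sketch generates the derived sequences of a scenario from a partial order over crucial-command roles (topological ordering) and sets of functionally similar commands (isomorphic transformation), then checks a merged, multi-session event stream against them; the roles, commands, ordering constraints and events are all constructed for this example.

```python
from itertools import product

# Constructed scenario (hypothetical, not from the paper): each crucial-command
# role maps to a set of functionally similar commands (isomorphic transformation);
# PRECEDES holds the (before, after) role pairs whose order must be kept.
ROLES = {"stage": {"cp", "mv"}, "edit": {"sed", "vi"}, "run": {"sh", "bash"}}
# "run" must follow both other roles; "stage" and "edit" are mutually unordered.
PRECEDES = {("stage", "run"), ("edit", "run")}


def topological_orders(roles, precedes):
    """All linear extensions of the partial order, i.e. every admissible role order."""
    def extend(prefix, remaining):
        if not remaining:
            yield tuple(prefix)
            return
        for role in sorted(remaining):
            # A role may come next only once all of its predecessors are placed.
            if all(b in prefix for b, a in precedes if a == role):
                yield from extend(prefix + [role], remaining - {role})
    return sorted(extend([], set(roles)))


def derived_sequences(roles, precedes):
    """Every derived command sequence: topological orders x equivalent-command choices."""
    return {cmds
            for order in topological_orders(roles, precedes)
            for cmds in product(*(sorted(roles[r]) for r in order))}


def find_intrusion(events, roles, precedes):
    """Return the derived sequence found as a subsequence of the merged event stream, else None.
    events are (timestamp, session_id, command), merged by time regardless of session, so a
    scenario split across cooperating attackers or across login sessions is still recognised."""
    stream = [cmd for _, _, cmd in sorted(events)]
    for seq in sorted(derived_sequences(roles, precedes)):
        pos = 0  # index of the next crucial command still to be seen
        for cmd in stream:
            if pos < len(seq) and cmd == seq[pos]:
                pos += 1
        if pos == len(seq):
            return seq
    return None


# Constructed events: two sessions whose merged stream completes the scenario.
EVENTS = [(1, "sess-A", "cp"), (2, "sess-B", "vi"), (3, "sess-A", "bash")]
```

Enumerating every derived sequence is exponential in the number of roles; a real detector would instead advance one state machine per scenario over the merged stream, but the enumeration makes the size of the scenario space visible.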
