Auburn University Electronic Theses and Dissertations

Intrusion Resilient and Real-Time Forensics

Date

2011-12-05

Author

Liu, Tong

Type of Degree

dissertation

Department

Electrical Engineering

Abstract

Intrusion into a corporate network and unauthorized access to sensitive information can cause huge damage and intellectual property loss. In addition to intrusion, Denial of Service (DoS)/Distributed DoS (DDoS) attacks are also an imminent threat to an authentication server, which is used to guard access to firewalls, virtual private networks and resources connected by wired/wireless networks. Currently, most of the work has focused on Intrusion Detection Systems (IDS)/Intrusion Prevention Systems (IPS), anti-malware, Network Access Control (NAC)/Network Access Protection (NAP), firewalls, or their combinations. However, each of these has weaknesses and cannot protect the network against intrusion thoroughly.

In this dissertation, we propose two security systems to protect network infrastructure against intrusion and data theft. The first approach distributes two-factor user secrets and authentication servers. A queueing model is utilized to analyze the performance of the proposed system. We also propose another innovative space-time evolving authentication scheme that includes users, processes, parent processes, applications and behaviors, as well as guarded information resources. This systems-oriented methodology employs security agents to proactively acquire and guard logs, and to reconstruct the space-time events of logs. A violation of an ACL triggers a correlation engine to trace back related events in real time to identify the attack, the attacker and the damage, including lost information in servers, hosts and devices. To test the performance, we first develop the system model, which includes Client, Security Agent, Super Security Agent, Authentication Server, and Database Server, using Java with JDK 1.6, against SQL injection attacks and cross-site scripting attacks. Later on, we simulate the system at large scale with Matlab and OPNET. The simulation results suggest that our proposed schemes are fast and effective against intrusion and data theft.