Dissertations / Theses on the topic 'Intrusion Prevention System'

1

Tamagna-Darr, Lucas. "Evaluating the effectiveness of an intrusion prevention system-honeypot hybrid /." Online version of thesis, 2009. http://hdl.handle.net/1850/10837.

2

Dubell, Michael, and David Johansson. "Nätverkssäkerhet med IPS : Förbättrad nätverkssäkerhet med Intrusion Prevention Systems." Thesis, Högskolan i Halmstad, Sektionen för Informationsvetenskap, Data– och Elektroteknik (IDE), 2013. http://urn.kb.se/resolve?urn=urn:nbn:se:hh:diva-23347.

Abstract:
Protecting one's IT environment against different types of intrusions and attacks, such as trojans, malicious Java applets or DoS attacks, with the help of firewalls and antivirus software constitutes two important layers of the perimeter defence. This thesis examines how well an Intrusion Prevention System could serve as an additional layer in that perimeter defence. The focus is on how well the IPS manages to ward off attacks, how much time configuration and operation take to get a working IPS, and how network performance is affected by the implementation. To measure how well the IPS detects and blocks attacks, two experiments are performed in which a small network is attacked in different ways. In the first experiment the infrastructure is protected by a firewall and the clients are equipped with antivirus software. In the second experiment the same attacks are carried out again, but with a Snort IPS implemented in the network. The results of the experiments show that an IPS manages to block about 87% of the attacks, but network performance is affected negatively. The conclusion is that firewalls and antivirus software alone do not provide adequate protection.
3

Strnad, Matěj. "Návrh zabezpečení průmyslového řídícího systému." Master's thesis, Vysoké učení technické v Brně. Fakulta podnikatelská, 2019. http://www.nusl.cz/ntk/nusl-399322.

Abstract:
The subject of the master's thesis is a design of security measures for securing of an industrial control system. It includes an analysis of characteristics of communication environment and specifics of industrial communication systems, a comparison of available technological means and a design of a solution according to investor's requirements.
5

Pagna, Disso Jules Ferdinand. "A novel intrusion detection system (IDS) architecture : attack detection based on snort for multistage attack scenarios in a multi-cores environment." Thesis, University of Bradford, 2010. http://hdl.handle.net/10454/5248.

Abstract:
Recent research has indicated that although security systems are developing, illegal intrusion into computers is on the rise. The research conducted here illustrates that improving intrusion detection and prevention methods is fundamental for improving the overall security of systems. This research includes the design of a novel Intrusion Detection System (IDS) which identifies four levels of visibility of attacks. Two major areas of security concern were identified: speed and volume of attacks; and complexity of multistage attacks. Hence, the Multistage Intrusion Detection and Prevention System (MIDaPS) that is designed here is made of two fundamental elements: a multistage attack engine that heavily depends on attack trees and a Denial of Service Engine. MIDaPS was tested and found to improve current intrusion detection and processing performance. After an intensive literature review, over 25 GB of data was collected on honeynets. This was then used to analyse the complexity of attacks in a series of experiments. Statistical and analytic methods were used to design the novel MIDaPS. Key findings indicate that an attack needs to be protected against at 4 different levels. Hence, MIDaPS is built with 4 levels of protection. As recent attack vectors use legitimate actions, MIDaPS uses a novel approach of attack trees to trace the attacker's actions. MIDaPS was tested and results suggest an improvement to current system performance by 84% whilst detecting DDoS attacks within 10 minutes.
6

Ivvala, Avinash Kiran. "Assessment of Snort Intrusion Prevention System in Virtual Environment Against DoS and DDoS Attacks : An empirical evaluation between source mode and destination mode." Thesis, Blekinge Tekniska Högskola, Institutionen för datalogi och datorsystemteknik, 2017. http://urn.kb.se/resolve?urn=urn:nbn:se:bth-14056.

Abstract:
Context. Cloud computing (CC) has developed as a human-centred computing model that lets its users access resources anywhere on the globe. The resources can be shared among any cloud users, which mainly calls the security of cloud computing into question. Denial of Service and Distributed Denial of Service attacks are generated by attackers to challenge the security of CC. Next-Generation Intrusion Prevention Systems (NGIPS, sometimes referred to as Non-Traditional Intrusion Prevention Systems) are being used as a measure to protect users against these attacks. This research is concerned with the NGIPS techniques that are implemented in the cloud computing environment and their evaluation.

Objectives. In this study, the main objective is to investigate the existing NGIPS techniques that can be deployed in the cloud environment and to provide an empirical comparison of source mode and destination mode of the Snort IPS technique, based on the metrics used for the evaluation of IPS systems.

Methods. In this study, a systematic literature review is used to identify the existing NGIPS techniques. The library databases used to search the literature are Inspec, IEEE Xplore, ACM Digital Library, Wiley, Scopus and Google Scholar. The articles are selected based on inclusion and exclusion criteria. An experiment is selected as the research method for the empirical comparison of source mode and destination mode of the Snort NGIPS found through the literature review. The testbed is designed and implemented with the Snort filter techniques deployed in a virtual machine.

Results. Snort is one of the most used NGIPS against DoS and DDoS attacks in the cloud environment. Some common metrics used for evaluating NGIPS techniques are CPU load, memory usage, bandwidth availability, throughput, true positive rate, false positive rate, true negative rate, false negative rate, and accuracy. From the experiment, it was found that destination mode performs better than source mode in Snort when compared on the CPU load, bandwidth, latency, memory utilization and packet loss rate metrics.

Conclusions. It was concluded that many NGIPS of the cloud computing model are related to each other and use similar techniques to prevent DoS and DDoS attacks. The author also concludes that using source-based and destination-based intrusion detection modes in Snort makes some difference in the performance measures.
7

Hanna, Johan. "Åtgärder för att motverka säkerhetsbrister i katalogtjänster." Thesis, Mälardalens högskola, Akademin för innovation, design och teknik, 2018. http://urn.kb.se/resolve?urn=urn:nbn:se:mdh:diva-39469.

Abstract:
Directory services are and remain a central and critical part of information systems. Directory services collect large amounts of information about users and the permissions of each user. In high-risk environments, where among other things secret and other sensitive information is gathered, directory services are in an exposed position. If a directory service responds incorrectly to a resource request, the consequences can be severe. The work was based on using various security-enhancing measures to build a more robust system that protects the directory service against its authorisation principles being broken and unauthorised personnel or other actors gaining access to sensitive resources. The work aimed to raise awareness of the hypothetical vulnerabilities that exist in a directory service and, based on this, to show how the potential vulnerabilities in the access principles can be counteracted or mitigated. To achieve this, two test cases were devised, one of them theoretical. These were based on an Intrusion Prevention System (IPS) being implemented in one of the test cases and a firewall in the other, theoretical, case. Both measures were placed in the direction of the traffic flow in the respective network segment in order to check users' permissions in real time. The test cases were built as simulations using, among other tools, GNS3 and VirtualBox. The experiment set up with the IPS as the main component gave a positive outcome: using a set of rules, the device could identify specific traffic flows to resources that the intended user did not have access to and, based on this, carry out different types of actions. The experiment with the firewall, however, did not give the desired result, because the functionality sought was not supported in the open-source firewalls examined for the implementation.

The result obtained from the IPS's ability to analyse traffic in real time and carry out predefined actions based on it means that an additional barrier of protection can effectively be built on top of the directory service's own security. Furthermore, this also means that if an IPS is implemented, two mutually independent security measures must fail before an incorrect response is realised, namely the user gaining access to the resource.
8

Stefanova, Zheni Svetoslavova. "Machine Learning Methods for Network Intrusion Detection and Intrusion Prevention Systems." Scholar Commons, 2018. https://scholarcommons.usf.edu/etd/7367.

Abstract:
Given the continuing advancement of networking applications and our increased dependence upon software-based systems, there is a pressing need to develop improved security techniques for defending modern information technology (IT) systems from malicious cyber-attacks. Indeed, anyone can be impacted by such activities, including individuals, corporations, and governments. Furthermore, the sustained expansion of the network user base and its associated set of applications is also introducing additional vulnerabilities which can lead to criminal breaches and loss of critical data. As a result, the broader cybersecurity problem area has emerged as a significant concern, with many solution strategies being proposed for both intrusion detection and prevention. Now in general, the cybersecurity dilemma can be treated as a conflict-resolution setup entailing a security system and minimum of two decision agents with competing goals (e.g., the attacker and the defender). Namely, on the one hand, the defender is focused on guaranteeing that the system operates at or above an adequate (specified) level. Conversely, the attacker is focused on trying to interrupt or corrupt the system’s operation. In light of the above, this dissertation introduces novel methodologies to build appropriate strategies for system administrators (defenders). In particular, detailed mathematical models of security systems are developed to analyze overall performance and predict the likely behavior of the key decision makers influencing the protection structure. The initial objective here is to create a reliable intrusion detection mechanism to help identify malicious attacks at a very early stage, i.e., in order to minimize potentially critical consequences and damage to system privacy and stability. Furthermore, another key objective is also to develop effective intrusion prevention (response) mechanisms. 
Along these lines, a machine learning based solution framework is developed consisting of two modules. Specifically, the first module prepares the system for analysis and detects whether or not there is a cyber-attack. Meanwhile, the second module analyzes the type of the breach and formulates an adequate response. Namely, a decision agent is used in the latter module to investigate the environment and make appropriate decisions in the case of uncertainty. This agent starts by conducting its analysis in a completely unknown milieu but continually learns to adjust its decision making based upon the provided feedback. The overall system is designed to operate in an automated manner without any intervention from administrators or other cybersecurity personnel. Human input is essentially only required to modify some key model (system) parameters and settings. Overall, the framework developed in this dissertation provides a solid foundation from which to develop improved threat detection and protection mechanisms for static setups, with further extensibility for handling streaming data.
9

Cheng, Kah Wai. "Distributed deployment of Therminators in the network." Thesis, Monterey, Calif. : Springfield, Va. : Naval Postgraduate School ; Available from National Technical Information Service, 2004. http://library.nps.navy.mil/uhtbin/hyperion/04Dec%5FCheng%5Kah.pdf.

10

Labbe, Keith G. "Evaluation of two host-based intrusion prevention systems." Thesis, Monterey, Calif. : Springfield, Va. : Naval Postgraduate School ; Available from National Technical Information Service, 2005. http://library.nps.navy.mil/uhtbin/hyperion/05Jun%5FLabbe.pdf.

11

Smith, David C. "Preventing point-of-sale system intrusions." Thesis, Monterey, California: Naval Postgraduate School, 2014. http://hdl.handle.net/10945/42726.

Abstract:
Approved for public release; distribution is unlimited.
Several major United States retailers have suffered large-scale thefts of payment card information as the result of intrusions against point-of-sale systems (smart cash registers). Point-of-sale attacks present a growing threat and can constitute a homeland-security problem due to a trans-national cyber crime element. This thesis presents results of a survey of point-of-sale intrusions that reached at least the start of criminal investigation. The survey showed that attacks were generally quite simple, and predominantly involved guessing passwords and subsequent installation of keyboard loggers. That suggests that countermeasures can be relatively simple although they must overcome organizational inertia. Our analysis leads to several recommendations to improve point-of-sale system security.
12

Abdulazeez, M. B. "Intrusion detection and prevention systems in the cloud environment." Thesis, University of Liverpool, 2017. http://livrepository.liverpool.ac.uk/3009224/.

Abstract:
Cloud computing provides users with computing resources on demand. Despite the recent boom in adoption of cloud services, security remains an important issue. The aim of this work is to study the structure of cloud systems and propose a new security architecture for protecting the cloud against attacks. This work also investigates auto-scaling and how it affects cloud computing security. Finally, this thesis studies load balancing and scheduling in cloud computing, particularly when some of the workload is faulty or malicious. The first original contribution proposes a hierarchical model for intrusion detection in the cloud environment. Finite state machines (FSM) of the model were produced and verified, then analyzed using a probabilistic model checker. Results indicate that, given certain conditions, the proposed model will be in a state that efficiently utilizes resources despite the presence of an attack. In this part of the work, how the cloud handles failure and its relationship to auto-scaling mechanisms within the cloud has been investigated. The second original contribution proposes a lightweight robust scheduling algorithm for load balancing in the cloud, where some of the traffic is not reliable. Formal analysis of the algorithm was conducted and results showed that, given some arrival rates of both genuine and malicious traffic, average queues will stabilize, i.e. they will not grow to infinity. Experimental results studied both queues and latency, and they showed that under the same conditions naive algorithms do not stabilize. The algorithm was then extended to decentralized settings where servers maintain separate queues. In this approach, when a job arrives, a dispatching algorithm is used to decide which server to send it to. Different dispatching algorithms were proposed and experimental results indicate that the new algorithms perform better than some of the existing algorithms.

The results were further extended to heterogeneous settings (servers with different configurations) and it was shown that some algorithms that were stable in the homogeneous setting are not stable under this setting. Simulations monitoring queue sizes confirmed this. It is hoped that this study will inform and enlighten cloud service providers about new ways to improve the security of the cloud in the presence of failures and attacks.
13

Nalubowa, Vivian Gloria. "Smart Home Security Using Intrusion Detection and Prevention Systems." Thesis, Högskolan i Halmstad, Akademin för informationsteknologi, 2019. http://urn.kb.se/resolve?urn=urn:nbn:se:hh:diva-40995.

Abstract:
As the connectivity of home devices increases, so do the volume and sophistication of cyber attacks. Therefore, the need for network security and availability becomes more significant. Numerous countermeasures such as firewalls and router-based packet filtering have been put in place, although these alone are not enough to protect the network from unauthorised access. One of the most efficient methods of stopping network adversaries is using Intrusion Detection and Prevention Systems (IDPS). The goal of an IDPS is to stop security attacks before they can be successfully carried out. In this paper, I looked at four network attacks, namely probing, denial of service, remote to user and user to root, and improved their respective Snort rules to optimize processing time and capturing capacity using regular expressions and fast pattern. Snort with the improved rules captured 100% of the attacks launched at the network, while without the improved rules Snort captured between 0% and 60% of the attacks launched at the network, making an improvement of 40%.
14

Bul'ajoul, W. A. A. A. "Performance of network intrusion detection and prevention systems in highspeed environments." Thesis, Coventry University, 2017. http://curve.coventry.ac.uk/open/items/f3dfcb2a-df8a-4908-9202-e0ed758f86b2/1.

Abstract:
Due to the numerous and increasingly malicious attacks on computer networks and systems, current security tools are often not enough to resolve the issues related to illegal users and reliability, and to provide robust network security. Recent research has indicated that although network security has developed, a major concern about an increase in illegal intrusions remains. Addressing security on every occasion and in every place is a really important and sensitive matter for many users, businesses, governments and enterprises. A Network Intrusion Detection and Prevention System (NIDPS) is one of the most tested, reliable, and strongest forms of technology used to sniff network packets, monitor incoming and outgoing network traffic, and identify the unauthorised usage and mishandling of computer system networks. It can provide a better understanding of the things that are really happening on the network. In addition, an NIDPS has the potential to detect, prevent, and report any evidence of attacks and malicious traffic. It is critical to implement an NIDPS in a computer network that has high traffic and high-speed connectivity. This thesis presents an investigation, involving a literature review and intensive experiments, which shows that current NIDPSs have several shortcomings: they are incapable of detecting or preventing the rising attacks and threats to high-speed environments, such as flood attacks (UDP, TCP, ICMP and HTTP) or Denial and Distributed Denial of Service attacks (DoS/DDoS), because the main purpose of these types of attacks is basically to send heavy traffic to systems at high speed to stop or slow down performance. To investigate the status of NIDPS performance and test the capability of NIDPS analysis, detection, and prevention modes when exposed to malicious attacks that come through high-load and high-speed traffic, a prototype network has been designed.

The prototype consisted of virtual and physical stations including six (6) PCs and three (3) switches (i.e. two layer-2 switches and one layer-3 switch). Several tools were used to carry out the research experiments, implementation and evaluation. The research presents a study using the Snort NIDPS open source software. It shows that NIDPS performance can be weak in the face of high-speed and high-load traffic in terms of packet drops, outstanding packets left without analysis, and failure to detect/prevent unwanted traffic. The research has designed a novel QoS architecture to increase the analytical, detection, and prevention performance of NIDPS when deployed in high-speed networks. It has proposed and evaluated a solution using a novel QoS configuration in a multi-layer switch to organise and improve network traffic performance in order to reduce the packets dropped, and then uses parallel techniques to increase packet processing speed. The novel architecture was tested under different traffic speeds, types, and tasks. The experimental results show that the novel architecture improves network and NIDPS performance.
15

Tevemark, Jonas. "Intrusion Detection and Prevention in IP Based Mobile Networks." Thesis, Linköping University, Department of Electrical Engineering, 2008. http://urn.kb.se/resolve?urn=urn:nbn:se:liu:diva-12015.

Abstract:
Ericsson’s Packet Radio Access Network (PRAN) is a network solution for packet transport in mobile networks, which utilizes the Internet Protocol (IP). The IP protocol offers benefits in responsiveness and performance adaptation to data bursts when compared to Asynchronous Transfer Mode (ATM), which is still often used. There are many manufacturers / operators providing IP services, which reduce costs. The IP’s use on the Internet brings greater end-user knowledge, wider user community and more programs designed for use in IP environments. Because of this, the spectrum of possible attacks against PRAN broadens. This thesis provides information on what protection an Intrusion Prevention System (IPS) can add to the current PRAN solution.

A risk analysis is performed to identify assets in and threats against PRAN, and to discover attacks that can be mitigated by the use of an IPS. Information regarding placement of an IPS in the PRAN network is given and tests of a candidate system are performed. IPS features in hardware currently used by Ericsson as well as missing features are pinpointed. Finally, requirements for an IPS intended for use in PRAN are concluded.
16

Martins, Daniel Mourão. "A Strategy for Detection Systems and Intrusion Prevention Based on Free Software." Universidade Federal do Ceará, 2012. http://www.teses.ufc.br/tde_busca/arquivo.php?codArquivo=8923.

Abstract:
Due to the constant increase in the use of information systems and the potential impact that intrusions into them can cause in all spheres of society, an Intrusion Detection and Prevention System (IDPS) has become a necessity for the network and service security of organisations around the world. These systems usually depend on prior knowledge of attack patterns in order to detect them. This work presents a strategy for scenarios with limited computational and financial resources, using only open-source software for intrusion detection. The proposal is the creation of a flexible and scalable IDPS, with software integration, implementation of alert correlation rules and a signature generator module for Snort, which can increase its efficiency by enabling it to produce knowledge for preventing the recurrence of intrusion attacks not present in its original database, thus minimising the detection problem for these attacks. To validate this proposal, a test scenario was implemented with three server machines, one with the solution's manager module and one with Snort. The results confirmed that this strategy meets the proposed requirements satisfactorily and is an important contribution to research on the theme.
17

Sahin, Umit Burak. "A New Approach For The Scalable Intrusion Detection In High-speed Networks." Master's thesis, METU, 2007. http://etd.lib.metu.edu.tr/upload/12609053/index.pdf.

Abstract:
As the networks become faster and faster, the emerging requirement is to improve the performance of the Intrusion Detection and Prevention Systems (IDPS) to keep up with the increased network throughput. In high speed networks, it is very difficult for the IDPS to process all the packets. Since the throughput of IDPS is not improved as fast as the throughput of the switches and routers, it is necessary to develop new detection techniques other than traditional techniques. In this thesis we propose a rule-based IDPS technique to detect Layer 2-4 attacks by just examining the flow data without inspecting packet payload. Our approach is designed to work as an additional component to existing IDPS as we acknowledge that the attacks at Layer 5 and above require payload inspection. The rule set is constructed and tested on a real network to evaluate the performance of the system.
18

Idrissi, Hind. "Contributions to the security of mobile agent systems." Thesis, La Rochelle, 2016. http://www.theses.fr/2016LAROS022/document.

Abstract:
Recently, distributed computing has witnessed a great evolution due to the use of the mobile agent paradigm, endowed with innovative capabilities, instead of the client-server system where applications are bound to particular nodes in networks. Having captured the interest of researchers and industry, mobile agents are able to autonomously migrate from one node to another across the network, transferring their code and data, which allows them to efficiently perform computations, gather information and accomplish tasks. However, despite its significant benefits, this paradigm still suffers from some limitations that obstruct its expansion, primarily in the area of security. According to the current efforts to investigate the security of mobile agents, two categories of threats are considered.

The first one concerns the attacks carried out on the mobile agent during its travel or stay by malicious hosts or entities, while the second one deals with the attacks performed by a malicious mobile agent in order to affect the hosting platform and consume its resources. Thus, it is substantially needed to conceive a complete security infrastructure for mobile agent systems, which includes methodology, techniques and validation. The aim of this thesis is to propose approaches which provide this technology with security features that fit its overall structure without compromising its mobility, interoperability and autonomy capabilities. Our first approach was based on XML serialization and cryptographic primitives, in order to ensure persistent mobility of the agent as well as secure communication with hosting platforms. In the second approach, we conceived an alternative to the first approach using binary serialization and identity-based cryptography. Our third approach was proposed to introduce an anonymity aspect to the mobile agent, and to provide it with a tracing mechanism to detect intrusions along its trip. The fourth approach was developed in order to restrict access to the resources of the agent platform, using a well-defined access control policy based on threshold cryptography. At this stage, we found it interesting to experiment with the utility of mobile agents with security features in preserving the security of other technologies such as cloud computing. Thus, we have developed an innovative cloud architecture using mobile agents endowed with cryptographic traces for intrusion detection and a revocation protocol based on a trust threshold for prevention.
19

Sikora, Marek. "Detekce slow-rate DDoS útoků." Master's thesis, Vysoké učení technické v Brně. Fakulta elektrotechniky a komunikačních technologií, 2017. http://www.nusl.cz/ntk/nusl-317019.

Abstract:
This diploma thesis is focused on the detection of and protection against Slow DoS and DDoS attacks using computer network traffic analysis. The reader is introduced to the basic issues of this specific category of sophisticated attacks, and the characteristics of several specific attacks are clarified. A set of methods for detecting and protecting against these attacks is also presented. The proposed methods are used to implement a custom intrusion prevention system that is deployed on the border filtering server of a computer network in order to protect Web servers against attacks from the Internet. The created system is then tested in a laboratory network. The presented test results show that the system is able to detect Slow GET, Slow POST, Slow Read and Apache Range Header attacks and then protect the services provided by the Web servers from being affected.
20

Chen, Yen-hung, and 陳彥宏. "Intrusion Prevention System." Thesis, 2007. http://ndltd.ncl.edu.tw/handle/98833068955685901827.

Abstract:
Master's thesis, National Yunlin University of Science and Technology, Graduate Institute of Electronic and Information Engineering, academic year 95.
The most frequently seen and hardest to prevent type of hacker attack is the distributed denial of service (DDoS). DDoS takes up the server's bandwidth and system resources and reduces processing efficiency. Although many scholars have proposed source-end defense to stop attack traffic before it enters the Internet backbone router, if the attacker uses highly distributed denial of service (HDDoS), the false-positive rate rises because source-end defense cannot differentiate between normal traffic and attack traffic. In this paper we build an intrusion prevention system that not only realizes source-end defense but also divides packets into three types: normal packets, suspicious packets and attack packets. Suspicious packets are stamped by the edge router before they enter the Internet, and the throttle of the traffic control module is used to limit their traffic. By way of the stamped information in a suspicious packet, the edge router's location can be found by verifying the signature, and a block request is announced to the edge router when the victim confirms that the suspicious packet had attack behavior. After the edge router receives the block request, it verifies the accuracy of the victim's signature and notifies the firewall to block the attack packets, actively stopping attack traffic at the source end.
21

Zhi-Yang, Li, and 李志揚. "Intrusion Prevention and Remote Protection System." Thesis, 2009. http://ndltd.ncl.edu.tw/handle/53847743162522627998.

Abstract:
Master's thesis, Tunghai University, Department of Computer Science and Information Engineering, academic year 97.
In recent years, networks have become essential, particularly for our daily life. More and more people access useful information, receive e-mail, purchase high-tech products, etc., through websites. However, while we enjoy the convenience of networks, networks also bring us threats, like Denial of Service (DoS) and Distributed Denial of Service (DDoS), resulting in inconvenience or financial loss, e.g., enterprises' or companies' huge financial losses or missed business opportunities. IDSs can protect network systems, but they often lose their detection effectiveness and capabilities when processing enormous network traffic. In this article, we propose an intrusion prevention system, named Cumulative-Sum-based Intrusion Prevention System (CSIPS), which detects malicious behaviors, attacks and distributed attacks launched at local and remote servers/hosts based on intrusion detection techniques and the Cumulative Sum (CUSUM) algorithm. Experimental results show that CSIPSs can provide a higher security level for a united defense environment.
22

Cheng, Kuang Hung, and 鄭光宏. "An Intrusion Prevention System against Mimicry Attacks." Thesis, 2005. http://ndltd.ncl.edu.tw/handle/96619060232523725015.

Abstract:
Master's thesis, National Chiao Tung University, Department of Computer Science, academic year 93.
With the development of hardware and Internet technologies, there are lots of applications available on the Internet. However, there are always hostile assailants in the open network environment. Though many different intrusion detection techniques have been developed, assailants can always attack the weaknesses of these techniques and try to evade IDS detection. Based on a system call interception technique, we develop a real-time intrusion detection and prevention system, called AMA-IPS (An Intrusion Prevention System against Mimicry Attacks). In this system, users can describe the attack model, through a GUI interface, in the form of state changes. We integrated immunity-based techniques into the state-based IPS to detect mimicry attacks and thus improve the detection accuracy of the IPS. In addition, we examine the accuracy of penetration patterns with the human immune system model, and thus reduce false positives. This system intercepts every system call invoked by an application program and tries to match it against each penetration pattern. Once there is evidence that a penetration is under way, the system can terminate the penetration process before injury.
23

Yeh, Zhi-Cheng, and 葉志成. "Design and Implementation of ASIC for SMTP Intrusion Prevention System." Thesis, 2007. http://ndltd.ncl.edu.tw/handle/61526623483072497087.

Abstract:
Master's thesis, National Chung Cheng University, Graduate Institute of Electrical Engineering, academic year 96.
Among the fast-growing Internet applications, email is becoming more and more important for communication. SMTP attacks and spam mail have become one of the most serious problems. Over 50% of all email on the Internet is spam. In particular, SMTP attacks and spam mail vary in form, for example spoofed addresses, illegal characters, sending in bulk, too many SMTP commands and so on. A single security technique is not enough to protect the system from these attacks and spam mail. In this thesis, we propose an ASIC for an SMTP Intrusion Prevention System (SIPS) which is based on the concepts of Stateful Protocol Anomaly Detection and Flow-based Inspection and is implemented as a finite state machine to inspect all incoming email flows.
24

Chien, Kuan-Ping, and 錢冠評. "Parallel SMTP Intrusion Prevention System with Virus Detection Engine." Thesis, 2008. http://ndltd.ncl.edu.tw/handle/28942454696308254793.

Abstract:
Master's thesis, National Chung Cheng University, Graduate Institute of Electrical Engineering, academic year 96.
With the flourishing development of networks in recent years, e-mail has become a very important communication tool for network users. Because of the convenience and importance of this communication protocol, assailants launch SMTP attacks and spam mail against mail servers. In addition, assailants have made use of the convenient transmission of e-mail to carry offensive malicious code, so we need to detect viruses in the data flow to make a full defense for mail servers and users. In order to defend against SMTP attacks and viruses efficiently, in this paper we have proposed an integrated method. First we use the principles of the communication protocol; this principle is realized with a parallel finite state machine, which uses a finite state machine to measure whether e-mail complies with normal behavior, and can effectively solve the bottleneck problem of the finite state machine. In addition, we incorporate the virus detection system when transmitting the packet payload, which makes a full defense for the mail server.
25

KAO, WEN-YU, and 高玟瑜. "An Extensible and Modularized Kernel-level Intrusion Prevention System." Thesis, 2017. http://ndltd.ncl.edu.tw/handle/39079225736011830552.

Abstract:
Master's thesis, National Chi Nan University, Department of Information Management, academic year 105.
With the popularity of computer applications and the rapid development of Internet technology, more and more users transmit or store important information through the Internet. However, the increase in users is accompanied by hacker attacks, and hacking techniques are diverse and constantly updated. Many tools to detect network attacks have been developed in succession, among which the Intrusion Detection System (IDS) is most commonly used to protect system security. This thesis is based on previous research, the Virtual Machine Monitor Based Extensible Intrusion Prevention System (VMM-EIPS), which adopts a modular architecture and is developed with dynamic plug-in functionality. VMM-EIPS provides several hook points, allowing users to dynamically add or remove functional components. VMM-EIPS is implemented as a Linux kernel module and is mounted on the PREROUTING hook point of the network packet filtering subsystem, i.e. Netfilter. Therefore, it can intercept and examine all packets entering the system. We have expanded the dynamic plug-in architecture of VMM-EIPS so that it can use both misuse detection and anomaly detection to examine network packets. Besides, we have designed and implemented three new functional components. Two of them are used for the detection of IDS evasion attacks and one for TCP SYN flood attacks with non-forged IPs. The system is then renamed EIPS+. Moreover, we also add a flexible reaction mechanism to EIPS+, making the intrusion detection, prevention, and reaction functionalities of EIPS+ more complete. The experimental results show that our newly developed detection components can effectively detect the associated IDS evasion attacks, and detect whether the system is under a TCP SYN flood attack with non-forged IPs. Compared with the default Snort, which is a famous open-source IDS, EIPS+ can detect more attack packets using IDS evasion technology, and incurs relatively less overhead on system performance. Therefore, the system operating with EIPS+ has better performance. We also found that when there are a large number of incoming network packets, EIPS+ can still efficiently handle each packet, whereas, as the number of packets increases, the packet drop rate for Snort increases substantially, which impacts its ability to protect the system.
26

Jui-Wen, Chen, and 陳瑞文. "WIPS: A Practical Intrusion Prevention System for Web Application." Thesis, 2005. http://ndltd.ncl.edu.tw/handle/01304939181165262996.

Abstract:
Master's thesis, National Chung Cheng University, Graduate Institute of Communications Engineering, academic year 93.
For governments and companies, system and Internet security nowadays play more important roles than before. If organizations do not have solid security policies and strategies, hackers could compromise the network and perform unauthorized access. A web application portal with a single sign-on (SSO) feature provides an integrated E-Business solution, such that the web application becomes an essential building block for business operations. A Gartner Group report indicates that 75% of malicious attacks target the application layer, and traditional security devices (such as firewalls and intrusion detection systems) are no longer able to protect web-based applications. Implementing a solid web application security protection shield is top of mind for security researchers. Extending finite state machine theory and coupling it with stateful session inspection, we propose the Web Intrusion Prevention System (WIPS) to solve the web application security issues listed in the OWASP Top Ten project. WIPS works as the last line of defense separating web browsers and web servers, by examining network traffic, maintaining every session's state information and allowing only specific web behaviors defined by the web finite state machine to pass through. With embedded Snort capability, WIPS also provides a negative security model to resist lower-layer attacks. A WIPS prototype has been implemented on an Intel Network Processor (IXP425) running MontaVista Linux. In our study, the functionality and performance have been assessed to show that WIPS provides a key answer for advancing the state of the art in web application security in a realistic environment.
27

Chen, Meng-Jhih, and 陳孟志. "Network Intrusion Detection and Prevention System by Parallel Matching." Thesis, 2013. http://ndltd.ncl.edu.tw/handle/17697990647085652914.

Abstract:
Master's thesis, National Chung Cheng University, Graduate Institute of Electrical Engineering, academic year 101.
Networks are developing quickly, accompanied by many applications and many attacks. For this reason, it is necessary to establish intrusion detection and prevention systems on the router or switch that can detect and prevent network intrusions in large-scale institutions. With increasing network bandwidth and the variety of attacks from Internet hackers, the demands on intrusion detection are becoming heavier. Therefore, how to create highly efficient intrusion detection and prevention is a crucial topic. We design a system that integrates Snort rule content matching and parallelizes the architecture of the content matching, focusing on a fast, high-accuracy hardware processor. The frequency of our chip design can reach 435MHz while matching 5272 Snort rules; the speed and efficiency are significantly improved compared to the software implementation.
28

Fu, Yuan Chia, and 傅遠佳. "Research on the Performance Improvement of an Intrusion Prevention System." Thesis, 2009. http://ndltd.ncl.edu.tw/handle/96339055901237597577.

Abstract:
Master's thesis, Chang Gung University, Graduate Institute of Computer Science and Information Engineering, academic year 97.
With the recent rapid development of the Internet, network security research and related products have increased rapidly, and intrusion detection systems in particular are of great concern. At present, the majority of intrusion detection systems use specialized software and hardware, which is very expensive. Because of its free and open properties, open source software is gradually being taken seriously, Linux in particular. Effective use of free software can save a lot of software costs. Because of the rapid development of the Internet, backbone network bandwidth has increased significantly. With the increase in network bandwidth, intrusion detection and prevention have become increasingly difficult. How to enhance the effectiveness of intrusion detection systems and reduce system cost is a system development challenge. In recent years, because processor performance growth has slowed, manufacturers have turned to the development of multi-core processors. However, many studies have shown that multi-core processors in the Linux system cannot enhance the performance of network processing. In this paper, we focus on how to improve the performance of a Linux-based intrusion prevention system. On the one hand, we improved the algorithm of the Pattern Match Module; on the other hand, we focused on multi-core processors to improve the network processing flow in Linux. These methods are used to enhance the overall performance of the intrusion prevention system. Experimental results show that the improved Pattern Match Module algorithm is 91 percent faster than Snort. The improved network processing of Linux is able to effectively spread the load over all CPUs, so the system can increase its processing capacity. Both combined can reach up to 1.8GBit/s in the 2GB network environment.
29

Nan, Lin Chun, and 林俊男. "Method and Implementation of Performance Evaluation for Intrusion Prevention System." Thesis, 2009. http://ndltd.ncl.edu.tw/handle/97977755786805801128.

Abstract:
Master's thesis, Chang Gung University, Graduate Institute of Information Management, academic year 97.
With the increasing prevalence of information technology, both enterprises and individuals rely more and more on the Internet. Protection of information security has thus become more important than ever. This study aimed to investigate how to evaluate the performance of intrusion prevention systems (IPS) at defending against DDoS attacks and how to implement the evaluation method. Its result was expected to be a reference for information security staff when introducing an IPS. To achieve the above objective, a review and analysis of the literature was conducted to build the research framework. Based on RFC 3511, Benchmarking Methodology for Firewall Performance, set up by the IETF (Internet Engineering Task Force), and the testing method provided in Network and Content Security Appliance by NBL (Network Benchmarking Lab), an anti-DDoS attack performance evaluation method for IPSs was proposed. Three IPSs from well-known brands were selected. Their performance at defending against three types of DDoS attack (Syn Flood, UDP Flood, and Ping Flood) at varying strengths (5M, 10M, 15M, 20M, and 50M per second) was tested using the Smartbit 600 network performance analysis system and the WebSuite network packet testing software. Finally, the proposed evaluation method was also applied to test specific hardware facilities.
30

Wang, Chuang, and 王闖. "An OpenFlow-based Collaborative Intrusion Prevention System for Cloud Networking." Thesis, 2014. http://ndltd.ncl.edu.tw/handle/50189198588330414977.

Abstract:
Master's thesis, National Tsing Hua University, Department of Computer Science, academic year 102.
Software-Defined Networking (SDN) is an emerging architecture that is ideal for the high-bandwidth, dynamic nature of today's network environments. In this architecture, the control and data planes are decoupled. Although much research has been done on how SDN can resolve some of traditional networking's most glaring security issues, less has touched on cloud security threats, especially the issues of botnet/malware detection and in-cloud attacks. In this thesis, an intrusion prevention system for cloud networking with SDN solutions is proposed. The proposed system benefits from the key attributes of the SDN architecture: logically centralized intelligence, programmability, and abstraction. The system consists of two distinct phases that are accessible through pre-defined Application Programming Interfaces (APIs). Within the detection phase, the detector can be either existing detection software such as the open-source Snort IDS or the designed lightweight scan-filtering program. The control phase is composed of the controller (the control plane) and the OpenFlow-based switch (the data plane), which handles flow insertion proactively according to the defined application module. In order to achieve collaborative defense, the mechanisms of botnet/malware blocking, scan filtering and a honeypot are implemented. Malicious traffic is isolated, with in-depth incident reporting information designed to remove bot-infected VMs from the private cloud effectively and efficiently. Scanning behavior can be filtered at a very early stage, which makes the VMs less exploitable. A honeypot mechanism is also deployed to trap attackers. Experimental results show the high detection rate, exact prevention accuracy and low vulnerability of the proposed system.
31

Le, Anh. "On Optimizing Traffic Distribution for Clusters of Network Intrusion Detection and Prevention Systems." Thesis, 2008. http://hdl.handle.net/10012/3949.

Abstract:
To address the overload conditions caused by the increasing network traffic volume, recent literature in the network intrusion detection and prevention field has proposed the use of clusters of network intrusion detection and prevention systems (NIDPSs). We observe that simple traffic distribution schemes are usually used for NIDPS clusters. These schemes have two major drawbacks: (1) the loss of correlation information caused by the traffic distribution because correlated flows are not sent to the same NIDPS and (2) the unbalanced loads of the NIDPSs. The first drawback severely affects the ability to detect intrusions that require analysis of correlated flows. The second drawback greatly increases the chance of overloading an NIDPS even when loads of the others are low. In this thesis, we address these two drawbacks. In particular, we propose two novel traffic distribution systems: the Correlation-Based Load Balancer and the Correlation-Based Load Manager as two different solutions to the NIDPS traffic distribution problem. On the one hand, the Load Balancer and the Load Manager both consider the current loads of the NIDPSs while distributing traffic to provide fine-grained load balancing and dynamic load distribution, respectively. On the other hand, both systems take into account traffic correlation in their distributions, thereby significantly reducing the loss of correlation information during their distribution of traffic. We have implemented prototypes of both systems and evaluated them using extensive simulations and real traffic traces. Overall, the evaluation results show that both systems have low overhead in terms of the delays introduced to the packets. 
More importantly, compared to the naive hash-based distribution, the Load Balancer significantly improves the anomaly-based detection accuracy of DDoS attacks and port scans -- the two major attacks that require the analysis of correlated flows -- meanwhile, the Load Manager successfully maintains the anomaly-based detection accuracy of these two major attacks of the NIDPSs.
32

Chen, Chih-Di, and 陳智迪. "A Stateful and Flow-Based Intrusion Prevention System for Email Applications." Thesis, 2006. http://ndltd.ncl.edu.tw/handle/34303100233263168494.

Abstract:
Master's thesis, National Chung Cheng University, Graduate Institute of Electrical Engineering, academic year 95.
In recent years, email has become a more important means of communication for most users over the Internet. With this popularity of email, there are many email attackers who abuse email to launch SMTP attacks and spam mail at receivers. Although some technical countermeasures against SMTP attacks and spam mail have been proposed respectively, there is no approach that prevents spam mail as well as SMTP attacks effectively. These proposed security technologies usually aim at a single threat, so an integral security technology to defend against these problems is lacking. In order to prevent both spam mail and SMTP attacks more effectively, in this thesis we propose an integral approach based on the concept of PAD (Protocol Anomaly Detection), implementing this concept with a finite state machine to inspect statefully whether email flows deviate from normal behavior. We integrated the proposed approach with Snort so that it possesses not only a positive approach but also a negative approach. Finally, we hope that this study can be a solution for researchers who want to strengthen Snort further.
33

Lin, Jung-Feng, and 林峻鋒. "A High-Performance Dependable Network Intrusion Prevention System with Adaptive Clustering." Thesis, 2007. http://ndltd.ncl.edu.tw/handle/04439448434922383884.

Abstract:
Master's thesis, National Taiwan University, Graduate Institute of Electrical Engineering, academic year 95.
Security has become a big issue for all organizations in today's network environment. More and more systems have been developed to secure the network infrastructure and communication over the Internet. A network intrusion prevention system (NIPS) is a kind of security system which can perform deep content inspection and block suspected packets. The demand for high-performance NIPS is driven by the growing available bandwidth and more complex packet inspection. In this thesis, we propose a clustering scheme that aggregates several devices to provide high throughput and implements the network intrusion prevention system over a cluster. The proposed scheme makes incoming traffic self-dispatched and applies traffic redistribution to keep the load of the devices balanced. Based on the cluster scheme, we design a dynamic migration approach to quickly achieve a load-balanced state as the network varies. This clustering scheme also supports fault tolerance and dynamic expansion without shutting down the system. Based on the designed architecture, we deploy Snort, which is a well-known and popular NIPS, on each device of the cluster and implement all the proposed mechanisms as kernel modules over embedded Linux. According to the results of the performance evaluation, we can successfully build a high-performance, dependable NIPS by means of the proposed schemes over the designed in-line device cluster.
34

Chen, Ming-Jen, and 陳明仁. "Architecture Design of Multi-layer Intrusion Prevention System for Internet Applications." Thesis, 2015. http://ndltd.ncl.edu.tw/handle/34550072115568782502.

Abstract:
Doctoral thesis, National Chung Cheng University, Graduate Institute of Electrical Engineering, academic year 103.
The popularity of mobile devices makes the management of information security a blind spot and more complex. The traditional firewall is not applicable against the wide variety of cyber attacks. An Intrusion Prevention System (IPS) is used to support both diverse attack detection and high processing performance. There are three major intrusion detection methodologies: Signature-based Detection (SD), Statistical Anomaly-based Detection (SAD) and Stateful Protocol Anomaly Detection (SPAD). Each methodology has its own advantages, but each only detects a single type of attack. In this thesis, a Multi-layer Intrusion Prevention Architecture (MIPA) is proposed to integrate the SD, SAD, and SPAD methodologies (modules) for preventing multiple types of attack. Four IPS systems are implemented based on the MIPA architecture to make up for the shortcomings of the traditional SD, SAD and SPAD modules. First, a VoIP IPS with a hierarchical architecture of SAD and SPAD modules is proposed. SAD is used to offload the SPAD load to increase the VoIP IPS processing performance. A Profile Analysis (PA) module is proposed to decrease the SAD false positive ratio by updating the SAD profile threshold based on SPAD results. If the attack traffic rate is 20% of all traffic, the processing speed of the VoIP IPS system increases by 8.89% over the system without the SAD module, and a 60% attack traffic rate increases processing speed by about 50%. VoIP IPS throughput is up to 2.66Gbps. Next, an Email IPS integrating SAD and SPAD modules to protect against both email attacks and spam mail is proposed. The detection accuracy for email attacks and spam mail is 95.4% and 91.1% respectively. Then, the Email IPS is integrated with a Virus Detection Engine to support full protection in detecting both behavior-based attacks and content-based attacks. The throughput of the Email IPS is up to 4.12Gbps. Finally, a Snort Rule Accelerator (SRA) integrating SAD and SD is proposed. SAD is used to offload the load of SD and increase the processing speed of the SRA. The throughput of the SRA is up to 13.9Gbps and is available to support intrusion prevention in a 10Gbps core network. In summary, the proposed MIPA architecture is a foundation for a Unified Threat Management (UTM) solution. Each module is deployed to fully support multi-layer network protection. The proposed architecture improves the deficiencies of each intrusion detection method and enhances the advantages of each method. It is able to balance the strengths and the weaknesses of each method in the MIPA architecture.
35

Lin, Jung-Feng. "A High-Performance Dependable Network Intrusion Prevention System with Adaptive Clustering." 2007. http://www.cetd.com.tw/ec/thesisdetail.aspx?etdun=U0001-1907200716052000.

36

LIN, JHIH-REN, and 林志仁. "Deep Learning Approach for SDN-based Intrusion Detection and Prevention System." Thesis, 2018. http://ndltd.ncl.edu.tw/handle/td4888.

Abstract:
Master's thesis, National Taichung University of Education, Department of Computer Science and Information Engineering, academic year 106.
In recent years, Software Defined Networking (SDN) has been widely used in cloud computing and will be adopted in 5G. In the past, when a traditional network needed to change settings, it was necessary to modify each network device individually, which was quite time-consuming. SDN separates the control plane and the data plane in the network and uses a centralized management method to manage network devices. Through the SDN Controller, a network administrator can easily manage the network and configure network devices. In SDN, the OpenFlow Controller focuses on the operation of the network. The OpenFlow Controller uses the OpenFlow Protocol to define the flow table and decide how packets are forwarded. The detection of network attacks is less of a concern. In this paper, an intrusion detection and prevention system based on a software-defined network architecture and deep learning is proposed. By modifying the SDN mechanism and the OpenFlow Protocol, both the OpenFlow Controller and the OpenFlow switch can detect network attacks. When suspected network traffic is detected, the OpenFlow Controller extracts the features and a deep learning model uses them to identify the network traffic. When the detection result is an attack, the OpenFlow Controller will send a command to prevent the attack.
37

Soares, João Pedro dos Santos. "Implementation of a distributed intrusion detection and reaction system." Master's thesis, 2016. http://hdl.handle.net/10316/99196.

Abstract:
Final internship report of the Master's in Informatics Engineering presented to the Faculty of Sciences and Technology of the University of Coimbra. Security was not always an important aspect in terms of networking and hosts. Nowadays, it is absolutely mandatory. Security measures must make an effort to evolve at the same rate, or even at a higher rate, than threats, which is proving to be the most difficult of tasks. In this report we will detail the process of the implementation of a real distributed intrusion detection and reaction system, which will be responsible for securing a core set of networks already in production, comprising thousands of servers, users and their respective confidential information.
38

Chao, Pao-Yin, and 趙伯尹. "Distributed Intrusion Detection and Prevention System- A Case Study on XSS Attacks." Thesis, 2008. http://ndltd.ncl.edu.tw/handle/02464494693925971053.

Abstract:
Master's thesis, National Defense Management College, Graduate Institute of National Defense Information, academic year 96. As the Internet has rapidly grown in popularity, both government agencies and private companies have set up web sites to provide information or Q&A. Because personal websites are built to highlight their owners' characteristics and personal styles, the number of such sites has continued to increase. Some web designs have not been done in accordance with the principles of security certification, and in order to keep their own service programs open they give malicious users the opportunity to tamper with the page. Cross-site scripting draws the most attention according to the top 10 Internet security issues published by OWASP. The main purpose of this study is how to make an IDPS, which includes HIDS and NIDS, useful for helping network security management, and to analyze cross-site scripting attack modes to enhance the ability to identify acts of intrusion. The HIDS can achieve the purpose of monitoring and management, and checks the integrity of the client's or server's files and the Windows registry; when a page is tampered with, or a client is attacked by XSS and implanted with malicious code, the HIDS sends warning information to the intrusion management center. At the same time it takes the initiative to respond to the domain name server, blocking client connections to sites that attempt to implant malicious programs on the client, so as to avoid the expansion of network security loopholes after the attack. Organizations can also use a HIDS on the web server as a honeypot for cross-site scripting attacks. By recording XSS behavior and using the records of attack modes, security managers can understand what the XSS target is and generate new defense rules.
The NIDS detects XSS attacks by a set of syntax rules, analyzing the content of network packets sent to the web server; when an intrusion is found that triggers the rules, the security management staff are informed and the NIDS takes the initiative to respond to the firewall, so that the firewall blocks the malicious request, promoting the security of the system and preventing sensitive information on the web server from being tampered with and stolen. Finally, we compare the researched structure with the existing protection practice for analysis and build a secure network application environment.
39

Liu, Jiamn-Der, and 劉建德. "The Design and Implementation of Peer to Peer Network Intrusion Prevention System." Thesis, 2009. http://ndltd.ncl.edu.tw/handle/93150005233765452414.

Abstract:
Master's thesis, National Chiao Tung University, College of Science, in-service master's program in e-learning, academic year 97. P2P (Peer to Peer) applications have emerged since the late 1990s. However, the widespread adoption of P2P applications lately has raised some concerns about information security, such as copyright, bandwidth, viruses, individual privacy and so on. In 2008, the Ministry of Education in Taiwan issued an official document which stated that schools at all levels should forbid the illegal usage of P2P file transfer. However, since P2P applications use a large number of dynamic ports, traditional Layer 3 firewalls were unable to block them. To resolve this problem, we designed an IPS based on transport layer inspection to drop P2P traffic. We named our IPS T4-terminator (T4 for Transport Layer 4). We also studied two other IPSs, L7-filter and IPP2P, which are based on open source software. Furthermore, we also established a benchmarking environment with freeware, which is used to evaluate the performance of these approaches. The conclusions could offer a reference to MIS people for managing P2P networks.
40

Su, Yanlin, and 蘇延麟. "Pipelined Pattern Matching Chip Design for Network Intrusion Detection and Prevention System." Thesis, 2011. http://ndltd.ncl.edu.tw/handle/75270057616839466661.

Abstract:
Master's thesis, National Chung Cheng University, Graduate Institute of Electrical Engineering, academic year 99. The network is developing rapidly, accompanied by many applications and many attacks. For this reason, it is necessary to establish intrusion detection and prevention systems on the router or switch that can detect and prevent network intrusions in large-scale institutions. If the speed of the intrusion detection and prevention system is not faster than or equal to the line rate, it becomes the bottleneck of network bandwidth. In this thesis, we propose an intrusion detection and prevention system. It is a hardware/software co-design implementation with NetFPGA and Snort. With this feature, it has high flexibility and high detection efficiency. The core of the hardware architecture is the pipelined Bloom Filters with separation of rule sets, so it avoids the high density of rule spaces that reduces the accuracy of matching. In the practical design, we also implement the chip with an ASIC flow. In the APR stage, it can run up to 495 MHz. Our proposed design can meet the needs of high speed without becoming the bottleneck of network bandwidth.
41

Wang, Jian-Kai, and 王建凱. "Design and Implementation of an Intrusion Prevention System for Virtual Execution Environment." Thesis, 2014. http://ndltd.ncl.edu.tw/handle/20456052203047062080.

Abstract:
Master's thesis, Chang Gung University, Department of Computer Science and Information Engineering, academic year 102. With the progress of computer and Internet technology, more people and companies tend to store important information and files on remote computer servers. The information security issue has become increasingly important as well. As network attack events have occurred often around the world in recent years, the intrusion detection system has also become an important research topic in information security technology. Virtualization technology allows a physical machine to run multiple operating systems concurrently, each in its own virtual machine (VM). The virtual machine monitor (VMM) is responsible for managing the hardware resources of the physical machine and monitoring the activity of each VM. More and more data centers take advantage of virtualization technology and virtualize their physical hosts. This thesis focuses on the research and implementation of an intrusion detection and prevention system for the virtual machine execution environment. We have designed and implemented a light-weight Intrusion Prevention System (IPS) named VMM-IPS in the VMM. It intercepts and inspects all incoming packets that will be forwarded to VMs. Our system also has the ability of multi-packet detection and can protect the system against attacks using the concept of packet reassembly. Once malicious packets are detected, VMM-IPS drops them and notifies the administrator of the event. The implementation of our VMM-IPS employs Net-Filter, which is a Linux kernel subsystem for packet filtering. Our VMM-IPS can detect not only packets forwarded to each VM but also packets passing through the host. Therefore, our system can ensure the system safety of each VM and the host system at the same time. Our experiments have evaluated the effectiveness of single-packet detection and multi-packet detection of VMM-IPS. Besides, the performance degradation, packet detection rate, and detection time are also measured.
The experimental results demonstrate that VMM-IPS can provide system safety effectively and its performance is better than the well-known Snort intrusion detection system. Compared with the functions of Snort, our system has the additional ability of multi-packet detection. All experimental results demonstrate that VMM-IPS can protect the whole system while providing efficient system performance.
42

Wang, You Chi, and 王宥棋. "A Kernel-Level Intrusion Detection and Prevention System With High Flexibility and Extensibility." Thesis, 2015. http://ndltd.ncl.edu.tw/handle/88659851957458447441.

43

Chen, Yang-Sheng, and 陳陽昇. "The Study on the Reaction Mechanisms of a Kernel-level Intrusion Prevention System." Thesis, 2016. http://ndltd.ncl.edu.tw/handle/29836626895994574831.

Abstract:
Master's thesis, National Chi Nan University, Department of Information Management, academic year 104. The progress of network technology makes our life more convenient. More and more enterprises transmit information or data through the network. Information security has thus become an important issue. With the advance of network technology, hackers also expand their hacking skills so that they attack servers or systems in multiple ways. To protect computer systems from hackers' intrusion, the common way is to deploy an Intrusion Detection System (IDS), which is a network-based security detection system for detecting network attacks. Based on the IDS, the Intrusion Prevention System (IPS) can respond to detected attacks and actively protect the systems. With the rapid growth of server performance and virtualization technology, more and more companies tend to adopt virtualization technology to deploy their servers. The benefits include decreased implementation cost, easier system management and data backup. Nowadays, hackers apply more aggressive techniques and form a threat to virtual machine users. Some research indicates that the Virtual Machine Monitor (VMM) is the most suitable layer for implementing security mechanisms. The VMM is implemented as the software abstraction layer between the hardware and the operating system layer. It mainly manages the hardware resources of virtual machines and physical machines. This study is based on the VMM-Based Intrusion Prevention System (VMM-IPS) [1], which we have enhanced with new reaction mechanisms. The VMM-IPS utilizes the Net-Filter subsystem in the Linux kernel to intercept and examine packets. When the VMM-IPS detects malicious packets, originally it only drops them. We have implemented a reset-connection mechanism which disconnects the connection with the attacker to prevent the attacker from retransmitting malicious packets. We have also implemented an elastic reaction mechanism to perform the reaction more flexibly.
Besides, when the VMM-IPS receives malicious packets, it displays the connection information on screen and logs the event to a system file. Our implementation completes the reaction mechanisms of VMM-IPS and also increases the system performance. The VMM-IPS is implemented as a Linux kernel module which can be dynamically loaded into the Linux kernel at runtime. We have measured the detection rate and the accuracy of the reaction mechanisms. We have also evaluated the performance of a Web server using the Apache Bench benchmark. The purpose is to measure the performance impact when an IPS is deployed. The result shows that VMM-IPS and Snort, a well-known open-source intrusion detection system, have the same detection rate in detecting malicious packets. We obtain screenshots from the Wireshark software and the server. The experimental results show that our VMM-IPS performs the reaction mechanisms and outputs the log file correctly. In the stress test, the performance of the system when deployed with our VMM-IPS is higher than the one deployed with Snort. VMM-IPS also incurs less system overhead than Snort.
44

Huang, Guo rui, and 黃國睿. "On the design of Network Intrusion Prevention System based on Multi-core Platform." Thesis, 2007. http://ndltd.ncl.edu.tw/handle/30922947630389186445.

Abstract:
Master's thesis, National Tsing Hua University, Institute of Communications Engineering, academic year 95. As the types of attacks have increased noticeably, network security devices have become more and more important in recent years. However, the growth rate of network bandwidth has been greater than that of processor performance. Even the most powerful general-purpose processors are not able to process packets at multi-gigabit wire speed. Consequently, it is desirable to design next-generation network systems that process packets in parallel on multi-processor platforms. In this thesis, a novel software architecture is proposed to enhance the performance of Network Intrusion Detection and Prevention Systems (NIPS). It is beneficial for a NIPS to run on platforms with large cache memory if frequently accessed data structures can be found in the cache. Although the processor is unlikely to be equipped with a large cache memory, the performance can still be enhanced by reducing the L2 cache miss rate. Another performance bottleneck is interrupt handling, which affects system performance in a negative way. Therefore, offloading interrupt handling is also helpful to improve performance. This thesis presents a mechanism to design a NIPS on a multi-core platform based on processor affinity, interrupt affinity and stream affinity. The experimental results show that the proposed architecture enhances NIPS performance dramatically.
45

Lin, Kai-Hsun, and 林楷勛. "Intrusion Prevention System Suitable for Protecting Application Servers from Distributed Denial of Service Attacks." Thesis, 2004. http://ndltd.ncl.edu.tw/handle/03795956180412960338.

Abstract:
Master's thesis, National Tsing Hua University, Institute of Information Systems and Applications, academic year 92. DoS means that the hacker attempts to degrade the service offered to normal end users. In general, DoS can be separated into three main types: 1) exploiting a loophole of the system to destroy the whole system; 2) exploiting a weakness of the protocol to block normal users; 3) using large throughput to make it hard for the server to serve normal users' requests. Of the three types, exploiting a weakness of the protocol is the hardest to defend against. The TCP SYN flooding attack is a well-known denial of service (DoS) attack that exploits the TCP three-way handshake vulnerability. Recently many famous web sites have faced a stronger form of denial of service attack known as the Distributed Denial of Service attack (DDoS). Organizations deploying security measures such as firewalls and intrusion detection systems (IDS) can face the traditional DoS attack. There is also no complete solution for protection from the SYN Flooding DDoS attack. This paper analyzes the TCP SYN Flooding attack and presents a protection method against SYN Flooding attacks launched by DoS/DDoS tools. It protects the server by generating a legal access database, monitoring the backlog queue entries of the server, and IP filtering. The main advantages are its strong ability to defend against the TCP SYN Flooding attack, and minimal delay for legal user access. We also analyze an application layer DoS attack method called TCP keep-alive in this paper, and test its attack method. The protection system we propose can also protect from this attack.
46

Tseng, Tsan-Yi, and 曾寁逸. "A study on the key factors of the Intrusion Prevention System based on AHP." Thesis, 2018. http://ndltd.ncl.edu.tw/handle/h322mn.

Abstract:
Master's thesis, National Pingtung University of Science and Technology, Department of Management Information Systems, academic year 106. To confront the present network environment's development and the growing threat of hacking skills, enterprises usually set up an Intrusion Prevention System (IPS) to enhance their protection capabilities. However, enterprises often face difficult choices in evaluation and selection regarding which functions and effects are the truly important and necessary reference values. Therefore, the purpose of this research is to approach the key factors of the Intrusion Prevention System. In this research we approach the key factors of IPS and the structure of indicative functions by AHP (Analytic Hierarchy Process), which is divided into five factors: "Data Collection Module", "Detection Module", "Defense Module", "Events Recording Module", and "Alert Module", and fifteen indicative functions for appraisal: "Throughput", "Connection Processing Speed", "Network Module Extendibility", "Detection Mode Elasticity", "Network Layer Detection", "Application Layer Detection", "Zero-Day Attack Repairing Capability", "Rules or Condition Codes Customization", "Condition Code Database Updating Speed", "Report Data Accuracy", "Events Record Preservation", "Centralized Management System Analysis", "E-mail Notification", "Mobile Phone SMS Notification", and "Message Content Customization". After analyzing the questionnaires from experts, the first thing we discovered was that "Defense Module" is the primary key factor for IPS. The second discovery was that "Zero-Day Attack Repairing Capability" is the most important indicative function for IPS. This function is also within the primary key factor. Then, "Network Layer Detection" and "Application Layer Detection" are the second and third most important indicative functions, which both belong to the second key factor (Detection Module). The third finding was that "Network Module Extendibility" is the last consideration for IPS. However, this function is a part of the third key factor.
In this research, the expert representatives believe that "Zero-Day Attack Repairing Capability", "Network Layer Detection", "Application Layer Detection", "Throughput", and "Connection Processing Speed", the top five indicative functions, are also covered by the 2017 Next Generation Intrusion Prevention Systems (NGIPS) report of NSS Labs.
47

Tzeng-Yu, Chen. "An Effective Intrusion Prevention System to Protect Multi-Services against TCP SYN Flooding DDoS Attacks." 2006. http://www.cetd.com.tw/ec/thesisdetail.aspx?etdun=U0016-1303200709313176.

48

Tsao, Er-Kai, and 曹爾凱. "The Design and Implementation of a SIP-Aware Intrusion Prevention System on IXP Network Processor." Thesis, 2005. http://ndltd.ncl.edu.tw/handle/71163787738480819203.

Abstract:
Master's thesis, National Chung Cheng University, Graduate Institute of Communications Engineering, academic year 93. With the advantages of scalability, extensibility and interoperability, SIP can provide not only VoIP service but also integrated multimedia communication services. Though SIP-based Peer-to-Peer (P2P) applications (such as Instant Messaging, Real-Time Presence and IP Telephony) are getting more popular than before and are becoming critical to businesses, they face serious security problems. According to a report of the Gartner Group, over 75% of hackers' attacks occur on the application layer (the seventh layer of the OSI model) and each successful invasion results in tremendous damage. Traditional network security devices such as firewalls and IDS are unable to provide 100% security for SIP-based applications. Recently, with high programmability, high performance and low cost, the network processor has become popular among network security appliance designers for accelerating product development. To provide a strong protection mechanism for SIP-based applications, this paper presents a SIP-Aware Intrusion Prevention System (SAPS) which is designed and implemented on the Intel IXP425 Network Processor.
49

Chen, Tzeng-Yu, and 陳宗右. "An Effective Intrusion Prevention System to Protect Multi-Services against TCP SYN Flooding DDoS Attacks." Thesis, 2006. http://ndltd.ncl.edu.tw/handle/36453050738828817765.

Abstract:
Master's thesis, National Tsing Hua University, Department of Computer Science, academic year 94. In recent years, DDoS attacks have occurred frequently and caused a great deal of damage to enterprises that provide network services. With the growth of the network, almost every enterprise provides more and more services on the network, like Web service, Mail service, FTP service, and so on. If these services suffer a DDoS attack, it will cause great losses to the enterprise. The most famous type of DDoS attack is the TCP SYN flooding attack, which is based on the vulnerability of the TCP three-way handshake. Firewalls and intrusion detection systems are not effective in defending against this type of attack. There is still no complete solution to defend against this attack. In this thesis, we collect the legitimate IP addresses in a database for each service and protect these services according to these databases. We also create a backlog queue for each service so that we can detect the attack by checking it. When an attack is detected, the packet filtering mechanism is activated to protect the victim services. There are five characteristics in our system: (1) protecting multiple services without knowing any information about these services; (2) detecting the attack and activating the packet filter instantly; (3) the complexity of the IP searching algorithm is only O(n), where n is the number of services under attack, which reduces the delay for legitimate users; (4) we can instantly find that the attacker is using a legitimate IP address to carry out the attack and then filter out this IP address; (5) the system can be built into an edge router, a NAT server or the protected server. With our proposed mechanism, we can effectively defend against the TCP SYN flooding attack and successfully provide the service to legitimate users. Finally, we carry out experiments to evaluate this mechanism and analyze the system performance, effectiveness and influence on legitimate users.
We show that this mechanism is effective in protecting multiple services against the TCP SYN flooding attack.
50

SYU, CHAO-WEI, and 許朝瑋. "A Deep Learning Based Real-Time Intrusion Detection and Prevention System for Software Defined Networks." Thesis, 2019. http://ndltd.ncl.edu.tw/handle/2puu8a.

Abstract:
Master's thesis, National Taichung University of Education, Department of Computer Science and Information Engineering, academic year 107. Software Defined Networking (SDN) is the current network trend and will become the main network architecture in the future. SDN divides the network into the control plane and the data plane. SDN can flexibly adjust the network topology with the controller through centralized management, but it also brings new network threats. The SDN switches and controller cannot provide service when a Distributed Denial-of-Service attack occurs, because the SDN switches send the SDN Controller a large number of packets used to establish routes. SDN cannot prevent an attacker from stealing SSH server information because the packets of brute-force attacks and dictionary attacks on SSH are encrypted. Therefore, this paper proposes a deep learning based real-time intrusion detection and prevention system that uses deep learning to identify network attacks in SDN. The SDN controller can immediately notify the SDN switch to block the forwarding of attack packets when an attack is detected. This paper also compares the multilayer perceptron (MLP), convolutional neural network (CNN), long short-term memory (LSTM) and stacked auto-encoder (SAE) deep learning models. The experimental results prove that the proposed method can reduce the impact of real-time attacks.