INBOUNDS: The Integrated Network-Based Ohio University Network Detective Service

INBOUNDS：基于网络的综合俄亥俄大学网络侦探服务

• 批准号: 0086642
• 负责人: Shawn Ostermann
• 金额: $ 29.08万
• 依托单位: Ohio University
• 依托单位国家: 美国
• 项目类别: Standard Grant
• 财政年份: 2001
• 资助国家: 美国
• 起止时间: 2001-09-15 至 2004-08-31
• 项目状态: 已结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=0086642&HistoricalAwards=false
• 关键词: INBOUNDS; Integrated; Network; Based; Ohio

This document describes a proposed software system, called INBOUNDS (IntegratedNetwork-Based Ohio University Network Detective Service), that will address thedifficult research problem of security in the dynamic real-time Internet environmentpopulated by both legitimate users and hostile intruders. Internet security is becoming more critical by the day. Successful attacks on banks,schools, government agencies, and corporations that do business online are becomingmore and more common, and the frequency of these attacks and the amount of damagedone is rising rapidly. Commercially available firewalls and intrusion detection systemsare currently the only weapons with which to defend against the threat, but they areobviously not capable of keeping up with the ever-changing attack strategies of hackers. Thus, we propose INBOUNDS a real-time network based intrusion detection andresponse system under development at Ohio University's Laboratory for Real-Time,Secure Systems and Applications. INBOUNDS detects and responds to suspiciousbehavior by using TCPTrace (a network traffic analysis tool) and DeSiDeRaTa (dynamic,real-time resource management middleware). INBOUNDS is intended to function in aheterogeneous environment with fault tolerance, very low overhead, and a high degree ofscalability. A prototype of INBOUNDS is currently being used for around-the-clockintrusion detection and response at Ohio University and we propose to add functionalitythat will enable INBOUNDS to deal with the following important types of attacks: Large-scale, distributed denial-of-service attacks Abnormal network protocol behavior including SYN and RESET attacks Suspicious keywords in interactive sessions/email Suspicious patterns of data, such as the fan-out patterns commonly seen with email viruses Communication over unusual network ports, which are common when attackers target seldom used and insecure servers Connections from unknown/unusual hosts Abnormal data patterns for a particular time of day Unusual data patterns on known ports, such as would be seen when at attacker installs programs using the fingerd port as in the Morris Worm

本文介绍了一个被称为INBOUNDS（IntegratedNetwork-Based俄亥俄州大学网络侦探服务）的软件系统，它将解决由合法用户和恶意入侵者组成的动态实时Internet环境中的安全性研究难题。 互联网安全日益重要。对银行、学校、政府机构和在网上开展业务的公司的成功攻击越来越普遍，这些攻击的频率和破坏的数量正在迅速上升。商用防火墙和入侵检测系统是目前防御威胁的唯一武器，但它们显然无法跟上黑客不断变化的攻击策略。 因此，我们建议INBOUNDS的实时网络为基础的入侵检测和响应系统正在开发中的俄亥俄州大学的实时，安全系统和应用实验室。INBOUNDS通过使用TCPTrace（网络流量分析工具）和DeSiDeRaTa（动态实时资源管理中间件）来检测和响应可疑行为。INBOUNDS旨在在具有容错性、非常低的开销和高度可伸缩性的异构环境中运行。INBOUNDS的原型目前正在俄亥俄州大学用于全天候的入侵检测和响应，我们建议增加功能，使INBOUNDS能够处理以下重要类型的攻击： 大规模分布式拒绝服务攻击 异常网络协议行为，包括SYN和RESET攻击 互动会话/电子邮件中的可疑关键字 可疑的数据模式，例如通常在 电子邮件病毒 通过不寻常的网络端口进行通信，当攻击者 针对很少使用和不安全的服务器 来自未知/异常主机的连接 一天中特定时间的异常数据模式 已知端口上的异常数据模式，例如在攻击者 使用fingerd端口安装程序，如Morris Worm