Real-time protocol analysis for detecting link-state routing protocol attacks
Source: ACM Transactions on Information and System Security (TISSEC)
Volume 4, Issue 1 (February 2001)
Pages: 1-36
Year of Publication: 2001
ISSN: 1094-9224
Authors
Ho-Yen Chang  Ericsson IP Infrastructure, Raleigh, NC
S. Felix Wu  Univ. of California at Davis, Davis
Y. Frank Jou  Advanced Networking Research, MCNC, RTP, NC
Publisher
ACM  New York, NY, USA
Bibliometrics
Downloads (6 Weeks): 14,   Downloads (12 Months): 128,   Citation Count: 4
DOI: http://doi.acm.org/10.1145/383775.383776

ABSTRACT

A real-time knowledge-based network intrusion-detection model for a link-state routing protocol is presented for the OSPF protocol. This model includes three layers: a data process layer to parse packets and dispatch data; an event abstractor to abstract predefined real-time events for the link-state routing protocol; and an extended timed finite state machine to express the real-time behavior of the protocol engine and to detect intrusions by pattern matching. The timed FSM, called the JiNao Finite State Machine (JFSM), is extended from the conventional FSM with timed states, multiple timers, and time constraints on state transitions. The JFSM is implemented as a generator that can create an FSM by constructing the configuration file only. The results show that this approach is very effective for detecting real-time intrusions. Our approach can be extended for use in other network protocol intrusion-detection systems, especially for those with known attacks.



