Automated intrusion prevention mechanism in enhancing network security / He Xiao Dong

Bibliographic Details
Main Author: He, Xiao Dong
Format: Thesis
Published: 2008
Subjects:
Online Access: http://studentsrepo.um.edu.my/11772/1/He_Xiao_Dong.pdf
http://studentsrepo.um.edu.my/11772/
Description
Summary: Firewalls, intrusion detection systems (IDS), and intrusion prevention systems (IPS) are important tools used to secure networks against hackers' attacks. Ironically, these malicious attacks have brought more adverse impacts on networks than before. At present, many existing IDS and IPS work independently, without exchanging information. This deficit lowers the capability of these tools to protect increasingly vulnerable networks. In this thesis, an automated intrusion prevention mechanism (AIPM) that combines the functionalities of IDS, IPS, and network devices is proposed to enhance network security. AIPM is a mechanism that includes an automated intrusion prevention function and an automated analysis of intrusion messages function. Additionally, the ability to automatically detect and analyze network traffic allows AIPM to detect malicious attacks almost in real time. Likewise, the ability to automatically analyze intrusion messages and network configuration enables AIPM to build a topological view and locate the source of a malicious attack. Results of case studies show that AIPM imposes lower overhead than the conventional method, which queries all pre-defined routers to block every interface irrespective of where the attack is launched. By contrast, AIPM identifies the interface nearest to the source of the attack and sends a single query to the associated router to block only that particular interface, so only 1 connection per attack is needed. AIPM can block malicious traffic 2-5 seconds after an attack starts because less pre-defined information is needed; the conventional method, on the other hand, needs about 5-10 seconds to finish block processing because more pre-defined information is needed. In summary, AIPM, which incorporates the functionalities of IDS and IPS, offers network protection against potential malicious acts without incurring additional overhead compared to the conventional method.