The Development and Analysis of Intrusion Detection Algorithms

This thesis presents three new low-complexity intrusion detection algorithms tested on sniffing data from 80,000 real Internet sessions. A Password Guessing Detector scans telnet connections containing only failed logins and identifies password guessing attacks based on the number of connection between each host pair and the usernames and passwords tried. By extracting the plaintext password, this algorithm is able to run much faster than conventional cracking programs, which must encrypt each guess. A neural network based keyword weighting system substantially improves the performance of a baseline intrusion detection system. It uses counts of forty keywords, also found in the sniffing data, to identify attacks in telnet connections. Finally, a real-time Shell Tracker monitors BSM audit data and finds users who illegally become root and start a command shell regardless of the attack or back door used. Two intrusion prevention algorithms, a Banner Finder and a Password Checker, were also developed. The Banner Finder uses a binary decision tree and five keyword counts to identify the presence of a valid warning banner in telnet sessions. The Password Checker extracts usernames and passwords from network sniffing data and scores the passwords based on how succeptable they would be to a password guessing attack. Thesis Supervisor: Dr. Richard P. Lippmann Title: Senior Staff MIT Lincoln Laboratory