Approval Sheet - UMBC ebiquity research group PDF

252 Pages·2004·0.97 MB·English

Approval Sheet

Title of Dissertation: Intrusion Detection: Modeling System State to Detect and Classify Aberrant Behaviors
Name of Candidate: Jeffrey L. Undercoffer, Doctor of Philosophy, 2004
Thesis and Abstract Approved: Dr. John Pinkston, Professor and Chair, Department of Computer Science and Electrical Engineering
Date Approved:

Curriculum Vitae

Name: Jeffrey L. Undercoffer.
Permanent Address:
Degree and date to be conferred: Doctor of Philosophy, 2004.
Date of Birth:
Place of Birth:

Collegiate institutions attended:
University of Maryland, University College, Bachelor of Science, Computer Science, 1984.
University of Maryland, College Park, Master of Science, Software Engineering, 1999.
University of Maryland, Baltimore County, Doctor of Philosophy, Computer Science, 2004.
Major: Computer Science.

Professional publications:
Jeffrey Undercoffer, Lalana Kagal, Filip Perich, Anupam Joshi, and Tim Finin. "Vigil: Policy Based Access Control for Pervasive Computing Environments", under review, 9th European Symposium on Research in Computer Security, September, 2004.
Filip Perich, Lalana Kagal, and Jeffrey Undercoffer. "Using Distributed Belief to Improve Query Processing Accuracy in Mobile Ad-Hoc Networks", under review, 23rd ACM SIGMOD International Conference on Management of Data, June, 2004.
James Parker, Jeffrey Undercoffer, John Pinkston, and Anupam Joshi. "On Intrusion Detection in Mobile Ad Hoc Networks", in Proceedings, 23rd IEEE International Performance Computing and Communications Conference - Workshop on Information Assurance, April 2004.
Jeffrey Undercoffer, Anupam Joshi, Tim Finin, and John Pinkston. "A Target Centric Ontology for Intrusion Detection: Using DAML+OIL to Classify Intrusive Behaviors", in Knowledge Engineering Review, 2004.
Sasikanth Avancha, Jeffery Undercoffer, Anupam Joshi and John Pinkston. "Security for Sensor Networks", in Wireless Sensor Networks, edited by Taieb Znati, Krishna M. Sivalingam and Cauligi Raghavendra. Kluwer Academic Publishers, 2004.
Jeffrey Undercoffer and Anupam Joshi. "Data Mining, Semantics and Intrusion Detection: What to dig for and Where to find it", in Data Mining: Next Generation Challenges and Future Directions, edited by Hillol Kargupta, Anupam Joshi, K. Sivakumar, and Yelena Yesha. MIT Press, 2004.
Sasikanth Avancha, Jeffery Undercoffer, Anupam Joshi and John Pinkston. "Secure Sensor Networks for Perimeter Protection", in International Journal of Computer and Telecommunications Networking, 2003.
Jeffrey Undercoffer, Andrej Cedilnik, Filip Perich, Lalana Kagal, and Anupam Joshi. "A Secure Infrastructure For Service Discovery And Management In Pervasive Computing", in Journal of Mobile Networks and Applications (MONET), 2003.
Jeffrey Undercoffer, Filip Perich, Anupam Joshi and John Pinkston. "SHOMAR: A Secure Framework for Distributed Intrusion Detection Services", under review, ACM Transactions on Information and System Security, 2003.
Jeffrey Undercoffer, Anupam Joshi, and John Pinkston. "Modeling Computer Attacks: An Ontology for Intrusion Detection", in Proceedings of the Sixth International Symposium on Recent Advances in Intrusion Detection, 2003.
Hiren Shah, Jeffrey Undercoffer and Anupam Joshi. "Fuzzy Clustering for Intrusion Detection", in Proceedings of the 12th IEEE International Conference on Fuzzy Systems, 2003.
Lalana Kagal, Jeffrey Undercoffer, Anupam Joshi, and Tim Finin. "A Security Architecture Based on Trust Management for Pervasive Computing Systems", in Proceedings of the Grace Hopper Celebration of Women in Computing, 2002.
J. Undercoffer, S. Rajavaram, H. Shah, V. Shanbhag, and A. Joshi. "Neighborhood Watch: An Intrusion Detection and Response Protocol for Mobile Ad-hoc Networks", at UMBC Student Research Conference, 2002.
Jeffrey Undercoffer, Anupam Joshi, Tim Finin, and John Pinkston. "A Target-Centric Ontology for Intrusion Detection", in 18th International Joint Conference on Artificial Intelligence Workshop on Ontologies in Distributed Systems, 2003.
James Butler, Jeffrey Undercoffer and John Pinkston. "Hidden Processes: The Implication for Intrusion Detection", in The Proceedings of the IEEE Systems, Man and Cybernetics Society Information Assurance Workshop, 2003.
Anupam Joshi and Jeffrey Undercoffer. "On Web, Semantics, and Data Mining: Intrusion Detection as a Case Study", in Proceedings of the NSF Workshop on Next Generation Data Mining, 2003.
Sasikanth Avancha, Jeffery Undercoffer, Anupam Joshi and John Pinkston. "A Clustering Approach to Secure Sensor Networks", Technical Report TR-CS-03-19, Department of Computer Science and Electrical Engineering, University of Maryland Baltimore County, 2003.
Lalana Kagal, Jeffrey Undercoffer, Anupam Joshi, and Tim Finin. "Vigil: Providing Trust for Enhanced Security in Pervasive Systems", Technical Report TR-CS-02-19, Department of Computer Science and Electrical Engineering, University of Maryland Baltimore County, 2002.
Ed Perl, Jeffrey Undercoffer, and Deepinder Sidhu. "A Perspective on the Scalability of MPLS Signaling", Technical Report TR-CS-02-07, Department of Computer Science and Electrical Engineering, University of Maryland Baltimore County, 2002.

Professional positions held:
Research Assistant (Sep. 2001 - Jan. 2004). Department of Computer Science and Electrical Engineering, University of Maryland, Baltimore County.
Solutions Director (Jan. 1999 - Dec. 2001). World Wide Security Practice - Unisys Corporation.
Assistant to the Special Agent in Charge (Nov. 1977 - Jan. 1999). Presidential Protective Division - United States Secret Service.

Abstract

Title of Dissertation: Intrusion Detection: Modeling System State to Detect and Classify Aberrant Behaviors
Author: Jeffrey L. Undercoffer, PhD, 2004
Thesis directed by: Dr. John Pinkston, Professor and Chair, Department of Computer Science and Electrical Engineering

We present a dual-phase host-based intrusion detection process. We have demonstrated, through experimental validation, that our process improves the current state of intrusion detection capabilities. The first phase uses cluster analysis to compare samples of low-level operating system data to an established model of normalcy. The second phase takes instances of non-conforming data from phase 1, maps that data to instances of our target-centric ontology and reasons over it. The reasoning process serves two purposes: primarily it is intended to classify the anomalous data as a specific type, or class, of attack. Its secondary purpose is to provide an orthogonal test to differentiate between true and false positives.

We developed a novel metric (self-distance) to quantify the streams of system calls generated by a process, and we have constructed a feature set from the low-level operating system data, which is subsequently used as input to the clustering process. We experimented with different clustering algorithms (Fuzzy c-Medoid, k-Means, and Principal Direction Divisive Partitioning), distance measures (Euclidean and Mahalanobis), and the effects of z-normalizing the data set. Our experiments indicated that the Fuzzy c-Medoid algorithm using the Mahalanobis metric as a distance measure was the optimal performer, yielding an F-Measure of .9822. The F-Measure is a common method for describing accuracy and is a combination of precision and recall.

We experimentally demonstrated the case for migrating from taxonomic classification systems and their syntactical representation languages to ontologies and semantically rich ontology specification languages. We created a data model of the relationships that hold between the low-level data and instances of attacks and intrusions. We used the DARPA Agent Markup Language + Ontology Inference Layer to specify the data model as an ontology and the Java Theorem Prover, a sound and complete First Order Logic theorem prover, to reason over and classify instances of data that were deemed to be anomalous in the first phase of our process. Our classification mechanism achieved an F-Measure of .9776. The overall F-Measure of our dual-phase process was .9718.

Ignoring the characteristics of the data population is a classic mistake that is made when evaluating intrusion systems. This is also referred to as the base-rate fallacy. When evaluating the posterior probability (the probability of an alarm given an intrusion) of our process we achieve a score of .998.

We also present two novel mechanisms to detect and mitigate aberrant behaviors encountered in Mobile Ad Hoc and Wireless Sensor networks. Both of these networks consist of resource constrained devices. Accordingly, we present our intrusion detection mechanisms as protocols that monitor network state rather than system state.

Intrusion Detection: Modeling System State to Detect and Classify Anomalous Behaviors
by Jeffrey L. Undercoffer

Dissertation submitted to the Faculty of the Graduate School of the University of Maryland in partial fulfillment of the requirements for the degree of Doctor of Philosophy, 2004

In memory of Joseph John Undercoffer, May 5, 1976 - December 14, 2001
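The base-rate fallacy the abstract warns about, worked through as an added example that is not part of the dissertation: a detector with a constructed detection rate and false-alarm rate is pushed through Bayes' rule at several intrusion base rates, alongside a helper for the F-measure the abstract reports. All rates used here are assumed values for illustration, not the dissertation's measurements.

```python
# Added example (not from the dissertation): the base-rate fallacy in IDS evaluation.
# Bayes' rule gives the posterior P(intrusion | alarm) from three quantities:
#   detection rate   P(alarm | intrusion)
#   false-alarm rate P(alarm | no intrusion)
#   base rate        P(intrusion)
# Every rate below is constructed for illustration, not measured on any real system.
from typing import List, Tuple


def posterior_intrusion_given_alarm(detection_rate: float, false_alarm_rate: float,
                                    base_rate: float) -> float:
    """P(I|A) = P(A|I)P(I) / (P(A|I)P(I) + P(A|not I)P(not I))."""
    true_alarm = detection_rate * base_rate
    false_alarm = false_alarm_rate * (1.0 - base_rate)
    if true_alarm + false_alarm == 0.0:
        return 0.0  # no alarms at all: posterior is undefined, report 0
    return true_alarm / (true_alarm + false_alarm)


def f_measure(precision: float, recall: float) -> float:
    """Balanced F-measure (F1): the harmonic mean of precision and recall."""
    if precision + recall == 0.0:
        return 0.0
    return 2.0 * precision * recall / (precision + recall)


def base_rate_sweep(detection_rate: float, false_alarm_rate: float,
                    base_rates: List[float]) -> List[Tuple[float, float]]:
    """Posterior at each base rate: shows how it collapses as intrusions get rarer
    even though the detector itself is unchanged."""
    return [(b, posterior_intrusion_given_alarm(detection_rate, false_alarm_rate, b))
            for b in base_rates]


if __name__ == "__main__":
    # Constructed detector: catches 98% of intrusions, alarms on 1% of benign samples.
    for b, p in base_rate_sweep(0.98, 0.01, [0.5, 0.1, 0.01, 0.001, 0.00001]):
        print(f"base rate {b:>8.5f}: P(intrusion | alarm) = {p:.4f}")
    print(f"F-measure at precision 0.98, recall 0.98 = {f_measure(0.98, 0.98):.4f}")
```

The sweep is the point: a detector that looks excellent on a balanced test set yields a posterior under 1% once intrusions are one in a hundred thousand samples, which is why an evaluation must state the base rate it assumes.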
