Online network intrusion detection system using temporal logic and stream data processing

Ahmed, Abdulbasit
Online network intrusion detection system using temporal logic and stream data processing. Doctor of Philosophy thesis, University of Liverpool.

[img] PDF
AbdulbasitAhmed_June2013_12153.pdf - Author Accepted Manuscript
Available under License Creative Commons Attribution Non-commercial No Derivatives.

Download (5MB)


These days, the world are becoming more interconnected, and the Internet has dominated the ways to communicate or to do business. Network security measures must be taken to protect the organization environment. Among these security measures are the intrusion detection systems. These systems aim to detect the actions that attempt to compromise the confidentiality, availability, and integrity of a resource by monitoring the events occurring in computer systems and/or networks. The increasing amounts of data that are transmitted at higher and higher speed networks created a challenging problem for the current intrusion detection systems. Once the traffic exceeds the operational boundaries of these systems, packets are dropped. This means that some attacks will not be detected. In this thesis, we propose developing an online network based intrusion detection system by the combined use of temporal logic and stream data processing. Temporal Logic formalisms allow us to represent attack patterns or normal behaviour. Stream data processing is a recent database technology applied to flows of data. It is designed with high performance features for data intensive applications processing. In this work we develop a system where temporal logic specifications are automatically translated into stream queries that run on the stream database server and are continuously evaluated against the traffic to detect intrusions. The experimental results show that this combination was efficient in using the resources of the running machines and was able to detect all the attacks in the test data. Additionally, the proposed solution provides a concise and unambiguous way to formally represent attack signatures and it is extensible allowing attacks to be added. Also, it is scalable as the system can benefit from using more CPUs and additional memory on the same machine, or using distributed servers.

Item Type: Thesis (Doctor of Philosophy)
Additional Information: Date: 2013-06 (completed)
Subjects: ?? QA75 ??
Divisions: Faculty of Science and Engineering > School of Electrical Engineering, Electronics and Computer Science
Depositing User: Symplectic Admin
Date Deposited: 06 Aug 2013 09:14
Last Modified: 16 Dec 2022 04:39
DOI: 10.17638/00012153
  • Lisitsa, Alexei