Abstract

In this PhD Thesis we developed models for abnormal network traffic based on the TCP/IP communication protocol of computer systems, and for the behavior of systems and users under virus and worm attacks. For the development we combined mathematical formalism with real attributes that characterize almost all attacking efforts of hackers, viruses and worms against computers and networking systems. Our main goal was, based upon the theoretic models we proposed, to provide a useful tool to deal with intrusions. Thus we developed a Software Tool for Distributed Intrusion Detection in Computer Networks (PODC-2004, 23rd ACM SIGART-SIGOPS, Canada, Best presentation award). Based on an improved model we produced a real-time distributed detection system of network attacks (International Journal of Computer Science and Network Security, VOL.6, No.7, July 2006) that is installed in the Western Greece Region as a peripheral distributed system for early warning of administrators about worm and virus propagation and hackers' attacks. This work is funded by the Greek General Secretariat of Research and Technology under the Regional Program of Innovative Actions. Also in this work we propose a discrete worm rapid propagation model based on social networks that are built using the address books of e-mail and instant messaging clients, using the mathematical formalism of Constraint Satisfaction Problems (CSP). The address book, which reflects the acquaintance profiles of people, is used as a "hit-list", to which the worm can send itself in order to spread fast. We also model user reaction against infected e-mail as well as the rate at which antivirus software is installed. We then propose a worm propagation formulation based on a token propagation algorithm, further analyzed with the use of a system of continuous differential equations, as dictated by Wormald's theorem on approximating "well-behaving" random processes with deterministic functions.
Finally in this work we present a virus propagation and elimination model that takes into account the traffic and server characteristics of the network computers. This model partitions the network nodes into perimeter and non-perimeter nodes. Incoming/outgoing traffic of the network passes through the perimeter of the network, where the perimeter is defined as the set of the servers which are connected directly to the internet. All network nodes are assumed to process tasks based on the M/M/1 queuing model. We study burst intrusions (e.g. Denial of Service attacks) at the network perimeter and we propose a kind of interaction between these agents, derived using the formalism of distribution of network tasks in Jackson open networks of queues.
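As an added illustration (not the thesis's own formulation or code), the following is a minimal discrete round-based simulation of the address-book worm model described above: each address book serves as the worm's hit-list, `p_open` stands in for the user's reaction to an infected e-mail, and `p_av` for the rate at which antivirus software gets installed. The toy address books and the simulation rules are constructed assumptions, chosen to show how those two parameters shape the spread.

```python
import random

# Constructed toy address books (node -> contacts); the thesis's real data is not on the page.
ADDRESS_BOOKS = {
    0: [1, 2, 3], 1: [0, 4], 2: [0, 5, 6], 3: [0, 7], 4: [1, 8],
    5: [2, 9], 6: [2], 7: [3, 8], 8: [4, 7, 9], 9: [5, 8],
}


def simulate_worm(address_books, seed_node, p_open, p_av, rounds, rng=None):
    """Round-based e-mail worm spread over an address-book graph (assumed model).

    Node states: susceptible / infected / immune (antivirus installed).
    Each round:
      1. every infected node mails itself to every entry of its address book (hit-list);
      2. a susceptible recipient opens the attachment with probability p_open
         (user reaction) and is infected from the next round on;
      3. every node not yet immune installs antivirus with probability p_av,
         which cleans it if infected and makes it immune for good.
    Returns the infected-node count after each round (index 0 = initial state).
    """
    rng = rng or random.Random(0)
    infected = {seed_node}
    immune = set()
    history = [len(infected)]
    for _ in range(rounds):
        newly = set()
        for src in sorted(infected):          # sorted for reproducible RNG draws
            for dst in address_books.get(src, []):
                if dst in infected or dst in immune or dst in newly:
                    continue
                if rng.random() < p_open:
                    newly.add(dst)
        infected |= newly
        # antivirus rollout applies to every node, including the ones just infected
        for node in sorted(address_books):
            if node not in immune and rng.random() < p_av:
                immune.add(node)
                infected.discard(node)
        history.append(len(infected))
        if not infected:                      # worm died out, nothing more to simulate
            break
    return history


if __name__ == "__main__":
    print(simulate_worm(ADDRESS_BOOKS, 0, p_open=0.6, p_av=0.1, rounds=8))
```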
