Calendar - University of Houston
Skip to main content

[Defense] Intrusion Detection Based on Network Packet Latency and Hacker’s Behavior

Monday, November 23, 2020

10:00 am - 11:30 am

In Partial Fulfillment of the Requirements for the Degree of Doctor of Philosophy
Zechun Cao
will defend his dissertation


Our society is facing a growing threat from data breaches, where confidential information is stolen from computer servers. To steal data, hackers must first gain entry into the targeted systems. Commercial off-the-shelf intrusion detection systems are unable to defend against the intruders effectively. This dissertation addresses the issues of detecting intruders from hiding behind privacy-protecting anonymity networks and intruders in the file system. The freely available Tor and the SOCKS proxy services have been popular tools that provide circuit-based anonymous connections to network users. However, recent security breaches reveal that SSH and HTTPS have been used to launch attacks by malicious users by taking advantage of these services to hide their identities. This dissertation investigates strategies to detect SSH and HTTPS connections via the circuit-based anonymity networks, to help servers and websites defend against anonymous intruders.

We evaluate our approaches with SSH and HTTPS connections and show that they achieve high performance for both applications. Our detection algorithms are based on the extra latency delays introduced by the presence of the anonymity networks. The detection rates for all four combinations of SSH/HTTPS applications via Tor/SOCKS networks were very high, with a low false-positive rate. To demonstrate the robustness of our approach in the Tor case, we tested our method in multiple Tor circuit node selection strategies. The approach can be applied to other applications meeting the same criteria.

Additionally, to detect intruders in the system based on their behavior, we present two approaches to model users’ file access behavior. The first approach comprises a set of behavioral features of the user’s file access patterns in a file system. In contrast, the second approach defines a trace and graph model to capture the user’s behavior. We validate the effectiveness of our approaches by conducting experiments on an existing file system dataset.

We find both of our proposed approaches achieve very high performance in detecting intruders in the file system with various experiment settings.

 Monday, November 23, 2020
10:00AM - 11:30AM CT
Online via Zoom (click link)

Dr. Stephen Huang, dissertation advisor

Faculty, students and the general public are invited.

Online via Zoom