Theses and Dissertations
Issuing Body
Mississippi State University
Advisor
Bridges, Susan
Committee Member
Boggess, Julian E.
Committee Member
Vaughn, Rayford
Date of Degree
8-2-2002
Document Type
Graduate Thesis - Open Access
Major
Computer Science
Degree Name
Master of Science
College
James Worth Bagley College of Engineering
Department
Department of Computer Science and Engineering
Abstract
As clusters of Linux workstations have gained in popularity, security in this environment has become increasingly important. While prevention methods such as access control can raise the security level of a cluster system, intrusions are still possible, and therefore intrusion detection and recovery methods are necessary. In this thesis, a system architecture for an intrusion detection system in a cluster environment is presented. A prototype system called pShield, based on this architecture for a Linux cluster environment, is described, and its capability to detect unique attacks on MPI programs is demonstrated. The pShield system was implemented as a loadable kernel module that uses a neural network classifier to model the normal behavior of processes. A new method for generating artificial anomalous data is described that uses a limited amount of attack data in training the neural network. Experimental results demonstrate that using this method rather than randomly generated anomalies reduces the false positive rate without compromising the ability to detect novel attacks. A neural network with a simple activation function is used in order to facilitate fast classification of new instances after training and to ease implementation in kernel space. Our goal is to classify the entire trace of a program's execution based on neural network classification of short sequences in the trace. Therefore, the effect of anomalous sequences in a trace must be accumulated. Several trace classification methods were compared. The results demonstrate that methods that use information about the locality of anomalies are more effective than those that only look at the number of anomalies. The impact of pShield on system performance was evaluated on an 8-node cluster. Although pShield adds some overhead to each MPI communication API call, the experimental results show that a real-world parallel computing benchmark was slowed only slightly by the intrusion detection system.
The results demonstrate the effectiveness of pShield as a light-weight intrusion detection system in a cluster environment. This work is part of the Intelligent Intrusion Detection project of the Center for Computer Security Research at Mississippi State University.
URI
https://hdl.handle.net/11668/19428
Recommended Citation
Liu, Zhen, "A Lightweight Intrusion Detection System for the Cluster Environment" (2002). Theses and Dissertations. 162.
https://scholarsjunction.msstate.edu/td/162