Intrusion Detection and Protection of Application Servers

Licentiatavhandling, 2005

The protection of application servers using intrusion detection and other related techniques is studied in this thesis. A thorough review is first made of taxonomies for intrusion detection systems (IDSs) and how these can help to understand the basic functionality and problems of intrusion detection. A lightweight IDS with a number of interesting features has been developed and tested in real-life situations. I have also studied the consequences of letting such a tool be integrated into an application server rather than keeping it separate from the monitored application, as is common in traditional host-based or network-based systems. Integration enables several advantages, such as the ability to monitor encrypted transactions, an Achilles' heel in traditional systems. I also studied a number of extensions and further developments to intrusion detection. I have developed an intrusion tolerant architecture that not only detects intrusions but also provides a means to tolerate them with a graceful degradation of the offered service. The intrusion tolerance is achieved by leveraging methods from the fault-tolerant community. Finally, I suggest a method for facilitating the set-up and training of IDSs based on active learning algorithms. Considerable performance improvements can be achieved in this way, as shown in the experiments done in this work.