Date of Award
3-23-2017
Document Type
Thesis
Degree Name
Master of Science
Department
Department of Electrical and Computer Engineering
First Advisor
Barry E. Mullins, PhD.
Abstract
This research proposes AHNSR (Active Host-based Network Security Response), which combines Host-based Intrusion Detection Systems (HIDS) with Software-Defined Networking (SDN) to enhance system security by allowing dynamic active response and reconstruction from a global network topology perspective. Responses include traffic redirection, host quarantining, filtering, and more. A testable SDN-controlled network is constructed with multiple hosts, OpenFlow-enabled switches, and a Floodlight controller, all linked to a custom, novel interface for the Open-Source SECurity (OSSEC) HIDS framework. OSSEC is implemented in a server-agent architecture, allowing scalability and OS independence. System effectiveness is evaluated against the following factors: alert density and selected Floodlight module response types. At the expected operational load of 500 events per second (EPS), results reveal a mean system response time of 0.5564 seconds from log generation to flow table update via Floodlight's Access Control List module. Load testing further assesses performance at 10 to 10000 EPS for all tested response modules.
AFIT Designator
AFIT-ENG-MS-17-M-032
DTIC Accession Number
AD1054650
Recommended Citation
Goodgion, Jonathon S., "Active Response Using Host-Based Intrusion Detection System and Software-Defined Networking" (2017). Theses and Dissertations. 1575.
https://scholar.afit.edu/etd/1575