Show simple item record

dc.contributor.authorFink, Glenn Allenen_US

Much computer communications activity is invisible to the user, happening without explicit permission. When system administrators investigate network communications activities, they have difficulty tracing them back to the processes that cause them. The strictly layered TCP/IP networking model that underlies all widely used, general-purpose operating systems makes it impossible to trace a packet seen on the network back to the processes that are responsible for generating and receiving it. The TCP/IP model separates the concerns of network routing and process ownership so that the layers cannot share the information needed to correlate packets to processes. But knowing what processes are responsible for communications activities can be a great help in determining whether that activity is benign or malicious.

My solution combines a visualization tool, a kernel-level correlation engine, and middleware that ties the two together. My research enables security personnel to visually correlate packets to the processes they belong to helping users determine whether communications are benign or malicious. I present my discoveries about the system administrator community and relate how I created a new correlation technology. I conducted a series of initial interviews with system administrators to clarify the problem, researched available solutions in the literature, identified what was missing, and worked with users to build it. The users were my co-designers as I built a series of prototypes of increasing fidelity and conducted usability evaluations on them. I hope that my work will demonstrate how well the participatory design approach works.

My work has implications for the kernel structure of all operating system kernels with a TCP/IP protocol stack and network model. In light of my research, I hope security personnel will more clearly see sets of communicating processes on a network as basic computational units rather than the individual host computers. If kernel designers incorporate my findings into their work, it will enable much better security monitoring than is possible today making the Internet safer for all.

dc.publisherVirginia Techen_US
dc.rightsI hereby certify that, if appropriate, I have obtained and attached hereto a written permission statement from the owner(s) of each third party copyrighted matter to be included in my thesis, dissertation, or project report, allowing distribution as specified below. I certify that the version I submitted is the same as that approved by my advisory committee. I hereby grant to Virginia Tech or its agents the non-exclusive license to archive and make accessible, under the conditions specified below, my thesis, dissertation, or project report in whole or in part in all forms of media, now or hereafter known. I retain all other ownership rights to the copyright of the thesis, dissertation or project report. I also retain the right to use in future works (such as articles or books) all or part of this thesis, dissertation, or project report.en_US
dc.subjectInsight-Based Methoden_US
dc.subjectComputer Securityen_US
dc.subjectSoftware Architectureen_US
dc.subjectSoftware Designen_US
dc.subjectInformation Visualizationen_US
dc.subjectHuman-Computer Interactionen_US
dc.titleVisual Correlation of Network Traffic and Host Processes for Computer Securityen_US
dc.contributor.departmentComputer Scienceen_US
dc.description.degreePh. D.en_US D.en_US Polytechnic Institute and State Universityen_US Scienceen_US
dc.contributor.committeechairNorth, Christopher L.en_US
dc.contributor.committeememberMidkiff, Scott F.en_US
dc.contributor.committeememberArthur, James D.en_US
dc.contributor.committeememberTatar, Deborah Gailen_US
dc.contributor.committeememberMarchany, Randolph C.en_US

Files in this item


This item appears in the following Collection(s)

Show simple item record