Abstract
Intrusion detection systems are one of the most important security devices that are deployed by organizations to secure their private network from the network attacks. Such attacks are launched through the Internet by hackers and malicious users outside of the organization. When an attacker successfully penetrates through a firewall, intrusion detection systems detect any such intrusive activity and alert the systems administrator. Some of the most common network attacks launched through the Internet are port scan attacks, SYN Flood attacks, Buffer Overflow attacks and session hijacking attacks. The numbers of reported intrusions, computer security issues and problems have increased rapidly during the past decade. This has highlighted the need to design and test new models and methodologies for intrusion detection. This thesis proposes an approach in intrusion detection that is based on computation and communication characterization of network attacks. In this approach, both network traffic and host-based data is monitored at the victim's site for sequences of computation and communication processes representing signs of network intrusion.

This thesis proposes the CCCAS Model for intrusion detection. The CCCAS model is subdivided into three sub-models named the Physical Model, the Computation Communication Intrusion Model and the State Transition Model. These sub-models deal with three different aspects of an attack scenario. An attack scenario is defined as a sequence of computation and communication operations whose successful execution leads to a network intrusion. The Physical Model characterizes the minimum software and hardware components required to launch a successful network attack. The Computation Communication Intrusion Model characterizes an attack scenario into sequences of computation and communication processes which could be monitored, detected and verified. The State Transition Model defines the change of states on the source machine and on the victim's machine which occur as a result of the execution of computation and communication processes involved in an attack scenario. All these three sub-models are integrated into the PM and CCIM implementation of STM. A simulation experiment is conducted based upon a specific PM and CCIM implementation of the STM; this experiment simulates an attack environment primarily consisting of a probe attack. The usefulness of the proposed CCCAS model is demonstrated in this simulation.