Etd

Augmenting Network Flows with User Interface Context to Inform Access Control Decisions

Public


Whitelisting IP addresses and hostnames allows organizations to employ a default-deny approach to network traffic. Organizations employing a default-deny approach can stop many malicious threats, even including zero-day attacks, because the approach allows only explicitly stated legitimate activities. However, creating a comprehensive whitelist for a default-deny approach is difficult due to user-supplied destinations that can only be known at the time of usage. Whitelists, therefore, interfere with user experience by denying network traffic to user-supplied legitimate destinations. In this thesis, we focus on creating dynamic whitelists that are capable of allowing user-supplied network activity. We designed and built a system called Harbinger, which leverages user interface activity to provide the context in which network activity took place. We built Harbinger for Microsoft Windows operating systems and have tested its usability and effectiveness on four popular Microsoft applications. We find that Harbinger can reduce false-positive detection rates from 44%-54% to 0%-0.4% in IP and DNS whitelists. Furthermore, while traditional whitelists failed to detect propagation attacks, Harbinger detected the same attacks 96% of the time. We find that our system only introduced six milliseconds of delay or less for 96% of network activity.

Creator
Contributors
Degree
Unit
Publisher
Identifier
  • etd-3101
Keyword
Advisor
Defense date
Year
  • 2019
Date created
  • 2019-12-12
Resource type
Rights statement
Last modified
  • 2023-12-05


Permanent link to this page: https://digital.wpi.edu/show/fx719p46g