Implementing a patternless intrusion detection system a methodology for Zippo

Abstract

A methodology for the implementation of Zippo, a patternless intrusion detection system is presented in this thesis. This methodology approaches the implementation in a holistic manner to include the administrative and operational tasks necessary for ensuring proper preparation for Zippo's use. Prior to implementing and using Zippo, a basic understanding of TCP/IP and intrusion detection systems is needed and these topics are presented in broad detail. The origin of Zippo starts with the creation of Therminator, which is discussed in detail. The architecture and configuration of Zippo are based on those of Therminator and understanding the ideas of buckets and balls, thermal canyons and towers, decision trees, slidelength and windowlength and initial and boundary conditions are paramount to understanding the Zippo application. To successfully implement Zippo, other network factors must be attended to including the topology, organizational policies and the security plan. Once these factors are addressed, Zippo can be optimally configured to successfully be installed on a network. Finally, previous research done on Zippo yielded decision trees and thermal canyons pertaining to protocol specific threats that are presented to familiarize the reader with Zippo's visual representation of malicious or anomalous behavior.