Abstract
Abstraction is an important issue in intrusion detection, since it not only hides the difference between heterogeneous systems, but also allows generic intrusion-detection models. However, abstraction is an error-prone process and is not well supported in current intrusion-detection systems (IDSs). This article presents a hierarchical model to support attack specification and event abstraction in distributed intrusion detection. The model involves three concepts: system view, signature, and view definition. A system view provides an abstract interface of a particular type of information; defined on the instances of system views, a signature specifies certain distributed attacks or events to be monitored; a view definition is then used to derive information from the matches of a signature and presents it through a system view. With the three elements, the model provides a hierarchical framework for maintaining signatures, system views, as well as event abstraction. As a benefit, the model allows generic signatures that can accommodate unknown variants of known attacks. Moreover, abstraction represented by a system view can be updated without changing either its specification or the signatures specified on its basis. This article then presents a decentralized method for autonomous but cooperative component systems to detect distributed attacks specified by signatures. Specifically, a signature is decomposed into finer units, called detection tasks, each of which represents the activity to be monitored on a component system. The component systems (involved in a signature) then perform the detection tasks cooperatively according to the "dependency" relationships among these tasks. An experimental system called CARDS has been implemented to test the feasibility of the proposed approach.
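As an added illustration (not code from the article or from the CARDS prototype), the following Python model sketches the three concepts above and the decomposition of a signature into host-local detection tasks ordered by their dependencies; the view names, hosts, sample events and the 600-second window are constructed assumptions.

```python
from collections import namedtuple

# System view: an abstract interface (name + attribute schema) that hides which
# sensor produced the events; each event is a dict carrying its view's name.
SystemView = namedtuple("SystemView", "name attrs")
# Detection task: the slice of a signature monitored on one component system;
# depends_on lists the tasks whose partial matches it must receive first.
DetectionTask = namedtuple("DetectionTask", "view host depends_on", defaults=[()])

def task_order(tasks):
    # Topological order over the dependency relation (index = position in tasks).
    done, order = set(), []
    while len(order) < len(tasks):
        for i, t in enumerate(tasks):
            if i not in done and all(tasks.index(d) in done for d in t.depends_on):
                done.add(i); order.append(i)
    return order

def run_signature(tasks, constraint, events_by_host):
    # Each task inspects only its own host's events of its own view and extends
    # the partial matches ({task_index: event}) handed over by its predecessors.
    partial = [{}]
    for i in task_order(tasks):
        local = [e for e in events_by_host.get(tasks[i].host, []) if e["view"] == tasks[i].view.name]
        partial = [{**p, i: e} for p in partial for e in local if constraint({**p, i: e})]
    return partial

def view_definition(name, matches, derive):
    # Present signature matches as events of a new, more abstract system view.
    return [{**derive(m), "view": name} for m in matches]

# Constructed sample: a probe logged at the gateway, then a login on the probed host.
PROBE = SystemView("Probe", ("src", "target", "t"))
LOGIN = SystemView("Login", ("host", "user", "t"))
T_PROBE = DetectionTask(PROBE, "gateway")
T_LOGIN = DetectionTask(LOGIN, "srv1", depends_on=(T_PROBE,))

def login_after_probe(m):
    if 0 not in m or 1 not in m:   # partial match: nothing cross-host to check yet
        return True
    return m[0]["target"] == m[1]["host"] and 0 < m[1]["t"] - m[0]["t"] <= 600

EVENTS = {  # t is seconds; bob's login falls outside the 600 s window
    "gateway": [{"view": "Probe", "src": "10.0.0.9", "target": "srv1", "t": 100}],
    "srv1": [{"view": "Login", "host": "srv1", "user": "alice", "t": 250},
             {"view": "Login", "host": "srv1", "user": "bob", "t": 5000}]}

def abstract_events():
    matches = run_signature([T_PROBE, T_LOGIN], login_after_probe, EVENTS)
    return view_definition("LoginAfterProbe", matches, lambda m: {**m[1], "src": m[0]["src"]})
```

The derived "LoginAfterProbe" events can in turn serve as the instance of a system view on which a higher-level signature is written, which is the hierarchy the abstract describes.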
Index Terms
- Abstraction-based intrusion detection in distributed environments