Abstract
Current attacks to distributed systems involve multiple steps, due to attackers usually taking multiple actions to achieve their goals. Such attacks are called multi-stage attacks and have the ultimate goal to compromise a critical asset for the victim. An example would be compromising a web server, then achieve a series of intermediary steps (such as compromising a developer’s box thanks to a vulnerable PHP module and connecting to a FTP server with gained credentials) to ultimately connect to a database where user credentials are stored. Current detection systems are not capable of analyzing the multi-step attack scenario. In this document we present a distributed detection framework based on a probabilistic reasoning engine that communicates to detection sensors and can achieve two goals: (1) protect the critical asset by detecting multi-stage attacks and (2) tune sensors according to the changing environment of the distributed system monitored by the distributed framework. As shown in the experiments, the framework reduces the number of false positives that it would otherwise report if it were only considering alerts from a single detector and the reconfiguration of sensors allows the framework to detect attacks that take advantage of the changing system environment.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Preview
Unable to display preview. Download preview PDF.
References
Acohido, B.: Hackers breach Heartland Payment credit card system. USA Today (January 2009)
Addendum: Secure Configuration of Intrusion Detection Sensors, http://sites.google.com/site/securecomm11msa/
Forum of Incident Response and Security Teams: Common Vulnerability Scoring System (CVSS), http://www.first.org/cvss/
Foo, B., Wu, Y., Mao, Y., Bagchi, S., Spafford, E.: ADEPTS: Adaptive Intrusion Response Using Attack Graphs in an E-Commerce Environment. In: International Conference on Dependable Systems and Networks, pp. 508–517. IEEE Computer Society (2005)
Frigault, M., Wang, L., Singhal, A., Jajodia, S.: Measuring network security using dynamic bayesian network. In: 4th ACM Workshop on Quality of Protection, pp. 23–30. ACM, New York (2008)
Kreibich, C., Sommer, R.: Policy-controlled Event Management for Distributed Intrusion Detection. In: 4th Int. Workshop on Distributed Event Based Systems (2005)
Modelo-Howard, G., Bagchi, S., Lebanon, G.: Determining Placement of Intrusion Detectors for a Distributed Application through Bayesian Network Modeling. In: Lippmann, R., Kirda, E., Trachtenberg, A. (eds.) RAID 2008. LNCS, vol. 5230, pp. 271–290. Springer, Heidelberg (2008)
Modelo-Howard, G., Bagchi, S., Lebanon, G.: Approximation Algorithms for Determining Placement of Intrusion Detectors. CERIAS Tech. Report 2011-01 (2011)
Noel, S., Robertson, E., Jajodia, S.: Correlating Intrusion Events and Building Attack Scenarios Through Attack Graph Distances. In: 20th Annual Computer Security Applications Conference, pp. 350–359. IEEE Computer Society, New York (2004)
Nowicka, E., Zawada, M.: Modeling Temporal Properties of Multi-event Attack Signatures in Interval Temporal Logic. In: IEEE/IST Workshop on Monitoring, Attack Detection and Mitigation (2006)
Ning, P., Cui, Y., Reeves, D.: Constructing attack scenarios through correlation of intrusion alerts. In: 9th ACM Conf. Computer and Communications Security, pp. 245–254. ACM Press, New York (2002)
Ning, P., Xu, D.: Learning attack strategies from intrusion alerts. In: 10th ACM Conf. Computer and Communications Security, pp. 200–209. ACM Press, New York (2003)
Ning, P., Xu, D., Healey, C., St. Amant, R.: Building Attack Scenarios through Integration of Complementary Alert Correlation Method. In: Network and Distributed System Security Symposium (2004)
OpenVAS. The Open Vulnerability Assessment System, http://www.openvas.org
Paxson, V.: Bro: a system for detecting network intruders in real-time. J. Comp. Net. 31, 2435–2463 (1999)
Pearl, J.: Probabilistic reasoning in intelligent systems: networks of plausible inference. Morgan Kaufmann Publishers Inc., San Francisco (1988)
Porras, P., Neumann, P.: EMERALD: Event monitoring enabling responses to anomalous live disturbances. In: 20th National Information Systems Security Conference, pp. 353–365 (1997)
Qin, X., Lee, W.: Statistical Causality Analysis of INFOSEC Alert Data. In: Vigna, G., Krügel, C., Jonsson, E. (eds.) RAID 2003. LNCS, vol. 2820, pp. 73–93. Springer, Heidelberg (2003)
Roesch, M.: Snort: Lightweight Intrusion Detection for Networks. In: 13th Conference on Systems Administration, pp. 229–238. USENIX (1999)
Snapp, S., et al.: DIDS (Distributed Intrusion Detection System) - Motivation, Architecture, and An Early Prototype. In: 14th National Computer Security Conferenc, pp. 167–176 (1991)
Spafford, E., Zamboni, D.: Intrusion detection using autonomous agents. J. Comp. Net. 34, 547–570 (2000)
Swets, J.: The Relative Operating Characteristic in Psychology. Science 182, 990–1000 (1973)
U.S. Department of Commerce. National Vulnerability Database, http://nvd.nist.gov/
U.S. Department of Health & Human Services: Health Information Privacy: Breaches Affecting 500 or More Individuals, http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/postedbreaches.html
Valdes, A., Skinner, K.: Probabilistic Alert Correlation. In: Lee, W., Mé, L., Wespi, A. (eds.) RAID 2001. LNCS, vol. 2212, pp. 54–68. Springer, Heidelberg (2001)
Vigna, G., Kemmerer, R.: NetSTAT: A Network-based Intrusion Detection System. J. Comp. Sec. 7, 37–71 (1999)
Wing, J.: Scenario graphs applied to network security. In: Qian, Y., Tipper, D., Krishnamurthy, P., Joshi, J. (eds.) Information Assurance: Dependability and Security in Networked Systems. Morgan Kaufmann, San Francisco (2007)
Author information
Authors and Affiliations
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2012 ICST Institute for Computer Science, Social Informatics and Telecommunications Engineering
About this paper
Cite this paper
Modelo-Howard, G., Sweval, J., Bagchi, S. (2012). Secure Configuration of Intrusion Detection Sensors for Changing Enterprise Systems. In: Rajarajan, M., Piper, F., Wang, H., Kesidis, G. (eds) Security and Privacy in Communication Networks. SecureComm 2011. Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering, vol 96. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-31909-9_3
Download citation
DOI: https://doi.org/10.1007/978-3-642-31909-9_3
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-31908-2
Online ISBN: 978-3-642-31909-9
eBook Packages: Computer ScienceComputer Science (R0)