Secure Configuration of Intrusion Detection Sensors for Changing Enterprise Systems

  • Conference paper
Security and Privacy in Communication Networks (SecureComm 2011)

Abstract

Current attacks on distributed systems involve multiple steps, because attackers usually take several actions to achieve their goals. Such attacks are called multi-stage attacks, and their ultimate goal is to compromise an asset that is critical to the victim. An example would be compromising a web server, then carrying out a series of intermediate steps (such as compromising a developer's box through a vulnerable PHP module and connecting to an FTP server with the gained credentials) to ultimately connect to a database where user credentials are stored. Current detection systems are not capable of analyzing the multi-step attack scenario. In this document we present a distributed detection framework based on a probabilistic reasoning engine that communicates with detection sensors and can achieve two goals: (1) protect the critical asset by detecting multi-stage attacks and (2) tune sensors according to the changing environment of the distributed system monitored by the framework. As shown in the experiments, the framework reduces the number of false positives it would otherwise report if it considered alerts from a single detector only, and the reconfiguration of sensors allows the framework to detect attacks that take advantage of the changing system environment.
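The abstract describes a probabilistic reasoning engine that fuses alerts from several sensors along an attack chain and retunes sensors as the picture changes. As an added illustration (not the paper's model, which this page does not reproduce), the Python below builds a toy Bayesian network over the four-stage chain from the abstract (web server, developer box, FTP server, database), computes the posterior probability that each stage is compromised by exact enumeration, and applies a simple sensor-tuning rule. The chain structure, the prior and conditional probabilities, the sensor accuracy figures, the "normal"/"strict" profiles and the threshold rule are all assumed values chosen for the example; the paper's engine, parameters and tuning policy are not on this page.

```python
"""Toy Bayesian-network reasoner for the four-stage chain in the abstract.

Added illustration, NOT the paper's model: the chain structure, every
probability and the reconfiguration rule below are assumed values.
"""
from itertools import product

# Hidden stages in chain order; each is a boolean "is this host compromised?".
STAGES = ["web", "dev", "ftp", "db"]        # "db" is the critical asset

PRIOR = 0.01        # P(web server compromised) before any alert (assumed)
# P(stage compromised | previous stage compromised), P(... | previous clean)
COND = {
    "dev": (0.60, 0.005),
    "ftp": (0.70, 0.002),
    "db":  (0.80, 0.001),
}

# Sensor profiles as (true-positive rate, false-positive rate) per stage.
# "normal" is the default tuning; "strict" buys recall at the price of
# more false alarms, so it is only worth enabling on a host that is at risk.
PROFILES = {
    "normal": {"web": (0.90, 0.05), "dev": (0.80, 0.02),
               "ftp": (0.85, 0.03), "db": (0.70, 0.01)},
    "strict": {"web": (0.97, 0.10), "dev": (0.95, 0.06),
               "ftp": (0.95, 0.08), "db": (0.90, 0.04)},
}


def joint(state, alerts, config):
    """P(state, observed alerts) for one assignment of the hidden stages."""
    p, prev = 1.0, None
    for stage in STAGES:
        if prev is None:
            p_comp = PRIOR
        else:
            p_comp = COND[stage][0] if state[prev] else COND[stage][1]
        p *= p_comp if state[stage] else 1.0 - p_comp
        if stage in alerts:                 # this sensor's output is observed
            tpr, fpr = PROFILES[config[stage]][stage]
            p_alert = tpr if state[stage] else fpr
            p *= p_alert if alerts[stage] else 1.0 - p_alert
        prev = stage
    return p


def posteriors(alerts, config=None):
    """P(stage compromised | alerts) for every stage, by exact enumeration.

    alerts: stage -> True (alert fired) / False (sensor stayed silent);
            stages missing from the dict are treated as unobserved.
    config: stage -> profile name currently deployed on that sensor.
    """
    config = config or {s: "normal" for s in STAGES}
    total, marg = 0.0, {s: 0.0 for s in STAGES}
    for bits in product([False, True], repeat=len(STAGES)):
        state = dict(zip(STAGES, bits))
        p = joint(state, alerts, config)
        total += p
        for s in STAGES:
            if state[s]:
                marg[s] += p
    return {s: marg[s] / total for s in STAGES}


def reconfigure(post, config, threshold=0.3):
    """Assumed tuning rule: once a stage is judged likely compromised, move
    the sensor guarding the *next* stage to the 'strict' profile."""
    new = dict(config)
    for i, stage in enumerate(STAGES[:-1]):
        if post[stage] >= threshold:
            new[STAGES[i + 1]] = "strict"
    return new


if __name__ == "__main__":
    base = {s: "normal" for s in STAGES}
    # A lone alert from the noisy perimeter sensor, everything else quiet:
    # the engine treats it as a probable false positive.
    quiet = posteriors({"web": True, "dev": False, "ftp": False, "db": False}, base)
    # Corroborating alerts along the chain: the asset is judged at risk even
    # though its own sensor has not fired, and downstream sensors get tightened.
    chain = posteriors({"web": True, "dev": True, "ftp": True, "db": False}, base)
    for name, post in (("lone web alert", quiet), ("web+dev+ftp alerts", chain)):
        print(name, {s: round(p, 3) for s, p in post.items()})
    print("new sensor config:", reconfigure(chain, base))
```

With these assumed numbers, a single alert from the web sensor on its own lifts the probability that the web server is compromised only to about 15%, and silence from the three downstream sensors pushes it back under 10%, so acting on that one detector alone would be a false positive most of the time. When the web, developer-box and FTP sensors all fire, the database is judged compromised with better than even odds before its own sensor has seen anything, and the tuning rule switches the developer, FTP and database sensors to the strict profile. Exact enumeration over 2^4 states is fine for a toy chain; a real deployment with many hosts would need a proper inference library, but the alert-fusion and retuning logic is the same.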

Copyright information

© 2012 ICST Institute for Computer Science, Social Informatics and Telecommunications Engineering

About this paper

Cite this paper

Modelo-Howard, G., Sweval, J., Bagchi, S. (2012). Secure Configuration of Intrusion Detection Sensors for Changing Enterprise Systems. In: Rajarajan, M., Piper, F., Wang, H., Kesidis, G. (eds) Security and Privacy in Communication Networks. SecureComm 2011. Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering, vol 96. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-31909-9_3

  • DOI: https://doi.org/10.1007/978-3-642-31909-9_3

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-31908-2

  • Online ISBN: 978-3-642-31909-9
