Runtime Monitoring and Dynamic Reconfiguration for Intrusion Detection Systems

  • Martin Rehák
  • Eugen Staab
  • Volker Fusenig
  • Michal Pěchouček
  • Martin Grill
  • Jan Stiborek
  • Karel Bartoš
  • Thomas Engel
Part of the Lecture Notes in Computer Science book series (LNCS, volume 5758)

Abstract

Our work proposes a generic architecture for runtime monitoring and optimization of IDS based on the challenge insertion. The challenges, known instances of malicious or legitimate behavior, are inserted into the network traffic represented by NetFlow records, processed with the current traffic and the system’s response to the challenges is used to determine its effectiveness and to fine-tune its parameters. The insertion of challenges is based on the threat models expressed as attack trees with attached risk/loss values. The use of threat model allows the system to measure the expected undetected loss and to improve its performance with respect to the relevant threats, as we have verified in the experiments performed on live network traffic.

Keywords

Entropy Posit 

Preview

Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

References

  1. 1.
    Denning, D.E.: An intrusion-detection model. IEEE Trans. Softw. Eng. 13, 222–232 (1987)CrossRefGoogle Scholar
  2. 2.
    Staab, E., Fusenig, V., Engel, T.: Towards trust-based acquisition of unverifiable information. In: Klusch, M., Pěchouček, M., Polleres, A. (eds.) CIA 2008. LNCS (LNAI), vol. 5180, pp. 41–54. Springer, Heidelberg (2008)CrossRefGoogle Scholar
  3. 3.
    Rehák, M., Pechoucek, M., Grill, M., Bartos, K.: Trust-based classifier combination for network anomaly detection. In: Klusch, M., Pěchouček, M., Polleres, A. (eds.) CIA 2008. LNCS (LNAI), vol. 5180, pp. 116–130. Springer, Heidelberg (2008)CrossRefGoogle Scholar
  4. 4.
    Rehák, M., Pechoucek, M., Bartos, K., Grill, M., Celeda, P., Krmicek, V.: Improving anomaly detection error rate by collective trust modeling. In: Lippmann, R., Kirda, E., Trachtenberg, A. (eds.) RAID 2008. LNCS, vol. 5230, pp. 398–399. Springer, Heidelberg (2008)CrossRefGoogle Scholar
  5. 5.
    Cisco Systems: Cisco IOS NetFlow (2007), http://www.cisco.com/go/netflow
  6. 6.
    Scarfone, K., Mell, P.: Guide to intrusion detection and prevention systems (idps). Technical Report 800-94, NIST, US Dept. of Commerce (2007)Google Scholar
  7. 7.
    Xu, K., Zhang, Z.L., Bhattacharrya, S.: Reducing Unwanted Traffic in a Backbone Network. In: USENIX Workshop on Steps to Reduce Unwanted Traffic in the Internet (SRUTI), Boston, MA (2005)Google Scholar
  8. 8.
    Lakhina, A., Crovella, M., Diot, C.: Mining Anomalies using Traffic Feature Distributions. In: ACM SIGCOMM, Philadelphia, PA, pp. 217–228. ACM Press, New York (2005)Google Scholar
  9. 9.
    Lakhina, A., Crovella, M., Diot, C.: Diagnosis Network-Wide Traffic Anomalies. In: ACM SIGCOMM 2004, pp. 219–230. ACM Press, New York (2004)Google Scholar
  10. 10.
    Ertoz, L., Eilertson, E., Lazarevic, A., Tan, P.N., Kumar, V., Srivastava, J., Dokas, P.: Minds - minnesota intrusion detection system. In: Next Generation Data Mining. MIT Press, Cambridge (2004)Google Scholar
  11. 11.
    Sridharan, A., Ye, T., Bhattacharyya, S.: Connectionless port scan detection on the backbone, Phoenix, AZ, USA (2006)Google Scholar
  12. 12.
    Yager, R.: On ordered weighted averaging aggregation operators in multicriteria decision making. IEEE Transactions on Systems, Man, and Cybernetics 18, 183–190 (1988)MathSciNetCrossRefMATHGoogle Scholar
  13. 13.
    Rubinstein, B.I.P., Nelson, B., Huang, L., Joseph, A.D., Lau, S.-h., Taft, N., Tygar, J.D.: Evading anomaly detection through variance injection attacks on PCA. In: Lippmann, R., Kirda, E., Trachtenberg, A. (eds.) RAID 2008. LNCS, vol. 5230, pp. 394–395. Springer, Heidelberg (2008)CrossRefGoogle Scholar
  14. 14.
    Moore, A.P., Ellison, R.J., Linger, R.C.: Attack modeling for information security and survivability. Technical Report CMU/SEI-2001-TN-001, CMU Software Engineering Institute (2001)Google Scholar
  15. 15.
    Quine, W.: A way to simplify truth functions. American Mathematical Monthly 62, 627–631 (1955)MathSciNetCrossRefMATHGoogle Scholar
  16. 16.
    Moore, D.S.: The Basic Practice of Statistics, 4th edn. W. H. Freeman & Co., New York (2007)Google Scholar
  17. 17.
    Polikar, R.: Esemble based systems in decision making. IEEE Circuits and Systems Mag. 6, 21–45 (2006)CrossRefGoogle Scholar
  18. 18.
    Sheyner, O., Haines, J., Jha, S., Lippmann, R., Wing, J.M.: Automated generation and analysis of attack graphs. In: SP 2002: Proceedings of the 2002 IEEE Symposium on Security and Privacy, Washington, DC, USA, p. 273. IEEE Computer Society, Los Alamitos (2002)Google Scholar
  19. 19.
    Zhang, Y., Fan, X., Wang, Y., Xue, Z.: Attack grammar: A new approach to modeling and analyzing network attack sequences. In: Proc. of the Annual Computer Security Applications Conference (ACSAC 2008), pp. 215–224 (2008)Google Scholar
  20. 20.
    Sarmenta, L.F.G.: Sabotage-tolerance mechanisms for volunteer computing systems. In: CCGRID 2001: Proc. of the 1st Int. Symposium on Cluster Computing and the Grid, Washington, DC, USA, p. 337. IEEE Computer Society, Los Alamitos (2001)Google Scholar
  21. 21.
    Zhao, S., Lo, V., GauthierDickey, C.: Result verification and trust-based scheduling in peerto- peer grids. In: P2P 2005: Proc. of the 5th IEEE Int. Conf. on Peer-to-Peer Computing, Washington, DC, USA, pp. 31–38. IEEE Computer Society, Los Alamitos (2005)Google Scholar
  22. 22.
    Giacinto, G., Perdisci, R., Rio, M.D., Roli, F.: Intrusion detection in computer networks by a modular ensemble of one-class classifiers. Information Fusion 9, 69–82 (2008)CrossRefGoogle Scholar
  23. 23.
    Ghanbari, S., Amza, C.: Semantic-driven model composition for accurate anomaly diagnosis. In: ICAC 2008: Proceedings of the 2008 International Conference on Autonomic Computing, Washington, DC, USA, pp. 35–44. IEEE Computer Society, Los Alamitos (2008)Google Scholar
  24. 24.
    Dietterich, T.G.: Ensemble methods in machine learning. In: Kittler, J., Roli, F. (eds.) MCS 2000. LNCS, vol. 1857, pp. 1–15. Springer, Heidelberg (2000)CrossRefGoogle Scholar
  25. 25.
    Morin, B., Mé, L., Debar, H., Ducassé, M.: M2D2: A formal data model for IDS alert correlation. In: Wespi, A., Vigna, G., Deri, L. (eds.) RAID 2002. LNCS, vol. 2516, pp. 115–137. Springer, Heidelberg (2002)CrossRefGoogle Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2009

Authors and Affiliations

  • Martin Rehák
    • 1
  • Eugen Staab
    • 2
  • Volker Fusenig
    • 2
  • Michal Pěchouček
    • 1
  • Martin Grill
    • 3
    • 1
  • Jan Stiborek
    • 1
  • Karel Bartoš
    • 3
    • 1
  • Thomas Engel
    • 2
  1. 1.Department of CyberneticsCzech Technical UniversityPragueCzech Republic
  2. 2.Faculty of Science, Technology and CommunicationUniversity of LuxembourgLuxembourg
  3. 3.CESNET, z. s. p. o.PragueCzech Republic

Personalised recommendations