Requirements of Information Reductions for Cooperating Intrusion Detection Agents

  • Ulrich Flegel
  • Joachim Biskup
Part of the Lecture Notes in Computer Science book series (LNCS, volume 3995)


We consider cooperating intrusion detection agents that limit the information flow of their cooperation, with a focus on privacy and confidentiality. Generalizing our previous work on privacy-respecting intrusion detection for centralized systems, we propose an extended functional model for information reductions that is used for cooperation between intrusion detection agents. The reductions pursue the following goals: detective effectiveness of cooperation alliances, privacy of honest individuals, further organizational confidentiality requirements, and efficiency. For the reductions we outline the basic requirements and derive the specific requirements imposed by the cooperation methods used for intrusion detection. We show how our existing solutions can be adapted and what restrictions apply.






References

  1. Flegel, U.: Pseudonymizing Audit Data for Privacy Respecting Misuse Detection. PhD thesis, University of Dortmund, Dept. of Computer Science (2005)
  2. Flegel, U.: Pseudonymizing Unix Log Files. In: Davida, G.I., Frankel, Y., Rees, O. (eds.) InfraSec 2002. LNCS, vol. 2437, pp. 162–179. Springer, Heidelberg (2002)
  3. Biskup, J., Flegel, U.: Threshold-based identity recovery for privacy enhanced applications. In: Jajodia, S., Samarati, P. (eds.) Proceedings of the 7th ACM Conference on Computer and Communications Security, Athens, Greece, pp. 71–79. ACM SIGSAC, ACM Press, New York (2000)
  4. Shamir, A.: How to share a secret. Communications of the ACM 22, 612–613 (1979)
  5. Vigna, G., Kemmerer, R.A., Blix, P.: Designing a web of highly-configurable intrusion detection sensors. In: Lee et al. [32], pp. 69–84
  6. Ning, P., Jajodia, S., Wang, X.S.: Intrusion Detection in Distributed Systems. Advances in Information Security, vol. 9. Springer, Heidelberg (2004)
  7. Krügel, C., Valeur, F., Vigna, G.: Intrusion Detection and Correlation. Advances in Information Security, vol. 14. Springer, Heidelberg (2005)
  8. Huang, M.-Y., Jasper, R.J., Wicks, T.M.: A large scale distributed intrusion detection framework based on attack strategy analysis. Computer Networks 31(23–24), 2465–2475 (1999)
  9. Bass, T.: Intrusion detection systems and multisensor data fusion. Communications of the ACM 43(4), 99–105 (2000)
  10. Debar, H., Wespi, A.: Aggregation and correlation of intrusion-detection alerts. In: Lee et al. [32], pp. 85–103
  11. Valdes, A., Skinner, K.: Probabilistic alert correlation. In: Lee et al. [32], pp. 54–68
  12. Cuppens, F.: Managing alerts in a multi-intrusion detection environment. In: Proceedings of the 17th Annual Computer Security Applications Conference (ACSAC 2001), New Orleans, Louisiana, USA, pp. 22–31. IEEE Computer Society Press, Los Alamitos (2001)
  13. Porras, P.A., Fong, M.W., Valdes, A.: A Mission-Impact-Based Approach to INFOSEC Alarm Correlation. In: Wespi, A., Vigna, G., Deri, L. (eds.) RAID 2002. LNCS, vol. 2516, pp. 95–114. Springer, Heidelberg (2002)
  14. Xu, D., Ning, P.: Alert correlation through triggering events and common resources. In: Proceedings of the 20th Annual Computer Security Applications Conference (ACSAC 2004), pp. 360–369. IEEE Computer Society Press, Los Alamitos (2004)
  15. Perrochon, L., Jang, E., Luckham, D.C.: Enlisting event patterns for cyber battlefield awareness. In: Proceedings of the DARPA Information Survivability Conference and Exposition (DISCEX 2000), Hilton Head, South Carolina, pp. 1411–1422. DARPA and the IEEE Computer Society, IEEE Press, Los Alamitos (2000)
  16. Carey, N., Clark, A., Mohay, G.: IDS Interoperability and Correlation Using IDMEF and Commodity Systems. In: Deng, R.H., Qing, S., Bao, F., Zhou, J. (eds.) ICICS 2002. LNCS, vol. 2513, pp. 252–264. Springer, Heidelberg (2002)
  17. Morin, B., Debar, H.: Correlation of Intrusion Symptoms: An Application of Chronicles. In: Vigna, G., Krügel, C., Jonsson, E. (eds.) RAID 2003. LNCS, vol. 2820, pp. 94–112. Springer, Heidelberg (2003)
  18. Dain, O.M., Cunningham, R.K.: Fusing Heterogeneous Alert Streams into Scenarios. In: Applications of Data Mining in Computer Security. Kluwer, Boston (2002)
  19. Templeton, S.J., Levitt, K.: A requires/provides model for computer attacks. In: Proceedings of the New Security Paradigms Workshop, Cork, Ireland, pp. 31–38. ACM Press, New York (2000)
  20. Cuppens, F., Miège, A.: Alert correlation in a cooperative intrusion detection framework. In: Proceedings of the IEEE Symposium on Research in Security and Privacy, Berkeley, California, USA, pp. 202–215. IEEE Press, Los Alamitos (2002)
  21. Ning, P., Cui, Y., Reeves, D.S., Xu, D.: Techniques and tools for analyzing intrusion alerts. ACM Transactions on Information and System Security 7(2), 274–318 (2004)
  22. Ning, P., Xu, D.: Learning attack strategies from intrusion alerts. In: Jajodia, S., Atluri, V., Jaeger, T. (eds.) Proceedings of the 10th ACM Conference on Computer and Communications Security, Washington, D.C., USA, pp. 200–209. ACM SIGSAC, ACM Press, New York (2003)
  23. Denning, D.E.: Cryptography and Data Security. Addison-Wesley, Reading (1982)
  24. Farkas, C., Jajodia, S.: The inference problem: a survey. ACM SIGKDD Explorations Newsletter 4(2), 6–11 (2002)
  25. Biskup, J., Bonatti, P.A.: Controlled query evaluation for enforcing confidentiality in complete information systems. International Journal of Information Security 3(1), 14–27 (2004)
  26. Xu, J., Fan, J., Ammar, M., Moon, S.B.: Prefix-preserving IP address anonymization: Measurement-based security evaluation and a new cryptography-based scheme. In: Proceedings of the 10th IEEE International Conference on Network Protocols (ICNP), pp. 280–289 (2002)
  27. Li, Y., Slagell, A., Luo, K., Yurcik, W.: CANINE: A combined converter and anonymizer tool for processing netflows for security. In: Proceedings of the International Conference on Telecommunication Systems – Modeling and Analysis (ICTSM 2005), Dallas, Texas, USA (November 2005)
  28. Lincoln, P., Porras, P., Shmatikov, V.: Privacy-preserving sharing and correlation of security alerts. In: Proceedings of the 13th USENIX Security Symposium, San Diego, California, USA, pp. 239–254 (August 2004)
  29. Xu, D., Ning, P.: Privacy-preserving alert correlation: A concept hierarchy based approach. In: Proceedings of the 21st Annual Computer Security Applications Conference (ACSAC 2005), pp. 537–546. IEEE Computer Society Press, Los Alamitos (2005)
  30. Slagell, A., Yurcik, W.: Sharing computer network logs for security and privacy: A motivation for new methodologies of anonymization. In: Workshop on the Value of Security through Collaboration (SECOVAL) (2005)
  31. Pang, R., Paxson, V.: A high-level programming environment for packet trace anonymization and transformation. In: Proceedings of the 2003 Conference on Applications, Technologies, Architectures, and Protocols for Computer Communications (SIGCOMM 2003), Karlsruhe, Germany, August 2003, pp. 339–351. ACM Press, New York (2003)
  32. Lee, W., Mé, L., Wespi, A. (eds.): RAID 2001. LNCS, vol. 2212. Springer, Heidelberg (2001)

Copyright information

© Springer-Verlag Berlin Heidelberg 2006

Authors and Affiliations

  • Ulrich Flegel (1)
  • Joachim Biskup (1)
  1. University of Dortmund, Dortmund, Germany
