
Determining Placement of Intrusion Detectors for a Distributed Application through Bayesian Network Modeling

  • Conference paper
Recent Advances in Intrusion Detection (RAID 2008)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 5230)

Abstract

To secure today’s computer systems, it is critical to have different intrusion detection sensors embedded in them. The complexity of distributed computer systems makes it difficult to determine the appropriate configuration of these detectors, i.e., their choice and placement. In this paper, we describe a method to evaluate the effect of the detector configuration on the accuracy and precision of determining security goals in the system. For this, we develop a Bayesian network model for the distributed system, from an attack graph representation of multi-stage attacks in the system. We use Bayesian inference to solve the problem of determining the likelihood that an attack goal has been achieved, given a certain set of detector alerts. We quantify the overall detection performance in the system for different detector settings, namely, choice and placement of the detectors, their quality, and levels of uncertainty of adversarial behavior. These observations lead us to a greedy algorithm for determining the optimal detector settings in a large-scale distributed system. We present the results of experiments on Bayesian networks representing two real distributed systems and real attacks on them.
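The abstract describes the pipeline only in outline: an attack graph is turned into a Bayesian network, alerts from the placed detectors are entered as evidence, the posterior that the attack goal was reached is computed, the detection performance of a detector configuration is scored, and a greedy search picks the configuration. The following is an added example illustrating that pipeline end to end; it is not code from the paper or its authors. The four-stage attack graph, the conditional probabilities (P_ROOT, P_STEP, P_LEAK), and the candidate detectors with their true- and false-positive rates are all constructed for illustration. Inference is exact enumeration over the 2^4 attack-stage assignments, which is fine for a toy graph but not for the large-scale systems the paper targets; the paper's own experiments use a Bayesian-network toolkit for inference, and the "accuracy" and "precision" here are one reasonable reading of those terms, not necessarily the paper's exact metric.

```python
"""Toy Bayesian-network model of a multi-stage attack with candidate detectors,
posterior inference for "was the goal reached?", and greedy detector placement.
Added example: attack graph, probabilities and detector names are constructed."""
from itertools import product

# Attack stages of a constructed four-step intrusion, in causal order.
STAGES = ["web_compromise", "priv_escalation", "db_access", "exfiltration"]
PARENTS = {                      # attack-graph edges: child <- parent stages
    "web_compromise": [],
    "priv_escalation": ["web_compromise"],
    "db_access": ["priv_escalation"],
    "exfiltration": ["db_access"],
}
GOAL = "exfiltration"            # attack goal whose posterior we want
P_ROOT = 0.30                    # assumed prior that the first stage occurs
P_STEP = 0.70                    # assumed P(child | all parents achieved); "adversary uncertainty"
P_LEAK = 0.02                    # assumed P(child | some parent not achieved)

# Candidate detectors: (stage watched, true-positive rate, false-positive rate).
# Names and rates are assumptions; detector "quality" is encoded by (tpr, fpr).
DETECTORS = {
    "web_ids":        ("web_compromise",  0.80, 0.10),
    "setuid_audit":   ("priv_escalation", 0.70, 0.05),
    "db_query_mon":   ("db_access",       0.90, 0.15),
    "egress_netflow": ("exfiltration",    0.60, 0.02),
}

def p_stage(stage, value, world):
    """CPT of one attack-stage node given the values of its parent stages."""
    parents = PARENTS[stage]
    if not parents:
        p = P_ROOT
    else:
        p = P_STEP if all(world[par] for par in parents) else P_LEAK
    return p if value else 1.0 - p

def p_alert(det, alert, world):
    """CPT of a detector's alert given whether the stage it watches occurred."""
    stage, tpr, fpr = DETECTORS[det]
    p = tpr if world[stage] else fpr
    return p if alert else 1.0 - p

def worlds():
    """Every True/False assignment to the attack stages (2**len(STAGES) of them)."""
    for bits in product([False, True], repeat=len(STAGES)):
        yield dict(zip(STAGES, bits))

def joint(world, alerts):
    """P(world, alerts) = product of stage CPTs times product of detector CPTs."""
    p = 1.0
    for s in STAGES:
        p *= p_stage(s, world[s], world)
    for d, a in alerts.items():
        p *= p_alert(d, a, world)
    return p

def posterior_goal(alerts):
    """P(GOAL reached | observed alerts) by exact enumeration (small graph only)."""
    num = den = 0.0
    for w in worlds():
        p = joint(w, alerts)
        den += p
        if w[GOAL]:
            num += p
    return num / den if den > 0 else 0.0

def evaluate(config, threshold=0.5):
    """(accuracy, precision) of deciding 'goal reached' iff posterior >= threshold,
    weighted over every (attack world, alert vector) outcome the model admits."""
    config = list(config)
    tp = fp = tn = fn = 0.0
    for abits in product([False, True], repeat=len(config)):
        alerts = dict(zip(config, abits))
        decide = posterior_goal(alerts) >= threshold
        for w in worlds():
            p = joint(w, alerts)       # outcome weights sum to 1 over the loop
            if decide and w[GOAL]:
                tp += p
            elif decide:
                fp += p
            elif w[GOAL]:
                fn += p
            else:
                tn += p
    precision = tp / (tp + fp) if tp + fp > 0 else 0.0
    return tp + tn, precision

def greedy_placement(budget):
    """Add detectors one at a time, each time the one that most raises accuracy."""
    chosen = []
    for _ in range(min(budget, len(DETECTORS))):
        candidates = [d for d in DETECTORS if d not in chosen]
        chosen.append(max(candidates, key=lambda d: evaluate(chosen + [d])[0]))
    return chosen

if __name__ == "__main__":
    print("prior P(goal) = %.4f" % posterior_goal({}))
    for k in range(1, len(DETECTORS) + 1):
        cfg = greedy_placement(k)
        acc, prec = evaluate(cfg)
        print("budget %d: %-55s accuracy=%.4f precision=%.4f" % (k, cfg, acc, prec))
```

With these numbers the prior that the goal is reached is about 0.137, so with no detectors the best decision is always "no attack" and accuracy is already about 0.86; the first detector the greedy step picks is the one watching the goal stage, because it is the only single detector whose alert pushes the posterior past the 0.5 threshold. Changing a detector's (tpr, fpr) or the P_STEP "adversary uncertainty" value and re-running shows how placement choices shift, which is the kind of sensitivity study the abstract describes; the base-rate problem is visible in how small a false-positive rate must be before a detector on an early stage is worth adding.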



Editor information

Richard Lippmann, Engin Kirda, Ari Trachtenberg

Copyright information

© 2008 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Modelo-Howard, G., Bagchi, S., Lebanon, G. (2008). Determining Placement of Intrusion Detectors for a Distributed Application through Bayesian Network Modeling. In: Lippmann, R., Kirda, E., Trachtenberg, A. (eds) Recent Advances in Intrusion Detection. RAID 2008. Lecture Notes in Computer Science, vol 5230. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-87403-4_15

  • DOI: https://doi.org/10.1007/978-3-540-87403-4_15

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-540-87402-7

  • Online ISBN: 978-3-540-87403-4
