Preventing Coordinated Attacks Via Distributed Alert Exchange

Distributed Exchange of Alerts for the Detection of Coordinated Attacks

6th Annual Communication Networks and Services Research Conference (CNSR 2008), 2008

Attacks and intrusions to information systems cause large revenue losses. The prevention of these attacks is not always possible by just considering information from isolated sources of the network. A global view of the whole system is necessary to react against the different actions of such an attack. The design and deployment of a decentralized system targeted at detecting as well as reacting to information system attacks might benefit from the use of the publish/subscribe model. In this paper, we discuss the advantages and convenience in using this communication paradigm for a general decentralized attack prevention framework and overview the design and implementation of our approach by using a combination of two different publish/subscribe middleware products. Furthermore, we present a quantitative evaluation of our approach.

An alert communication infrastructure for a decentralized attack prevention framework

Proceedings 39th Annual 2005 International Carnahan Conference on Security Technology, 2005

The cooperation between the different entities of a decentralized prevention system can be solved efficiently using the publish/subscribe communication model. Here, clients can share and correlate alert information about the systems they monitor. In this paper, we present the advantages and convenience in using this communication model for a general decentralized prevention framework. Additionally, we outline the design for a specific architecture, and evaluate our design using a freely available publish/subscribe message oriented middleware.

Preventing coordinated attacks via alert correlation

2004

When attackers gain access to enterprise or corporate networks by compromising authorized users, computers, or applications, the network and its resources can be used to perform distributed and coordinated attacks against third party networks, or even on computers on the network itself. We are working on a decentralized scheme to share alerts in a secure multicast infrastructure to detect and prevent these kinds of attacks. In this paper we present a collaborative framework that performs coordinated attack prevention. The detection and prevention process itself is done by a set of collaborative entities that correlate and assemble the pieces of evidence scattered over the different network resources. We also provide an example of how our system can detect and prevent a coordinated attack to demonstrate the practicability of the system.

Decentralized publish-subscribe system to prevent coordinated attacks via alert correlation

2004

We present in this paper a decentralized architecture to correlate alerts between cooperative nodes in a secure multicast infrastructure. The purpose of this architecture is to detect and prevent the use of network resources to perform coordinated attacks against third party networks. By means of a cooperative scheme based on message passing, the different nodes of this system will collaborate to detect their participation in a coordinated attack and will react to avoid it. An overview of the implementation of this architecture for GNU/Linux systems will demonstrate the practicability of the system.

Agent-Based Distributed Intrusion Alert System

Lecture Notes in Computer Science, 2004

Intrusion detection for computer systems is a key problem in today's networked society. Current distributed intrusion detection systems (IDSs) are not fully distributed as most of them centrally analyze data collected from distributed nodes resulting in a single point of failure. Increasingly, researchers are focusing on distributed IDSs to circumvent the problems of centralized approaches. A major concern of fully distributed IDSs is the high false positive rates of intrusion alarms which undermine the usability of such systems. We believe that effective distributed IDSs can be designed based on principles of coordinated multiagent systems. We propose an Agent-Based Distributed Intrusion Alert System (ABDIAS) which is fully distributed and provides two capabilities in addition to other functionalities of an IDS: (a) early warning when pre-attack activities are detected, (b) detecting and isolating compromised nodes by trust mechanisms and voting-based peer-level protocols.

Towards Scalable and Robust Distributed Intrusion Alert Fusion with Good Load Balancing

2006

Traffic anomalies and distributed attacks are commonplace in today's networks. Single point detection is often insufficient to determine the causes, patterns and prevalence of such events. Most existing distributed intrusion detection systems (DIDS) rely on centralized fusion, or distributed fusion with unscalable communication mechanisms. In this paper, we propose to build a DIDS based on the emerging decentralized location and routing infrastructure: distributed hash table (DHT). We embed the intrusion symptoms into the DHT dimensions so that alarms related to the same intrusion (thus with similar symptoms) will be routed to the same sensor fusion center (SFC) while evenly distributing unrelated alarms to different SFCs. This is achieved through careful routing key design based on: 1) analysis of essential characteristics of four common types of intrusions: DoS attacks, port scanning, virus/worm infection and botnets; and 2) distribution and stability analysis of the popular port numbers and those of the popular source IP subnets in scans. We further propose several schemes to distribute the alarms more evenly across the SFCs, and improve the resiliency against failures or attacks. Evaluation based on one month of DShield firewall logs (600 million scan records) collected from over 2200 worldwide providers shows that the resulting system, termed Cyber Disease DHT (CDDHT), can effectively fuse related alarms while distributing unrelated ones evenly among the SFCs. It significantly outperforms the traditional hierarchical approach when facing large amounts of diverse intrusion alerts.

CARDS: A distributed system for detecting coordinated attacks

2000

A major research problem in intrusion detection is the efficient detection of coordinated attacks over large networks. Issues to be resolved include determining what data should be collected, which portion of the data should be analyzed, where the analysis of the data should take place, and how to correlate multi-source information. This paper proposes the architecture of a Coordinated Attack Response & Detection System (CARDS). CARDS uses a signature-based model for resolving these issues.

Selective and early threat detection in large networked systems

2010

The complexity of modern networked information systems, as well as all the defense-in-depth best practices, require distributed intrusion detection architectures relying on the cooperation of multiple components. Similar solutions cause a multiplication of alerts, thus increasing the time needed for alert management and hiding the few critical alerts as needles in a haystack. We propose an innovative distributed architecture for intrusion detection that is able to provide system administrators with selective and early security warnings. This architecture is suitable for large networks composed of several departments because it leverages hierarchical and peer-to-peer cooperation schemes among distributed NIDSes. Moreover, it embeds a distributed alert ranking system that makes it possible to evaluate the real level of risk represented by a security alert generated by a NIDS, and it allows independent network departments to exchange early warnings about critical threats. Thes...

Alert Correlation in a Cooperative Intrusion Detection Framework

Security and Privacy, 2002. …, 2002

This paper presents the work we have done within the MIRADOR project to design CRIM, a cooperative module for intrusion detection systems (IDS). This module implements functions to manage, cluster, merge and correlate alerts. The clustering and merging functions recognize alerts that correspond to the same occurrence of an attack and create a new alert that merges the data contained in these various alerts. Experiments show that these functions significantly reduce the number of alerts. However, we also observe that the alerts we obtain are still too elementary to be managed by a security administrator. The purpose of the correlation function is thus to generate global and synthetic alerts. This paper focuses on the approach we suggest to design this function.