Results 1 - 10 of 10
Abstraction-based Intrusion Detection in Distributed Environments - ACM Transactions on Information and System Security, 2001
Cited by 24 (3 self)
This paper presents a hierarchical model to support attack specification and event abstraction in distributed intrusion detection. The model involves three concepts: system view, signature, and view definition. A system view provides an abstract interface of a particular type of information; defined on the instances of system views, a signature specifies certain distributed attacks or events to be monitored; a view definition is then used to derive information from the matches of a signature and presents it through a system view. With the three elements, the model provides a hierarchical framework for maintaining signatures, system views as well as event abstraction. As a benefit, the model allows generic signatures that can accommodate unknown variants of known attacks. Moreover, abstraction represented by a system view can be updated without changing either its specification or the signatures defined on the basis of it. This paper then presents a decen
A Framework for Distributed Intrusion Detection Using Interest-Driven Cooperating Agents, 2001
Cited by 22 (0 self)
Current distributed intrusion detection systems are not completely distributed with respect to data analysis because of the presence of centralized data analysis components. This deficiency has many undesirable implications. Here we present a framework for doing distributed intrusion detection with no centralized analysis components. Our approach uses agents that are the only data analysis components. Agents cooperate by using a hierarchical communication framework. This cooperation is driven by interests expressed by the agents.
Lightweight Agents For Intrusion Detection - Journal of Systems and Software, 2000
Cited by 19 (3 self)
We have designed and implemented an intrusion detection system prototype based on mobile agents. Our agents travel between monitored systems in a network of distributed systems, obtain information from data cleaning agents, classify & correlate information, and report the information to a user interface and database via mediators. Agent systems with lightweight agent support allow runtime addition of new capabilities to agents. We describe the design of our multi-agent intrusion detection system and show how lightweight agent capabilities allowed us to add communication and collaboration capabilities to the mobile agents in our intrusion detection system. 1 Introduction A secure computer system provides guarantees regarding the confidentiality, integrity, and availability of its objects (such as data, processes, or services). However, systems generally contain design and implementation flaws that result in security vulnerabilities. An intrusion takes place when an attacker or gr...
Modeling Requests among Cooperating Intrusion Detection Systems - Computer Communications, 2000
Cited by 6 (3 self)
It is important for intrusion detection systems (IDSs) to share information in order to discover attacks involving multiple sites. However, no framework exists for an IDS to request from and send to another IDS data relevant to specific events. The lack of such a framework may result in a waste of processing time, storage capacity and network bandwidth. This paper proposes a formal framework modeling requests among the cooperating IDSs. To show wide applicability, the paper explores the use of the formal approach in the Common Intrusion Detection Framework (CIDF), extending CIDF components to include a query facility.
Software Fault Tree and Colored Petri Net Based Specification, Design and Implementation of Agent-Based Intrusion Detection Systems - IEEE Transactions on Software Engineering, 2002
Cited by 6 (1 self)
The integration of Software Fault Trees (SFTs), which describe intrusions, and Colored Petri Nets (CPNs), which specify design, is examined for an Intrusion Detection System (IDS). The IDS under development is a collection of mobile agents that detect, classify, and correlate system and network activities. Software Fault Trees (SFTs), augmented with nodes that describe trust, temporal, and contextual relationships, are used to describe intrusions. CPNs for intrusion detection are built using CPN templates created from the augmented SFTs. Hierarchical CPNs are created to detect critical stages of intrusions. The agent-based implementation of the IDS is then constructed from the CPNs. Examples of intrusions and descriptions of the prototype implementation are used to demonstrate how the CPN approach has been used in development of the IDS. The main contribution of this paper is an approach to systematic specification, design, and implementation of an IDS. Innovations include
A Query Facility for Common Intrusion Detection Framework - In Proceedings of the 23rd National Information Systems Security Conference, 2000
Cited by 5 (2 self)
It is essential for intrusion detection systems to share information in order to discover attacks involving multiple sites. Common Intrusion Detection Framework (CIDF) is an important step towards enabling different intrusion detection and response (IDR) components to interoperate with each other. Although CIDF provides an infrastructure and language support that allows an IDR component to understand the information sent by another component, it does not contain a facility for a component to request specific information from other components. The lack of such a facility may result in a waste of processing time, storage capacity and network bandwidth. This paper proposes an extension to the Common Intrusion Specification Language (CISL), the language adopted by CIDF, to model requests among CIDF components. The extension is simple and consistent with the original CISL. Each request for information is described as a pattern for relevant information and an optional format specification for the responding message. The use of pattern in modeling requests not only provides a way to represent queries, but also leads to a potential reuse of signature-based intrusion detection software.
Development of A Packet Simulator for Performance Test of Information Security System
The development of an information security system is accompanied by problems brought about by the development of the network environment and by the need for performance test equipment, but performance test equipment is expensive and difficult to use. Therefore, we need an environment in which a performance test for an information security system can be developed. In this paper, the design and implementation of an APS (Attack Packet Simulator) is presented: the APS extracts attack information from Snort rules and stores the extracted attack information in a database. From the stored information it creates and transmits packets, which are then analyzed to compare the results with those of other systems.

