Intrusion Detection

Intrusion Detection Systems

Intrusion detection systems (IDS) are besides other protective measures such as virtual private networks, authentication mechanisms, or encryption techniques very important to guarantee information security. They help to defend against the various threats to which networks and hosts are exposed to by detecting the actions of attackers or attack tools in a network- or host-based manner with misuse or anomaly detection techniques.

Distributed Intrusion Detection Systems

In our work, we focus on some aspects of distributed intrusion detection systems (DIDS). Our DIDS consists of structurally very similar so-called intrusion detection (ID) agents. Through self-organized collaboration these ID agents form a distributed intrusion detection system (DIDS). The sensor layer of an ID agent provides the interface to the network and the host on which the agent resides. Sensors acquire raw data from both the network and the host, filter incoming data, and extract interesting and potentially valuable (e.g., statistical) information which is needed to construct an appropriate event. At the detection layer, different detectors, e.g., classifiers trained with machine learning techniques such as support vector machines (SVM) or conventional rule-based systems such as Snort, assess these events and search for known attack signatures (misuse detection) and suspicious behaviour (anomaly detection). In case of attack suspicion, they create alerts which are then forwarded to the alert processing layer. Alerts may also be produced by firewalls (FW) or the like. At the alert processing layer, the alert aggregation module has to combine alerts that are assumed to belong to a specific attack instance. Thus, so-called meta-alerts are generated. Meta-alerts are used or enhanced in various ways, e.g., scenario detection or decentralized alert correlation. An important task of the reaction layer is reporting.

Architecture of an ID Agent.

In our layered ID agent architecture, each layer assesses, filters, and/or aggregates information produced by a lower layer. Thus, relevant information gets more and more condensed and certain, and, therefore, also more valuable. We aim at realizing each layer in a way such that the recall of the applied techniques is very high, possibly at the cost of a slightly poorer precision.

The final goal of our work is to develop a DIDS in which ID agents collaborate in various ways to detect attacks more efficiently.

Example for knowledge exchange in a DIDS: ID Agents are enabled to detect distributed attacks and to react on novel kinds of attacks.

Up to now, we proposed an architecture for ID agents, implemented a DIDS simulation framework, and investigated various techniques for misuse detection at the detection layer. We also developed a novel technique for on-line alert aggregation at the alert processing layer which is based on a dynamic, probabilistic model of the current attack situation. Basically, it can be regarded as a data stream version of a maximum likelihood approach for the estimation of the model parameters. Currently, we focus on gradually measuring the “interestingness” of meta-alerts. The term “interestingness” is adopted from the field of data mining, where it characterizes various aspects of knowledge such as “novelty” or “usefulness”.

Our work in this field is influenced by partners from various companies. In the past, we collaborated with T-Systems, HUK Coburg, and Apsec.

Further Information



D. Fisch, F. Kastl, B. Sick; Novelty-Aware Attack recognition - Intrusion Detection With Organic Computing Techniques; 3rd IFIP Conference on Biologically-Inspired Collaborative Computing (BICC 2010) at the World Computer Congress (WCC 2010); pp. 242-253; Brisbane, 2010

A. Hofmann, B. Sick; On-Line Intrusion Alert Aggregation With Generative Data Stream Modeling; in: IEEE Transactions on Dependable and Secure Computing; (accepted)

D. Fisch, A. Hofmann, B. Sick; On the Versatility of Radial Basis Function Neural Networks: A Case Study in the Field of Intrusion Detection; in: Information Sciences; vol. 180, no. 12, pp. 2421-2439; 2010

D. Fisch, A. Hofmann, V. Hornik, I. Dedinski, B. Sick; A Framework for Large-Scale Simulation of Collaborative Intrusion Detection; in: Proceedings of the ”2008 IEEE Conference on Soft Computing in Industrial Applications (SMCia/08)”; pp. 125-130; Muroran, 2008

D. Fisch, A. Hofmann, B. Sick; Improving Intrusion Detection Training Data by Network Traffic Variation; in: Proceedings of the ”IEEE Three-Rivers Workshop on Soft Computing in Industrial Applications (SMCia/07)”; pp. 33-38; Passau, 2007

A. Hofmann, I. Dedinski, B. Sick, H. de Meer; A Novelty-Driven Approach to Intrusion Alert Correlation Based on Distributed Hash Tables; in: Proceedings of the ”12th IEEE Symposium on Computers and Communications (ISCC’07)”; pp. 71-78; Aveiro, 2007

O. Buchtala, M. Klimek, B. Sick; Evolutionary Optimization of Radial Basis Function Classifiers for Data Mining Applications; in: IEEE Transactions on Systems, Man, and Cybernetics – Part B: Cybernetics; vol. 35, no. 5, pp. 928-947; 2005

O. Buchtala, W. Grass, A. Hofmann, B. Sick; A Distributed Intrusion Detection Architecture With Organic Behavior; in: S. Nadjm-Tehrani (Ed.): Proceedings of the ”The First CRIS International Workshop on Critical Information Infrastructures (CIIW’05)”; pp. 47-56; Linköping, 2005

and others...