Intrusion Detection Systems
Intrusion detection systems (IDS) are, besides other protective measures such as virtual private networks, authentication mechanisms, or encryption techniques, very important for guaranteeing information security. They help to defend against the various threats to which networks and hosts are exposed by detecting the actions of attackers or attack tools in a network- or host-based manner, using misuse or anomaly detection techniques.
Distributed Intrusion Detection Systems
In our work, we focus on some aspects of distributed intrusion detection systems (DIDS). Our DIDS consists of structurally very similar so-called intrusion detection (ID) agents. Through self-organized collaboration these ID agents form the DIDS. The sensor layer of an ID agent provides the interface to the network and to the host on which the agent resides. Sensors acquire raw data from both the network and the host, filter incoming data, and extract interesting and potentially valuable (e.g., statistical) information, which is needed to construct an appropriate event. At the detection layer, different detectors, e.g., classifiers trained with machine learning techniques such as support vector machines (SVM) or conventional rule-based systems such as Snort, assess these events and search for known attack signatures (misuse detection) and suspicious behaviour (anomaly detection). When an attack is suspected, they create alerts, which are then forwarded to the alert processing layer. Alerts may also be produced by firewalls (FW) or the like. At the alert processing layer, the alert aggregation module has to combine alerts that are assumed to belong to one specific attack instance. Thus, so-called meta-alerts are generated. Meta-alerts are used or enhanced in various ways, e.g., for scenario detection or decentralized alert correlation. An important task of the reaction layer is reporting.
In our layered ID agent architecture, each layer assesses, filters, and/or aggregates information produced by the layer below it. Thus, relevant information becomes more and more condensed and certain, and therefore also more valuable. We aim at realizing each layer in such a way that the recall of the applied techniques is very high, possibly at the cost of a slightly poorer precision.
The final goal of our work is to develop a DIDS in which ID agents collaborate in various ways to detect attacks more efficiently.
Up to now, we have proposed an architecture for ID agents, implemented a DIDS simulation framework, and investigated various techniques for misuse detection at the detection layer. We have also developed a novel technique for on-line alert aggregation at the alert processing layer which is based on a dynamic, probabilistic model of the current attack situation. Basically, it can be regarded as a data stream version of a maximum likelihood approach for the estimation of the model parameters. Currently, we focus on gradually measuring the “interestingness” of meta-alerts. The term “interestingness” is adopted from the field of data mining, where it characterizes various aspects of knowledge such as “novelty” or “usefulness”.
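To make the alert aggregation step of the alert processing layer concrete, the following added example (not the group's own model or code) sketches a deliberately simplified single-pass aggregator: each meta-alert keeps running per-attribute value counts of its member alerts (a maximum-likelihood estimate updated from the stream), and an incoming alert joins the live meta-alert under which it is most likely, or opens a new one. The attribute set, the Laplace smoothing, the likelihood threshold, the time window and the sample alerts are all constructed assumptions for illustration.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass, field

ATTRS = ("src", "dst", "sig")  # assumed alert attributes the model is estimated over

@dataclass
class MetaAlert:
    """One hypothesised attack instance: per-attribute value counts of its alerts."""
    counts: dict = field(default_factory=lambda: defaultdict(Counter))
    alerts: list = field(default_factory=list)
    last_ts: float = 0.0

    def likelihood(self, alert, smoothing=1.0):
        # Per attribute: relative frequency of the alert's value among this meta-alert's
        # members, Laplace-smoothed so a value not seen yet does not zero the product.
        n = len(self.alerts)
        p = 1.0
        for key in ATTRS:
            distinct = len(self.counts[key])
            p *= (self.counts[key][alert[key]] + smoothing) / (n + smoothing * (distinct + 1))
        return p

    def absorb(self, alert):
        self.alerts.append(alert)
        self.last_ts = alert["ts"]
        for key in ATTRS:
            self.counts[key][alert[key]] += 1

def aggregate(stream, threshold=0.05, window=60.0):
    """One pass over the stream: join the best live meta-alert, or open a new one."""
    metas = []
    for alert in sorted(stream, key=lambda a: a["ts"]):
        live = [(m.likelihood(alert), m) for m in metas if alert["ts"] - m.last_ts <= window]
        score, best = max(live, key=lambda x: x[0], default=(0.0, None))
        if best is None or score < threshold:
            best = MetaAlert()
            metas.append(best)
        best.absorb(alert)
    return metas

# Constructed sample stream: a scan burst, a firewall drop caused by the same source,
# an unrelated alert, and a repeat of the scan well outside the time window.
SAMPLE_ALERTS = [
    {"ts": 0, "src": "10.0.0.5", "dst": "10.0.0.20", "sig": "snort:portscan"},
    {"ts": 1, "src": "10.0.0.5", "dst": "10.0.0.20", "sig": "snort:portscan"},
    {"ts": 2, "src": "10.0.0.5", "dst": "10.0.0.20", "sig": "snort:portscan"},
    {"ts": 4, "src": "10.0.0.5", "dst": "10.0.0.20", "sig": "fw:drop"},
    {"ts": 5, "src": "192.0.2.9", "dst": "10.0.0.21", "sig": "snort:sqli"},
    {"ts": 200, "src": "10.0.0.5", "dst": "10.0.0.20", "sig": "snort:portscan"},
]
```

On the sample stream this yields three meta-alerts: the scan burst together with the firewall drop, the unrelated SQL injection alert, and the late repeated scan, which the window keeps separate from the first instance.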
Our work in this field is influenced by partners from various companies. In the past, we collaborated with T-Systems, HUK Coburg, and Apsec.