Abstraction-based intrusion detection in distributed environments

Abstraction is an important issue in intrusion detection, since it not only hides the difference between heterogeneous systems, but also allows generic intrusion-detection models. However, abstraction is an error-prone process and is not well supported in current intrusion-detection systems (IDSs). This article presents a hierarchical model to support attack specification and event abstraction in distributed intrusion detection. The model involves three concepts: system view, signature, and view definition. A system view provides an abstract interface of a particular type of information; defined on the instances of system views, a signature specifies certain distributed attacks or events to be monitored; a view definition is then used to derive information from the matches of a signature and presents it through a system view. With the three elements, the model provides a hierarchical framework for maintaining signatures, system views, as well as event abstraction. As a benefit, the model allows generic signatures that can accommodate unknown variants of known attacks. Moreover, abstraction represented by a system view can be updated without changing either its specification or the signatures specified on its basis. This article then presents a decentralized method for autonomous but cooperative component systems to detect distributed attacks specified by signatures. Specifically, a signature is decomposed into finer units, called detection tasks, each of which represents the activity to be monitored on a component system. The component systems (involved in a signature) then perform the detection tasks cooperatively according to the "dependency" relationships among these tasks. An experimental system called CARDS has been implemented to test the feasibility of the proposed approach.
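The following Python sketch is an added illustration of the three concepts in the abstract and of the detection-task decomposition; it is not code from CARDS or from the authors. All names (the `LoginEvent` system view, the two log formats, the hosts, the burst/follow-up thresholds) and the sample records are constructed for the example. Two component systems with different log formats are mapped onto one system view, a two-host signature is split into a burst task and a dependent follow-up task, and a view definition turns the final match into a higher-level event that another signature could consume.

```python
"""Illustrative model of system views, signatures, view definitions and
detection tasks. Added example; not CARDS code. All formats are constructed."""
from collections import defaultdict
from dataclasses import dataclass


# --- System view: one abstract interface over heterogeneous raw records -----
@dataclass(frozen=True)
class LoginEvent:
    """System view (constructed): the attributes a signature may refer to,
    independent of which host produced the record or in what format."""
    host: str
    src: str
    user: str
    success: bool
    t: int  # seconds, constructed clock


def syslog_adapter(line: str) -> LoginEvent:
    # constructed text format: "<t> <host> <Failed|Accepted> <user> <src>"
    t, host, status, user, src = line.split()
    return LoginEvent(host, src, user, status == "Accepted", int(t))


def json_adapter(rec: dict) -> LoginEvent:
    # constructed record format of a second, differently logging host
    return LoginEvent(rec["node"], rec["client_ip"], rec["account"], rec["ok"], rec["ts"])


# --- Component systems and the detection tasks a signature decomposes into --
class Component:
    """An autonomous component: it sees only its own events plus the matches
    forwarded to it by the components whose tasks it depends on."""

    def __init__(self, name, events):
        self.name = name
        self.events = sorted(events, key=lambda e: e.t)
        self.inbox = []  # matches received from upstream detection tasks

    def run_failed_burst(self, n=3, window=30):
        """Task 1 (no dependencies): n failed logins for one (user, src)
        within `window` seconds. Emits one match per burst."""
        history, matches = defaultdict(list), []
        for e in self.events:
            if e.success:
                continue
            key = (e.user, e.src)
            recent = [t for t in history[key] if e.t - t <= window] + [e.t]
            history[key] = recent
            if len(recent) >= n:
                matches.append({"user": e.user, "src": e.src, "t_end": e.t, "host": self.name})
                history[key] = []  # reset so a burst is reported once
        return matches

    def run_followup_success(self, gap=60):
        """Task 2 (depends on task 1): a successful login for the same
        (user, src) within `gap` seconds after a forwarded burst match."""
        matches = []
        for m in self.inbox:
            for e in self.events:
                same_actor = (e.user, e.src) == (m["user"], m["src"])
                if e.success and same_actor and m["t_end"] < e.t <= m["t_end"] + gap:
                    matches.append({**m, "host2": self.name, "t_login": e.t})
        return matches


# --- View definition: derive a higher-level event from signature matches -----
@dataclass(frozen=True)
class LateralLoginEvent:
    """Higher-level system view presented to further signatures."""
    src: str
    user: str
    path: tuple
    t: int


def view_definition(match: dict) -> LateralLoginEvent:
    return LateralLoginEvent(match["src"], match["user"],
                             (match["host"], match["host2"]), match["t_login"])


def detect(raw_a, raw_b):
    """Run the two-host signature cooperatively: hostB's task waits on
    hostA's matches (the dependency), then the view definition is applied."""
    a = Component("hostA", [syslog_adapter(line) for line in raw_a])
    b = Component("hostB", [json_adapter(rec) for rec in raw_b])
    b.inbox.extend(a.run_failed_burst())  # forward task-1 matches downstream
    return [view_definition(m) for m in b.run_followup_success()]


# Constructed sample input: three failures for alice on hostA, then a success
# for the same (user, src) on hostB 41 s later; bob fails once and is ignored.
RAW_A = [
    "100 hostA Failed alice 10.0.0.5",
    "105 hostA Failed alice 10.0.0.5",
    "109 hostA Failed alice 10.0.0.5",
    "200 hostA Failed bob 10.0.0.9",
]
RAW_B = [
    {"ts": 150, "node": "hostB", "account": "alice", "client_ip": "10.0.0.5", "ok": True},
    {"ts": 400, "node": "hostB", "account": "bob", "client_ip": "10.0.0.9", "ok": True},
]

if __name__ == "__main__":
    for ev in detect(RAW_A, RAW_B):
        print(ev)
```

The adapters are the only place the two log formats appear; replacing one of them changes the abstraction without touching the signature, which is the property the abstract claims for system views. Likewise the burst task can run on hostA without knowing that hostB exists; only the forwarding of its matches encodes the dependency between the two tasks.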
