Using Active Intrusion Detection to Recover Network Trust

Most existing intrusion detection systems take a passive approach to observing attacks or noticing exploits. We suggest that active intrusion detection (AID) techniques provide value, particularly in scenarios where an administrator attempts to recover a network infrastructure from a compromise. In such cases, an attacker may have corrupted fundamental services (e.g., ARP, DHCP, DNS, NTP), and existing IDS or auditing tools may lack the precision or pervasive deployment to observe symptoms of this corruption. We prototype a specific instance of the active intrusion detection approach: how we can use an AID mechanism based on packet injection to help detect rogue services.
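As an added illustration, not code from the paper, the following sketches an active ARP probe in the spirit of the packet-injection mechanism the abstract describes: it builds the who-has request a checker would inject for the gateway address, then examines the replies gathered in the answer window and flags any MAC other than the administrator's recorded gateway binding. All addresses and captured frames are constructed sample data.

```python
import struct

ETH_P_ARP = 0x0806  # EtherType for ARP


def _arp_frame(op, dst_mac, src_mac, src_ip, tgt_mac, tgt_ip):
    """Ethernet II frame carrying an ARP packet (RFC 826 field order)."""
    eth = dst_mac + src_mac + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op) + src_mac + src_ip + tgt_mac + tgt_ip
    return eth + arp


def build_probe(my_mac, my_ip, target_ip):
    """Broadcast who-has request the probe injects; a healthy network answers from one MAC."""
    return _arp_frame(1, b"\xff" * 6, my_mac, my_ip, b"\x00" * 6, target_ip)


def parse_reply(frame):
    """Return (sender_mac, sender_ip) if frame is an Ethernet/IPv4 ARP reply, else None."""
    if len(frame) < 42 or frame[12:14] != struct.pack("!H", ETH_P_ARP):
        return None
    if struct.unpack("!HHBBH", frame[14:22]) != (1, 0x0800, 6, 4, 2):
        return None
    return frame[22:28], frame[28:32]


def check_replies(target_ip, known_mac, frames):
    """Collect every MAC that claimed target_ip during the probe window and
    flag anything beyond the single expected binding."""
    claimants = {p[0] for p in map(parse_reply, frames) if p and p[1] == target_ip}
    rogue = sorted(m.hex(":") for m in claimants - {known_mac})
    return {
        "answered": bool(claimants),        # silence means the probe got no answer at all
        "conflicting": len(claimants) > 1,  # more than one host claims the address
        "rogue_macs": rogue,                # claimants that are not the recorded binding
        "alert": bool(rogue),
    }


# Constructed sample: the prober's identity, the gateway's recorded binding, and
# frames seen in the reply window (one genuine, one rogue, two unrelated).
PROBE_MAC, PROBE_IP = bytes.fromhex("020000000010"), bytes([192, 168, 1, 50])
GATEWAY_IP, GATEWAY_MAC = bytes([192, 168, 1, 1]), bytes.fromhex("aabbccddee01")
ROGUE_MAC = bytes.fromhex("020000000099")
SAMPLE_REPLIES = [
    _arp_frame(2, PROBE_MAC, GATEWAY_MAC, GATEWAY_IP, PROBE_MAC, PROBE_IP),
    _arp_frame(2, PROBE_MAC, ROGUE_MAC, GATEWAY_IP, PROBE_MAC, PROBE_IP),
    _arp_frame(2, PROBE_MAC, bytes.fromhex("aabbccddee02"), bytes([192, 168, 1, 2]), PROBE_MAC, PROBE_IP),
    b"\x00" * 60,  # unrelated non-ARP frame that must be ignored
]

if __name__ == "__main__":
    print(build_probe(PROBE_MAC, PROBE_IP, GATEWAY_IP).hex())
    print(check_replies(GATEWAY_IP, GATEWAY_MAC, SAMPLE_REPLIES))
```

In a real deployment the probe frame would be written to a raw socket on the segment being recovered and the reply window captured from the same interface; the comparison against the recorded binding is what turns a passive sniffer into an active check.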
