Policy-Based Security Configuration Management, Application to Intrusion Detection and Prevention

Intrusion Detection and/or Prevention Systems (IDPS) represent an important line of defense against the variety of attacks that can compromise the security and proper functioning of an enterprise information system. IDPSes can be network- or host-based and can collaborate to provide better detection of malicious traffic. Although several IDPS systems have been proposed, configuring and controlling them appropriately for effective detection and prevention of attacks has always been far from trivial. Another concern is the slowdown of system performance when maximum security is applied, hence the need to trade off security enforcement levels against the performance and usability of an enterprise information system. In this paper we motivate the need for, and present, a policy-based framework for the configuration and control of the security enforcement mechanisms of an enterprise information system. The approach is based on dynamic adaptation of security measures driven by the assessment of system vulnerability and threat prediction, and provides several levels of attack containment. As an application, we have implemented a dynamic policy-based adaptation mechanism between the Snort signature-based IDPS and the lightweight anomaly-based FireCollaborator IDS. Experiments conducted over the DARPA 2000 and 1999 intrusion detection evaluation datasets show the viability of our framework.
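The abstract describes a controller that maps a threat and vulnerability assessment onto graded containment levels and reconfigures a signature-based IDPS accordingly, while keeping enforcement cost in check. The following is an added illustration of that pattern and is not the paper's framework or the FireCollaborator code: the policy table, the thresholds, the four containment levels, the hysteresis rule, the rule-set file names and the sample assessments are all assumptions constructed here. It takes an anomaly score (standing in for the lightweight anomaly detector's output), a vulnerability score for the targeted host and a count of recent signature hits, decides an enforcement level, and renders the Snort directives that level implies. Escalation is immediate; de-escalation is one step at a time and only once the relaxed thresholds no longer justify the current level, so a flapping score does not cause constant reconfiguration.

```python
"""Toy policy-based adaptation controller between an anomaly detector and
Snort. Constructed example: levels, thresholds, policy rows and rule-set
names are assumptions, not the paper's own configuration."""
from dataclasses import dataclass
from enum import IntEnum
from typing import List


class Level(IntEnum):
    """Containment levels, ordered from cheapest to most intrusive."""
    MONITOR = 0    # minimal rule set, alert only
    ELEVATED = 1   # broader rule set, alert only
    CONTAIN = 2    # full exploit rules, inline drop of the source's service traffic
    ISOLATE = 3    # everything enabled, inline drop of all traffic from the source


@dataclass(frozen=True)
class Assessment:
    src_ip: str
    anomaly_score: float   # 0..1, from the anomaly-based detector (assumed scale)
    vuln_score: float      # 0..1, e.g. share of unpatched critical services on target
    signature_hits: int    # recent Snort alerts attributed to src_ip


@dataclass(frozen=True)
class PolicyRule:
    min_anomaly: float
    min_vuln: float
    min_hits: int
    level: Level

    def matches(self, a: Assessment, slack: float = 0.0) -> bool:
        # `slack` lowers the numeric thresholds; used for hysteresis on the way down.
        return (a.anomaly_score >= self.min_anomaly - slack
                and a.vuln_score >= self.min_vuln - slack
                and a.signature_hits >= self.min_hits)


# Policy table, most severe first; the first matching row wins (assumed values).
POLICY: List[PolicyRule] = [
    PolicyRule(0.8, 0.5, 1, Level.ISOLATE),   # strong anomaly + weak target + confirmed signature
    PolicyRule(0.6, 0.0, 1, Level.CONTAIN),   # anomaly corroborated by a signature hit
    PolicyRule(0.6, 0.5, 0, Level.CONTAIN),   # anomaly alone, but target is known vulnerable
    PolicyRule(0.3, 0.0, 0, Level.ELEVATED),  # mild anomaly: widen the rule set, keep passive
]

# Snort rule files enabled at each level (file names are assumptions).
RULE_SETS = {
    Level.MONITOR:  ["local.rules"],
    Level.ELEVATED: ["local.rules", "web-attacks.rules"],
    Level.CONTAIN:  ["local.rules", "web-attacks.rules", "exploit.rules"],
    Level.ISOLATE:  ["local.rules", "web-attacks.rules", "exploit.rules",
                     "scan.rules", "dos.rules"],
}


def target_level(a: Assessment, slack: float = 0.0) -> Level:
    """Level the policy table prescribes for this assessment (no memory)."""
    for rule in POLICY:
        if rule.matches(a, slack):
            return rule.level
    return Level.MONITOR


def decide(a: Assessment, current: Level, hysteresis: float = 0.1) -> Level:
    """Escalate at once; de-escalate one step only when the relaxed thresholds
    (lowered by `hysteresis`) no longer support the current level."""
    up = target_level(a)
    if up > current:
        return up
    relaxed = target_level(a, slack=hysteresis)
    if relaxed < current:
        return Level(current - 1)
    return current


def render_snort_directives(level: Level, src_ip: str, sid: int = 1000001) -> List[str]:
    """Snort 2 style directives for a level: rule includes plus, for the
    inline levels, a local drop rule scoped to the offending source."""
    lines = [f"include $RULE_PATH/{name}" for name in RULE_SETS[level]]
    if level == Level.CONTAIN:
        lines.append(f'drop tcp {src_ip} any -> $HOME_NET $HTTP_PORTS '
                     f'(msg:"policy containment"; sid:{sid}; rev:1;)')
    elif level == Level.ISOLATE:
        lines.append(f'drop ip {src_ip} any -> $HOME_NET any '
                     f'(msg:"policy isolation"; sid:{sid}; rev:1;)')
    return lines


def run(assessments: List[Assessment], start: Level = Level.MONITOR) -> List[Level]:
    """Feed a sequence of assessments through the controller; return the level trace."""
    level, trace = start, []
    for a in assessments:
        level = decide(a, level)
        trace.append(level)
    return trace


# Constructed sequence: ramp-up, confirmed attack, slight dip, then quiet.
SAMPLE = [
    Assessment("192.0.2.10", 0.20, 0.4, 0),
    Assessment("192.0.2.10", 0.65, 0.4, 0),
    Assessment("192.0.2.10", 0.85, 0.6, 2),
    Assessment("192.0.2.10", 0.75, 0.6, 2),  # dip below 0.8: hysteresis keeps ISOLATE
    Assessment("192.0.2.10", 0.10, 0.6, 0),  # quiet: step down to CONTAIN
    Assessment("192.0.2.10", 0.10, 0.6, 0),  # still quiet: step down to ELEVATED
]

if __name__ == "__main__":
    for a, lvl in zip(SAMPLE, run(SAMPLE)):
        print(f"anomaly={a.anomaly_score:.2f} hits={a.signature_hits} -> {lvl.name}")
    print("\n".join(render_snort_directives(Level.ISOLATE, "192.0.2.10")))
```

The asymmetry between escalation and de-escalation is the point of the example: raising enforcement late costs a missed attack, while lowering it too eagerly re-triggers reloads and wastes the performance budget the abstract is concerned with. A real deployment would also bound how long a host may stay at ISOLATE without fresh evidence, which the toy controller does not model.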
