Achieving Security by Intrusion-Tolerance Based on Event Correlation

Despite the increased focus on security, complex networked systems remain vulnerable to attacks. Intrusion tolerance is an emerging paradigm for developing systems that continue to operate correctly and provide acceptable services even in the face of an intrusion. The effectiveness of this approach depends strongly on the efficiency of the adopted detection and diagnosis mechanisms. In this work, we propose an architectural framework that collects information at several architectural levels using multiple security probes deployed in a distributed architecture, and that performs event correlation and diagnostic analysis of intrusion symptoms. The experimental results show that the use of different security information sources can improve the detection and diagnosis of attacks.
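As an added illustration (not code from the paper or its framework), the following Python sketch shows the multi-level correlation idea in the abstract: alerts from distributed probes at the network, OS and application levels are clustered per host within a time window, and each cluster is turned into a diagnosis whose confidence grows with the number of independent levels reporting symptoms. The probe levels, symptom names, window size, sample alerts and confidence heuristic are all assumptions chosen for the example.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed alerts from three probes at different architectural levels
# (network, OS, application) on two hosts. Timestamps are in seconds.
SAMPLE_ALERTS = [
    {"ts": 100, "host": "web1", "level": "network", "symptom": "syn_flood"},
    {"ts": 103, "host": "web1", "level": "os", "symptom": "high_load"},
    {"ts": 105, "host": "web1", "level": "application", "symptom": "http_timeouts"},
    {"ts": 101, "host": "web2", "level": "network", "symptom": "port_scan"},
    {"ts": 400, "host": "web1", "level": "os", "symptom": "high_load"},
]

LEVELS = ("network", "os", "application")  # assumed probe levels


@dataclass
class Diagnosis:
    host: str
    start: int
    end: int
    levels: tuple
    symptoms: tuple
    confidence: float


def _diagnose(host, cluster):
    """Summarise one time-window cluster of alerts for a single host."""
    levels = tuple(sorted({a["level"] for a in cluster}, key=LEVELS.index))
    symptoms = tuple(sorted({a["symptom"] for a in cluster}))
    # Confidence grows with the number of independent levels that agree;
    # a lone alert from one probe stays low (heuristic, an assumption here).
    confidence = len(levels) / len(LEVELS)
    return Diagnosis(host, cluster[0]["ts"], cluster[-1]["ts"], levels, symptoms, confidence)


def correlate(alerts, window=30):
    """Group alerts per host into time windows and score each by level diversity."""
    by_host = defaultdict(list)
    for a in sorted(alerts, key=lambda a: a["ts"]):
        by_host[a["host"]].append(a)
    diagnoses = []
    for host, items in by_host.items():
        cluster = [items[0]]
        for a in items[1:]:
            if a["ts"] - cluster[0]["ts"] <= window:
                cluster.append(a)
            else:  # window closed: emit and start a new cluster
                diagnoses.append(_diagnose(host, cluster))
                cluster = [a]
        diagnoses.append(_diagnose(host, cluster))
    return diagnoses
```

Running `correlate(SAMPLE_ALERTS)` yields three diagnoses: the web1 burst at t=100..105 reported by all three levels (confidence 1.0), a single-level port scan on web2, and an isolated OS load alert on web1 at t=400.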
