Context-Based Intrusion Detection Using Snort, Nessus and Bugtraq Databases

Intrusion Detection Systems (IDS) use different techniques to reduce the number of false positives they generate. Simple network context information such as the communication session state has been added in IDS signatures to only raise alarms in the proper context. However, this is often not sufficient and more network context information needs to be added to these Stateful IDS (SIDS) signatures to reduce the number of false positives. IDS are also used with other network monitoring systems such as Vulnerability Detection Systems (VDS) and vulnerability databases in centralized correlation systems to determine the importance of an alarm. The correlation mechanism relies on the accuracy of a standardized relationship between IDS signatures, VDS signatures and the vulnerability databases. In this paper, we study the strength of the relationships between Snort signatures, Nessus scripts and the Bugtraq vulnerability database, as well as their potential for information correlation and for deriving network context that could be incorporated in intrusion detection signatures.

[1]  Frederic Massicotte,et al.  Passive Network Discovery for Real Time Situation Awareness , 2004 .

[2]  Hervé Debar,et al.  M2D2: A Formal Data Model for IDS Alert Correlation , 2002, RAID.

[3]  Annie De Montigny-Leboeuf A Multi-Packet Signature Approach to Passive Operating System Detection , 2005 .

[4]  Jeffrey Posluns,et al.  Snort 2.0 Intrusion Detection , 2003 .

[5]  Robert P. Goldman,et al.  Information modeling for intrusion report aggregation , 2001, Proceedings DARPA Information Survivability Conference and Exposition II. DISCEX'01.

[6]  Giovanni Vigna,et al.  NetSTAT: a network-based intrusion detection approach , 1998, Proceedings 14th Annual Computer Security Applications Conference (Cat. No.98EX217).

[7]  Giovanni Vigna,et al.  A Topological Characterization of TCP/IP Security , 2003, FME.

[8]  Christopher Krügel,et al.  Comprehensive approach to intrusion detection alert correlation , 2004, IEEE Transactions on Dependable and Secure Computing.