An Intrusion Detection and Response Cooperation Model Based on XML Message Exchange

In a distributed intrusion detection system, multiple detection components are usually deployed to monitor different hosts and network resources. These components sometimes need to cooperate with one another to perform complex detection tasks. However, the heterogeneity of the detection components greatly increases the complexity of cooperation among them, so a more general and efficient intrusion detection cooperation mechanism is required. Considering XML's advantages in data representation and platform independence, we propose in this paper a distributed intrusion detection and response cooperation model based on XML message exchange. In our model, cooperation agents correlate the detection results from the detection agents and from the cooperation agents of other domains to detect complex intrusions. To facilitate communication between different components, the Intrusion Detection Message Exchange Format (IDMEF) is extended and applied to represent the messages exchanged among the intrusion detection components; cooperation agents likewise cooperate with one another by exchanging XML messages. A schema is defined to constrain the XML documents. A new concept, the suspect, is proposed to indicate the suspected degree of an activity. All suspected activities and detected intrusions are reported to the monitors for isolation and monitoring.
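The correlation step described above, as an added illustration that is not code from the paper: detection agents emit IDMEF alerts carrying a suspect degree, and a cooperation agent combines the degrees per target and classifies the result for the monitors. The IDMEF namespace is the one from RFC 4765; carrying the suspect degree in an `AdditionalData` element, the noisy-OR combination rule, the 0.8 threshold and all sample values are assumptions made here.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

IDMEF_NS = "http://iana.org/idmef"          # namespace from RFC 4765
NS = {"idmef": IDMEF_NS}

def make_alert(msgid, analyzer, target, text, suspect):
    """Build an IDMEF Alert as a detection agent would emit it. The suspect degree
    (0..1) rides in AdditionalData, IDMEF's extension hook (assumed encoding)."""
    return f"""<IDMEF-Message xmlns="{IDMEF_NS}" version="1.0">
  <Alert messageid="{msgid}">
    <Analyzer analyzerid="{analyzer}"/>
    <Target><Node><Address category="ipv4-addr"><address>{target}</address></Address></Node></Target>
    <Classification text="{text}"/>
    <AdditionalData type="real" meaning="suspect"><real>{suspect}</real></AdditionalData>
  </Alert>
</IDMEF-Message>"""

# Constructed sample traffic: two agents in different domains report on one host,
# a third agent reports weak evidence on another host.
MESSAGES = [
    make_alert("a1", "det-agent-hostA", "10.0.0.7", "Repeated failed logins", 0.4),
    make_alert("a2", "coop-agent-domainB", "10.0.0.7", "Outbound scan", 0.7),
    make_alert("a3", "det-agent-netC", "10.0.0.9", "Unusual DNS volume", 0.3),
]

def parse_alert(xml_text):
    """Extract the fields the cooperation agent correlates on."""
    alert = ET.fromstring(xml_text).find("idmef:Alert", NS)
    degree = alert.find("idmef:AdditionalData[@meaning='suspect']/idmef:real", NS)
    return {
        "id": alert.get("messageid"),
        "target": alert.findtext("idmef:Target/idmef:Node/idmef:Address/idmef:address", namespaces=NS),
        "suspect": float(degree.text) if degree is not None else 0.0,
    }

def correlate(messages, intrusion_threshold=0.8):
    """Combine per-target suspect degrees with noisy-OR (assumed rule), so that
    independent weak evidence accumulates, and classify each target for the monitors."""
    by_target = defaultdict(lambda: {"alerts": [], "suspect": 0.0})
    for m in map(parse_alert, messages):
        e = by_target[m["target"]]
        e["alerts"].append(m["id"])
        e["suspect"] = 1 - (1 - e["suspect"]) * (1 - m["suspect"])
    return {
        t: {"verdict": "intrusion" if e["suspect"] >= intrusion_threshold else "suspect",
            "suspect": round(e["suspect"], 3), "alerts": e["alerts"]}
        for t, e in by_target.items()
    }

if __name__ == "__main__":
    for target, report in correlate(MESSAGES).items():
        print(target, report)
```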
