Runtime Monitoring and Dynamic Reconfiguration for Intrusion Detection Systems

Our work proposes a generic architecture for runtime monitoring and optimization of IDS based on challenge insertion. The challenges, known instances of malicious or legitimate behavior, are inserted into the network traffic represented by NetFlow records and processed together with the current traffic; the system's response to the challenges is then used to determine its effectiveness and to fine-tune its parameters. The insertion of challenges is driven by threat models expressed as attack trees with attached risk/loss values. The use of a threat model allows the system to measure the expected undetected loss and to improve its performance with respect to the relevant threats, as we have verified in experiments performed on live network traffic.
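The evaluation loop sketched above, as an added example that is not the paper's own code: labelled challenges carry the anomaly score a hypothetical detector assigned them, the threat model is reduced to attack-tree leaves with constructed loss values, and the detection threshold is tuned to minimize the expected undetected loss under a false-positive budget measured on the legitimate challenges.

```python
# Added illustration, not the paper's implementation. Every record, score and
# loss value below is constructed; the detector is a stand-in whose only
# visible output is the score it gave each inserted challenge.

# Threat model: leaves of an attack tree, each with an attached loss value.
THREAT_LOSS = {"portscan": 10.0, "bruteforce": 50.0, "exfiltration": 200.0}

# Challenges: (class, anomaly score returned by the detector after the
# challenge was processed together with the live NetFlow traffic).
CHALLENGES = [
    ("portscan", 0.82), ("portscan", 0.75), ("portscan", 0.40),
    ("bruteforce", 0.65), ("bruteforce", 0.55),
    ("exfiltration", 0.92), ("exfiltration", 0.35),
    ("legit", 0.10), ("legit", 0.30), ("legit", 0.52), ("legit", 0.20),
]


def detection_rates(challenges, threshold):
    """Per-class fraction of challenges the detector flags (score >= threshold).
    For the 'legit' class this fraction is the false-positive rate."""
    counts, hits = {}, {}
    for cls, score in challenges:
        counts[cls] = counts.get(cls, 0) + 1
        hits[cls] = hits.get(cls, 0) + (1 if score >= threshold else 0)
    return {cls: hits[cls] / counts[cls] for cls in counts}


def expected_undetected_loss(rates, threat_loss):
    """Sum over threats of loss * probability that the threat goes undetected."""
    return sum(loss * (1.0 - rates.get(t, 0.0)) for t, loss in threat_loss.items())


def tune_threshold(challenges, threat_loss, max_fp_rate, candidates):
    """Pick the candidate threshold with the lowest expected undetected loss
    whose false-positive rate on legitimate challenges stays within budget.
    Returns (threshold, expected_loss, fp_rate) or None if nothing qualifies."""
    best = None
    for th in candidates:
        rates = detection_rates(challenges, th)
        fp = rates.get("legit", 0.0)
        if fp > max_fp_rate:
            continue  # reconfiguration must not flood operators with alerts
        loss = expected_undetected_loss(rates, threat_loss)
        if best is None or loss < best[1]:
            best = (th, loss, fp)
    return best


if __name__ == "__main__":
    print(tune_threshold(CHALLENGES, THREAT_LOSS, 0.25, [0.3, 0.4, 0.5, 0.6, 0.7]))
```

Raising the budget to admit threshold 0.3 would catch the low-scoring exfiltration challenge, which is the trade-off the loss-weighted view makes explicit.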
