Design and implementation of a decentralized prototype system for detecting distributed attacks

This paper presents the design and implementation of a decentralized research prototype intrusion detection system (IDS) named coordinated attacks response and detection system (CARDS), which aims at detecting distributed attacks that cannot be detected using data collected at any single place. CARDS adopts a signature-based approach. It consists of three kinds of independent but cooperative components: signature manager, monitor, and directory service. Unlike traditional distributed IDSs, CARDS decomposes global representations of distributed attacks into smaller units (called detection tasks) that correspond to the distributed events indicating the attacks, and then executes and coordinates the detection tasks in the places where the corresponding events are observed.

[1]  J. F. McClary,et al.  NADIR: An automated system for detecting network intrusion and misuse , 1993, Comput. Secur..

[2]  Stephen Northcutt,et al.  Network Intrusion Detection: An Analyst's Hand-book , 1999 .

[3]  Karl N. Levitt,et al.  Intrusion Detection Inter-component Adaptive Negotiation , 1999, Recent Advances in Intrusion Detection.

[4]  Michael Stonebraker,et al.  Implementation techniques for main memory database systems , 1984, SIGMOD '84.

[5]  Richard A. Kemmerer,et al.  State Transition Analysis: A Rule-Based Intrusion Detection Approach , 1995, IEEE Trans. Software Eng..

[6]  C. M. Sperberg-McQueen,et al.  Extensible markup language , 1997 .

[7]  Stuart Staniford-Chen,et al.  Holding intruders accountable on the Internet , 1995, Proceedings 1995 IEEE Symposium on Security and Privacy.

[8]  Rebecca Gurley Bace,et al.  Intrusion Detection , 2018, Encyclopedia of Social Network Analysis and Mining. 2nd Ed..

[9]  Sushil Jajodia,et al.  Modeling requests among cooperating intrusion detection systems , 2000, Comput. Commun..

[10]  Biswanath Mukherjee,et al.  DIDS (distributed intrusion detection system)—motivation, architecture, and an early prototype , 1997 .

[11]  Peter G. Neumann,et al.  EMERALD: Event Monitoring Enabling Responses to Anomalous Live Disturbances , 1997, CCS 2002.

[12]  S. E. Smaha Haystack: an intrusion detection system , 1988, [Proceedings 1988] Fourth Aerospace Computer Security Applications.

[13]  Giovanni Vigna,et al.  NetSTAT: A Network-based Intrusion Detection System , 1999, J. Comput. Secur..

[14]  Anup K. Ghosh,et al.  Detecting anomalous and unknown intrusions against programs , 1998, Proceedings 14th Annual Computer Security Applications Conference (Cat. No.98EX217).

[15]  Eugene H. Spafford,et al.  Intrusion detection using autonomous agents , 2000, Comput. Networks.

[16]  Sushil Jajodia,et al.  Detecting Novel Network Intrusions Using Bayes Estimators , 2001, SDM.

[17]  Salvatore J. Stolfo,et al.  A data mining framework for building intrusion detection models , 1999, Proceedings of the 1999 IEEE Symposium on Security and Privacy (Cat. No.99CB36344).

[18]  James F. Allen Maintaining knowledge about temporal intervals , 1983, CACM.

[19]  Eugene H. Spafford,et al.  Using embedded sensors for detecting network attacks , 2000 .

[20]  Dorothy E. Denning,et al.  An Intrusion-Detection Model , 1986, 1986 IEEE Symposium on Security and Privacy.

[21]  Naji Habra,et al.  Distributed audit trail analysis , 1995, Proceedings of the Symposium on Network and Distributed System Security.

[22]  Harold S. Javitz,et al.  The NIDES Statistical Component Description and Justification , 1994 .

[23]  Todd L. Heberlein,et al.  Network intrusion detection , 1994, IEEE Network.

[24]  Salvatore J. Stolfo,et al.  A Data Mining and CIDF Based Approach for Detecting Novel and Distributed Intrusions , 2000, Recent Advances in Intrusion Detection.

[25]  Sushil Jajodia,et al.  Abstraction-based misuse detection: high-level specifications and adaptable strategies , 1998, Proceedings. 11th IEEE Computer Security Foundations Workshop (Cat. No.98TB100238).

[26]  Giovanni Vigna,et al.  NetSTAT: a network-based intrusion detection approach , 1998, Proceedings 14th Annual Computer Security Applications Conference (Cat. No.98EX217).

[27]  Sushil Jajodia,et al.  Abstraction-based intrusion detection in distributed environments , 2001, TSEC.

[28]  Richard A. Kemmerer,et al.  NSTAT: A Model-based Real-time Network Intrusion Detection System , 1998 .

[29]  Shyhtsun Felix Wu,et al.  DECIDUOUS: decentralized source identification for network-based intrusions , 1999, Integrated Network Management VI. Distributed Management for the Networked Millennium. Proceedings of the Sixth IFIP/IEEE International Symposium on Integrated Network Management. (Cat. No.99EX302).

[30]  Feiyi Wang,et al.  Design and implementation of a scalable intrusion detection system for the protection of network infrastructure , 2000, Proceedings DARPA Information Survivability Conference and Exposition. DISCEX'00.

[31]  Christian Freksa,et al.  Temporal Reasoning Based on Semi-Intervals , 1992, Artif. Intell..