We describe an approach to detecting coordinated attacks in tactical wireless networks in which distributed detectors cooperate to match signatures against audit events generated at different locations. Traditionally, the signature matching engine compares the signature with a single audit data stream to identify occurrences of the action sequence described in the signature. Such an approach introduces a single point of failure and consumes a large amount of bandwidth for transferring audit data from the data sources to the matching engine. Our approach decomposes an extended infinite state machine, an operational representation of an attack signature, into multiple cooperative finite state machines that enable distributed signature engines to match the signature. We describe the decomposition methodology and the distributed matching algorithm and illustrate them using several example multi-stage attacks in tactical networks. In addition, we implemented an example distributed signature matching engine for detecting the example attacks in a simulation framework based on MASON. Our approach avoids a single point of failure and reduces bandwidth usage by communicating internal state information rather than audit events.
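The following is an added illustration of the idea in the abstract, not code from the paper or its MASON implementation. It assumes a hypothetical three-stage signature spread over two detector nodes ("gw" and "srv"), a shared variable `src` that ties the stages together, and a constructed audit stream. Each node runs only the stages assigned to it over its own audit events and hands a small state message to the node responsible for the next stage; a centralized matcher over the same events is included so the bytes crossing the network can be compared.

```python
"""Added example (not the paper's code): a two-node distributed signature matcher.

Hypothetical signature with three stages and a shared variable `src`:
  stage 0 at node "gw":  one "scan" event binds src
  stage 1 at node "srv": three "login_fail" events from the same src
  stage 2 at node "gw":  one "exfil" event from the same src
Nodes see only their own audit stream and exchange state messages, not events.
"""
from dataclasses import dataclass, field
import json

# Hypothetical signature: each stage names the node whose audit stream holds the
# relevant events and how many matching events complete the stage.
SIGNATURE = [
    {"node": "gw",  "event": "scan",       "count": 1},
    {"node": "srv", "event": "login_fail", "count": 3},
    {"node": "gw",  "event": "exfil",      "count": 1},
]

# Constructed audit events in global time order: (node that observed it, record).
EVENTS = [
    ("gw",  {"type": "scan",       "src": "10.0.0.7", "dst": "10.0.1.5"}),
    ("srv", {"type": "login_fail", "src": "10.0.0.7", "user": "admin"}),
    ("srv", {"type": "login_ok",   "src": "10.0.0.9", "user": "bob"}),
    ("srv", {"type": "login_fail", "src": "10.0.0.7", "user": "root"}),
    ("gw",  {"type": "exfil",      "src": "10.0.0.9", "bytes": 5000}),  # no prior stages: no alert
    ("srv", {"type": "login_fail", "src": "10.0.0.7", "user": "admin"}),
    ("gw",  {"type": "exfil",      "src": "10.0.0.7", "bytes": 9000}),
]


@dataclass
class NodeFsm:
    """Local signature engine for one node; partial matches are keyed by src."""
    name: str
    all_nodes: bool = False                      # True only for the centralized matcher
    partial: dict = field(default_factory=dict)  # src -> [stage index, hits so far]
    sent_bytes: int = 0                          # state-message bytes this node put on the wire

    def owns(self, stage: dict) -> bool:
        return self.all_nodes or stage["node"] == self.name

    def accept_state(self, msg: dict) -> None:
        """Install a partial match handed over by the previous stage's node."""
        self.partial[msg["src"]] = [msg["stage"], 0]

    def process(self, ev: dict, network: dict, alerts: list) -> None:
        src = ev["src"]
        if src not in self.partial:
            # Only the first stage may bind a new value of the shared variable.
            if self.owns(SIGNATURE[0]) and ev["type"] == SIGNATURE[0]["event"]:
                self.partial[src] = [0, 0]
            else:
                return
        stage_idx, hits = self.partial[src]
        stage = SIGNATURE[stage_idx]
        if not self.owns(stage) or ev["type"] != stage["event"]:
            return
        hits += 1
        if hits < stage["count"]:
            self.partial[src][1] = hits
            return
        # Stage complete: raise an alert on the last stage, otherwise hand off.
        del self.partial[src]
        nxt = stage_idx + 1
        if nxt == len(SIGNATURE):
            alerts.append(src)
            return
        msg = {"src": src, "stage": nxt}
        target = SIGNATURE[nxt]["node"]
        if self.all_nodes or target == self.name:
            self.accept_state(msg)               # same engine: nothing crosses the network
        else:
            self.sent_bytes += len(json.dumps(msg).encode())
            network[target].accept_state(msg)    # assumed reliable, in-order delivery


def run_distributed(events=EVENTS):
    """Each event is handled by the node that observed it; returns (alerts, message bytes)."""
    network = {n: NodeFsm(n) for n in {s["node"] for s in SIGNATURE}}
    alerts = []
    for node, ev in events:
        network[node].process(ev, network, alerts)
    return alerts, sum(n.sent_bytes for n in network.values())


def run_centralized(events=EVENTS):
    """Every audit event is shipped to one engine; returns (alerts, audit bytes transferred)."""
    engine = NodeFsm("central", all_nodes=True)
    alerts, audit_bytes = [], 0
    for _node, ev in events:
        audit_bytes += len(json.dumps(ev).encode())
        engine.process(ev, {}, alerts)
    return alerts, audit_bytes


if __name__ == "__main__":
    print("distributed :", run_distributed())
    print("centralized :", run_centralized())
```

Both matchers raise the same alert for the constructed stream, but the distributed version sends two short state messages (one per stage hand-off) where the centralized one ships every audit record, including the ones that never contribute to a match. Real deployments also need to handle lost or reordered state messages and to expire stale partial matches, which this example omits.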