An Experience Improving Intrusion Detection Systems False Alarm Ratio by Using Honeypot

When traditional firewall and intrusion detection systems (IDS) are used to detect possible attacks from the network, they often make wrong decisions and block the legitimate connections. In this paper we propose a new architecture which is composed of distributed agents and honeypot. The main focus of our approach lies in reducing the false alarm rate of the attack detection. Using the honeypot scheme, this system is able to avoid many wrong decisions made by IDS. In this system alarming adversaries, initially detected by the IDS, will be rerouted to a honeypot network for a more close investigation. If as a result of this investigation, it is found that the alarm decision made by the IDS of the agent is wrong, the connection will be guided to the original destination in order to continue the previous interaction. This action is hidden to the user. Such a scheme significantly decreases the alarm rate and provides a higher performance of IDS. In this paper the architecture of the proposed system is described, a theoretical analysis of its behavior is given and its possible extension and implementation are explained.

[1]  Jun Zhang,et al.  MADIDS: a novel distributed IDS based on mobile agent , 2003, OPSR.

[2]  Cristine Hoepers,et al.  Honeynets Applied to the CSIRT Scenario , 2003 .

[3]  C. Stoll The Cuckoo's Egg : Tracking a Spy Through the Maze of Computer Espionage , 1990 .

[4]  Karl-Erwin Großpietsch,et al.  A combined safety/security approach for co-operative distributed systems , 2004, 18th International Parallel and Distributed Processing Symposium, 2004. Proceedings..

[5]  Zhang Jun,et al.  MADIDS: a novel distributed IDS based on mobile agent , 2003 .

[6]  Whitfield Diffie,et al.  An introduction to cryptography , 1984 .

[7]  Mary Schanken,et al.  Security concerns for distributed systems , 1994, Tenth Annual Computer Security Applications Conference.

[8]  Lu Xian-liang A Novel Distributed IDS Based by Mobile Agent , 2005 .

[9]  M.I. Aziz,et al.  Introduction to Cryptography , 2002, 2005 International Conference on Microelectronics.

[10]  Jon Crowcroft,et al.  Honeycomb , 2004, Comput. Commun. Rev..