Abstract:
Intrusion detection and prevention systems are becoming an essential part of network infrastructure. They provide the ability to detect intrusion signatures or discover abnormal behaviors, and thus trigger actions. The actions are performed to preempt ongoing attacks as well as to prevent future intrusions. In the past, intrusion detection technology was mainly deployed as sensors that passively monitor traffic to detect symptoms that indicate attacks or their prelude. However, recent Internet worms and distributed denial-of-service attacks have shown that such passive detection is not timely enough to cope with network-based attacks. Thus, the recent trend is to integrate detection and prevention technologies into security firewalls, and to deploy them as active components in the network infrastructure. This poses a new challenge for network operation and policy management. The objective of this paper is to provide a framework for managing the related policies in an enterprise-networking environment. Specifically, we propose a framework called the attack-response matrix (ARM) to integrate intrusion analysis with traffic enforcement for security purposes. ARM describes the mapping from intrusion types to traffic enforcement actions. It allows policies to dictate what actions to take on what types or stages of attacks. It is intuitive, and introduces a paradigm shift from flat detection rules to a structural representation that better describes an intrusion prevention system (IPS). It can be integrated with the framework of policy-based management, using policy decision points (PDPs) and policy enforcement points (PEPs), to configure, enforce, update and monitor intrusion prevention devices in the network. In the paper, we also point out related research issues, such as the chaining of prevention actions and the self-correction of traffic enforcement policies.
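As an added illustration (not code from the paper), the following sketches an ARM-driven PDP/PEP pair: the matrix is indexed by intrusion type and attack stage, each cell holds an ordered chain of enforcement actions, and the PEP applies the chain in sequence. The matrix contents, action names and Event fields are assumptions constructed for this example.

```python
from dataclasses import dataclass

# Hypothetical attack-response matrix (ARM): rows are intrusion types,
# columns are attack stages, each cell an ordered chain of enforcement
# actions. Constructed for illustration; not the paper's matrix.
ARM = {
    "worm":      {"prelude": ["alert"],
                  "ongoing": ["rate_limit", "block_port"],
                  "spread":  ["block_port", "quarantine_host"]},
    "ddos":      {"prelude": ["alert", "rate_limit"],
                  "ongoing": ["rate_limit", "blackhole_src"]},
    "port_scan": {"prelude": ["alert"], "ongoing": ["rate_limit"]},
}
DEFAULT_CHAIN = ["alert"]   # used when the matrix has no cell for the event

@dataclass(frozen=True)
class Event:                # one detection report from a sensor (assumed shape)
    attack_type: str
    stage: str
    src: str
    port: int

def decide(event, arm=ARM):
    """PDP: look up the (intrusion type, stage) cell and return its chain."""
    return list(arm.get(event.attack_type, {}).get(event.stage, DEFAULT_CHAIN))

def enforce(event, chain, state):
    """PEP: apply the chain in order to an in-memory enforcement state."""
    for action in chain:
        if action == "alert":
            state["alerts"].append((event.attack_type, event.stage, event.src))
        elif action == "rate_limit":
            state["rate_limited"].add(event.src)
        elif action == "block_port":
            state["blocked_ports"].add(event.port)
        elif action in ("blackhole_src", "quarantine_host"):
            state["blocked_hosts"].add(event.src)
        else:
            raise ValueError(f"unknown action {action}")   # refuse unknown actions
    return state

def run(events, arm=ARM):
    """Feed a sequence of detection events through PDP then PEP."""
    state = {"alerts": [], "rate_limited": set(), "blocked_ports": set(), "blocked_hosts": set()}
    for ev in events:
        enforce(ev, decide(ev, arm), state)
    return state
```

Because the cell for a later stage carries a stronger chain, the same source escalates from an alert to a host quarantine as the worm progresses, while an event type absent from the matrix falls back to alerting only.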
Keywords:
Internet; authorisation; business communication; computer network management; telecommunication security; telecommunication traffic; Internet worms; attack-response matrix; chaining; distributed denial-of-service attacks; enterprise networking; intrusion prevention; network operation; network-based intrusion detection; policy decision points; policy enforcement points; policy management; security firewalls; self-correction; traffic enforcement; Active matrix technology; Computer crime; Environmental management; IP networks; Intrusion detection; Monitoring; Network address translation; Routing protocols; Technology management; Telecommunication traffic;