
Requirements of Information Reductions for Cooperating Intrusion Detection Agents

  • Conference paper
Emerging Trends in Information and Communication Security (ETRICS 2006)

Part of the book series: Lecture Notes in Computer Science (LNCS, volume 3995)

Abstract

We consider cooperating intrusion detection agents that limit the cooperation information flow with a focus on privacy and confidentiality. Generalizing our previous work on privacy-respecting intrusion detection for centralized systems, we propose an extended functional model for information reductions that is used for cooperation between intrusion detection agents. The reductions have the following goals: detective effectiveness of cooperation alliances, privacy of honest individuals, further organizational confidentiality requirements, and efficiency. For the reductions we outline the basic requirements and derive the specific requirements imposed by the cooperation methods used for intrusion detection. It is shown how our existing solutions could be adapted and what restrictions apply.

This work has been partially funded by the German Research Council (DFG) under grant number Bi 311/10-3.


References

  1. Flegel, U.: Pseudonymizing Audit Data for Privacy Respecting Misuse Detection. PhD thesis, University of Dortmund, Dept. of Computer Science (2005)

  2. Flegel, U.: Pseudonymizing Unix Log Files. In: Davida, G.I., Frankel, Y., Rees, O. (eds.) InfraSec 2002. LNCS, vol. 2437, pp. 162–179. Springer, Heidelberg (2002)

  3. Biskup, J., Flegel, U.: Threshold-based identity recovery for privacy enhanced applications. In: Jajodia, S., Samarati, P. (eds.) Proceedings of the 7th ACM Conference on Computer and Communications Security, Athens, Greece, pp. 71–79. ACM SIGSAC, ACM Press, New York (2000)

  4. Shamir, A.: How to share a secret. Communications of the ACM 22, 612–613 (1979)

  5. Vigna, G., Kemmerer, R.A., Blix, P.: Designing a web of highly-configurable intrusion detection sensors. In: Lee et al. [32], pp. 69–84

  6. Ning, P., Jajodia, S., Sean Wang, X.: Intrusion Detection in Distributed Systems. Advances in Information Security, vol. 9. Springer, Heidelberg (2004)

  7. Krügel, C., Valeur, F., Vigna, G.: Intrusion Detection and Correlation. Advances in Information Security, vol. 14. Springer, Heidelberg (2005)

  8. Huang, M.-Y., Jasper, R.J., Wicks, T.M.: A large scale distributed intrusion detection framework based on attack strategy analysis. Computer Networks 31(23–24), 2465–2475 (1999)

  9. Bass, T.: Intrusion detection systems and multisensor data fusion. Communications of the ACM 43(4), 99–105 (2000)

  10. Debar, H., Wespi, A.: Aggregation and correlation of intrusion-detection alerts. In: Lee et al. [32], pp. 85–103

  11. Valdes, A., Skinner, K.: Probabilistic alert correlation. In: Lee et al. [32], pp. 54–68

  12. Cuppens, F.: Managing alerts in a multi-intrusion detection environment. In: Proceedings of the 17th Annual Computer Security Applications Conference (ACSAC 2001), New Orleans, Louisiana, USA, pp. 22–31. IEEE Computer Society Press, Los Alamitos (2001)

  13. Porras, P.A., Fong, M.W., Valdes, A.: A Mission-Impact-Based Approach to INFOSEC Alarm Correlation. In: Wespi, A., Vigna, G., Deri, L. (eds.) RAID 2002. LNCS, vol. 2516, pp. 95–114. Springer, Heidelberg (2002)

  14. Xu, D., Ning, P.: Alert correlation through triggering events and common resources. In: Proceedings of the 20th Annual Computer Security Applications Conference (ACSAC 2004), pp. 360–369. IEEE Computer Society Press, Los Alamitos (2004)

  15. Perrochon, L., Jang, E., Luckham, D.C.: Enlisting event patterns for cyber battlefield awareness. In: Proceedings of the DARPA Information Survivability Conference and Exposition (DISCEX 2000), Hilton Head, South Carolina, pp. 1411–1422. DARPA and the IEEE Computer Society, IEEE Press, Los Alamitos (2000)

  16. Carey, N., Clark, A., Mohay, G.: IDS Interoperability and Correlation Using IDMEF and Commodity Systems. In: Deng, R.H., Qing, S., Bao, F., Zhou, J. (eds.) ICICS 2002. LNCS, vol. 2513, pp. 252–264. Springer, Heidelberg (2002)

  17. Morin, B., Debar, H.: Correlation of Intrusion Symptoms: An Application of Chronicles. In: Vigna, G., Krügel, C., Jonsson, E. (eds.) RAID 2003. LNCS, vol. 2820, pp. 94–112. Springer, Heidelberg (2003)

  18. Dain, O.M., Cunningham, R.K.: Fusing Heterogeneous Alert Streams into Scenarios. In: Applications of Data Mining in Computer Security. Kluwer, Boston (2002)

  19. Templeton, S.J., Levitt, K.: A requires/provides model for computer attacks. In: Proceedings of the New Security Paradigms Workshop, Cork, Ireland, pp. 31–38. ACM Press, New York (2000)

  20. Cuppens, F., Miège, A.: Alert correlation in a cooperative intrusion detection framework. In: Proceedings of the IEEE Symposium on Research in Security and Privacy, Berkeley, California, USA, pp. 202–215. IEEE Press, Los Alamitos (2002)

  21. Ning, P., Cui, Y., Reeves, D.S., Xu, D.: Techniques and tools for analyzing intrusion alerts. ACM Transactions on Information and System Security 7(2), 274–318 (2004)

  22. Ning, P., Xu, D.: Learning attack strategies from intrusion alerts. In: Jajodia, S., Atluri, V., Jaeger, T. (eds.) Proceedings of the 10th ACM Conference on Computer and Communications Security, Washington, D.C., USA, pp. 200–209. ACM SIGSAC, ACM Press, New York (2003)

  23. Denning, D.E.: Cryptography and Data Security. Addison-Wesley, Reading (1982)

  24. Farkas, C., Jajodia, S.: The inference problem: a survey. ACM SIGKDD Explorations Newsletter 4(2), 6–11 (2002)

  25. Biskup, J., Bonatti, P.A.: Controlled query evaluation for enforcing confidentiality in complete information systems. International Journal of Information Security 3(1), 14–27 (2004)

  26. Xu, J., Fan, J., Ammar, M., Moon, S.B.: Prefix-preserving IP address anonymization: Measurement-based security evaluation and a new cryptography-based scheme. In: Proceedings of the 10th IEEE International Conference on Network Protocols (ICNP), pp. 280–289 (2002)

  27. Li, Y., Slagell, A., Luo, K., Yurcik, W.: CANINE: A combined converter and anonymizer tool for processing netflows for security. In: Proceedings of the International Conference on Telecommunication Systems - Modeling and Analysis (ICTSM 2005), Dallas, Texas, USA (November 2005)

  28. Lincoln, P., Porras, P., Shmatikov, V.: Privacy-preserving sharing and correlation of security alerts. In: Proceedings of the 13th USENIX Security Symposium, San Diego, California, USA, pp. 239–254 (August 2004)

  29. Xu, D., Ning, P.: Privacy-preserving alert correlation: A concept hierarchy based approach. In: Proceedings of the 21st Annual Computer Security Applications Conference (ACSAC 2005), pp. 537–546. IEEE Computer Society Press, Los Alamitos (2005)

  30. Slagell, A., Yurcik, W.: Sharing computer network logs for security and privacy: A motivation for new methodologies of anonymization. In: Workshop on the Value of Security through Collaboration (SECOVAL) (2005)

  31. Pang, R., Paxson, V.: A high-level programming environment for packet trace anonymization and transformation. In: Proceedings of the 2003 Conference on Applications, Technologies, Architectures, and Protocols for Computer Communications (SIGCOMM 2003), Karlsruhe, Germany, August 2003, pp. 339–351. ACM Press, New York (2003)

  32. Lee, W., Mé, L., Wespi, A. (eds.): RAID 2001. LNCS, vol. 2212. Springer, Heidelberg (2001)


Copyright information

© 2006 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Flegel, U., Biskup, J. (2006). Requirements of Information Reductions for Cooperating Intrusion Detection Agents. In: Müller, G. (eds) Emerging Trends in Information and Communication Security. ETRICS 2006. Lecture Notes in Computer Science, vol 3995. Springer, Berlin, Heidelberg. https://doi.org/10.1007/11766155_33


  • DOI: https://doi.org/10.1007/11766155_33

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-540-34640-1

  • Online ISBN: 978-3-540-34642-5
