Abstract
Evidence of attacks against a network and its resources is often scattered over several hosts. Intrusion detection systems (IDS) that attempt to detect such attacks therefore have to collect and correlate information from different sources. We propose a completely decentralized approach to the task of event correlation and fusion of data gathered from multiple points within the network.
Our system models an intrusion as a pattern of events that can occur at different hosts, and consists of collaborating sensors deployed at various locations throughout the protected network installation.
We present a specification language to define intrusions as distributed patterns, together with a mechanism to specify their simple building blocks. The peer-to-peer algorithm that detects these patterns and its prototype implementation, called Quicksand, are described. Problems that arise in managing such a system, and their solutions, are discussed.
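The abstract describes intrusions as patterns of events spread over several hosts, matched by collaborating sensors rather than a central correlator. The following is an added toy illustration of that idea in Python; it is not the Quicksand specification language or algorithm from the paper, and the pattern syntax ("$x" binds a variable, "!$x" requires a different value), the host names, the users and the event log are all constructed for the example. Each sensor sees only its own host's events and floods partial matches to its peers, so the host that observes the next step of the pattern is the one that extends it.

```python
"""Toy decentralized correlation of a multi-host intrusion pattern.

Added illustration of distributed event patterns matched by collaborating
sensors without a central correlator. It is NOT the Quicksand specification
language or algorithm from the paper. Hosts, users and events below are
constructed sample data.
"""
from dataclasses import dataclass


@dataclass
class Event:
    host: str     # host whose sensor observed the event
    kind: str     # event type, e.g. "login_fail"
    fields: dict  # further attributes, e.g. {"src": "...", "user": "..."}


@dataclass
class Partial:
    next_step: int  # index of the pattern step still to be matched
    bindings: dict  # pattern variables bound so far, e.g. {"$a": "web1"}
    trail: tuple    # (host, kind) of the events matched so far


# A pattern is an ordered list of steps (assumed syntax, not the paper's).
# "$x" binds a variable on first use and must match that binding later;
# "!$x" requires a value different from the current binding of $x.
# Here: failed login(s) on host $a from $src, then a successful login there,
# then a login from $a on some other host (lateral movement).
LATERAL_MOVEMENT = {
    "name": "lateral-movement",
    "steps": [
        {"kind": "login_fail", "host": "$a", "src": "$src"},
        {"kind": "login_ok", "host": "$a", "src": "$src"},
        {"kind": "login_ok", "host": "!$a", "src": "$a"},
    ],
}


def unify(step, ev, bindings):
    """Return bindings extended by this event if it satisfies the step, else None."""
    if ev.kind != step["kind"]:
        return None
    new = dict(bindings)
    attrs = {"host": ev.host, **ev.fields}
    for key, want in step.items():
        if key == "kind":
            continue
        have = attrs.get(key)
        if have is None:
            return None
        if want.startswith("!$"):
            if new.get(want[1:]) == have:   # must differ from the earlier binding
                return None
        elif want.startswith("$"):
            if new.get(want, have) != have:  # bind, or check an existing binding
                return None
            new[want] = have
        elif want != have:
            return None
    return new


class Sensor:
    """One sensor per host; it sees only that host's events."""

    def __init__(self, host, pattern):
        self.host = host
        self.pattern = pattern
        self.peers = []    # all sensors, filled in by build_network
        self.pending = []  # partial matches forwarded to us by peers
        self.alerts = []

    def receive(self, partial):
        self.pending.append(partial)

    def observe(self, ev):
        assert ev.host == self.host, "a sensor sees only its own host's events"
        steps = self.pattern["steps"]
        # A fresh empty partial lets every event start a new match at step 0;
        # the snapshot of pending keeps forwarding-to-self from growing the loop.
        for p in [Partial(0, {}, ())] + list(self.pending):
            b = unify(steps[p.next_step], ev, p.bindings)
            if b is None:
                continue
            q = Partial(p.next_step + 1, b, p.trail + ((ev.host, ev.kind),))
            if q.next_step == len(steps):
                self.alerts.append({"pattern": self.pattern["name"],
                                    "bindings": b, "trail": q.trail})
            else:
                # Flood the partial match to every peer: whichever host sees
                # the next step extends it. No node holds global state.
                for peer in self.peers:
                    peer.receive(q)


def build_network(hosts, pattern):
    sensors = {h: Sensor(h, pattern) for h in hosts}
    for s in sensors.values():
        s.peers = list(sensors.values())  # includes itself: the next step may be local
    return sensors


def correlate(events, pattern):
    """Deliver events to their host's sensor and return de-duplicated alerts."""
    sensors = build_network(sorted({e.host for e in events}), pattern)
    for ev in events:  # arrival order is assumed; real deployments must order events across hosts
        sensors[ev.host].observe(ev)
    seen, alerts = set(), []
    for s in sensors.values():
        for a in s.alerts:
            key = (a["pattern"], tuple(sorted(a["bindings"].items())))
            if key not in seen:          # two login_fail events start two chains; report once
                seen.add(key)
                alerts.append(a)
    return alerts


SAMPLE_EVENTS = [  # constructed log, not real data
    Event("web1", "login_fail", {"src": "attacker", "user": "admin"}),
    Event("web1", "login_fail", {"src": "attacker", "user": "root"}),
    Event("db1", "login_ok", {"src": "backup", "user": "backup"}),   # benign
    Event("web1", "login_ok", {"src": "attacker", "user": "admin"}),
    Event("db1", "login_ok", {"src": "web1", "user": "admin"}),      # completes the pattern
]

if __name__ == "__main__":
    for a in correlate(SAMPLE_EVENTS, LATERAL_MOVEMENT):
        print(a["pattern"], a["bindings"], a["trail"])
```

On the sample log the only alert binds $a to web1 and $src to attacker, with the third step observed on db1; a successful login from web1 back onto web1 would not complete the pattern because of the "!$a" constraint. Flooding every partial match to every peer is the simplest decentralized scheme and scales poorly; a real system would route partial matches only to the hosts that can observe the next step.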
© 2002 Springer-Verlag Berlin Heidelberg
Cite this paper
Krügel, C., Toth, T., Kerer, C. (2002). Decentralized Event Correlation for Intrusion Detection. In: Kim, K. (eds) Information Security and Cryptology — ICISC 2001. ICISC 2001. Lecture Notes in Computer Science, vol 2288. Springer, Berlin, Heidelberg. https://doi.org/10.1007/3-540-45861-1_10
DOI: https://doi.org/10.1007/3-540-45861-1_10
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-43319-4
Online ISBN: 978-3-540-45861-6
eBook Packages: Springer Book Archive