Skip to main content
Springer Nature Link
Log in

A Lone Wolf No More: Supporting Network Intrusion Detection with Real-Time Intelligence

  • Conference paper
Research in Attacks, Intrusions, and Defenses (RAID 2012)

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 7462))

Included in the following conference series:

Abstract

For network intrusion detection systems it is becoming increasingly difficult to reliably report today’s complex attacks without having external context at hand. Unfortunately, however, today’s IDS cannot readily integrate intelligence, such as dynamic blacklists, into their operation. In this work, we introduce a fundamentally new capability into IDS processing that vastly broadens a system’s view beyond what is visible directly on the wire. We present a novel Input Framework that integrates external information in real-time into the IDS decision process, independent of specific types of data, sources, and desired analyses. We implement our design on top of an open-source IDS, and we report initial experiences from real-world deployment in a large-scale network environment. To ensure that our system meets operational constraints, we further evaluate its technical characteristics in terms of the intelligence volume it can handle under realistic workloads, and the latency with which real-time updates become available to the IDS analysis engine. The implementation is freely available as open-source software.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution

Subscribe and save

Springer+ Basic
$34.99 /Month
  • Get 10 units per month
  • Download Article/Chapter or eBook
  • 1 Unit = 1 Article or 1 Chapter
  • Cancel anytime
Subscribe now

Buy Now

Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Preview

Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

Similar content being viewed by others

References

  1. Department of Energy Cyber Joint Cybersecurity Coordination Center, http://www.doecirc.energy.gov/

  2. National Software Reference Library, http://www.nsrl.nist.gov/

  3. Antonakakis, M., Perdisci, R., Dagon, D., Lee, W., Feamster, N.: Building a Dynamic Reputation System for DNS. In: USENIX Security (2010)

    Google Scholar 

  4. Blacklist.rules, ClamAV, and Data Mining, http://vrt-blog.snort.org/2011/02/blacklistrules-clamav-and-data-mining.html

  5. Collective Intelligence Framework, http://code.google.com/p/collective-intelligence-framework/

  6. Cyber Fed Model – Community-Wide Cyber Security Alert Distribution, http://web.anl.gov/it/cfm/

  7. Cymru, T.: Malware Hash Registry, http://www.team-cymru.org/Services/MHR/

  8. Debar, H., Wespi, A.: Aggregation and Correlation of Intrusion-Detection Alerts. In: Lee, W., Mé, L., Wespi, A. (eds.) RAID 2001. LNCS, vol. 2212, pp. 85–103. Springer, Heidelberg (2001)

    Chapter  Google Scholar 

  9. Dreger, H., Feldmann, A., Paxson, V., Sommer, R.: Operational Experiences with High-Volume Network Intrusion Detection. In: ACM CCS (2004)

    Google Scholar 

  10. DShield.org Recommended Block List, http://feeds.dshield.org/block.txt

  11. Google Safe Browsing API, http://code.google.com/apis/safebrowsing

  12. Gu, G., Porras, P., Yegneswaran, V., Fong, M., Lee, W.: BotHunter: Detecting Malware Infection through IDS-driven Dialog Correlation. In: USENIX Security (2007)

    Google Scholar 

  13. Jung, J., Paxson, V., Berger, A.W., Balakrishnan, H.: Fast Portscan Detection Using Sequential Hypothesis Testing. In: IEEE Security and Privacy (2004)

    Google Scholar 

  14. Katti, S., Krishnamurthy, B., Katabi, D.: Collaborating against common enemies. In: IMC (2005)

    Google Scholar 

  15. Ollmann, G.: Blacklists & Dynamic Reputation. White paper (2011), http://www.damballa.com/downloads/r_pubs/WP_Blacklists_Dynamic_Reputation.pdf

  16. Paxson, V.: Bro: A System for Detecting Network Intruders in Real-Time. Computer Networks 31(23–24), 2435–2463 (1999)

    Article  Google Scholar 

  17. Roesch, M.: Snort: Lightweight Intrusion Detection for Networks. In: Systems Administration Conference (1999)

    Google Scholar 

  18. Security Event System, http://www.ren-isac.net/ses

  19. Sharma, A., Kalbarczyk, Z., Barlow, J., Iyer, R.K.: Analysis of Security Data From a Large Computing Organization. In: IEEE DSN (2011)

    Google Scholar 

  20. Sinha, S., Bailey, M., Jahanian, F.: Improving SPAM Blacklisting through Dynamic Thresholding and Speculative Aggregation. In: NDSS (2010)

    Google Scholar 

  21. Snort 2.9.1 release announcement, http://blog.snort.org/2011/08/snort-291-has-been-released-including.html

  22. Sommer, R., Paxson, V.: Exploiting Independent State For Network Intrusion Detection. In: ACSAC (2005)

    Google Scholar 

  23. The Spamhaus Block List, http://www.spamhaus.org/sbl

  24. Open Information Security Foundation: Suricata Download, http://www.openinfosecfoundation.org/index.php/downloads

  25. Symantec - Configuring blacklisting for base event types with IDS/IPS on Symantec Gateway Security 5400 Series 2.x, http://www.symantec.com/business/support/index?page=content&id=TECH81936

  26. Valdes, A., Skinner, K.: Probabilistic Alert Correlation. In: Lee, W., Mé, L., Wespi, A. (eds.) RAID 2001. LNCS, vol. 2212, pp. 54–68. Springer, Heidelberg (2001)

    Chapter  Google Scholar 

  27. Vallentin, M., Sommer, R., Lee, J., Leres, C., Paxson, V., Tierney, B.: The NIDS Cluster: Scalable, Stateful Network Intrusion Detection on Commodity Hardware. In: Kruegel, C., Lippmann, R., Clark, A. (eds.) RAID 2007. LNCS, vol. 4637, pp. 107–126. Springer, Heidelberg (2007)

    Chapter  Google Scholar 

  28. Verizon: Data Breach Investigations Report. Tech. rep. (2012), http://www.wired.com/images_blogs/threatlevel/2012/03/Verizon-Data-Breach-Report-2012.pdf

  29. VirusTotal Public API, https://www.virustotal.com/documentation/public-api/

Download references

Author information

Authors and Affiliations

  1. International Computer Science Institute, USA

    Johanna Amann, Robin Sommer & Seth Hall

  2. Lawrence Berkeley National Laboratory, USA

    Robin Sommer & Aashish Sharma

Authors
  1. Johanna Amann
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Robin Sommer
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Aashish Sharma
    View author publications

    You can also search for this author in PubMed Google Scholar

  4. Seth Hall
    View author publications

    You can also search for this author in PubMed Google Scholar

Editor information

Editors and Affiliations

  1. Institute Eurecom, 2229 Route des Cretes, 06560, Sophia Antipolis Cedex, France

    Davide Balzarotti

  2. Department of Computer Science, Columbia University, 1214 Amsterdam Avenue, M.C. 0401, 10027-7003, New York, NY, USA

    Salvatore J. Stolfo

  3. School of Computer Science, University of Birmingham, B15 2TT, Edgbaston, Birmingham, UK

    Marco Cova

Rights and permissions

Reprints and permissions

Copyright information

© 2012 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Amann, J., Sommer, R., Sharma, A., Hall, S. (2012). A Lone Wolf No More: Supporting Network Intrusion Detection with Real-Time Intelligence. In: Balzarotti, D., Stolfo, S.J., Cova, M. (eds) Research in Attacks, Intrusions, and Defenses. RAID 2012. Lecture Notes in Computer Science, vol 7462. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-33338-5_16

Download citation

  • DOI: https://doi.org/10.1007/978-3-642-33338-5_16

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-33337-8

  • Online ISBN: 978-3-642-33338-5

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics