Thomas Toth
University of Vienna
Publication
Featured research published by Thomas Toth.
annual computer security applications conference | 2002
Thomas Toth; Christopher Kruegel
Intrusion detection systems (IDSs) have reached a high level of sophistication and are able to detect intrusions with a variety of methods. Unfortunately, system administrators can neither keep up with the pace at which an IDS delivers alerts, nor react to them within adequate time limits. Automatic response systems have to take over that task. In case of an identified intrusion, these components have to initiate appropriate actions to counter emerging threats. Most current intrusion response systems (IRSs) utilize static mappings to determine adequate response actions in reaction to detected intrusions. The problem with this approach is its inherent inflexibility. Countermeasures (such as changes of firewall rules) often do not only defend against the detected attack but may also have negative effects on legitimate users of the network and its services. To prevent a situation where a response action causes more damage than the actual attack, a mechanism is needed that compares the severity of an attack to the effects of a possible response mechanism. In this paper, we present a network model and an algorithm to evaluate the impact of response actions on the entities of a network. This allows the IRS to select, among several alternatives, the response which fulfills the security requirements and has a minimal negative effect on legitimate users.
recent advances in intrusion detection | 2003
Christopher Kruegel; Thomas Toth
Most deployed intrusion detection systems (IDSs) follow a signature-based approach where attacks are identified by matching each input event against predefined signatures that model malicious activity. This matching process accounts for the most resource-intensive task of an IDS. Many systems perform the matching by comparing each input event to all rules sequentially. This is far from optimal. Although ad-hoc optimizations are sometimes utilized, no general solution to this problem has been proposed so far. This paper describes an approach where machine learning clustering techniques are applied to improve the matching process. Given a set of signatures (each dictating a number of constraints the input data must fulfill to trigger it), an algorithm generates a decision tree that is used to find malicious events using as few redundant comparisons as possible. This general idea has been applied to a network-based IDS. In particular, a system has been implemented that replaces the detection engine of Snort [14, 16]. Experimental evaluation shows that the speed of the detection process has been significantly improved, even compared to Snort's recently released, fully revised detection engine.
international conference on information security and cryptology | 2001
Christopher Krügel; Thomas Toth; Clemens Kerer
Evidence of attacks against a network and its resources is often scattered over several hosts. Intrusion detection systems (IDSs) which attempt to detect such attacks therefore have to collect and correlate information from different sources. We propose a completely decentralized approach to solve the task of event correlation and fusion of information gathered from multiple points within the network. Our system models an intrusion as a pattern of events that can occur at different hosts and consists of collaborating sensors deployed at various locations throughout the protected network installation. We present a specification language to define intrusions as distributed patterns and a mechanism to specify their simple building blocks. The peer-to-peer algorithm to detect these patterns and its prototype implementation, called Quicksand, are described. Problems involved in the management of such a system, and their solutions, are discussed.
Lecture Notes in Computer Science | 2002
Thomas Toth; Christopher Kruegel
IAS | 2002
Thomas Toth; Christopher Kruegel
network and distributed system security symposium | 2002
Christopher Krügel; Thomas Toth
Archive | 2001
Christopher Krügel; Thomas Toth
Archive | 2001
Christopher Kruegel; Thomas Toth
Lecture Notes in Computer Science | 2003
Christopher Kruegel; Thomas Toth
Archive | 2002
Christopher Kruegel; Thomas Toth