CPL - Chalmers Publication Library
| Utbildning | Forskning | Styrkeområden | Om Chalmers | In English In English Ej inloggad.

Operator-Centric and Adaptive Intrusion Detection

Ulf Larson (Institutionen för data- och informationsteknik, Datorteknik (Chalmers)) ; Stefan Lindskog ; Dennis K. Nilsson (Institutionen för data- och informationsteknik, Datorteknik (Chalmers)) ; Erland Jonsson (Institutionen för data- och informationsteknik, Datorteknik (Chalmers))
Proceedings of the Fourth International Conference on Information Assurance and Security (IAS 2008), September 8-10, 2008, Naples, Italy p. 161-166. (2008)
[Konferensbidrag, refereegranskat]

An intrusion detection system should support the operator of the system. Thus, in addition to producing alerts, it should allow for easy insertion of new detection algorithms. It should also support dynamic selection and de-selection of detection algorithms, and it should adjust its resource consumption to the current need. Such a system would allow the operator to easily extend the system when new detection algorithms become available. It would also allow the operator to maintain a low-cost monitoring baseline and perform more extensive monitoring when it is required. In this paper we propose an architecture for intrusion detection which aims at providing the operator with this support. The architecture uses a modular design to promote a high degree of flexibility. This supports creation of an environment in which state-of-the-art intrusion detection algorithms easily can be inserted. The modular design also allows for detection algorithms to be enabled and disabled when required. Additionally, the architecture uses a sensor reconfiguration mechanism to affect the amount of data collected. When a detection algorithm is enabled or disabled, the sensor providing the input data to the algorithm is correspondingly reconfigured. This implies a minimum of excess collected data. To illustrate the feasibility of the architecture, we provide a proof-of-concept supporting monitoring of users for insider detection and webserver monitoring for intrusion attempts.

Denna post skapades 2008-09-18. Senast ändrad 2017-11-14.
CPL Pubid: 74126


Läs direkt!

Länk till annan sajt (kan kräva inloggning)

Institutioner (Chalmers)

Institutionen för data- och informationsteknik, Datorteknik (Chalmers)



Chalmers infrastruktur