CPL - Chalmers Publication Library

Investigating the Benefits of Using Multiple Intrusion-Detection Sensors

Magnus Almgren (Department of Computer Science and Engineering, Computer Engineering (Chalmers)) ; Erland Jonsson (Department of Computer Science and Engineering, Computer Engineering (Chalmers))
The 13th Nordic Workshop on Secure IT-systems. Published by the Technical University of Denmark. (1601-2321). p. 13-26. (2008)
[Conference contribution, peer-reviewed]

Most intrusion detection systems (IDSs) available today are using a single audit source for detection, even though attacks have distinct manifestations in different parts of the system. Previously, we have explored the benefits of combining several sensors monitoring different audit sources to improve the detection of attacks. In this paper we go one step further and investigate possible synergetic effects by actively sharing information between distinct intrusion detection sensors taking events from isolated audit sources. We present four scenarios where we show how the function of one IDS, measured as false alarm rate, performance in terms of used resources, or attack response, can be improved by having access to information collected and analyzed by another IDS. Based on these four scenarios, we then generalize our findings and outline necessary properties of a sensor communication framework for multiple IDSs. Our focus is on cooperation between IDSs, but we also touch on response techniques.

Keywords: intrusion detection, IDS cooperation, IDS response



This record was created 2008-10-14. Last modified 2015-02-26.
CPL Pubid: 75378

Departments (Chalmers)

Department of Computer Science and Engineering, Computer Engineering (Chalmers)

Subject areas

Other information technology

Related publications

This publication is included in:


Techniques for Improving Intrusion Detection