Abstraction-based intrusion detection in distributed environments

Peng Ning, Sushil Jajodia, Xiaoyang Sean Wang
2001 ACM Transactions on Privacy and Security

Abstract. Abstraction is an important issue in intrusion detection, since it not only hides the difference between heterogeneous systems, but also allows generic intrusion detection models. However, abstraction is an error-prone process and is not well supported in current Intrusion Detection Systems (IDSs). This paper presents a hierarchical model to support attack specification and event abstraction in distributed intrusion detection. The model involves three concepts: system view, signature, and view definition. A system view provides an abstract interface of a particular type of information; defined on the instances of system views, a signature specifies certain distributed attacks or events to be monitored; a view definition is then used to derive information from the matches of a signature and presents it through a system view. With the three elements, the model provides a hierarchical framework for maintaining signatures, system views as well as event abstraction. As a benefit, the model allows generic signatures that can accommodate unknown variants of known attacks. Moreover, the abstraction represented by a system view can be updated without changing either its specification or the signatures defined on the basis of it. This paper then presents a decentralized method for autonomous but cooperative component systems to detect distributed attacks specified by signatures. Specifically, a signature is decomposed into finer units called detection tasks, each of which represents the activity to be monitored on a component system. The component systems (involved in a signature) then perform the detection tasks cooperatively according to the "dependency" relationships among these tasks. An experimental system called CARDS has been implemented to test the feasibility of the proposed approach.

Excerpt from the body of the paper (the start of the first sentence is missing from the extracted text):

gives True or False).

Example 1. A network monitor that reports DOS attacks that disable one or all of the TCP ports of a host may have a system view TCPDOSAttacks = (EvtSch1, ∅), where EvtSch1 = {VictimIP, VictimPort}. Each DOS attack is reported as an event on (EvtSch1, ∅). The domain of VictimIP is the set of IP addresses, and the domain of VictimPort is the set of all TCP ports plus the distinguished value ALL. VictimPort being ALL means that all TCP ports (of the host) are disabled. An event history on TCPDOSAttacks is shown in Figure 1. As we discussed earlier, TCPDOSAttacks may be defined when we only know, for example, Teardrop and Land attacks. When we later discover new types of DOS attacks, for example, the SYN flooding attack, we can still reuse the previously specified TCPDOSAttacks.

As another example, a host may have a system view LocalTCPConn = (EvtSch2, PredSet2) for the TCP connections observed on the local host, where EvtSch2 = {SrcIP, SrcPort, DstIP, DstPort} and PredSet2 = {LocalIP[t](var IP), Trust[t](var host)}. The domains of the attributes are clear from the names. The dynamic predicate LocalIP[t](var IP) evaluates to True if and only if var IP is an IP address belonging to the local host at time t, and the dynamic predicate Trust[t](var host) evaluates to True if and only if var host is trusted by the local host at time t. Examples of event histories on LocalTCPConn are omitted.

3.1.1 Qualitative Temporal Relationships between Events. The representation of and reasoning about the qualitative temporal relationships between interval-based events have been extensively studied by the AI community [1; 13]. With these relationships, we can provide a more concise representation of the patterns among events. Here we quote the thirteen relationships between intervals [1] and the eleven relation-equal and
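The following Python sketch is an added illustration of the layering the abstract and Example 1 describe (system view = event schema plus dynamic predicate set; view definitions that derive abstract events from low-level detectors; a generic signature written only against the abstract view). It is not code from the paper or from CARDS. The raw alert formats, detector names, the local-address and trust tables, the "repeated DOS against one victim" signature and the constant ALL are all constructed for this example. The point it demonstrates is the one the excerpt makes: once a SYN flood detector is discovered later, it is plugged in as a new view definition and the signature over TCPDOSAttacks fires on it without being changed.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List

ALL = "ALL"  # distinguished VictimPort value: all TCP ports of the host are disabled


@dataclass(frozen=True)
class SystemView:
    """A system view is a pair (event schema, predicate set). Predicates are
    dynamic: each takes the evaluation time t as its first argument."""
    name: str
    schema: frozenset
    predicates: Dict[str, Callable[..., bool]] = field(default_factory=dict)

    def make_event(self, t: int, **attrs) -> dict:
        # Every event on a view carries exactly the schema attributes plus a time.
        if set(attrs) != set(self.schema):
            raise ValueError(f"{self.name}: expected {sorted(self.schema)}, got {sorted(attrs)}")
        return {"t": t, **attrs}


# Example 1: event schema {VictimIP, VictimPort} and an empty predicate set.
TCPDOSAttacks = SystemView("TCPDOSAttacks", frozenset({"VictimIP", "VictimPort"}))

# LocalTCPConn with its two dynamic predicates, backed by constructed tables
# (hypothetical data: which addresses are local, and when a host is trusted).
LOCAL_IPS = {"10.0.0.5", "10.0.0.9"}
TRUSTED_INTERVALS = {"10.0.0.9": (0, 200)}  # host -> (from, until) trust interval

def local_ip(t: int, ip: str) -> bool:
    return ip in LOCAL_IPS

def trust(t: int, host: str) -> bool:
    lo, hi = TRUSTED_INTERVALS.get(host, (1, 0))  # empty interval if never trusted
    return lo <= t <= hi

LocalTCPConn = SystemView(
    "LocalTCPConn",
    frozenset({"SrcIP", "SrcPort", "DstIP", "DstPort"}),
    {"LocalIP": local_ip, "Trust": trust},
)

# View definitions: one per low-level detector, each deriving TCPDOSAttacks
# events from that detector's raw alert format (formats constructed here).
VIEW_DEFINITIONS: Dict[str, Callable[[dict], dict]] = {}

def view_definition(tool: str):
    def register(fn):
        VIEW_DEFINITIONS[tool] = fn
        return fn
    return register

@view_definition("teardrop")
def from_teardrop(alert: dict) -> dict:
    # Teardrop crashes the victim's IP stack, so every TCP port goes down.
    return TCPDOSAttacks.make_event(alert["t"], VictimIP=alert["dst"], VictimPort=ALL)

@view_definition("land")
def from_land(alert: dict) -> dict:
    return TCPDOSAttacks.make_event(alert["t"], VictimIP=alert["dst"], VictimPort=ALL)

def register_synflood() -> None:
    """The 'later discovered' variant: add a view definition, change nothing else."""
    @view_definition("synflood")
    def from_synflood(alert: dict) -> dict:
        # SYN flooding disables one listening port rather than the whole host.
        return TCPDOSAttacks.make_event(alert["t"], VictimIP=alert["dst"], VictimPort=alert["dport"])

def abstract(raw_alerts: List[dict]) -> List[dict]:
    """Build the TCPDOSAttacks event history; alerts from unknown tools are dropped."""
    events = [VIEW_DEFINITIONS[a["tool"]](a) for a in raw_alerts if a["tool"] in VIEW_DEFINITIONS]
    return sorted(events, key=lambda e: e["t"])

def repeated_dos_signature(history: List[dict], window: int = 60, count: int = 2) -> List[dict]:
    """Generic signature on TCPDOSAttacks: `count` or more DOS events against the
    same VictimIP within `window` seconds. It names no attack type, so it also
    covers variants whose view definition is added later."""
    matches: List[dict] = []
    seen: Dict[str, List[int]] = {}
    for e in history:
        times = seen.setdefault(e["VictimIP"], [])
        times.append(e["t"])
        recent = [t for t in times if e["t"] - t <= window]
        if len(recent) >= count:
            matches.append({"VictimIP": e["VictimIP"], "first": recent[0], "last": e["t"]})
    return matches

# Constructed raw alerts from three hypothetical detectors on a monitored segment.
RAW_ALERTS = [
    {"tool": "teardrop", "dst": "10.0.0.5", "t": 100},
    {"tool": "synflood", "dst": "10.0.0.5", "dport": 80, "t": 130},
    {"tool": "land", "dst": "10.0.0.9", "t": 140},
    {"tool": "teardrop", "dst": "10.0.0.5", "t": 400},
]

def run(raw_alerts: List[dict] = RAW_ALERTS) -> List[dict]:
    return repeated_dos_signature(abstract(raw_alerts))

if __name__ == "__main__":
    print("before SYN-flood view definition:", run())  # []
    register_synflood()
    print("after SYN-flood view definition:", run())   # [{'VictimIP': '10.0.0.5', 'first': 100, 'last': 130}]
```

Before `register_synflood()` the SYN flood alert at t=130 has no view definition, so it never reaches the TCPDOSAttacks history and the two Teardrop events against 10.0.0.5 are too far apart to match. After it, the same signature reports the Teardrop/SYN-flood pair at t=100 and t=130, which is the "unknown variant of a known attack" case from the abstract. The trust predicate is time-dependent in the sense the excerpt describes: `trust(150, "10.0.0.9")` is True while `trust(300, "10.0.0.9")` is False.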
doi:10.1145/503339.503342 fatcat:cwthie7o3ra47lnblvmbdtiplu