Runtime Monitoring and Dynamic Reconfiguration for Intrusion Detection Systems

Authors:
Martin Rehák;Eugen Staab;Volker Fusenig;Michal Pěchouček;Martin Grill;Jan Stiborek;Karel Bartoš;Thomas Engel
Affiliations:
Department of Cybernetics, Czech Technical University, Prague;Faculty of Science, Technology and Communication, University of Luxembourg, Luxembourg;Faculty of Science, Technology and Communication, University of Luxembourg, Luxembourg;Department of Cybernetics, Czech Technical University, Prague;CESNET, z. s. p. o., Prague, Czech Republic and Department of Cybernetics, Czech Technical University, Prague;Department of Cybernetics, Czech Technical University, Prague;CESNET, z. s. p. o., Prague, Czech Republic and Department of Cybernetics, Czech Technical University, Prague;Faculty of Science, Technology and Communication, University of Luxembourg, Luxembourg
Venue:
RAID '09 Proceedings of the 12th International Symposium on Recent Advances in Intrusion Detection
Year:
2009

Citing 18
Cited 7

An Intrusion-Detection Model

IEEE Transactions on Software Engineering - Special issue on computer security and privacy
On ordered weighted averaging aggregation operators in multicriteria decisionmaking

IEEE Transactions on Systems, Man and Cybernetics
Ensemble Methods in Machine Learning

MCS '00 Proceedings of the First International Workshop on Multiple Classifier Systems
Sabotage-Tolerance Mechanisms for Volunteer Computing Systems

CCGRID '01 Proceedings of the 1st International Symposium on Cluster Computing and the Grid
Automated Generation and Analysis of Attack Graphs

SP '02 Proceedings of the 2002 IEEE Symposium on Security and Privacy
Diagnosing network-wide traffic anomalies

Proceedings of the 2004 conference on Applications, technologies, architectures, and protocols for computer communications
Mining anomalies using traffic feature distributions

Proceedings of the 2005 conference on Applications, technologies, architectures, and protocols for computer communications
Result Verification and Trust-Based Scheduling in Peer-to-Peer Grids

P2P '05 Proceedings of the Fifth IEEE International Conference on Peer-to-Peer Computing
Reducing unwanted traffic in a backbone network

SRUTI'05 Proceedings of the Steps to Reducing Unwanted Traffic on the Internet on Steps to Reducing Unwanted Traffic on the Internet Workshop
Intrusion detection in computer networks by a modular ensemble of one-class classifiers

Information Fusion
Towards Trust-Based Acquisition of Unverifiable Information

CIA '08 Proceedings of the 12th international workshop on Cooperative Information Agents XII
Trust-Based Classifier Combination for Network Anomaly Detection

CIA '08 Proceedings of the 12th international workshop on Cooperative Information Agents XII
Evading Anomaly Detection through Variance Injection Attacks on PCA

RAID '08 Proceedings of the 11th international symposium on Recent Advances in Intrusion Detection
Improving Anomaly Detection Error Rate by Collective Trust Modeling

RAID '08 Proceedings of the 11th international symposium on Recent Advances in Intrusion Detection
Semantic-Driven Model Composition for Accurate Anomaly Diagnosis

ICAC '08 Proceedings of the 2008 International Conference on Autonomic Computing
Attack Grammar: A New Approach to Modeling and Analyzing Network Attack Sequences

ACSAC '08 Proceedings of the 2008 Annual Computer Security Applications Conference
M2D2: a formal data model for IDS alert correlation

RAID'02 Proceedings of the 5th international conference on Recent advances in intrusion detection
SP 800-94. Guide to Intrusion Detection and Prevention Systems (IDPS)

SP 800-94. Guide to Intrusion Detection and Prevention Systems (IDPS)

Effective multimodel anomaly detection using cooperative negotiation

GameSec'10 Proceedings of the First international conference on Decision and game theory for security
Attack-defense trees and two-player binary zero-sum extensive form games are equivalent

GameSec'10 Proceedings of the First international conference on Decision and game theory for security
Foundations of attack-defense trees

FAST'10 Proceedings of the 7th International conference on Formal aspects of security and trust
On the Value of Coordination in Distributed Self-Adaptation of Intrusion Detection System

WI-IAT '11 Proceedings of the 2011 IEEE/WIC/ACM International Conferences on Web Intelligence and Intelligent Agent Technology - Volume 02
Tracking malicious hosts on a 10gbps backbone link

NordSec'10 Proceedings of the 15th Nordic conference on Information Security Technology for Applications
A self-tuning self-optimizing approach for automated network anomaly detection systems

Proceedings of the 9th international conference on Autonomic computing
Re-examining the performance bottleneck in a NIDS with detailed profiling

Journal of Network and Computer Applications

Quantified Score

Hi-index	0.00

Visualization

Abstract

Our work proposes a generic architecture for runtime monitoring and optimization of IDS based on the challenge insertion. The challenges, known instances of malicious or legitimate behavior, are inserted into the network traffic represented by NetFlow records, processed with the current traffic and the system's response to the challenges is used to determine its effectiveness and to fine-tune its parameters. The insertion of challenges is based on the threat models expressed as attack trees with attached risk/loss values. The use of threat model allows the system to measure the expected undetected loss and to improve its performance with respect to the relevant threats, as we have verified in the experiments performed on live network traffic.