Impact of sanitized message flows in a cooperative intrusion warning system

  • Authors: Jens Tolle, Marko Jahnke, Nils gentschen Felde, Peter Martini
  • Affiliations: Research Establishment for Applied Science (FGAN), Wachtberg, Germany (Tolle, Jahnke); Ludwig-Maximilians-University, Munich, Germany (gentschen Felde); University of Bonn, Computer Science IV, Bonn, Germany (Martini)
  • Venue: MILCOM'06 Proceedings of the 2006 IEEE conference on Military communications
  • Year: 2006


Abstract

This paper discusses the side effects of sanitizing IT security event messages in a cooperative multi-domain Intrusion Warning System (IWS). To enhance the detection capabilities of conventional IT security tools such as Intrusion Detection Systems (IDS), virus scanners and packet filters, a centralized, so-called Intrusion Warning System can be deployed, which collects and analyzes event messages from the different domains. Additionally, the IWS informs the domains about potentially critical situations which might not be covered by the existing tools due to technical limitations, heterogeneous security policies or differences in configuration. The architecture of an IWS relies on centralized storage and analysis components, while the event messages are collected and preprocessed by distributed entities which are under the operational control of the respective domains. In cooperation scenarios like military coalition environments (CEs, e.g. NATO, KFOR, SFOR), potentially confidential or sensitive information still needs to be concealed from the CE partners, as defined by existing information sharing policies. This also holds for the information contained in IDS event messages, since the messages may include specifications of network addresses and topologies, of products or vendors, and of applications and security systems. Thus, to enable CE-wide cooperation of IT security systems, appropriate information sanitizing techniques need to be applied before any security-relevant information is shared. This might have a negative impact on the centralized analysis capabilities, since potentially important information might be dropped from the messages. In this paper, the impact of sanitizing event message flows in a cooperative IWS is studied by examining the behaviour of an IWS when feeding it with real-life event messages combined with artificial events from an Internet worm spreading simulation. The worm detection capabilities of the analysis components are determined in a multi-domain setup for both situations, with and without applying information sanitizing mechanisms to the event message flow.
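The trade-off the abstract describes, as an added illustration that is not the paper's code or data set: a domain-side sanitizer strips vendor/product fields and either pseudonymizes or removes addresses, and a central fan-out check (one source reaching many targets on one port, a simple worm-like pattern) is run over the result. The event shape, the keyed-HMAC pseudonymization, the threshold and the keys are all assumptions made here; the point shown is that sanitization which keeps address equality across domains preserves the central detection, while per-domain keys or outright removal make the same sweep invisible to the IWS.

```python
import hashlib
import hmac
from collections import defaultdict

# Constructed sample events in a simplified IDMEF-like shape (not the paper's data).
# Domains A and B see the same external source sweeping port 445; C is unrelated noise.
EVENTS = [
    {"domain": "A", "src": "10.1.1.5", "dst": "10.2.0.7", "port": 445, "product": "Snort 2.4"},
    {"domain": "A", "src": "10.1.1.5", "dst": "10.2.0.8", "port": 445, "product": "Snort 2.4"},
    {"domain": "B", "src": "10.1.1.5", "dst": "192.168.3.9", "port": 445, "product": "ISS RealSecure"},
    {"domain": "B", "src": "10.1.1.5", "dst": "192.168.3.10", "port": 445, "product": "ISS RealSecure"},
    {"domain": "C", "src": "172.16.0.2", "dst": "172.16.0.3", "port": 80, "product": "Apache"},
]
# Hypothetical keys: one shared by all CE partners, plus one private key per domain.
KEYS = {"shared": b"ce-shared-secret", "A": b"key-A", "B": b"key-B", "C": b"key-C"}
SENSITIVE_FIELDS = ("product",)  # vendor/product data is dropped outright

def pseudonymize(addr, key):
    """Keyed, consistent pseudonym: hides the address but keeps equality under one key."""
    return "p-" + hmac.new(key, addr.encode(), hashlib.sha256).hexdigest()[:12]

def sanitize(event, key, keep_links=True):
    """Domain-side preprocessing applied before the event leaves the domain."""
    out = {k: v for k, v in event.items() if k not in SENSITIVE_FIELDS}
    for f in ("src", "dst"):
        out[f] = pseudonymize(event[f], key) if keep_links else "<removed>"
    return out

def fanout(events, threshold=3):
    """Central IWS analysis: one source reaching >= threshold distinct targets on one port."""
    targets = defaultdict(set)
    for e in events:
        targets[(e["src"], e["port"])].add(e["dst"])
    return {k: len(v) for k, v in targets.items() if len(v) >= threshold}

def detect(events, mode):
    # Run the central check on raw events or on one of three sanitization variants.
    if mode == "raw":
        shared = events
    elif mode == "shared_key":       # same pseudonym for 10.1.1.5 in A and B
        shared = [sanitize(e, KEYS["shared"]) for e in events]
    elif mode == "per_domain_key":   # A and B produce different pseudonyms
        shared = [sanitize(e, KEYS[e["domain"]]) for e in events]
    else:                            # "drop": addresses removed entirely
        shared = [sanitize(e, b"", keep_links=False) for e in events]
    return fanout(shared)

if __name__ == "__main__":
    for mode in ("raw", "shared_key", "per_domain_key", "drop"):
        print(mode, detect(EVENTS, mode))
```

Only the "raw" and "shared_key" runs report the sweep; the other two return nothing, which is the analysis loss the paper measures.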