Protecting routing infrastructures from denial of service using cooperative intrusion detection
NSPW '97 Proceedings of the 1997 workshop on New security paradigms
On the design and performance of prefix-preserving IP traffic trace anonymization
IMW '01 Proceedings of the 1st ACM SIGCOMM Workshop on Internet Measurement
ICNP '02 Proceedings of the 10th IEEE International Conference on Network Protocols
On the Nature of Structure and Its Identification
WG '99 Proceedings of the 25th International Workshop on Graph-Theoretic Concepts in Computer Science
A high-level programming environment for packet trace anonymization and transformation
Proceedings of the 2003 conference on Applications, technologies, architectures, and protocols for computer communications
Alliance formation for DDoS defense
Proceedings of the 2003 workshop on New security paradigms
Meta IDS Environments: An Event Message Anomaly Detection Approach
IWIA '05 Proceedings of the Third IEEE International Workshop on Information Assurance
This paper discusses the side effects of sanitizing IT security event messages in a cooperative multi-domain Intrusion Warning System (IWS). To enhance the detection capabilities of conventional IT security tools such as Intrusion Detection Systems (IDS), virus scanners and packet filters, a centralized, so-called Intrusion Warning System can be deployed that collects and analyzes event messages from the different domains. Additionally, the IWS informs the domains about potentially critical situations that the existing tools might not cover due to technical limitations, heterogeneous security policies or differences in configuration. The architecture of an IWS relies on centralized storage and analysis components, while the event messages are collected and preprocessed by distributed entities under the operational control of the respective domains. In cooperation scenarios like military coalition environments (CEs, e.g. NATO, KFOR, SFOR), potentially confidential or sensitive information still needs to be concealed from the CE partners, as defined by existing information sharing policies. This also holds for the information contained in IDS event messages, since they may include network addresses and topologies, products or vendors, and applications and security systems. Thus, to enable CE-wide cooperation of IT security systems, appropriate information sanitizing techniques need to be applied before any security-relevant information is shared. This might have a negative impact on the centralized analysis capabilities, since potentially important information might be dropped from the messages. In this paper, the impact of sanitizing event message flows in a cooperative IWS is studied by examining the behaviour of an IWS when feeding it real-life event messages combined with artificial events from an Internet worm spreading simulation.
The worm detection capabilities of the analysis components are determined in a multi-domain setup for both situations, with and without applying information sanitizing mechanisms to the event message flow.
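The trade-off the abstract describes, sanitizing address and vendor fields before sharing while keeping enough structure for central worm detection, can be made concrete with a small model. The following is an added example written for this page; it is not code from the paper or from any IWS implementation. The event field names, the sample events, the fan-out threshold and the key are constructed, and the prefix-preserving scheme is a simplified octet-granularity keyed pseudonymisation (not the Crypto-PAn scheme referenced above). It contrasts a prefix-preserving sanitizer, which keeps subnet-spread information usable by the central analysis, with an opaque-token sanitizer, which still allows per-source fan-out detection but destroys topology information.

```python
"""Added illustration of sanitizing IDS event messages before sharing
with coalition partners, and what a central detector can still see.
All field names, events, thresholds and keys below are constructed."""
import hmac
import hashlib
from collections import defaultdict

# Constructed sample events: one host in domain A fanning out on
# TCP/445 across several /24 subnets (worm-like), plus benign traffic
# in domain B. The field names are assumptions for this example.
RAW_EVENTS = [
    {"domain": "A", "src": "10.1.2.5", "dst": f"10.1.{i}.{j}", "dport": 445,
     "vendor": "ExampleVendor", "product": "NIDS-X", "sig": "smb-probe"}
    for i in range(3, 7) for j in (10, 20, 30)
] + [
    {"domain": "B", "src": "192.0.2.10", "dst": "192.0.2.80", "dport": 80,
     "vendor": "OtherVendor", "product": "FW-Y", "sig": "http-allow"},
    {"domain": "B", "src": "192.0.2.11", "dst": "192.0.2.80", "dport": 80,
     "vendor": "OtherVendor", "product": "FW-Y", "sig": "http-allow"},
]

KEY = b"constructed-demo-key"  # would be a per-domain secret in practice


def pp_pseudonymise(ip: str, key: bytes = KEY) -> str:
    """Prefix-preserving pseudonym at octet granularity.

    The mask for octet i is derived only from the original octets 0..i-1,
    so two addresses sharing a k-octet prefix get pseudonyms sharing a
    k-octet prefix, and distinct addresses stay distinct."""
    octets = [int(o) for o in ip.split(".")]
    out = []
    for i, octet in enumerate(octets):
        prefix = bytes(octets[:i])
        mask = hmac.new(key, b"ip-prefix:" + prefix, hashlib.sha256).digest()[0]
        out.append(octet ^ mask)
    return ".".join(str(o) for o in out)


def opaque_token(ip: str, key: bytes = KEY) -> str:
    """Structure-destroying alternative: whole address -> keyed token."""
    return hmac.new(key, ip.encode(), hashlib.sha256).hexdigest()[:12]


def sanitise(events, addr_fn):
    """Pseudonymise addresses and redact vendor/product before sharing."""
    return [
        {"domain": e["domain"], "src": addr_fn(e["src"]), "dst": addr_fn(e["dst"]),
         "dport": e["dport"], "vendor": "<redacted>", "product": "<redacted>",
         "sig": e["sig"]}
        for e in events
    ]


FANOUT_THRESHOLD = 8  # constructed: distinct destinations per (source, port)


def detect_scanners(events, threshold=FANOUT_THRESHOLD):
    """Central analysis step: {(domain, src, dport): distinct_dst_count}
    for sources at or above the threshold. Only needs pseudonyms to be
    consistent within a domain, so it works on either sanitised stream."""
    fanout = defaultdict(set)
    for e in events:
        fanout[(e["domain"], e["src"], e["dport"])].add(e["dst"])
    return {k: len(v) for k, v in fanout.items() if len(v) >= threshold}


def target_subnets(events, src):
    """Number of distinct /24 target prefixes for one source, or None when
    the sanitizer has turned addresses into non-IP-shaped tokens."""
    subnets = set()
    for e in events:
        if e["src"] != src:
            continue
        parts = e["dst"].split(".")
        if len(parts) != 4:
            return None
        subnets.add(".".join(parts[:3]))
    return len(subnets)


def compare():
    """Run the detector on raw, prefix-preserving and opaque streams."""
    pp_events = sanitise(RAW_EVENTS, pp_pseudonymise)
    tok_events = sanitise(RAW_EVENTS, opaque_token)
    return {
        "raw": (detect_scanners(RAW_EVENTS), target_subnets(RAW_EVENTS, "10.1.2.5")),
        "prefix_preserving": (detect_scanners(pp_events),
                              target_subnets(pp_events, pp_pseudonymise("10.1.2.5"))),
        "opaque": (detect_scanners(tok_events),
                   target_subnets(tok_events, opaque_token("10.1.2.5"))),
    }


if __name__ == "__main__":
    for name, (hits, subnets) in compare().items():
        print(f"{name}: scanners={hits} target_/24s={subnets}")
```

Both sanitizers let the central component still flag the fanning-out source, because fan-out counting needs only a consistent pseudonym per address. Only the prefix-preserving variant keeps the subnet-spread measure, which is the kind of information the abstract warns can be lost when messages are sanitized too aggressively; the opaque variant returns None for it, signalling that the analysis is no longer possible rather than silently reporting a wrong value.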