Security policy implementation using connection and event log to achieve network access control

  • Authors:
  • Shalvi Dave;Jimit Mahadevia;Bhushan Trivedi

  • Affiliations:
  • IITE, Ahmedabad, India;Elitecore Technologies Ltd, Ahmedabad, India;GLSICT, Ahmedabad, India

  • Venue:
  • ACAI '11 Proceedings of the International Conference on Advances in Computing and Artificial Intelligence
  • Year:
  • 2011

Abstract

Network as well as host security has become an essential requirement to guard important network resources against unauthorized and unauthenticated access. The reason is that, with advances in technology, threats and attacks are becoming ever more intelligent and insensitive to the existing security measures implemented by a Network Intrusion Detection System or Network Intrusion Detection and Prevention System (NIDS/NIDPS). This paper describes how a novel approach helps to implement a quota-based security policy for applications running inside the network. It also helps to identify applications as an attacker or a victim and provides elaborate logging to help the administrator thwart an attack. Our system introduces three main modules: Event Collector, Network Interceptor and Administrative Server. Together, with the help of the NIDS, they identify an attack along with the name and version of the attacker and victim applications that we try to protect. This paper describes the work we have done on the application connection and event logging part. In the connection log, we maintain application connection information: the start and release time of each connection and the data uploaded and downloaded. This information is used to implement a quota-based application access policy within the organization. In this way, we achieve network access control. In the event logger, we first classify an application as an attacker or a victim. When an application attacks a vulnerable client or server on the network, our system identifies this threat and maintains an event log of it. In addition, if any host on our network tries to launch an attack on any application outside the network, our system identifies such applications as a threat to the network, and an event log is also maintained for such attacker applications within the network. The event log contains information such as source and destination IP, application name and version, timestamp, etc.
This event log is used to generate administrative reports, which the administrator uses to take corrective measures for such applications.
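The quota-based access decision the abstract derives from the connection log can be illustrated with a small evaluator. The following is an added example and not the paper's own code: the record fields, the policy table, the application names and the sample log entries are all assumed or constructed; a connection with no release time is treated as still open and charged up to the evaluation time, and applications with no policy entry are denied by default.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

@dataclass
class ConnectionRecord:  # one connection-log entry; field names are assumed, not the paper's
    app: str                     # application name
    version: str                 # application version
    start: datetime              # connection start time
    release: Optional[datetime]  # release time; None while the connection is still open
    upload: int                  # bytes uploaded by the application
    download: int                # bytes downloaded by the application

# Hypothetical per-application quota: maximum bytes and maximum connection seconds per window.
# Applications with no policy entry are denied (default-deny).
POLICY = {
    ("ftpclient", "2.1"): {"max_bytes": 50_000_000, "max_seconds": 3600},
    ("updater", "1.0"): {"max_bytes": 10_000_000, "max_seconds": 7200},
}

def usage(records, now):
    """Aggregate bytes and connection seconds per (app, version); open connections count up to now."""
    totals = {}
    for r in records:
        t = totals.setdefault((r.app, r.version), {"bytes": 0, "seconds": 0.0})
        t["bytes"] += r.upload + r.download
        end = r.release if r.release is not None else now
        t["seconds"] += max(0.0, (end - r.start).total_seconds())
    return totals

def decide(app, version, records, now):
    """Return 'allow' if the application has a policy entry and is under both quotas, else 'deny'."""
    rule = POLICY.get((app, version))
    if rule is None:
        return "deny"
    used = usage(records, now).get((app, version), {"bytes": 0, "seconds": 0.0})
    over = used["bytes"] > rule["max_bytes"] or used["seconds"] > rule["max_seconds"]
    return "deny" if over else "allow"

# Constructed sample connection log (not real data).
T0 = datetime(2011, 1, 1, 9, 0, 0)
SAMPLE_LOG = [
    ConnectionRecord("ftpclient", "2.1", T0, T0 + timedelta(minutes=20), 30_000_000, 25_000_000),
    ConnectionRecord("updater", "1.0", T0, None, 1_000_000, 2_000_000),  # still open
    ConnectionRecord("unknownapp", "0.9", T0, T0 + timedelta(seconds=5), 10, 10),
]
NOW = T0 + timedelta(hours=1)    # evaluation time one hour in
LATER = T0 + timedelta(hours=3)  # the open updater connection has now run past its time quota
```

With these inputs, `ftpclient 2.1` is denied on the byte quota (55 MB used against 50 MB), `updater 1.0` is allowed at `NOW` but denied at `LATER` because its still-open connection has exceeded the time quota, and the unlisted application is denied outright.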