Inherent heterogeneity of the networks increases the risk factor, and new security threats emerge due to the variety of network types and their vulnerabilities. This paper presents an example of an applied security framework – the INTERSECTION. By referring to the ISO/IEC security standards and to the FP7 INTERSECTION project results, the authors underline that in the processes of managing and planning security, investigating technology and business governance should be at least as important as formalizing the need for decisions on security cooperation between operators. INTERSECTION provides security mechanisms and introduces a capability possible only with a management solution that is at a higher level than that of any of the connected systems alone.
This paper presents the work we have done within the MIRADOR project to design CRIM, a cooperative module for intrusion detection systems (IDS). This module implements functions to manage, cluster, merge and correlate alerts. The clustering and merging functions recognize alerts that correspond to the same occurrence of an attack and create a new alert that merges the data contained in these various alerts. Experiments show that these functions significantly reduce the number of alerts. However, we also observe that the alerts we obtain are still too elementary to be managed by a security administrator. The purpose of the correlation function is thus to generate global and synthetic alerts. This paper focuses on the approach we suggest to design this function.
The design and development of distributed and collaborative architectures for network intrusion detection systems is an ongoing yet challenging research field. Decentralizing the intrusion detection functionalities has become a promising approach to keep up with the steady increase of the network communications' capacity and of the attack signature databases. So far, several communication models have been proposed in the literature for distributed intrusion detection systems' components. In this paper we focus on the design and implementation of an agent-centric library to support flexible and extensible message exchanges between intrusion detection system components. We have functionally validated our solution based on a set of tests run over a real-world prototype we have implemented.
The proposed Intrusion Detection System (IDS), which is implemented with modern technologies to address certain prevailing problems in existing intrusion detection systems, is capable of giving an advanced output to the security analyst. Even though the network of an organization has been secured internally as well as externally, intruders find ways to penetrate the network. With the proposed system, the activities of those intruders can be identified with a higher probability even if they manage to bypass the security controls of the network. The goal of this project is to give a reliable output to the system users where all the alerts are more accurate and correlated using HIDS alerts and NIDS alerts, which is similar to the modern SIEM concept. The system will perform as a centralized IDS by getting inputs from both HIDS and NIDS, which give data regarding the activities of hosts and network traffic. With those implementations, the system is capable of monitoring host activities, monitoring network traffic with existing tools and giving a correlated output which is more accurate, advanced and reliable, prioritizing the possible attacks by using machine learning techniques and rule-based correlation techniques. With all these capabilities, the final product is a fully automated Intrusion Detection System which gives correlated alerts as outputs with a lower rate of false positives compared to the existing systems.
ACARM-ng is an extensible, plug-in-based alert correlation framework. It introduces abstractions over correlation, reporting, reaction, gathering data from multiple sources and data storage. ACARM-ng supports real-time reporting, meaning that alerts can be reported while still being correlated. For an administrator, a Web User Interface is provided to present gathered and correlated data in a consistent way. The system makes use of multi-core architectures and is written in C++.
This paper presents a semantic web-based architecture to share alerts among Security Information Management Systems (SIMS). Such an architecture is useful if two or more SIMS from different domains need to know information about alerts happening in the other domains, which is useful for an early response to network incidents. For this, an ontology has been defined to describe the knowledge base of each SIMS that contains the security alerts. These knowledge bases can be queried from other SIMS using standard semantic web protocols. Two modules have been implemented: one to insert the new security alerts in the knowledge base, and another one to query such knowledge bases. The performance of both modules has been evaluated, providing some results.
ModSecurity IDMEF module Balaz, Anton; Adam, Norbert; Pietrikova, Emilia ...
2018 IEEE 16th World Symposium on Applied Machine Intelligence and Informatics (SAMI),
2018-Feb.
Conference Proceeding
The paper designs an intrusion detection system based on ModSecurity and the Prelude system. The main goal is to supplement the ModSecurity module, which acts as a firewall in the application layer, by exporting messages into the Prelude SIEM system. Since ModSecurity does not support the IDMEF format, the paper proposes a design to implement the export of particular ModSecurity events and the subsequent management of these events in Prelude.
With the growing deployment of multisensor fusion systems to gather and analyse pieces of attack evidence from myriad heterogeneous sensors, a requirement is to provide a secure and robust message exchange mechanism for their communication. A message exchange mechanism for multisensor communication is described that is based on security spaces. A security space is a lightweight abstract space based on tuple spaces that allows secure message communication dynamically. In this paper, security spaces' schematic and semantic representations are provided. Its mathematical formalism and its application in distributed and federated multisensor environments are demonstrated.
This paper presents a data model designed to format answers in intrusion detection systems. The featured model aims at allowing interoperability between different systems. An architecture proposal for intrusion detection systems that makes response treatment feasible is also introduced. Both the architecture and the data model are compatible with the related work on interoperability among IDSs already carried out by the IDWG group. Also, the development and testing of the proposed model and the architecture components are presented.
Efficient intrusion detection system (IDS) management is a prominent capability for distributed IDS solutions, which makes it possible to integrate and handle different types of sensors or to collect and synthesize alerts generated from multiple hosts located in a loosely coupled environment. Extensibility is the main requirement for most IDS management systems. The concept of virtualization has been introduced into many popular IDS implementations due to its advantages in isolation and fast recovery in case of compromise. An advanced capability for combining these newly emerged virtual machine (VM) based IDS approaches is another requirement for IDS management. This paper proposes an extensible IDS management architecture based on a new design of the event gatherer component. By using the known IDS standard IDMEF and a plug-in concept, the event gatherer ensures flexibility and compatibility. Experiments are carried out to demonstrate the extensibility and virtualization-compatibility of the proposed IDS management architecture.