Abstract
A major research problem in intrusion detection is the efficient detection of coordinated attacks over large networks. Issues to be resolved include what data should be collected, which portion of that data should be analyzed, where the analysis should take place, and how information from multiple sources should be correlated. This paper proposes the architecture of a Coordinated Attack Response and Detection System (CARDS), which uses a signature-based model to address these issues. CARDS consists of signature managers, monitors, and directory services. The system collects data in a flexible, distributed manner, and detection is decentralized among the monitors and event-driven. The paper also discusses related implementation issues.
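The abstract describes signature-based, event-driven correlation of events reported by several monitors. The following sketch is an added illustration of that general idea, written for this page; it is not the CARDS signature model, its code, or its signature language. It assumes a signature is an ordered list of event steps, each naming an event kind and binding event attributes to shared variables (so later steps must refer to the same attacker and target as earlier ones), with all steps required to fall inside a time window. The monitor names, event kinds, attributes and addresses are constructed sample data.

```python
# Added illustrative sketch of multi-monitor, signature-based correlation.
# Not the CARDS signature model; event kinds, attributes and monitor names are assumed.
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Event:
    monitor: str                 # monitor that observed the event (assumed name)
    ts: float                    # timestamp in seconds
    kind: str                    # event type, e.g. "portscan"
    attrs: Dict[str, str] = field(default_factory=dict)


@dataclass
class Step:
    kind: str
    bind: Dict[str, str]         # event attribute -> signature variable


@dataclass
class Signature:
    name: str
    steps: List[Step]
    window: float                # max seconds between the first and last step


@dataclass
class Partial:
    next_step: int
    vars: Dict[str, str]
    start_ts: float
    events: List[Event]


def unify(step: Step, ev: Event, bound: Dict[str, str]) -> Optional[Dict[str, str]]:
    """Return extended variable bindings if ev matches step, else None."""
    if ev.kind != step.kind:
        return None
    new = dict(bound)
    for attr, var in step.bind.items():
        val = ev.attrs.get(attr)
        if val is None or (var in new and new[var] != val):
            return None                     # missing attribute or conflicting binding
        new[var] = val
    return new


def detect(sig: Signature, events: List[Event]) -> List[dict]:
    """Match sig against the merged, time-ordered event stream; return completed matches."""
    partials: List[Partial] = []
    alerts: List[dict] = []
    for ev in sorted(events, key=lambda e: e.ts):
        # Drop partial matches whose window has closed.
        partials = [p for p in partials if ev.ts - p.start_ts <= sig.window]
        advanced: List[Partial] = []
        # A partial match is not consumed: the same prefix may lead to several matches.
        for p in partials:
            v = unify(sig.steps[p.next_step], ev, p.vars)
            if v is not None:
                advanced.append(Partial(p.next_step + 1, v, p.start_ts, p.events + [ev]))
        # Any event may also open a new match at the first step.
        v = unify(sig.steps[0], ev, {})
        if v is not None:
            advanced.append(Partial(1, v, ev.ts, [ev]))
        for p in advanced:
            if p.next_step == len(sig.steps):
                alerts.append({"signature": sig.name, "vars": p.vars,
                               "monitors": sorted({e.monitor for e in p.events}),
                               "events": p.events})
            else:
                partials.append(p)
    return alerts


# Constructed signature: a scan, then failed logins from the same source against
# the scanned host, then a new administrative account on that host.
COORDINATED_INTRUSION = Signature(
    name="scan-bruteforce-newadmin",
    steps=[
        Step("portscan", {"src": "attacker", "dst": "target"}),
        Step("auth_failure", {"src": "attacker", "host": "target"}),
        Step("new_admin_user", {"host": "target"}),
    ],
    window=600.0,
)

# Constructed events from three monitors (one network sensor, two host agents).
SAMPLE_EVENTS = [
    Event("net-sensor", 100, "portscan", {"src": "10.0.0.5", "dst": "10.0.1.20"}),
    Event("net-sensor", 120, "portscan", {"src": "10.0.0.9", "dst": "10.0.1.30"}),
    Event("host-20", 250, "auth_failure", {"src": "10.0.0.5", "host": "10.0.1.20"}),
    Event("host-30", 300, "auth_failure", {"src": "10.0.0.7", "host": "10.0.1.30"}),  # other source
    Event("host-20", 400, "new_admin_user", {"host": "10.0.1.20", "user": "backup"}),
    Event("host-30", 900, "new_admin_user", {"host": "10.0.1.30", "user": "svc"}),    # window expired
]

if __name__ == "__main__":
    for a in detect(COORDINATED_INTRUSION, SAMPLE_EVENTS):
        print(a["signature"], a["vars"], "seen by", a["monitors"])
```

Only the sequence against 10.0.1.20 completes: the scan of 10.0.1.30 is never followed by a failure from the same source, and its partial match has expired by the time the new account appears. The sketch runs one correlator over a merged stream; a decentralized design would instead let each monitor match the steps it can observe locally and forward partial matches for completion elsewhere.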
The original version of this chapter was revised: the copyright line was incorrect and has been corrected. The erratum for this chapter is available at DOI: 10.1007/978-0-387-35515-3_53
Copyright information
© 2000 IFIP International Federation for Information Processing
About this paper
Cite this paper
Yang, J., Ning, P., Wang, X.S., Jajodia, S. (2000). Cards: A Distributed System for Detecting Coordinated Attacks. In: Qing, S., Eloff, J.H.P. (eds) Information Security for Global Information Infrastructures. SEC 2000. IFIP — The International Federation for Information Processing, vol 47. Springer, Boston, MA. https://doi.org/10.1007/978-0-387-35515-3_18
DOI: https://doi.org/10.1007/978-0-387-35515-3_18
Publisher Name: Springer, Boston, MA
Print ISBN: 978-1-4757-5479-7
Online ISBN: 978-0-387-35515-3