
Sensor Families for Intrusion Detection Infrastructures

Chapter in: Managing Cyber Threats

Part of the book series: Massive Computing (MACO, volume 5)

Abstract

Intrusion detection relies on the information provided by a number of sensors deployed throughout a protected network. Sensors operate on different event streams, such as network packets and application logs, and provide information at different abstraction levels, such as low-level warnings and correlated alerts. In addition, sensors range from lightweight probes and simple log parsers to complex software artifacts that perform sophisticated analysis. Therefore, deploying, configuring, and managing a large number of heterogeneous sensors is a complex, expensive, and error-prone activity.

Unfortunately, existing systems fail to manage the complexity that is inherent in today’s intrusion detection infrastructures. These systems suffer from two main limitations: they are developed ad hoc for certain types of domains and/or environments, and they are difficult to configure, extend, and control remotely.

To address the complexity of intrusion detection infrastructures, we developed a framework, called STAT, that overcomes the limitations of current approaches. Instead of providing yet another system tailored to some domain-specific requirements, STAT provides a software framework for the development of new intrusion detection functionality in a modular fashion.

According to the STAT framework, intrusion detection sensors are built by dynamically composing domain-specific components with a domain-independent runtime. The resulting intrusion detection sensors represent a software family. Each sensor has the ability to reconfigure its behavior dynamically. The reconfiguration functionality is supported by a component model and by a control infrastructure, called MetaSTAT. The final product of the STAT framework is a highly-configurable, well-integrated intrusion detection infrastructure.
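The composition pattern the abstract describes, as an added illustration that is not code from the chapter or from the STAT project: a domain-independent runtime that only understands generic events, a domain-specific event provider (here a parser for Apache access-log lines), a domain-specific detection scenario expressed as a small state machine, and a control interface through which a controller can load and unload components while the sensor is running. The names `Runtime`, `Scenario`, `load_scenario` and the log lines are all constructed for this example; nothing here is STAT's or MetaSTAT's real API.

```python
import re
from dataclasses import dataclass, field
from typing import Callable, Dict, Iterable, List, Optional, Tuple

# Hypothetical sketch of the sensor-composition pattern; not STAT's real code.


@dataclass
class Event:
    """Domain-independent event record: the only thing the runtime understands."""
    kind: str
    attrs: Dict[str, str]


Guard = Callable[[Event], bool]


@dataclass
class Scenario:
    """Domain-specific component: a state-transition scenario over events.

    transitions maps (state, event_kind) -> list of (guard, next_state).
    key(event) picks the attribute that correlates events into one scenario
    instance (for instance the client address), so each client has its own state.
    Events with no matching transition leave the instance's state unchanged.
    """
    name: str
    transitions: Dict[Tuple[str, str], List[Tuple[Guard, str]]]
    key: Callable[[Event], str]
    final_state: str
    states: Dict[str, str] = field(default_factory=dict)

    def consume(self, ev: Event) -> Optional[str]:
        k = self.key(ev)
        state = self.states.get(k, "start")
        for guard, nxt in self.transitions.get((state, ev.kind), []):
            if guard(ev):
                state = nxt
                break
        if state == self.final_state:
            self.states.pop(k, None)  # reset this instance once it has fired
            return f"{self.name}: {k}"
        self.states[k] = state
        return None


class Runtime:
    """Domain-independent runtime: owns providers and scenarios, dispatches events."""

    def __init__(self) -> None:
        self.providers: Dict[str, Callable[[str], Optional[Event]]] = {}
        self.scenarios: Dict[str, Scenario] = {}
        self.alerts: List[str] = []

    # Control interface: the hooks a controller would use to reconfigure a
    # running sensor (the role the abstract assigns to MetaSTAT).
    def load_provider(self, name: str, parser: Callable[[str], Optional[Event]]) -> None:
        self.providers[name] = parser

    def load_scenario(self, scenario: Scenario) -> None:
        self.scenarios[scenario.name] = scenario

    def unload_scenario(self, name: str) -> None:
        self.scenarios.pop(name, None)

    def feed(self, provider: str, raw: Iterable[str]) -> List[str]:
        """Parse raw records with the named provider and run every loaded scenario."""
        new: List[str] = []
        parse = self.providers[provider]
        for line in raw:
            ev = parse(line)
            if ev is None:
                continue  # provider could not parse the record; skip it
            for sc in list(self.scenarios.values()):
                alert = sc.consume(ev)
                if alert:
                    new.append(alert)
        self.alerts.extend(new)
        return new


# Domain-specific event provider: Apache common log format -> generic Event.
APACHE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')


def apache_access_provider(line: str) -> Optional[Event]:
    m = APACHE_RE.match(line)
    if not m:
        return None
    client, method, path, status = m.groups()
    return Event("http", {"client": client, "method": method, "path": path, "status": status})


def login_bruteforce_scenario(threshold: int = 3) -> Scenario:
    """Alert when one client fails /login `threshold` times and then succeeds."""
    is_fail: Guard = lambda e: e.attrs["path"] == "/login" and e.attrs["status"] == "401"
    is_ok: Guard = lambda e: e.attrs["path"] == "/login" and e.attrs["status"] == "200"
    transitions: Dict[Tuple[str, str], List[Tuple[Guard, str]]] = {}
    state = "start"
    for i in range(1, threshold + 1):
        transitions[(state, "http")] = [(is_fail, f"fail{i}")]
        state = f"fail{i}"
    transitions[(state, "http")] = [(is_ok, "final")]
    return Scenario("login-bruteforce", transitions, lambda e: e.attrs["client"], "final")


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Oct/2002:13:55:36 -0700] "POST /login HTTP/1.0" 401 209',
    '10.0.0.5 - - [10/Oct/2002:13:55:37 -0700] "POST /login HTTP/1.0" 401 209',
    '10.0.0.9 - - [10/Oct/2002:13:55:38 -0700] "GET /index.html HTTP/1.0" 200 2326',
    '10.0.0.5 - - [10/Oct/2002:13:55:39 -0700] "POST /login HTTP/1.0" 401 209',
    '10.0.0.5 - - [10/Oct/2002:13:55:40 -0700] "POST /login HTTP/1.0" 200 512',
    '10.0.0.9 - - [10/Oct/2002:13:55:41 -0700] "POST /login HTTP/1.0" 200 512',
]


def demo() -> Tuple[List[str], List[str]]:
    """Compose a sensor, run it, then reconfigure it at run time and run it again."""
    rt = Runtime()
    rt.load_provider("apache", apache_access_provider)
    rt.load_scenario(login_bruteforce_scenario(3))
    first = rt.feed("apache", SAMPLE_LOG)
    rt.unload_scenario("login-bruteforce")  # control action: drop the scenario
    second = rt.feed("apache", SAMPLE_LOG)  # same input, nothing loaded, no alerts
    return first, second


if __name__ == "__main__":
    print(demo())
```

The point of the split is that `Runtime` never inspects a log line or a packet: swapping `apache_access_provider` for a packet decoder, or replacing the scenario, changes nothing in the runtime, which is what lets one runtime serve a whole family of sensors and be reconfigured without a restart.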




Copyright information

© 2005 Springer Science+Business Media, Inc.

About this chapter

Cite this chapter

Kemmerer, R.A., Vigna, G. (2005). Sensor Families for Intrusion Detection Infrastructures. In: Kumar, V., Srivastava, J., Lazarevic, A. (eds) Managing Cyber Threats. Massive Computing, vol 5. Springer, Boston, MA. https://doi.org/10.1007/0-387-24230-9_7

  • DOI: https://doi.org/10.1007/0-387-24230-9_7

  • Publisher Name: Springer, Boston, MA

  • Print ISBN: 978-0-387-24226-2

  • Online ISBN: 978-0-387-24230-9

  • eBook Packages: Computer Science (R0)