IDS Interoperability and Correlation Using IDMEF and Commodity Systems

Carey, Nathan; Clark, Andrew; Mohay, George

doi:10.1007/3-540-36159-6_22

Nathan Carey⁶,
Andrew Clark⁶ &
George Mohay⁶

Part of the book series: Lecture Notes in Computer Science ((LNCS,volume 2513))

Included in the following conference series:

International Conference on Information and Communications Security

840 Accesses
10 Citations

Abstract

Over the past decade Intrusion Detection Systems (IDS) have been steadily improving their efficiency and effectiveness in detecting attacks. This is particularly true with signature-based IDS due to progress in attack analysis and attack signature specification. At the same time system complexity, overall numbers of bugs and security vulnerabilities have increased. This has led to the recognition that in order to operate over the entire attack space, multiple IDS must be used, which need to interoperate with one another, and possibly also with other components of system security. This paper describes an experiment in IDS interoperation using the Intrusion Detection Message Exchange Format for the purpose of correlation analysis and in order to identify and address the problems associated with the effective use and management of multiple IDS. A study of the process of intrusion analysis demonstrates the benefits of multi-IDS interoperation and cooperation, as well as the significant benefits provided by alert analysis using a central relational database.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution

Chapter: USD 29.95; Price excludes VAT (USA)

eBook: USD 39.99; Price excludes VAT (USA)

Softcover Book: USD 54.99; Price excludes VAT (USA)

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Preview

Unable to display preview. Download preview PDF.

References

Frédéric Cuppens. Managing alerts in a multi-intrusion detection environment. In Annual Computer Security Applications Conference (ACSAC 2001), Sheraton New Orleans, Louisiana, USA, December 10–14 2001. ACM.
Google Scholar
Frédéric Cuppens and Alexandre Miége. Alert correlation in a cooperative intrusion detection framework. In 2002 IEEE Symposium on Security and Privacy (S&P’02), pages 187–202, Berkeley, CA, USA, May 12–15 2002.
Google Scholar
Frédéric Cuppens and Rodolphe Ortalo. Lambda: A language to model a database for detection of attacks. In Third International Workshop on Recent Advances in Intrusion Detection, (RAID 2000), volume 1907 of LNCS, pages 197–216, Toulouse, France, October 2–4 2000. Springer.
Chapter Google Scholar
Herve Debar and Andreas Wespi. Aggregation and correlation of intrusion-detection alerts. In Proceedings of the 4 ^th International Symposiun on Recent Advances in Intrusion Detection (RAID 2001), volume 2212 of LNCS, pages 85–103, Davis, CA, October 2001. Springer-Verlag.
Chapter Google Scholar
Jon Doyle, Isaac Kohane, William Long, Howard Shrobe, and Peter Szolovits. Agile monitoring for cyber defense. In Proceedings of the DARPA Information Survivability Conference and Exposition (DISCEX-II), Anaheim, California, June 12–14 2001. IEEE.
Google Scholar
John McHugh. Intrusion and intrusion detection. International Journal of Information Security, 1:14–35, 2001.
MATH Google Scholar
Marcus Ranum. Coverage in intrusion detection systems. Technical report, NFR Security, Inc, 26th June 2001.
Google Scholar
Brian Tung. The common intrusion specification language: A retrospective. In Proceedings of the DARPA Information Survivability Conference and Exposition (DISCEX), 2000, pages 3–11, Hilton Head, SC, 2000. IEEE.
Google Scholar
Alfonso Valdes and Keith Skinner. Probabilistic alert correlation. In Proceedings of the 4 ^th International Symposiun on Recent Advances in Intrusion Detection (RAID 2001), volume 2212 of LNCS, pages 54–68, Davis, CA, October 2001. Springer-Verlag.
Chapter Google Scholar
G. Vigna, R.A. Kemmerer, and P. Blix. Designing a Web of Highly-Configurable Intrusion Detection Sensors. In Proceedings of the 4 ^th International Symposiun on Recent Advances in Intrusion Detection (RAID 2001), volume 2212 of LNCS, pages 69–84, Davis, CA, October 2001. Springer-Verlag.
Chapter Google Scholar

Download references

Author information

Authors and Affiliations

Information Security Research Centre Faculty of Information Technology, Queensland University of Technology, GPO Box 2434, Brisbane, Queensland, 4001
Nathan Carey, Andrew Clark & George Mohay

Authors

Nathan Carey
View author publications
You can also search for this author in PubMed Google Scholar
Andrew Clark
View author publications
You can also search for this author in PubMed Google Scholar
George Mohay
View author publications
You can also search for this author in PubMed Google Scholar

Editor information

Editors and Affiliations

Labs for Information Technology, 21 Heng Mui Keng Terrace, Singapore, 119613
Robert Deng , Feng Bao & Jianying Zhou , &
Engineering Research Center for Information Security Technology, Chinese Academy of Sciences, P.O. Box 8718, Beijing, 100080, China
Sihan Qing

Rights and permissions

Reprints and permissions

Copyright information

About this paper

Cite this paper

Carey, N., Clark, A., Mohay, G. (2002). IDS Interoperability and Correlation Using IDMEF and Commodity Systems. In: Deng, R., Bao, F., Zhou, J., Qing, S. (eds) Information and Communications Security. ICICS 2002. Lecture Notes in Computer Science, vol 2513. Springer, Berlin, Heidelberg. https://doi.org/10.1007/3-540-36159-6_22

Download citation

DOI: https://doi.org/10.1007/3-540-36159-6_22
Published: 16 December 2002
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-00164-5
Online ISBN: 978-3-540-36159-6
eBook Packages: Springer Book Archive

Publish with us

Policies and ethics