Decentralized Event Correlation for Intrusion Detection

  • Conference paper
  • In: Information Security and Cryptology — ICISC 2001 (ICISC 2001)

Part of the book series: Lecture Notes in Computer Science (LNCS, volume 2288)

Abstract

Evidence of attacks against a network and its resources is often scattered over several hosts. Intrusion detection systems (IDS) that attempt to detect such attacks therefore have to collect and correlate information from different sources. We propose a completely decentralized approach to the task of event correlation and the fusion of information gathered from multiple points within the network.

Our system models an intrusion as a pattern of events that can occur at different hosts and consists of collaborating sensors deployed at various locations throughout the protected network installation.

We present a specification language to define intrusions as distributed patterns and a mechanism to specify their simple building blocks. The peer-to-peer algorithm that detects these patterns and its prototype implementation, called Quicksand, are described. Problems involved in managing such a system, and their solutions, are discussed.
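As an added illustration (not the paper's Quicksand code; the page reproduces neither the specification language nor the detection algorithm), the following Python sketch shows the idea the abstract describes: an intrusion is a pattern of simple events, each bound to a particular host; every sensor matches only the steps that belong to its own host; and a partial match is handed peer-to-peer to the sensor that owns the next step, so no central correlator ever sees all events. The pattern format (an ordered list of host/kind steps sharing one source address within a time window), the in-memory "network" of peers, and all event data are assumptions constructed for the example; timestamps are assumed to be comparable across hosts.

```python
"""Decentralized correlation of a multi-host event pattern (constructed example)."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    host: str   # host whose sensor observed the event
    kind: str   # simple building block, e.g. "port_scan"
    src: str    # attribute that must stay constant across all steps
    ts: int     # logical timestamp, assumed comparable between hosts


@dataclass
class Pattern:
    name: str
    steps: list   # ordered (host, kind) pairs; step i must be seen at that host
    window: int   # all steps must fall within `window` time units of step 0


class Sensor:
    """One sensor per host; peers are reached through the `network` directory."""

    def __init__(self, host, patterns, network):
        self.host = host
        self.patterns = patterns
        self.network = network                 # host -> Sensor (peer lookup)
        self.local = []                        # events seen on this host
        self.partial = defaultdict(list)       # pattern name -> pending chains
        self.alerts = []                       # completed patterns

    def observe(self, ev):
        """Called by the local probe for every event seen on this host."""
        self.local.append(ev)
        for p in self.patterns:
            if p.steps[0] == (self.host, ev.kind):      # this host starts the pattern
                self._advance(p, [ev])
        for p in self.patterns:                         # or it completes a waiting chain
            for chain in list(self.partial[p.name]):
                self._try_extend(p, chain, ev)

    def receive(self, pattern_name, chain):
        """Peer-to-peer hand-off: a partial match whose next step belongs to us."""
        p = next(p for p in self.patterns if p.name == pattern_name)
        self.partial[p.name].append(chain)
        # The matching local event may already have happened (out-of-order delivery).
        for ev in list(self.local):
            self._try_extend(p, chain, ev)

    def _try_extend(self, p, chain, ev):
        idx = len(chain)
        if p.steps[idx] != (self.host, ev.kind):
            return
        if ev.src != chain[0].src:                      # binding across steps
            return
        if not (chain[-1].ts <= ev.ts <= chain[0].ts + p.window):
            return
        if chain in self.partial[p.name]:
            self.partial[p.name].remove(chain)
        self._advance(p, chain + [ev])

    def _advance(self, p, chain):
        if len(chain) == len(p.steps):                  # last step: raise alert here
            self.alerts.append((p.name, chain[0].src, [e.host for e in chain]))
            return
        next_host = p.steps[len(chain)][0]
        self.network[next_host].receive(p.name, chain)  # hand off to the owner of step

    def purge_expired(self, now):
        """Drop chains whose window can no longer be satisfied."""
        for name, chains in self.partial.items():
            p = next(p for p in self.patterns if p.name == name)
            self.partial[name] = [c for c in chains if c[0].ts + p.window >= now]


def run_demo():
    """Three hosts, one three-step pattern, events delivered out of order (constructed)."""
    pattern = Pattern("multi_stage",
                      [("hostA", "port_scan"), ("hostB", "failed_login"),
                       ("hostC", "new_account")], window=10)
    network = {}
    for h in ("hostA", "hostB", "hostC"):
        network[h] = Sensor(h, [pattern], network)

    events = [
        Event("hostA", "port_scan", "10.0.0.5", 1),     # step 0 of the real sequence
        Event("hostA", "port_scan", "10.0.0.7", 1),     # scan with no follow-up in window
        Event("hostC", "new_account", "10.0.0.5", 4),   # step 2 arrives before step 1
        Event("hostB", "failed_login", "10.0.0.9", 3),  # same kind, different source
        Event("hostB", "failed_login", "10.0.0.5", 3),  # step 1, completes the chain at hostC
        Event("hostB", "failed_login", "10.0.0.7", 50), # outside the 10-unit window
    ]
    for ev in events:
        network[ev.host].observe(ev)

    pending = lambda: sum(len(c) for s in network.values() for c in s.partial.values())
    before = pending()
    for s in network.values():
        s.purge_expired(now=100)
    alerts = [a for s in network.values() for a in s.alerts]
    return {"alerts": alerts, "pending_before_purge": before, "pending_after_purge": pending()}


if __name__ == "__main__":
    print(run_demo())
```

Only the sensor on hostC, which owns the final step, raises the alert, and it does so even though its own event was observed before the hand-off arrived, because each sensor keeps its local events and re-checks them when a partial match reaches it. The purge step matters operationally: without it, every unanswered first step accumulates as a pending chain on the peer that owns the next step.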

Copyright information

© 2002 Springer-Verlag Berlin Heidelberg

Cite this paper

Krügel, C., Toth, T., Kerer, C. (2002). Decentralized Event Correlation for Intrusion Detection. In: Kim, K. (eds) Information Security and Cryptology — ICISC 2001. ICISC 2001. Lecture Notes in Computer Science, vol 2288. Springer, Berlin, Heidelberg. https://doi.org/10.1007/3-540-45861-1_10

  • DOI: https://doi.org/10.1007/3-540-45861-1_10

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-540-43319-4

  • Online ISBN: 978-3-540-45861-6
