Abstract
Intrusion Detection Systems (IDSs) have been increasingly used in organizations, in addition to other security mechanisms, to detect intrusions into systems and networks. In recent years several IDSs have been released, but (a) the high number of false alarms generated, (b) the lack of a high-level notation for attack signature specification, and (c) the difficulty of integrating IDSs with existing network management infrastructure hinder their widespread and efficient use. In this paper we address these problems by presenting an SNMP agent for stateful intrusion inspection. Using a state machine-based language called PTSL (Protocol Trace Specification Language), the network manager can describe the attack signatures that should be monitored. The signatures to be used by the agent are configured by the network manager through the IETF Script MIB. Once programmed, the agent starts monitoring the network traffic for occurrences of the signatures and stores statistics about their occurrence in an extended RMON2 MIB. These statistics may be retrieved by any SNMP-based management application and can be used to accomplish signature-based analysis. The paper also describes two experiments that have been carried out with the agent to assess its performance and to demonstrate its effectiveness in terms of false alarm generation rates.
The original version of this chapter was revised: The copyright line was incorrect. This has been corrected. The Erratum to this chapter is available at DOI: 10.1007/978-0-387-35674-7_66
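The stateful signature matching described in the abstract, as an added example that is not the chapter's agent or its PTSL notation: a signature is a state machine, each client/server flow advances through it independently, and only a completed trace counts as an occurrence (the role the chapter gives to its extended RMON2 MIB). The Python below, in which the event format, the signature encoding, the class and function names and the sample HTTP trace are all constructed for this illustration, contrasts the stateful count with a stateless per-request match to show how waiting for the server's response reduces false alarms.

```python
"""Stateful signature matching as a state machine over an application-layer trace.

Added illustration only: not the chapter's agent, not PTSL. Event format,
signature encoding and the sample trace are constructed for this example.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass
class Event:
    """One observed application-layer message (constructed format)."""
    client: str
    server: str
    direction: str  # "c2s" (client to server) or "s2c" (server to client)
    payload: str

    @property
    def flow(self) -> Tuple[str, str]:
        return (self.client, self.server)


Predicate = Callable[[Event], bool]


@dataclass
class Signature:
    """transitions[state] lists (predicate, next_state); the first that fires wins."""
    name: str
    transitions: Dict[str, List[Tuple[Predicate, str]]]
    start: str = "S0"
    final: str = "MATCH"


class SignatureMonitor:
    """Keeps one state per (signature, flow) and counts completed traces."""

    def __init__(self, signatures: List[Signature]):
        self.signatures = signatures
        self.state: Dict[str, Dict[Tuple[str, str], str]] = defaultdict(dict)
        self.counters: Dict[str, int] = defaultdict(int)
        self.matches: List[Tuple[str, Tuple[str, str]]] = []

    def feed(self, ev: Event) -> None:
        for sig in self.signatures:
            flows = self.state[sig.name]
            cur = flows.get(ev.flow, sig.start)
            for pred, nxt in sig.transitions.get(cur, []):
                if pred(ev):
                    cur = nxt
                    break
            # a message that fires no transition leaves the flow where it is
            if cur == sig.final:
                self.counters[sig.name] += 1
                self.matches.append((sig.name, ev.flow))
                flows.pop(ev.flow, None)  # completed: back to the start state
            else:
                flows[ev.flow] = cur

    def stats(self) -> Dict[str, int]:
        return dict(self.counters)


def is_traversal_request(e: Event) -> bool:
    return e.direction == "c2s" and "../" in e.payload


def is_ok_response(e: Event) -> bool:
    return e.direction == "s2c" and e.payload.startswith("HTTP/1.1 200")


def is_other_response(e: Event) -> bool:
    return e.direction == "s2c" and not e.payload.startswith("HTTP/1.1 200")


# Constructed signature: a path-traversal request counts only once the server
# answers it with 200; any other response returns the flow to the start state.
TRAVERSAL_CONFIRMED = Signature(
    name="traversal_confirmed",
    transitions={
        "S0": [(is_traversal_request, "S1")],
        "S1": [(is_ok_response, "MATCH"), (is_other_response, "S0")],
    },
)

# Constructed trace: three interleaved flows, so per-flow state matters.
SAMPLE_TRACE = [
    Event("10.0.0.5", "192.0.2.10", "c2s", "GET /../../etc/passwd HTTP/1.1"),
    Event("10.0.0.9", "192.0.2.11", "c2s", "GET /static/../admin/ HTTP/1.1"),
    Event("10.0.0.5", "192.0.2.10", "s2c", "HTTP/1.1 404 Not Found"),
    Event("10.0.0.7", "192.0.2.10", "c2s", "GET /index.html HTTP/1.1"),
    Event("10.0.0.7", "192.0.2.10", "s2c", "HTTP/1.1 200 OK"),
    Event("10.0.0.9", "192.0.2.11", "s2c", "HTTP/1.1 200 OK"),
    Event("10.0.0.5", "192.0.2.10", "c2s", "GET /images/../../../etc/passwd HTTP/1.1"),
    Event("10.0.0.7", "192.0.2.10", "c2s", "GET /../secret HTTP/1.1"),
    Event("10.0.0.5", "192.0.2.10", "s2c", "HTTP/1.1 200 OK"),
    Event("10.0.0.7", "192.0.2.10", "s2c", "HTTP/1.1 403 Forbidden"),
]


def count_stateless(trace: List[Event]) -> int:
    """What a per-message pattern match alerts on: every traversal request."""
    return sum(1 for e in trace if is_traversal_request(e))


def run_demo(trace: List[Event] = SAMPLE_TRACE):
    monitor = SignatureMonitor([TRAVERSAL_CONFIRMED])
    for ev in trace:
        monitor.feed(ev)
    return count_stateless(trace), monitor.stats(), monitor.matches


if __name__ == "__main__":
    stateless, stats, matches = run_demo()
    print("stateless alerts:", stateless)  # 4
    print("stateful occurrences:", stats)  # {'traversal_confirmed': 2}
```

Of the four traversal requests in the trace, only the two that the server answered with 200 complete the machine; the 404 and 403 responses send their flows back to the start state instead of raising an alarm.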
References
Snort: The Open Source Network Intrusion Detection System. http://www.snort.org/.
NFR Security. http://www.nfr.net/.
V. Paxson. Bro: A System for Detecting Network Intruders in Real-Time. Computer Networks, 31(23–24), Dec. 1999, p. 2435–2463.
G. Vigna, S. T. Eckmann, and R. A. Kemmerer. The STAT Tool Suite. In Proceedings of DARPA Information Survivability Conference and Exposition (DISCEX 2000), 2000.
D. Alessandri. Using Rule-Based Activity Descriptions to Evaluate Intrusion-Detection Systems. In Proceedings of International Workshop on the Recent Advances on Intrusion Detection (RAID 2000), 2000.
J. B. D. Cabrera, L. Lewis, X. Qin, W. Lee, R. K. Prasanth, B. Ravichandran, and R. K. Mehra. Proactive Detection of Distributed Denial of Service Attacks using MIB Traffic Variables - a Feasibility Study. In Proceedings of IFIP/IEEE International Symposium on Integrated Management (IM 2001), 2001.
X. Qin, W. Lee, L. Lewis, and J. B. D. Cabrera. Using MIB II Variables for Network Intrusion Detection. Data Mining for Security Applications, Advances in Computer Security. Kluwer Academic Press, March 2002.
X. Qin, W. Lee, L. Lewis, and J. B. D. Cabrera. Integrating Intrusion Detection and Network Management. In Proceedings of IFIP/IEEE Network Operations and Management Symposium (NOMS 2002), 2002, p. 329–344.
L. P. Gaspary, L. F. Balbinot, and L. R. Tarouco. Monitoring High-Layer Protocol Behavior Using the Trace Architecture. In Proceedings of Latin American Network Operation and Management Symposium (LANOMS 2001), 2001, p. 99–110.
D. Levi and J. Schönwälder. Definitions of Managed Objects for the Delegation of Management Scripts. RFC 3165, Aug. 2001.
S. Waldbusser. Remote Network Monitoring Management Information Base Version 2 using SMIv2. RFC 2021, Jan. 1997.
K. Julisch. Dealing with False Positives in Intrusion Detection. In Proceedings of International Workshop on the Recent Advances on Intrusion Detection (RAID 2000), 2000.
R. Kavasseri and B. Stewart. Distributed Management Expression MIB. RFC 2982, Oct. 2000.
R. Kavasseri and B. Stewart. Event MIB. RFC 2981, Oct. 2000.
NET-SNMP. http://net-snmp.sourceforge.net/.
Jasmin - A Script MIB Implementation. http://www.ibr.cs.tu-bs.de/projects/jasmin.
A. Bierman, C. Bucci, and R. Iddon. Remote Network Monitoring MIB Protocol Identifier Reference. RFC 2895, Aug. 2000.
R. Lippmann et al. Evaluating Intrusion Detection Systems: the 1998 DARPA Off-line Intrusion Detection Evaluation. In Proceedings of DARPA Information Survivability Conference and Exposition (DISCEX 2000), 2000.
Tcpreplay. http://sourceforge.net/projects/tcpreplay/.
U. Blumenthal and B. Wijnen. User-based Security Model (USM) for version 3 of the Simple Network Management Protocol (SNMPv3). RFC 2574, Apr. 1999.
B. Wijnen, R. Presuhn, and K. McCloghrie. View-based Access Control Model (VACM) for the Simple Network Management Protocol (SNMP). RFC 2575, Apr. 1999.
© 2003 IFIP International Federation for Information Processing
Cite this chapter
Gaspary, L.P., Meneghetti, E., Tarouco, L.R. (2003). An SNMP Agent for Stateful Intrusion Inspection. In: Goldszmidt, G., Schönwälder, J. (eds) Integrated Network Management VIII. IM 2003. IFIP — The International Federation for Information Processing, vol 118. Springer, Boston, MA. https://doi.org/10.1007/978-0-387-35674-7_1
DOI: https://doi.org/10.1007/978-0-387-35674-7_1
Publisher Name: Springer, Boston, MA
Print ISBN: 978-1-4757-5521-3
Online ISBN: 978-0-387-35674-7
eBook Packages: Springer Book Archive