Implementing IDS Management on Lock-Keeper

  • Feng Cheng
  • Sebastian Roschke
  • Christoph Meinel
Part of the Lecture Notes in Computer Science book series (LNCS, volume 5451)


Intrusion Detection System (IDS) management is an important component for most distributed IDS solutions. One of the main requirements is extensibility, which enables the integration of different types of IDS sensors as well as the deployment in different kinds of environments. Lock-Keeper is a simple implementation of the high level security idea, “Physical Separation”. It works as a sluice to exchange data between two networks without having to establish a direct and physical connection. To enhance the security of the Lock-Keeper system itself, it is necessary to deploy IDS sensors on Lock-Keeper components. This paper proposes an extensible IDS management architecture, which can be easily integrated on the special hardware platform of Lock-Keeper. Unified interface and communication between different integrated IDS sensors are designed using the known IDS standard, IDMEF, and realized as several kinds of plugins, such as handlers, receivers, and senders. A prototype of implementation is presented and some practical experiments are carried out to show the extensibility and applicability of the proposed architecture.


Intrusion Detection Anomaly Detection Intrusion Detection System Distribute Hash Table Network Intrusion Detection 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Snort IDS Website (1998-2009),
  2. 2.
    Samhain IDS Website (2001-2009),
  3. 3.
    Bro IDS Website (2003-2009),
  4. 4.
    F-Secure Linux Security Website F-Secure Corporation (2006-2009),
  5. 5.
    Prelude IDS Website: PreludeIDS Technologies (2005-2009),
  6. 6.
    Hallaraker, O., Vigna, G.: Detecting malicious javascript code in mozilla. In: Proceedings of the 10th IEEE International Conference on Engineering of Complex Computer Systems, ICECCS 2005, Washington, DC, USA, pp. 85–94 (2005)Google Scholar
  7. 7.
    Mahoney, M.V., Chan, P.K.: An analysis of the 1999 dARPA/Lincoln laboratory evaluation data for network anomaly detection. In: Vigna, G., Krügel, C., Jonsson, E. (eds.) RAID 2003. LNCS, vol. 2820, pp. 220–237. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  8. 8.
    Ramadas, M., Ostermann, S., Tjaden, B.C.: Detecting anomalous network traffic with self-organizing maps. In: Vigna, G., Krügel, C., Jonsson, E. (eds.) RAID 2003. LNCS, vol. 2820, pp. 36–54. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  9. 9.
    Northcutt, S., Novak, J.: Network Intrusion Detection: An Analyst’s Handbook. New Riders Publishing, Thousand Oaks (2002)Google Scholar
  10. 10.
    Brumley, D., Newsome, J., Song, D., et al.: Towards automatic generation of vulnerability-based signatures. In: Proceedings of the, IEEE Symposium on Security and Privacy, SP 2006, Washington, DC, USA, pp. 2–16 (2006)Google Scholar
  11. 11.
    Leung, K., Leckie, C.: Unsupervised anomaly detection in network intrusion detection using clusters. In: Proceedings of the 28th Australasian conference on Computer Science, ACSC 2005, Darlinghurst, Australia, pp. 333–342 (2005)Google Scholar
  12. 12.
    Debar, H., Curry, D., Feinstein, B.: The Intrusion Detection Message Exchange Format, Internet Draft. Technical Report, IETF Intrusion Detection Exchange Format Working Group (July 2004)Google Scholar
  13. 13.
    Cheng, F., Meinel, C.: Research on the Lock-Keeper Technology: Architectures, Applications and Advancements. International Journal of Computer and Information Science 5(3), 236–245 (2004)Google Scholar
  14. 14.
    Lock-Keeper Website (2003-2009),
  15. 15.
    Cheng, F., Meinel, C.: Lock-Keeper: A new implementation of physical separation technology. In: Paulus, S., Pohlmann, N., Reimer, H. (eds.) Securing Electronic Business Processes: Highligths of the Information Security Solutions Europe Conference, ISSE 2006, pp. 275–286. Friedrich Vieweg & Sohn Verlag (2006)Google Scholar
  16. 16.
    Claudino, E.C., Abdelouahab, Z., Teixeira, M.M.: Management and integration of information in intrusion detection system: Data integration system for IDS based multi-agent systems. In: Proceedings of the 2006 IEEE/WIC/ACM international conference on Web Intelligence and Intelligent Agent Technology, WI-IATW 2006, Washington, DC, USA, pp. 49–52 (2006)Google Scholar
  17. 17.
    Derrick, E.J., Tibbs, R.W., Reynolds, L.L.: Investigating new approaches to data collection, management and analysis for network intrusion detection. In: Proceedings of the 45th Annual Southeast Regional Conference, SE 2007, New York, USA, pp. 283–287 (2007)Google Scholar
  18. 18.
    Zhou, C.V., Karunasekera, S., Leckie, C.: Evaluation of a decentralized architecture for large scale collaborative intrusion detection. In: Proceedings of the 10th IFIP/IEEE International Symposium on Integrated Network Management, IM 2007, Munich, Germany, pp. 80–89 (2007)Google Scholar
  19. 19.
    Yu, J., Reddy, Y.V.R., Selliah, S., et al.: TRINETR: An intrusion detection alert management system. In: Proceedings of the 13th IEEE International Workshops on Enabling Technologies: Infrastructure for Collaborative Enterprises, WETICE 2004, Washington, DC, USA, pp. 235–240 (2004)Google Scholar
  20. 20.
    Intelligent Application Gateway (IAG) Website: Microsoft Corporation (2006-2009),
  21. 21.
    Kang, M.H., Moskowitz, I.S.: A pump for rapid, reliable, secure communication. In: Proceedings of the 1st ACM Conference on Computer and Communications Security, CCS 1993, New York, USA, pp. 119–129 (1993)Google Scholar
  22. 22.
    Menoher, J.: Owl computing product overview: Secure one-way data transfer systems. White Paper, Owl Computing Technologies, Inc. (2008)Google Scholar
  23. 23.
    Nmap Security Scanner Website (1997-2008),
  24. 24.
    Moore, D., Shannon, C., Brown, D.J., et al.: Inferring internet denial-of-service activity. ACM Transactions on Computer Systems (TOCS) 24(2), 115–139 (2006)CrossRefGoogle Scholar
  25. 25.
    The Anti-Virus or Anti-Malware Test File: European Institute for Computer Antivirus Research (EICAR) (2008),

Copyright information

© Springer-Verlag Berlin Heidelberg 2009

Authors and Affiliations

  • Feng Cheng
    • 1
  • Sebastian Roschke
    • 1
  • Christoph Meinel
    • 1
  1. 1.Hasso Plattner Institute (HPI)University of PotsdamPotsdamGermany

Personalised recommendations