Abstraction-based intrusion detection in distributed environments
Full text: PDF (591 KB)
Source: ACM Transactions on Information and System Security (TISSEC), Volume 4, Issue 4 (November 2001)
Pages: 407-452
Year of Publication: 2001
ISSN: 1094-9224
Authors:
Peng Ning, North Carolina State University, Raleigh, NC
Sushil Jajodia, George Mason University, Fairfax, VA
Xiaoyang Sean Wang, George Mason University, Fairfax, VA
Publisher: ACM, New York, NY, USA
Bibliometrics: Downloads (6 Weeks): 30; Downloads (12 Months): 289; Citation Count: 8
DOI: http://doi.acm.org/10.1145/503339.503342

ABSTRACT

Abstraction is an important issue in intrusion detection, since it not only hides the differences among heterogeneous systems but also allows generic intrusion-detection models. However, abstraction is an error-prone process and is not well supported in current intrusion-detection systems (IDSs). This article presents a hierarchical model to support attack specification and event abstraction in distributed intrusion detection. The model involves three concepts: system view, signature, and view definition. A system view provides an abstract interface to a particular type of information; a signature, defined on instances of system views, specifies the distributed attacks or events to be monitored; a view definition is then used to derive information from the matches of a signature and to present it through a system view. With these three elements, the model provides a hierarchical framework for maintaining signatures and system views as well as for event abstraction. As a benefit, the model allows generic signatures that can accommodate unknown variants of known attacks. Moreover, the abstraction represented by a system view can be updated without changing either its specification or the signatures defined on it. The article then presents a decentralized method by which autonomous but cooperative component systems detect distributed attacks specified by signatures. Specifically, a signature is decomposed into finer units, called detection tasks, each of which represents the activity to be monitored on one component system. The component systems involved in a signature then perform the detection tasks cooperatively according to the "dependency" relationships among these tasks. An experimental system called CARDS has been implemented to test the feasibility of the proposed approach.


REVIEW

Reviewer: Anthony Donald Vanker

A new model for creating distributed intrusion detection systems is presented in this paper. The model uses three concepts: system views, signatures, and view definitions. The system view provides an abstract representation of a specific kind of i...
