RAAS: a reliable analyzer and archiver for snort intrusion detection system
Source: Proceedings of the 2007 ACM Symposium on Applied Computing, Seoul, Korea
Session: Computer security
Pages: 259-263
Year of Publication: 2007
ISBN: 1-59593-480-4
Authors
Mahboobeh Soleimani  IPM, Tehran, Iran
Ehsan Khosrowshahi Asl  IPM, Tehran, Iran
Mina Doroud  IPM, Tehran, Iran
Morteza Damanafshan  IPM, Tehran, Iran
Akbar Behzadi  IPM, Tehran, Iran
Maghsoud Abbaspour  IPM, Tehran, Iran and Shahid Beheshti University, Tehran, Iran
Sponsor
SIGAPP: ACM Special Interest Group on Applied Computing
Publisher
ACM  New York, NY, USA
DOI: http://doi.acm.org/10.1145/1244002.1244067
ABSTRACT

A primary challenge in IDS alert analysis is controlling and archiving the huge volume of alerts that is triggered mainly during attack periods. We have developed a self-adaptive control mechanism that archives the alerts generated by Snort in a well-formed, abstracted format. An appropriate hashing technique, together with a fully automated time-based hierarchical archiving approach, is used to this end. The developed system prevents the Snort database from growing uncontrollably and unexpectedly. Results from experiments and test cases show that, especially in critical attack situations, the system answers queries in a reasonable amount of time. The analyzer with the new archiving approach also compresses the generated alerts effectively and generates statistical reports quickly. The system is platform independent, can be deployed on mid-range servers and workstations, and does not require a high degree of security expertise to operate.
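The abstract describes three ingredients (an abstracted alert format, a hash over it, and time-based hierarchical buckets) without giving the paper's actual algorithm. The following is an added illustration of that kind of mechanism, written for this page; it is not RAAS code and does not claim to reproduce the authors' design. The choice of fields kept in the abstracted record (drops the ephemeral source port and sub-second timestamp), the use of truncated SHA-256 as the aggregation key, and the day/hour bucket granularity are all assumptions made here. The sample alert lines are constructed in Snort's alert_fast format and are not taken from the paper.

```python
"""Illustrative alert abstraction, hashing and time-bucketed archiving for Snort alert_fast output.

Added example for this page; not the RAAS implementation. Field selection,
hash choice and bucket granularity are assumptions, not the paper's design.
"""
import hashlib
import re
from typing import Dict, Optional, Tuple

# Constructed sample of Snort "alert_fast" lines (not data from the paper).
# Three SSH-scan alerts from one host differ only in source port and time.
SAMPLE_ALERTS = """\
08/28-12:34:56.789012  [**] [1:2001219:20] ET SCAN Potential SSH Scan [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.1.5:54321 -> 10.0.0.2:22
08/28-12:34:57.012345  [**] [1:2001219:20] ET SCAN Potential SSH Scan [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.1.5:54322 -> 10.0.0.2:22
08/28-12:59:01.000001  [**] [1:2001219:20] ET SCAN Potential SSH Scan [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.1.5:54400 -> 10.0.0.2:22
08/28-13:02:10.500000  [**] [1:1000001:1] LOCAL ICMP ping sweep [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.1.9 -> 10.0.0.2
08/29-02:15:00.000000  [**] [1:2001219:20] ET SCAN Potential SSH Scan [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.7:40000 -> 10.0.0.2:22
"""

# alert_fast layout: "MM/DD-HH:MM:SS.ffffff  [**] [gid:sid:rev] msg [**] [Classification: ...] [Priority: n] {PROTO} src[:port] -> dst[:port]"
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$"
)


def parse_alert(line: str) -> Optional[dict]:
    """Return the named fields of one alert_fast line, or None if it does not parse."""
    m = ALERT_RE.match(line.strip())
    return m.groupdict() if m else None


def abstract_key(alert: dict) -> str:
    """Hash the abstracted alert (assumed field set: gid, sid, proto, src, dst, dport).

    Source port and sub-second time are deliberately excluded so a scan that
    fires thousands of alerts against one target collapses to one row per
    time bucket. SHA-256 truncated to 128 bits keeps accidental collisions
    between distinct tuples negligible at any realistic alert volume.
    """
    fields = (alert["gid"], alert["sid"], alert["proto"],
              alert["src"], alert["dst"], alert["dport"] or "")
    return hashlib.sha256("|".join(fields).encode()).hexdigest()[:32]


def archive(text: str) -> Dict[str, Dict[str, Dict[str, dict]]]:
    """Build a day -> hour -> key -> record tree; repeats of a key in an hour only bump a counter."""
    tree: Dict[str, Dict[str, Dict[str, dict]]] = {}
    for line in text.splitlines():
        a = parse_alert(line)
        if a is None:
            continue  # malformed or non-alert line: skip it rather than abort the whole run
        day, clock = a["ts"].split("-", 1)
        hour = clock[:2]
        bucket = tree.setdefault(day, {}).setdefault(hour, {})
        key = abstract_key(a)
        rec = bucket.get(key)
        if rec is None:
            bucket[key] = {"sid": a["sid"], "msg": a["msg"], "proto": a["proto"],
                           "src": a["src"], "dst": a["dst"], "dport": a["dport"],
                           "count": 1, "first": a["ts"], "last": a["ts"]}
        else:
            rec["count"] += 1
            rec["last"] = a["ts"]
    return tree


def daily_report(tree: Dict[str, Dict[str, Dict[str, dict]]], day: str) -> Dict[str, dict]:
    """Roll the hour buckets of one day up to a single count per abstracted alert."""
    totals: Dict[str, dict] = {}
    for bucket in tree.get(day, {}).values():
        for key, rec in bucket.items():
            t = totals.setdefault(key, {"sid": rec["sid"], "msg": rec["msg"],
                                        "src": rec["src"], "count": 0})
            t["count"] += rec["count"]
    return totals


def summarize(text: str) -> Tuple[int, int]:
    """Return (raw alert lines, archived rows) to show how much the abstraction compresses."""
    raw = sum(1 for ln in text.splitlines() if ln.strip())
    tree = archive(text)
    stored = sum(len(bucket) for hours in tree.values() for bucket in hours.values())
    return raw, stored


if __name__ == "__main__":
    tree = archive(SAMPLE_ALERTS)
    for day in sorted(tree):
        for key, rec in daily_report(tree, day).items():
            print(day, key, rec["sid"], rec["src"], rec["count"], rec["msg"])
    print("raw/stored:", summarize(SAMPLE_ALERTS))
```

The point of the hourly bucket is that it bounds what a query has to touch: a report for one day walks at most 24 buckets of deduplicated rows instead of every raw alert, and an ageing policy can drop or roll up old buckets without a full-table scan. Anything not captured in the abstracted tuple (here, the source port and exact timestamp, apart from first and last seen) is lost at archive time, so the field set must be chosen with the later forensic questions in mind.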

