Investigating the Benefits of Using Multiple Intrusion-Detection Sensors
Paper in proceedings, 2008

Most intrusion detection systems (IDSs) available today use a single audit source for detection, even though an attack manifests itself differently in different parts of the system. Previously, we explored the benefits of combining several sensors that monitor different audit sources to improve the detection of attacks. In this paper we go one step further and investigate possible synergistic effects of actively sharing information between distinct intrusion detection sensors that take their events from isolated audit sources. We present four scenarios showing how the function of one IDS, measured as false-alarm rate, resource consumption, or attack response, can be improved by giving it access to information collected and analyzed by another IDS. Based on these four scenarios, we generalize our findings and outline the necessary properties of a sensor communication framework for multiple IDSs. Our focus is on cooperation between IDSs, but we also touch on response techniques.
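The abstract's central claim, that a sensor fed from one audit source can sharpen its verdict using what a sensor on another audit source saw, is illustrated by the added example below. It is not code from the paper and does not reproduce its four scenarios, which are not on this page; it is a generic correlation engine written for this entry. It assumes a network IDS that raises web-attack alerts and a host IDS that publishes file-open, process-exec and HTTP-status events; the event fields, the two-second correlation window, the webroot path and the sample events are all constructed assumptions.

```python
"""Added illustration of cross-sensor IDS cooperation (not the paper's code).

A network sensor raises an alert from packet/HTTP data; a host sensor on the
target publishes audit events (file opens, execs, HTTP status codes) to a
shared channel. The correlation step uses the host evidence to confirm,
suppress (false alarm) or leave unconfirmed the network alert, and to pick a
response. All names, thresholds and sample data are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List

WEBROOT = "/var/www/"          # assumed document root on the monitored host


@dataclass
class NetAlert:                # produced by the network IDS
    ts: float
    src_ip: str
    dst_host: str
    signature: str             # e.g. "web-attack: path traversal"
    target_path: str


@dataclass
class HostEvent:               # produced by the host IDS on dst_host
    ts: float
    host: str
    proc: str
    action: str                # "open" | "exec" | "http_status"
    detail: str                # path, command, or status code


class CorrelationEngine:
    """Joins network alerts with host events from the same host and time window."""

    def __init__(self, window_s: float = 2.0):
        self.window_s = window_s
        self.host_events: List[HostEvent] = []   # the shared channel

    def publish(self, ev: HostEvent) -> None:
        """Host sensor pushes an event into the shared channel."""
        self.host_events.append(ev)

    def related(self, alert: NetAlert) -> List[HostEvent]:
        """Host events on the alert's target within window_s after the alert."""
        return [e for e in self.host_events
                if e.host == alert.dst_host and 0 <= e.ts - alert.ts <= self.window_s]

    def assess(self, alert: NetAlert) -> Dict[str, object]:
        ev = self.related(alert)
        # Confirming evidence: the server touched a file outside the webroot
        # or spawned a process, which a benign request should never do.
        confirming = [f"{e.action}:{e.detail}" for e in ev
                      if (e.action == "open" and not e.detail.startswith(WEBROOT))
                      or e.action == "exec"]
        if confirming:
            return {"verdict": "confirmed",
                    "response": "raise host audit level; block src_ip",
                    "evidence": confirming}
        # Exonerating evidence: the request was rejected and nothing sensitive
        # was opened, so the network-only signature match is a false alarm.
        rejected = [f"{e.action}:{e.detail}" for e in ev
                    if e.action == "http_status" and e.detail in ("403", "404")]
        if rejected:
            return {"verdict": "suppressed", "response": "none", "evidence": rejected}
        # No host evidence either way: keep the alert at its original priority.
        return {"verdict": "unconfirmed", "response": "keep alert", "evidence": []}


def run_demo() -> List[str]:
    """Three constructed alerts against constructed host evidence."""
    eng = CorrelationEngine()
    # Constructed host audit events for host web01.
    eng.publish(HostEvent(10.4, "web01", "httpd", "open", "/etc/passwd"))
    eng.publish(HostEvent(20.3, "web01", "httpd", "open", WEBROOT + "html/index.html"))
    eng.publish(HostEvent(20.5, "web01", "httpd", "http_status", "404"))
    alerts = [
        NetAlert(10.0, "198.51.100.7", "web01", "path traversal", "/../../etc/passwd"),
        NetAlert(20.0, "198.51.100.8", "web01", "path traversal", "/../../etc/shadow"),
        NetAlert(30.0, "198.51.100.9", "web01", "path traversal", "/../../etc/hosts"),
    ]
    return [str(eng.assess(a)["verdict"]) for a in alerts]


if __name__ == "__main__":
    print(run_demo())   # ['confirmed', 'suppressed', 'unconfirmed']
```

The three outcomes correspond to the three ways the abstract says one sensor's information can help another: a confirmed alert drives a response on the host sensor, a suppressed alert lowers the network sensor's false-alarm rate, and an unconfirmed alert is left untouched so that the absence of a second audit source never silently degrades detection.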

IDS cooperation

IDS response

intrusion detection


Magnus Almgren

Chalmers, Computer Science and Engineering (Chalmers), Computer Engineering (Chalmers)

Erland Jonsson

Chalmers, Computer Science and Engineering (Chalmers), Computer Engineering (Chalmers)

The 13th Nordic Workshop on Secure IT-systems. Published by the Technical University of Denmark.

1601-2321 (ISSN)


Subject Categories

Other Computer and Information Science
