Investigating the Benefits of Using Multiple Intrusion-Detection Sensors
Paper in proceedings, 2008

Most intrusion detection systems (IDSs) available today use a single audit source for detection, even though attacks have distinct manifestations in different parts of the system. Previously, we have explored the benefits of combining several sensors monitoring different audit sources to improve the detection of attacks. In this paper we go one step further and investigate possible synergistic effects of actively sharing information between distinct intrusion detection sensors that take events from isolated audit sources. We present four scenarios showing how the function of one IDS, measured as false alarm rate, performance in terms of resources used, or attack response, can be improved by having access to information collected and analyzed by another IDS. Based on these four scenarios, we then generalize our findings and outline the necessary properties of a sensor communication framework for multiple IDSs. Our focus is on cooperation between IDSs, but we also touch on response techniques.

IDS cooperation

intrusion detection

IDS response

Authors

Magnus Almgren

Chalmers, Data- och informationsteknik, Datorteknik

Erland Jonsson

Chalmers, Data- och informationsteknik, Datorteknik

The 13th Nordic Workshop on Secure IT-systems. Published by the Technical University of Denmark.

1601-2321 (ISSN)

13-26

Subject categories

Other Computer and Information Science