
Abstraction-based intrusion detection in distributed environments

Posted on: 2002-02-03 | Degree: Ph.D | Type: Dissertation
University: George Mason University | Candidate: Ning, Peng | Full Text: PDF
GTID: 1468390011990219 | Subject: Computer Science
Abstract/Summary:
Several approaches have been proposed to scale intrusion detection systems (IDSs) up to large distributed systems. However, two intrinsic aspects of large distributed systems are often overlooked: (1) large distributed systems are usually heterogeneous, and (2) the component systems are often autonomous. Ignoring these aspects can make the IDSs rather restrictive and even unable to protect the systems they are designed to protect. This dissertation proposes an abstraction-based approach to address these issues. Specifically, a concept called system view is introduced: on the one hand, system views hide the differences between heterogeneous systems; on the other hand, they describe what information an autonomous system is willing to provide to other systems.

This dissertation further studies two problems in depth. The first problem is how to enable an IDS to request specific information from another IDS. To address this problem, this dissertation proposes to represent a request for an IDS as a pattern plus a transformation rule, where the pattern specifies the events that the requesting party is interested in and the transformation rule extracts the interesting information from those events. This approach is used to add a query facility to the Common Intrusion Detection Framework (CIDF). This work advances the state of the art of intrusion detection by enabling an IDS to form flexible requests for other systems.

The second problem is how to coordinate different IDSs to correlate distributed events. This dissertation proposes to represent the event correlation to be performed as a pattern (called a signature) among distributed events. A novel, decentralized method is then presented for autonomous but cooperative IDSs to perform the event correlation specified by signatures. Specifically, a signature is decomposed into finer units called detection tasks, each of which represents the activity to be monitored in one place. The IDSs involved in a signature then perform the detection tasks cooperatively according to the "dependency" relationships among these tasks.
Our approach is superior to the existing centralized or hierarchical approaches in that (1) communication is more efficient by having different IDSs communicate with each other only when necessary and (2) no centralized or hierarchical trust is required (trust is also decentralized in our approach). As an important application of distributed event correlation, this approach can be used to represent and detect distributed (or coordinated) attacks that cannot be detected from a single place. An experimental system called CARDS has been implemented to test the feasibility of the proposed approaches.
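The following is an added illustration of the two ideas above (system views over heterogeneous logs, and a signature decomposed into detection tasks that autonomous IDSs execute cooperatively along their dependency relationships). It is example code written for this page, not code from CARDS or the dissertation. The log formats, task names, field names and the "probe followed by failed login" signature are all constructed for the demonstration. Each simulated IDS holds only its own events, sends a message only when a task it owns completes, and sends it only to the peer that owns the dependent task; the transformation rule (`export`) controls which attributes leave the sending site, which is the system-view notion of exposing only what a site is willing to share.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

Event = Dict[str, str]


# --- System views: normalize each site's native format into abstract events. ---
# Both formats are hypothetical, constructed for this example.
def view_syslog(line: str) -> Optional[Event]:
    """e.g. 'sshd FAILED src=10.0.0.5 user=root' -> {'kind': 'auth_failed', 'src': ..., 'user': ...}"""
    parts = line.split()
    if len(parts) >= 2 and parts[0] == "sshd":
        ev: Event = {"kind": "auth_" + parts[1].lower()}
        ev.update(p.split("=", 1) for p in parts[2:])
        return ev
    return None


def view_fw(line: str) -> Optional[Event]:
    """e.g. 'FW|deny|10.0.0.5|22' -> {'kind': 'fw_deny', 'src': '10.0.0.5', 'dport': '22'}"""
    f = line.split("|")
    if len(f) == 4 and f[0] == "FW":
        return {"kind": "fw_" + f[1], "src": f[2], "dport": f[3]}
    return None


@dataclass
class DetectionTask:
    name: str
    site: str                                    # the IDS that monitors this task
    kind: str                                    # abstract event kind to watch for
    export: Callable[[Event], Dict[str, str]]    # transformation rule: attributes forwarded onward
    depends_on: Optional[str] = None             # task that must complete before this one
    join: Callable[[Dict[str, str], Event], bool] = lambda ctx, ev: True  # link to the context


@dataclass
class Signature:
    name: str
    tasks: List[DetectionTask]

    def task(self, name: str) -> DetectionTask:
        return next(t for t in self.tasks if t.name == name)

    def successors(self, name: str) -> List[DetectionTask]:
        return [t for t in self.tasks if t.depends_on == name]


class IDS:
    """An autonomous IDS: local events only, no central correlator, peer-to-peer forwarding."""

    def __init__(self, name: str, view: Callable[[str], Optional[Event]]):
        self.name, self.view = name, view
        self.events: List[Event] = []                       # local event buffer
        self.contexts: Dict[str, List[Dict[str, str]]] = {}  # task -> contexts received from peers
        self.alerts: List[Dict[str, str]] = []
        self.messages_sent = 0
        self.peers: Dict[str, "IDS"] = {}
        self.signature: Optional[Signature] = None

    def ingest(self, line: str) -> None:
        ev = self.view(line)
        if ev is None or self.signature is None:
            return
        self.events.append(ev)
        for t in self.signature.tasks:
            if t.site != self.name or t.kind != ev["kind"]:
                continue
            if t.depends_on is None:                         # root task: fires on the local event alone
                self._complete(t, t.export(ev))
            else:                                            # dependent task: needs a forwarded context
                for ctx in self.contexts.get(t.name, []):
                    if t.join(ctx, ev):
                        self._complete(t, {**ctx, **t.export(ev)})

    def receive(self, task_name: str, ctx: Dict[str, str]) -> None:
        """A peer reports that the predecessor task completed; check buffered local events too."""
        self.contexts.setdefault(task_name, []).append(ctx)
        t = self.signature.task(task_name)
        for ev in self.events:
            if ev["kind"] == t.kind and t.join(ctx, ev):
                self._complete(t, {**ctx, **t.export(ev)})

    def _complete(self, task: DetectionTask, ctx: Dict[str, str]) -> None:
        succ = self.signature.successors(task.name)
        if not succ:
            self.alerts.append(ctx)                          # last task in the chain: raise the alert
            return
        for s in succ:                                       # communicate only when necessary, only to the owner
            self.messages_sent += 1
            self.peers[s.site].receive(s.name, ctx)


def run_demo():
    sig = Signature("probe_then_failed_login", [
        DetectionTask("probe", "fw", "fw_deny", export=lambda ev: {"src": ev["src"]}),
        DetectionTask("login_fail", "host", "auth_failed",
                      export=lambda ev: {"user": ev["user"]},
                      depends_on="probe",
                      join=lambda ctx, ev: ev.get("src") == ctx["src"]),
    ])
    fw, host = IDS("fw", view_fw), IDS("host", view_syslog)
    for ids in (fw, host):
        ids.signature, ids.peers = sig, {"fw": fw, "host": host}
    stream = [  # constructed sample logs, in arrival order
        (fw, "FW|deny|10.0.0.5|22"),                    # probe: fw forwards {"src": 10.0.0.5} to host
        (fw, "FW|allow|10.0.0.9|443"),                  # uninteresting: no message is sent
        (host, "sshd FAILED src=10.0.0.5 user=root"),   # joins with the forwarded context -> alert
        (host, "sshd FAILED src=10.0.0.7 user=bob"),    # no probe seen for .7 -> nothing
        (host, "sshd FAILED src=10.0.0.8 user=admin"),  # buffered locally for now
        (fw, "FW|deny|10.0.0.8|23"),                    # late probe: host matches it against its buffer
        (host, "sshd ACCEPTED src=10.0.0.9 user=alice"),
    ]
    for ids, line in stream:
        ids.ingest(line)
    return host.alerts, fw.messages_sent, host.messages_sent


if __name__ == "__main__":
    print(run_demo())
```

The point to take from the demo is what is not there: no site ships its raw log to a collector, the firewall sends exactly one message per completed probe task and nothing for traffic the signature does not mention, and the host never learns anything about the firewall beyond the attributes the transformation rule chose to export.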
Keywords/Search Tags: Intrusion detection, Distributed, IDS