
Self-stability Of Intrusion Detection Response System

Posted on: 2009-01-12
Degree: Master
Type: Thesis
Country: China
Candidate: Z M Zhang
Full Text: PDF
GTID: 2178360245495655
Subject: Systems analysis and integration
Abstract/Summary:
With the rapid increase of network bandwidth, the number of alerts generated by intrusion detection systems grows every day. Alert resolution has become a heavy overhead, and the delay between alert generation and alert resolution has grown longer and longer, with the unwanted result that attackers now have more time to exploit vulnerabilities and complete attacks before being stopped. Therefore, besides intrusion detection, the overall computer security protection framework needs an automatic response mechanism to better protect computers and their associated networks.

Most intrusion detection and automatic response research emphasizes improving the accuracy of the detection result, because automatic response mechanisms rely on that result to respond correctly. However, the possibility of incorrect detection always exists, and improving the response mechanism so that it can recover from incorrect responses is a promising direction for resolving the problem of imperfect detection results.

In this study, we apply the self-stabilization concept to a firewall-based automatic response mechanism. On one hand, this adds flexibility to the application of firewall policy; on the other hand, by eliminating inappropriate or redundant firewall policies, it also lowers the load on the firewall. We implement a prototype of the self-stabilized intrusion detection and automatic response system with Snort_inline. Snort_inline is basically a modified version of Snort that accepts packets from iptables and IPFW via libipq (Linux) or divert sockets (FreeBSD) instead of libpcap. It then uses new rule types (drop, sdrop, reject) to tell iptables or IPFW whether a packet should be dropped, rejected, modified, or allowed to pass, based on a Snort rule set. (iptables is the userspace command-line program used to configure the Linux 2.4.x and 2.6.x IPv4 packet filtering ruleset. It is targeted towards system administrators. Since Network Address Translation is also configured from the packet filter ruleset, iptables is used for this, too.) Think of this as an Intrusion Prevention System (IPS) that uses existing Intrusion Detection System (IDS) signatures to make decisions on packets that traverse snort_inline. The target is a system that is able to correct itself from incorrect application of firewall policies and is therefore self-stabilizing.
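The abstract describes a response mechanism that must recover from incorrect firewall policies and shed redundant ones. The following toy model, added here as an illustration and not the thesis's Snort_inline prototype, shows the two self-stabilizing behaviours in isolation: every block rule created in response to an alert carries an expiry, a retraction undoes the response to an alert later judged incorrect, and a stabilization pass removes expired rules and rules made redundant by another rule that matches at least as much traffic for at least as long. The alert sequence, the rule shape (source network plus optional TCP destination port) and the time-to-live values are all constructed assumptions; the iptables command lines are rendered as strings only and never executed.

```python
"""
Toy model of a self-stabilizing, firewall-based automatic response table.
Added illustration only (not the thesis's implementation). Assumptions:
a response is a block rule (source network, optional TCP destination port)
with an expiry; alerts add rules; a retraction models an alert later judged
incorrect; a stabilization pass drops expired rules and rules made redundant
by a rule that matches at least as much traffic for at least as long.
"""
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Optional


@dataclass
class BlockRule:
    alert_id: str
    src: IPv4Network
    dst_port: Optional[int]   # None means any TCP destination port
    expires: float            # absolute time on the same clock as `now` below

    def covers(self, other: BlockRule) -> bool:
        """True if every packet matched by `other` is also matched by self."""
        port_ok = self.dst_port is None or self.dst_port == other.dst_port
        return port_ok and self.src.supernet_of(other.src)

    def matches(self, src: IPv4Address, dst_port: int) -> bool:
        return src in self.src and self.dst_port in (None, dst_port)

    def to_iptables(self) -> str:
        """Render as an iptables command (string only; nothing is executed)."""
        port = f" --dport {self.dst_port}" if self.dst_port is not None else ""
        return f"iptables -A FORWARD -s {self.src} -p tcp{port} -j DROP"


class ResponseTable:
    def __init__(self) -> None:
        self.rules: list[BlockRule] = []

    def apply_alert(self, alert_id: str, src_cidr: str, dst_port: Optional[int],
                    now: float, ttl: float) -> BlockRule:
        """Respond to an IDS alert by adding a time-limited block rule."""
        rule = BlockRule(alert_id, IPv4Network(src_cidr), dst_port, now + ttl)
        self.rules.append(rule)
        return rule

    def retract(self, alert_id: str) -> int:
        """Undo the response to an alert later judged incorrect; return count removed."""
        before = len(self.rules)
        self.rules = [r for r in self.rules if r.alert_id != alert_id]
        return before - len(self.rules)

    @staticmethod
    def _dominates(o: BlockRule, j: int, r: BlockRule, i: int) -> bool:
        """o makes r redundant: o matches a superset of r's traffic and outlives it.
        Rules matching exactly the same traffic keep the longer-lived one (ties:
        the earlier-inserted one), so a pair can never remove each other."""
        if not o.covers(r):
            return False
        if r.covers(o):
            return (o.expires, -j) > (r.expires, -i)
        return o.expires >= r.expires

    def stabilize(self, now: float) -> list[tuple[str, str]]:
        """Remove expired and redundant rules; return (alert_id, reason) pairs."""
        removed = [(r.alert_id, "expired") for r in self.rules if r.expires <= now]
        live = [r for r in self.rules if r.expires > now]
        kept = []
        for i, r in enumerate(live):
            if any(self._dominates(o, j, r, i) for j, o in enumerate(live) if j != i):
                removed.append((r.alert_id, "redundant"))
            else:
                kept.append(r)
        self.rules = kept
        return removed

    def is_blocked(self, src: str, dst_port: int, now: float) -> bool:
        ip = IPv4Address(src)
        return any(r.expires > now and r.matches(ip, dst_port) for r in self.rules)


def run_scenario() -> dict:
    """Constructed alert sequence exercising redundancy removal, retraction and expiry."""
    t = ResponseTable()
    t.apply_alert("A1", "10.0.0.5/32", 22, now=0, ttl=60)
    t.apply_alert("A2", "10.0.0.0/24", None, now=0, ttl=120)  # broader and longer-lived
    t.apply_alert("A3", "10.0.0.5/32", 22, now=0, ttl=30)     # same match as A1, shorter
    out = {"removed_first_pass": t.stabilize(now=10)}         # A1 and A3 are redundant
    out["iptables"] = [r.to_iptables() for r in t.rules]
    out["blocked_after_pass"] = t.is_blocked("10.0.0.5", 22, now=10)
    out["unrelated_blocked"] = t.is_blocked("10.0.1.7", 22, now=10)
    t.apply_alert("A4", "192.0.2.9/32", 80, now=10, ttl=60)
    out["retracted"] = t.retract("A4")                        # A4 judged a false positive
    out["blocked_after_retract"] = t.is_blocked("192.0.2.9", 80, now=10)
    out["removed_after_expiry"] = t.stabilize(now=130)        # A2 has expired by now
    out["rules_left"] = len(t.rules)
    return out


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

The model deliberately keeps a single covering rule rather than merging alert ids: retracting the broad rule A2 would also drop the protection that A1 originally justified, which is the kind of trade-off a real self-stabilizing response policy has to decide explicitly.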
Keywords/Search Tags: Automatic Response, Intrusion Detection, Firewall Policy