An SNMP agent for stateful intrusion inspection

Intrusion detection systems (IDS) have been increasingly used in organizations, in addition to other security mechanisms, to detect intrusions to systems and networks. In the recent years several IDS have been released, but (a) the high number of false alarms generated, (b) the lack of a high-level...

Full description

Saved in:
Bibliographic Details
Main Authors: Gaspary, L.P., Meneghetti, E., Tarouco, L.R.
Format: Conference Proceeding
Language:English
Subjects:
Computer crime
Condition monitoring
Inspection
Intrusion detection
Protocols
Specification languages
Statistical analysis
Statistics
Telecommunication traffic
Online Access:Request full text
Tags: Add Tag
No Tags, Be the first to tag this record!
Description
Summary:Intrusion detection systems (IDS) have been increasingly used in organizations, in addition to other security mechanisms, to detect intrusions to systems and networks. In the recent years several IDS have been released, but (a) the high number of false alarms generated, (b) the lack of a high-level notation for attack signature specification, and (c) the difficulty to integrate IDS with existing network management infrastructure hinder their widespread and efficient use. In this paper we address these problems by presenting an SNMP agent for stateful intrusion inspection. By using a state machine-based language called PTSL (Protocol Trace Specification Language), the network manager can describe attack signatures that should be monitored. The signatures to be used by the agent are configured by the network manager through the IETF Script MIB. Once programmed, the agent starts monitoring the occurrence of the signatures on the network traffic and stores statistics, according to their occurrence, in an extended RMON2 MIB. These statistics may be retrieved from any SNMP-based management application and can be used to accomplish signature-based analysis. The paper also describes two experiments that have been carried out with the agent to assess its performance and to demonstrate its effectiveness in terms of false alarm generation rates.
DOI:10.1109/INM.2003.1194156