An Advanced IDS Management Architecture

Efficient Intrusion Detection System (IDS) management is a prominent capability for distributed IDS solutions, which makes it possible to integrate and handle different types of sensors or collect and synthesize alerts generated from multiple hosts located in a loosely coupled environment. Extensibility is the main requirement for most of IDS management systems. The concept of virtualization has been introduced into many popular IDS implementations due to the advantage on isolation and fast recovery in case of being compromised. Advanced capability for combining these newly emerged Virtual Machine (VM) based IDS approaches is another requirement for IDS management. This paper proposes an advanced IDS management architecture based on a new design of the Event Gatherer and the combination with the Virtual Machine Monitor (VMM). By implementing the known IDS standard IDMEF and a plugin concept, the Event Gatherer ensures flexibility and compatibility. Experiments are carried out to demonstrate the extensibility and virtualization-compatibility of the proposed IDS management architecture. Based on the proposed architecture, two application scenarios, IDS on Lock-Keeper and IDS in the Cloud, are realized and presented in the paper.