Synapse: auto-correlation and dynamic attack redirection in an immunologically-inspired IDS

Intrusion detection systems (IDS) perform an important role in the provision of network security, providing realtime notification of attacks in progress. One promising category of IDS attempts to incorporate into its design properties found in the natural immune system. Although previous attempts to apply immunology to intrusion detection have considered the issue of accuracy, more work still needs to be done. We present an immunologically-inspired intrusion detection model in which the false positive rate is moderated through a process of event correlation between multiple sensors. In addition, the model offers a novel response mechanism. Previous research has flirted with a variety of response mechanisms, including those that are capable of tearing down connections, killing processes and dynamically updating firewall rules. Although such mechanisms may prevent or at least mitigate an attack before its full impact is achieved, they work against the collection of information for investigatory or evidence purposes. To overcome this limitation, a response strategy is proposed in which the attack is dynamically redirected to an isolated host deployed as a honeypot. In this way, it becomes possible to mitigate the effects of the attack while at the same time study the attack itself.