Extending Intrusion Detection with Alert Correlation and Intrusion Tolerance
Abstract
Intrusion detection is an important security tool. It can provide valuable information about the current security status of a system. However, as enterprises deploy multiple intrusion detection sensors at key points in their networks, the issue of correlating messages from these sensors becomes increasingly important. A correlation capability reduces alert volume, and potentially improves detection performance through sensor reinforcement or complementarity. Correlation is especially advantageous when heterogeneous sensors are employed, because of the potential to aggregate different views of the same incident. This thesis studies a number of different properties of intrusion alert correlation, such as standard formats and similarity metrics. A conceptual framework is suggested, followed by three different case studies. Firstly, a router-based IDS is implemented and analyzed. The quality of the event source is found to be unreliable, and the consequences for intrusion detection and correlation are evaluated. Secondly, a case study of live traffic analysis is performed using heterogeneous intrusion alert correlation. A successful correlation is presented. Thirdly, the feasibility of implementing intrusion alert correlation using open source tools is evaluated. A simple prototype is implemented. However, even if the performance of intrusion detection systems increases, there will always be intrusions. One way to remedy this problem is to use fault tolerant techniques in a new setting, providing intrusion tolerance. This results in a system that will continue to provide a valid service, possibly with a performance penalty, in spite of ongoing intrusion attempts. This thesis studies different ways to implement intrusion tolerant services. Additionally, an intrusion tolerant reverse proxy server is implemented and analyzed. All in all, we show the value of intrusion alert correlation and intrusion tolerance in different settings.
Similar references
Real-Time intrusion detection alert correlation and attack scenario extraction based on the prerequisite consequence approach
Alert correlation systems attempt to discover the relations among alerts produced by one or more intrusion detection systems to determine the attack scenarios and their main motivations. In this paper a new IDS alert correlation method is proposed that can be used to detect attack scenarios in real-time. The proposed method is based on a causal approach due to the strength of causal methods in ...
Alert correlation and prediction using data mining and HMM
Intrusion Detection Systems (IDSs) are security tools widely used in computer networks. While they seem to be promising technologies, they pose some serious drawbacks: When utilized in large and high traffic networks, IDSs generate high volumes of low-level alerts which are hardly manageable. Accordingly, there emerged a recent track of security research, focused on alert correlation, which ext...
Real-Time Intrusion Detection Alert Correlation
A New Intrusion Detection System to deal with Black Hole Attacks in Mobile Ad Hoc Networks
As wireless networks spread, and because of their different nature, attacks appear in these networks that did not exist in wired networks. Security is a serious challenge for practical deployment of wireless networks. Due to the lack of a fixed infrastructure, and also because of security holes in the routing protocols of mobile ad hoc networks, these networks are not protected against attack...
Intrusion Alert Correlation Technique Analysis for Heterogeneous Log
Intrusion alert correlation is a multi-step process that receives alerts from heterogeneous log sources as input and produces a high-level description of the malicious activity on the network. The objective of this study is to analyse current alert correlation techniques and identify the significant criteria in each technique that can improve Intrusion Detection System (IDS) problems suc...