A large scale distributed intrusion detection framework based on attack strategy analysis

To appropriately address the problem of large-scale distributed intrusion assessment/detection, issues such as information exchange, work division and coordination amongst various Intrusion Detection Systems (IDS) must be addressed. An approach based on autonomous local IDS agents performing event processing coupled with cooperative global problem resolution is preferred. However, it is not clear how autonomous the local IDS agents should be and what constitutes the theme that drives multiple IDS to work together. We believe that focusing on the intruder’s intent (attack strategy) provides the theme that drives how various IDS components work together. Analysis on attack strategy also provides an opportunity to perform pro-active look ahead adaptive auditing. This paper presents a high-level conceptual architecture view for such an approach. The Battleground Management Analogy Today’s large-scale distributed intrusion detection (ID) shares many common traits and challenges with the task of battleground management. Both endeavors face difficult challenges such as: •widely distributed heterogeneous environment •voluminous, noisy and volatile data •incomplete information for decision making •diverse variety of probes •difficulty in communication, coordination, command-and-control •trust between entities •changing attack patterns In Intrusion Detection Systems (IDS), Misuse Detection performs signature analysis by comparing on-going activities with patterns representing past intrusions in