Security and Privacy in Communication Networks. 7th International ICST Conference, SecureComm 2011, London, UK, September 7-9, 2011, Revised Selected Papers

Research Article

Secure Configuration of Intrusion Detection Sensors for Changing Enterprise Systems

Download
361 downloads
  • @INPROCEEDINGS{10.1007/978-3-642-31909-9_3,
        author={Gaspar Modelo-Howard and Jevin Sweval and Saurabh Bagchi},
        title={Secure Configuration of Intrusion Detection Sensors for Changing Enterprise Systems},
        proceedings={Security and Privacy in Communication Networks. 7th International ICST Conference, SecureComm 2011, London, UK, September 7-9, 2011, Revised Selected Papers},
        proceedings_a={SECURECOMM},
        year={2012},
        month={10},
        keywords={Distributed intrusion detection multi-stage attacks Bayesian reasoning sensor reconfiguration},
        doi={10.1007/978-3-642-31909-9_3}
    }
    
  • Gaspar Modelo-Howard
    Jevin Sweval
    Saurabh Bagchi
    Year: 2012
    Secure Configuration of Intrusion Detection Sensors for Changing Enterprise Systems
    SECURECOMM
    Springer
    DOI: 10.1007/978-3-642-31909-9_3
Gaspar Modelo-Howard1,*, Jevin Sweval1,*, Saurabh Bagchi1,*
  • 1: Purdue University
*Contact email: gmodeloh@purdue.edu, jsweval@purdue.edu, sbagchi@purdue.edu

Abstract

Current attacks to distributed systems involve multiple steps, due to attackers usually taking multiple actions to achieve their goals. Such attacks are called multi-stage attacks and have the ultimate goal to compromise a critical asset for the victim. An example would be compromising a web server, then achieve a series of intermediary steps (such as compromising a developer’s box thanks to a vulnerable PHP module and connecting to a FTP server with gained credentials) to ultimately connect to a database where user credentials are stored. Current detection systems are not capable of analyzing the multi-step attack scenario. In this document we present a distributed detection framework based on a probabilistic reasoning engine that communicates to detection sensors and can achieve two goals: (1) protect the critical asset by detecting multi-stage attacks and (2) tune sensors according to the changing environment of the distributed system monitored by the distributed framework. As shown in the experiments, the framework reduces the number of false positives that it would otherwise report if it were only considering alerts from a single detector and the reconfiguration of sensors allows the framework to detect attacks that take advantage of the changing system environment.