A Lone Wolf No More: Supporting Network Intrusion Detection with Real-Time Intelligence
Title | A Lone Wolf No More: Supporting Network Intrusion Detection with Real-Time Intelligence |
Publication Type | Conference Paper |
Year of Publication | 2012 |
Authors | Amann, J., Sommer R., Sharma A., & Hall S. |
Page(s) | 314-333 |
Other Numbers | 3337 |
Abstract | For network intrusion detection systems it is becoming increasingly difficult to reliably report today's complex attacks without having external context at hand. Unfortunately, however, today's IDS cannot readily integrate intelligence, such as dynamic blacklists, into their operation. In this work, we introduce a fundamentally new capability into IDS processing that vastly broadens a system's view beyond what is visible directly on the wire. We present a novel Input Framework that integrates external information in real-time into the IDS decision process, independent of specific types of data, sources, and desired analyses. We implement our design on top of an open-source IDS, and we report initial experiences from real-world deployment in a large-scale network environment. To ensure that our system meets operational constraints, we further evaluate its technical characteristics in terms of the intelligence volume it can handle under realistic workloads, and the latency with which real-time updates become available to the IDS analysis engine. The implementation is freely available as open-source software. |
Acknowledgment | We would like to thank the Lawrence Berkeley National Laboratory for their collaboration. This work was supported by the U.S. Army Research Laboratory and the U.S. Army Research Office under MURI grant No. W911NF-09-1-0553; a fellowship within the Postdoc-Programme of the German Academic Exchange Service (DAAD); by the Director, Office of Science, Office of Safety, Security, and Infrastructure, of the U.S. Department of Energy under Contract No. DE-AC02-05CH11231; and by the US National Science Foundation under grant OCI-1032889. Any opinions, findings, and conclusions or recommendations expressed in this material are those of the authors or originators and do not necessarily reflect the views of the DAAD, the ARL/ARO, the DOE, or the NSF, respectively. |
URL | http://www.icsi.berkeley.edu/pubs/networking/alonewolfnomore12.pdf |
Bibliographic Notes | Proceedings of the 15th International Symposium on Attacks, Intrusions, and Detections (RAID 2012), pp. 314-333, Amsterdam, the Netherlands |
Abbreviated Authors | J. Amann, R. Sommer, A. Sharma, and S. Hall |
ICSI Research Group | Networking and Security |
ICSI Publication Type | Article in conference proceedings |