Providing Dynamic Control to Passive Network Security Monitoring

Title: Providing Dynamic Control to Passive Network Security Monitoring
Publication Type: Conference Paper
Year of Publication: 2015
Authors: Amann, J., & Sommer, R.
Published in: Proceedings of the 18th International Symposium on Research in Attacks, Intrusions and Defenses (RAID)
Date Published: 11/2015
Abstract

Passive network intrusion detection systems detect a wide range of attacks, yet by themselves lack the capability to actively respond to what they find. Some sites thus provide their IDS with a separate control channel back to the network, typically by enabling it to dynamically insert ACLs into a gateway router for blocking IP addresses. Such setups, however, tend to remain narrowly tailored to the site's specifics, with little opportunity for reuse elsewhere, as different networks deploy a wide array of hardware and software and differ in their network topologies. To overcome the shortcomings of such ad-hoc approaches, we present a novel network control framework that provides passive network monitoring systems with a flexible, unified interface for active response, hiding the complexity of heterogeneous network equipment behind a simple task-oriented API. Targeting operational deployment in large-scale network environments, we implement the design of our framework on top of an existing open-source IDS. We provide exemplary backends, including an interface to OpenFlow hardware, and evaluate our approach in terms of functionality and performance.
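The design the abstract describes, sketched as an added Python example that is not the paper's code and not the API of any real IDS: a task-oriented front end on which the monitor asks for an outcome (drop this address, shunt this flow), a priority-ordered set of backends each of which declares which rules it can express, and timeouts so that every rule is withdrawn again. The ACL-router and OpenFlow backends, their command syntax, the assumed uplink port, and every class and method name are illustrative assumptions.

```python
"""Illustrative task-oriented network-control API with pluggable backends.
Added example; names, backends and command syntax are assumptions."""
import itertools
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional


class Action(Enum):
    DROP = "drop"          # discard traffic matching the entity
    WHITELIST = "allow"    # exempt the entity from other blocks
    SHUNT = "shunt"        # stop forwarding a flow to the monitor


@dataclass(frozen=True)
class Flow:
    """5-tuple for flow-level entities; None fields are wildcards."""
    src: Optional[str] = None
    dst: Optional[str] = None
    proto: Optional[str] = None
    sport: Optional[int] = None
    dport: Optional[int] = None


@dataclass
class Rule:
    rid: int
    action: Action
    entity: object                 # str (an address) or Flow
    expires_at: Optional[float]    # absolute time, None = permanent


class NoBackendError(RuntimeError):
    """No registered backend can implement the requested rule."""


class AclRouterBackend:
    """Gateway router that only understands per-address deny ACLs (assumed)."""
    name = "acl-router"

    def __init__(self):
        self.acl: Dict[int, str] = {}

    def can_handle(self, rule: Rule) -> bool:
        return rule.action is Action.DROP and isinstance(rule.entity, str)

    def install(self, rule: Rule) -> str:
        line = f"deny ip host {rule.entity} any"   # Cisco-style ACL line, illustrative
        self.acl[rule.rid] = line
        return line

    def remove(self, rule: Rule) -> None:
        self.acl.pop(rule.rid, None)


class OpenFlowBackend:
    """OpenFlow switch: matches on flows and can drop or shunt them."""
    name = "openflow"
    _FIELDS = (("src", "nw_src"), ("dst", "nw_dst"),
               ("sport", "tp_src"), ("dport", "tp_dst"))

    def __init__(self):
        self.flows: Dict[int, str] = {}

    def can_handle(self, rule: Rule) -> bool:
        return rule.action in (Action.DROP, Action.SHUNT)

    def install(self, rule: Rule) -> str:
        f = rule.entity if isinstance(rule.entity, Flow) else Flow(src=rule.entity)
        match = [f.proto or "ip"]
        match += [f"{of}={getattr(f, attr)}" for attr, of in self._FIELDS
                  if getattr(f, attr) is not None]
        # ovs-ofctl style flow entry (illustrative); output:1 is the assumed uplink port
        actions = "drop" if rule.action is Action.DROP else "output:1"
        entry = f"priority=100,{','.join(match)},actions={actions}"
        self.flows[rule.rid] = entry
        return entry

    def remove(self, rule: Rule) -> None:
        self.flows.pop(rule.rid, None)


class NetworkController:
    """Task-oriented front end: the IDS asks for an outcome, not a device command."""

    def __init__(self):
        self._backends: List[tuple] = []     # (priority, backend), highest first
        self._rules: Dict[int, tuple] = {}   # rid -> (rule, backend that holds it)
        self._ids = itertools.count(1)

    def add_backend(self, backend, priority: int) -> None:
        self._backends.append((priority, backend))
        self._backends.sort(key=lambda p: -p[0])

    def _dispatch(self, action: Action, entity, timeout, now: float) -> int:
        rule = Rule(next(self._ids), action, entity,
                    None if timeout is None else now + timeout)
        for _, be in self._backends:           # first capable backend wins
            if be.can_handle(rule):
                be.install(rule)
                self._rules[rule.rid] = (rule, be)
                return rule.rid
        raise NoBackendError(f"no backend for {action.value} on {entity!r}")

    def drop_address(self, addr: str, timeout: float, now: float = 0.0) -> int:
        return self._dispatch(Action.DROP, addr, timeout, now)

    def shunt_flow(self, flow: Flow, timeout: float, now: float = 0.0) -> int:
        return self._dispatch(Action.SHUNT, flow, timeout, now)

    def whitelist_address(self, addr: str, timeout: float, now: float = 0.0) -> int:
        return self._dispatch(Action.WHITELIST, addr, timeout, now)

    def backend_for(self, rid: int) -> str:
        return self._rules[rid][1].name

    def expire(self, now: float) -> List[int]:
        """Withdraw every rule whose timeout has passed; return the removed ids."""
        gone = [rid for rid, (r, _) in self._rules.items()
                if r.expires_at is not None and r.expires_at <= now]
        for rid in gone:
            rule, be = self._rules.pop(rid)
            be.remove(rule)
        return gone
```

The point of the split is that the monitor's policy code never learns which device implements a block: an address drop lands on whichever backend has the highest priority and can express it, a flow shunt falls through to the OpenFlow backend because a plain ACL router cannot match on ports, and a request no backend supports fails loudly rather than silently doing nothing.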

URL: http://icir.org/johanna/papers/raid15dynamiccontrol.pdf
ICSI Research Group: Networking and Security