Impact of Sanitized Message Flows in a Cooperative Intrusion Warning System


Detailed description

Bibliographic details
Main authors: Tolle, J., Jahnke, M., Felde, N.G., Martini, P.
Format: Conference paper
Language: eng
Description
Summary: This paper discusses the side effects of sanitizing IT security event messages in a cooperative multi-domain intrusion warning system (IWS). To enhance the detection capabilities of conventional IT security tools like intrusion detection systems (IDS), virus scanners and packet filters, a centralized, so-called intrusion warning system can be deployed, which collects and analyzes event messages from the different domains. Additionally, the IWS informs the domains about potentially critical situations which might not be covered by the existing tools due to technical limitations, heterogeneous security policies or differences in configuration. The architecture of an IWS relies on centralized storage and analysis components, while the event messages are collected and preprocessed by distributed entities which are under the operational control of the respective domains. In cooperation scenarios like military coalition environments (CEs, e.g. NATO, KFOR, SFOR), potentially confidential or sensitive information still needs to be concealed from the CE partners, as defined by existing information sharing policies. This also holds for the information contained in IDS event messages, since they might include specifications of network addresses and topologies, of products or vendors, and of applications and security systems. Thus, to enable CE-wide cooperation of IT security systems, appropriate information sanitizing techniques need to be applied before any security-relevant information is shared. This might have a negative impact on the centralized analysis capabilities, since potentially important information might be dropped from the messages. In this paper, the impact of sanitizing event message flows in a cooperative IWS is studied by examining the behaviour of an IWS when feeding it with real-life event messages combined with artificial events from an Internet worm spreading simulation. The worm detection capabilities of the analysis components are determined in a multi-domain setup for both situations, with and without applying information sanitizing mechanisms to the event message flow.
ISSN: 2155-7578, 2155-7586
DOI: 10.1109/MILCOM.2006.302010