Synapse: auto-correlation and dynamic attack redirection in an immunologically-inspired IDS
Source: ACM International Conference Proceeding Series, Vol. 167
Proceedings of the 2006 Australasian Workshops on Grid Computing and e-Research, Volume 54
Hobart, Tasmania, Australia
Pages: 135-144
Year of Publication: 2006
ISBN: 1-920-68236-8; ISSN: 1445-1336
Authors
David Duncombe  Information Security Institute, Queensland University of Technology, Brisbane, Queensland, Australia
George Mohay  Information Security Institute, Queensland University of Technology, Brisbane, Queensland, Australia
Andrew Clark  Information Security Institute, Queensland University of Technology, Brisbane, Queensland, Australia
Publisher
Australian Computer Society, Inc., Darlinghurst, Australia

ABSTRACT

Intrusion detection systems (IDS) perform an important role in the provision of network security, providing real-time notification of attacks in progress. One promising category of IDS attempts to incorporate into its design properties found in the natural immune system. Although previous attempts to apply immunology to intrusion detection have considered the issue of accuracy, more work still needs to be done. We present an immunologically-inspired intrusion detection model in which the false positive rate is moderated through a process of event correlation between multiple sensors. In addition, the model offers a novel response mechanism. Previous research has flirted with a variety of response mechanisms, including those that are capable of tearing down connections, killing processes and dynamically updating firewall rules. Although such mechanisms may prevent or at least mitigate an attack before its full impact is achieved, they work against the collection of information for investigatory or evidence purposes. To overcome this limitation, a response strategy is proposed in which the attack is dynamically redirected to an isolated host deployed as a honeypot. In this way, it becomes possible to mitigate the effects of the attack while at the same time studying the attack itself.

