SHOMAR: An Open Architecture for Distributed Intrusion Detection Services

Abstract

Distributed Intrusion Detection Systems (DIDS) offer an alternative to centralized intrusion detection. Current research indicates that a distributed intrusion detection paradigm may afford greater coverage, consequently providing an increase in security. In some cases, DIDS offer an alternative to centralized analysis, consequently improving scalabity. SHOMAR, the distributed architecture presented in this paper, provides an open framework that enables secure access to heterogeneous software and hardware components of a distributed intrusion detection system. SHOMAR is built upon a simplified Public Key Infrastructure that provides for authentication, non-repudiation, anti-playback, and access control. This framework supports a broad spectrum of approaches, ranging from hierarchical to peer-to-peer. The system topology and rules governing access to intrusion detection services is based solely upon policy, which is enforced through the use of a capability manager. The protoype system uses Java. The Extensible Markup Language is the sole medium for data exchange between intrusion detection components. SHOMAR provides a distributed service infrastructure independent of the underlying communications network.