Creating a Collaborative Situational-Aware IDS

Date

2017-01-01

Department

Computer Science and Electrical Engineering

Program

Computer Science

Rights

This item may be protected under Title 17 of the U.S. Copyright Law. It is made available by UMBC for non-commercial research and education. For permission to publish or reproduce, please see http://aok.lib.umbc.edu/specoll/repro.php or contact Special Collections at speccoll(at)umbc.edu
Distribution Rights granted to UMBC by the author.

Abstract

An Intrusion Detection System (IDS) is a set of tools that runs passively in the background to determine whether components of a system, as reflected in network or host monitoring data, are behaving maliciously [1]. Traditional IDSs have well-known limitations that decrease their utility against many kinds of attacks. Current state-of-the-art IDSs are point-based solutions that perform a simple analysis of host or network data and then flag an alert. Most of these systems can discover only known attacks whose characteristics have been captured and represented as stored signatures. IDS elements of this type cannot detect zero-day attacks or attacks that use "low-and-slow" vectors. Often an attack, exploitation, or infection event is revealed only by post facto forensics, after some damage has already been done. To address these issues, a semantic approach to intrusion detection was taken that uses traditional as well as non-traditional sensors, collaboratively. Tim Berners-Lee defined the Semantic Web as "not a separate Web but an extension of the current one, in which information is given well-defined meaning, better enabling computers and people to work in cooperation. [2]" Traditional sensors include hardware or software such as network scanners, host scanners, and IDSs like Snort and Norton AntiVirus. Potential non-traditional sensors include open sources of information such as online forums, blogs, and vulnerability databases, which contain textual descriptions of proposed attacks or discovered exploits. Exploits are vulnerabilities or weaknesses that can be used to attack a system. After the data streams from these sensors are analyzed, the extracted information is added as facts to a knowledge base using an ontology, developed by our group, that is based on World Wide Web Consortium (W3C) [3] standards. The W3C is a consortium of people and organizations that work together to establish standards for the Web.
In addition to the ontology and facts stored in the knowledge base, rules/policies were developed that reason over the facts to identify the situation or context in which an attack can occur. Attacks characterized as low-and-slow aim to perform their malicious activity stealthily so that they remain unnoticed, instead of causing as much damage as quickly as possible. By having different sources collaborate to discover potential security threats and to create additional rules/policies, the resulting situational-aware IDS is better equipped to stop creative attacks such as those that follow a "low-and-slow" intrusion pattern. Leveraging information from these heterogeneous sources leads to a more robust, situational-aware IDS that is better equipped to detect complicated attacks. Detection then happens in soft real time, meaning that the alerts indicating the presence of an attack might not come the instant the attack starts; this latitude allows the creation of rules that can detect the complicated attacks. Prototypes of various components of this system were created and tested for efficiency and for the accuracy with which they detect complex malware, including botnets.
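The sensor-to-knowledge-base-to-rules pipeline described in the abstract, as an added Python example that is not the thesis's code and does not use its W3C ontology: sensor output is reduced to (subject, predicate, object) facts, and forward-chaining rules correlate a host scanner, a network scanner, a vulnerability database, a forum post and a Snort alert into one situational alert. All entity and predicate names are assumptions, and the facts are constructed.

```python
from collections import defaultdict
# Constructed sample facts (subject, predicate, object); every name here is an assumption.
FACTS = [
    ("host:db01", "runsSoftware", "sw:libfoo-1.2"),     # host scanner
    ("host:db01", "hasOpenPort", "443"),                # network scanner
    ("host:web02", "runsSoftware", "sw:libfoo-1.2"),    # host scanner; port 443 not open
    ("sw:libfoo-1.2", "hasVulnerability", "vuln:V-1"),  # vulnerability database
    ("vuln:V-1", "hasExploit", "exploit:E-1"),          # vulnerability database
    ("exploit:E-1", "discussedIn", "forum:post-42"),    # forum text (non-traditional sensor)
    ("exploit:E-1", "usesPort", "443"),                 # forum text (non-traditional sensor)
    ("ids:snort", "sawScanOf", "host:db01"),            # traditional IDS alert
]

class KnowledgeBase:
    """Minimal triple store indexed by predicate."""
    def __init__(self, facts):
        self.by_pred = defaultdict(set)         # predicate -> {(subject, object)}
        for fact in facts:
            self.add(fact)
    def add(self, fact):
        s, p, o = fact
        if (s, o) in self.by_pred[p]:
            return False                        # already known, so nothing new
        self.by_pred[p].add((s, o))
        return True
    def objects(self, s, p):
        return {o for x, o in self.by_pred[p] if x == s}

# Each rule returns the facts it derives from the knowledge base's current state.
def rule_inherit_vuln(kb):  # host runsSoftware sw & sw hasVulnerability v -> host hasVulnerability v
    return [(h, "hasVulnerability", v) for h, sw in kb.by_pred["runsSoftware"]
            for v in kb.objects(sw, "hasVulnerability")]
def rule_exposed(kb):  # vulnerable host whose vuln has a publicly discussed exploit on an open port
    return [(h, "exposedTo", e) for h, v in kb.by_pred["hasVulnerability"]
            for e in kb.objects(v, "hasExploit") if kb.objects(e, "discussedIn")
            and kb.objects(e, "usesPort") & kb.objects(h, "hasOpenPort")]
def rule_targeted(kb):  # exposed host that a traditional IDS also reported as scanned
    scanned = {h for _, h in kb.by_pred["sawScanOf"]}
    return [(h, "likelyTargetedVia", e) for h, e in kb.by_pred["exposedTo"] if h in scanned]

RULES = [rule_inherit_vuln, rule_exposed, rule_targeted]

def infer(kb, rules=RULES):
    # Forward-chain to a fixpoint: re-run every rule until no rule adds a new fact.
    while any([kb.add(f) for rule in rules for f in rule(kb)]):
        pass
    return kb

def situational_alerts(facts=FACTS):
    """Return (host, exploit) pairs that the combined evidence escalates to an alert."""
    return sorted(infer(KnowledgeBase(facts)).by_pred["likelyTargetedVia"])
```

Dropping any single source (for example the Snort scan report) removes the alert, which is the collaborative point: no one sensor's data is enough on its own.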