Evaluation of State of the Art IDS Message Exchange Protocols

Authors: Robert Koch, Mario Golling, Gabi Dreo

Abstract:

Over the last few years, dependence on IT systems has reached a degree that nobody thought possible 10 years ago. The growing use of mobile devices (e.g., smartphones), wireless sensor networks and embedded devices (the Internet of Things) are only some examples of how dependent modern societies have become on cyberspace. At the same time, the complexity of IT applications is rising continuously, e.g., because of the increasing use of cloud computing. Along with this, the threats to IT security have increased both quantitatively and qualitatively, as recent examples like Stuxnet or the alleged cyber attack on an Illinois water system demonstrate impressively. Control systems that were once isolated are nowadays often reachable from public networks, something their developers never intended. Threats to IT systems do not respect areas of responsibility: especially with regard to cyber warfare, they are no longer limited by company or industry boundaries, administrative jurisdictions or national borders. One important countermeasure is increased cooperation among the parties involved, especially in the field of cyber defence. Besides political and legal challenges, there are technical ones as well. A better, at least partially automated exchange of information is essential to (i) enable sophisticated situational awareness and (ii) counter the attacker in a coordinated way. This publication therefore evaluates state-of-the-art intrusion detection message exchange protocols as a basis for secure information exchange between different entities.

Keywords: Cyber Defence, Cyber Warfare, Intrusion Detection Information Exchange, Early Warning Systems, Joint Intrusion Detection, Cyber Conflict

Digital Object Identifier (DOI): https://doi.org/10.5281/zenodo.1086549
