Attack Scenarios Construction and Automated Report Generation in SACHET Intrusion
#1

Attack Scenarios Construction and Automated Report Generation in SACHET Intrusion Detection System
An Intrusion Detection System (IDS) is a passive system which relies on the system administrator to take action when an attack is detected. The latency between an attack detection and corrective action taken by the administrator is usually high and therefore, by the time the administrator notices an attack and takes an action, the damage is already done. This necessitates the need for an Intrusion Prevention System which can not only detect attacks but can also actively respond to them. Intrusion prevention is a pre-emptive approach to system security which is used to identify potential threats and respond to them swiftly.
Vulnerability Assessment would provide a clear picture of all hosts on the network, the services that they provide and also information on the known vulnerabilities. This information would help the administrator in configuring the IDS and can also be used to assign priority to an alert.
In this thesis, we describe the design and implementation of Intrusion Prevention and Vulnerability Assessment schemes for Sachet IDS. Sachet is a distributed, real-time, network-based Intrusion Detection System with centralized control developed at IIT Kanpur. Sachet uses open source software, Snort, for signature-based detection. Recently, a new version of Snort, snort-inline, has been released for Linux which has intrusion prevention capability. The aim of Intrusion Prevention for Sachet is to provide this capability for the Windows operating system. The aim of Vulnerability Assessment is to determine the vulnerabilities of machines monitored by Sachet at regular intervals and to use this information to assign priority to alerts generated by Snort.

#2

Attack Scenarios Construction and Automated Report Generation in SACHET Intrusion Detection System

Increased connectivity and the use of the Internet have exposed organizations to subversion, thereby necessitating the use of intrusion detection systems to protect information systems and communication networks from malicious attacks and unauthorized access. An Intrusion Detection System (IDS) is a security system that monitors computer systems and network traffic, analyzes that traffic to identify possible security breaches, and raises alerts. An IDS triggers thousands of alerts per day, making it difficult for human users to analyze them and take appropriate actions. It is therefore important to reduce the redundancy of alerts, intelligently integrate and correlate them, and to present a high-level view of the detected security issues to the administrator.

In this thesis, we describe the design and implementation of attack scenario construction and automated report generation modules for Sachet - a distributed, real-time, network-based IDS developed at IIT Kanpur. The aim of attack scenario construction is to identify logical relations among low-level alerts, correlate them, and to provide the system administrator with a condensed view of reported security issues known as attack scenarios. The alerts are correlated on the assumption that most intrusions are not isolated but related as different stages of a series of attacks, with the early stages preparing for the latter ones. The module was successfully tested on a benchmark 2000 DARPA data set. Automated report generation takes the alerts produced by Sachet and generates reports which provide the system administrator with an overall picture of the status of the network under surveillance.
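The correlation idea described in post #2 (early stages preparing for later ones), as an added example that is not part of the original post or Sachet's own code. It assumes a prerequisite/consequence model; the alert types, condition names and sample alerts are all constructed for illustration.

```python
from collections import namedtuple

Alert = namedtuple("Alert", "id time type src dst")

# Hypothetical knowledge base (an assumption, not Sachet's rule set):
# alert type -> (conditions it requires on the target, conditions it establishes)
KNOWLEDGE = {
    "HostSweep":       (set(),             {"host_known"}),
    "ServiceProbe":    ({"host_known"},    {"service_known"}),
    "ServiceOverflow": ({"service_known"}, {"root_access"}),
    "DaemonInstall":   ({"root_access"},   {"daemon_ready"}),
    "PortScan":        (set(),             {"ports_known"}),
}

# Constructed sample alerts (documentation address ranges, arbitrary timestamps).
ALERTS = [
    Alert(1, 10, "HostSweep",       "203.0.113.5",  "10.0.0.7"),
    Alert(2, 12, "PortScan",        "198.51.100.9", "10.0.0.8"),
    Alert(3, 20, "ServiceProbe",    "203.0.113.5",  "10.0.0.7"),
    Alert(4, 25, "ServiceOverflow", "203.0.113.5",  "10.0.0.7"),
    Alert(5, 26, "ServiceOverflow", "203.0.113.5",  "10.0.0.9"),
    Alert(6, 40, "DaemonInstall",   "203.0.113.5",  "10.0.0.7"),
]

def prepares_for(earlier, later):
    """True if `earlier` establishes a condition `later` requires on the same target."""
    gains = KNOWLEDGE[earlier.type][1]
    needs = KNOWLEDGE[later.type][0]
    return (earlier.time < later.time and earlier.dst == later.dst
            and bool(gains & needs))

def build_scenarios(alerts):
    """Group alert ids into scenarios: connected components of the prepares-for graph."""
    parent = {a.id: a.id for a in alerts}
    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path compression
            x = parent[x]
        return x
    for a in alerts:
        for b in alerts:
            if prepares_for(a, b):
                parent[find(b.id)] = find(a.id)
    groups = {}
    for a in sorted(alerts, key=lambda a: a.time):
        groups.setdefault(find(a.id), []).append(a.id)
    return sorted(groups.values(), key=lambda g: -len(g))

if __name__ == "__main__":
    for scenario in build_scenarios(ALERTS):
        print(scenario)
```

Six alerts collapse into one four-stage scenario against 10.0.0.7 plus two uncorrelated alerts; the isolated overflow alert on 10.0.0.9 has no recorded preparatory stage, which is the kind of gap an administrator would review separately.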
