Attack Signature Matching and Discovery in Systems Employing Heterogeneous IDS

Nathan Carey, George Mohay, Andrew Clark
Queensland University of Technology

Over the past decade, Intrusion Detection Systems (IDS) have improved steadily in the efficiency and effectiveness with which they detect intrusive activity. This is particularly true of signature-based IDS, owing to progress in intrusion analysis and intrusion signature specification. At the same time, system complexity and the overall numbers of bugs and security vulnerabilities have been on the increase. This has led to the recognition that, in order to operate over the entire attack space, multiple heterogeneous IDS must be used, and that these need to interoperate with one another and possibly also with other components of system security. This paper describes our research into developing algorithms for attack signature matching to detect multi-stage attacks manifested by alerts from heterogeneous IDS. It also describes the preliminary results of that research, the visualization tools we have developed to display alert traffic from heterogeneous IDS, and the administrator interface.

Keywords: Intrusion Detection, Alert Correlation, Attack Signatures, Attack Detection, Interoperability.

