Title :
A SNMP-based platform for distributed stateful intrusion detection in enterprise networks
Author :
Gaspary, Luciano Paschoal ; Sanchez, Ricardo Nabinger ; Antunes, Diego Wentz ; Meneghetti, Edgar
Author_Institution :
Programa Interdisciplinar de Pos-Graduacao em Computacao Aplicada, Univ. do Vale do Rio dos Sinos, Sao Leopoldo, Brazil
Abstract :
In recent years, the use of intrusion detection systems (IDSs) to detect security breaches in both systems and networks has increased. However, widespread IDS adoption has been hindered by several challenges, including: 1) time-consuming configuration and analysis; 2) difficulty integrating with the existing network management infrastructure; and 3) the inability to add new attack signatures in a well-understood yet expressive high-level notation. This paper presents the ID-Trace Management Platform, an extension of the Simple Network Management Protocol (SNMP) infrastructure, based on the Internet Engineering Task Force (IETF) Script Management Information Base (Script MIB), that supports distributed stateful intrusion detection in enterprise networks. It provides mechanisms that allow a management station to delegate security-related tasks to mid-level managers (MLMs), which in turn interact with monitoring and action agents to execute those tasks. Specifications written in the protocol trace specification language are used by the MLMs to program monitoring agents that sniff packets on the network and compare the observed traffic against known attack signatures. With the information gathered by the monitoring process, the MLMs may execute procedures through the action agents (Java, Tcl, or Perl scripts), enabling the automation of several security tasks, both reactive and proactive. The platform also provides notification mechanisms (traps) so that MLMs can report the occurrence of major events to the management station.
Keywords :
Internet; Java; authorisation; business communication; computer network management; digital signatures; program verification; software agents; specification languages; system monitoring; telecommunication security; transport protocols; ID-trace management platform; IDS system; IETF; Internet engineering task force; MLM; SNMP-based platform; action agent; distributed stateful intrusion detection; enterprise network; known attack signature; mid-level manager; notification mechanism; program monitoring agent; protocol trace specification language; script MIB; script management information base; simple network management protocol; site security monitoring; sniff packet; time-consuming configuration; Automation; Computerized monitoring; Engineering management; IP networks; Information management; Information security; Intrusion detection; Java; Protocols; Specification languages; Computer network management; computer network security; site security monitoring;
Journal_Title :
IEEE Journal on Selected Areas in Communications
DOI :
10.1109/JSAC.2005.854116