Title :
Intelligent techniques for network sensor information processing in large-scale network infrastructures
Author :
Hooper, Emmanuel
Author_Institution :
Inf. Security Group, Univ. of London R. Holloway, Egham
Abstract :
Intrusion detection systems (IDSs) and security tools are used to monitor potential attacks in network infrastructures. These tools and IDSs trigger alerts of potential attacks and violations of network security. However, most of the alerts generated by IDS sensors are false positives: alerts triggered by suspicious but normal, benign connections. Because of the very high volume of false positives, manually analysing the alerts is extremely difficult, resulting in inefficient real-time detection and response. In this paper we present a detailed explanation of a novel approach for efficient, intelligent detection of and response to suspect packets that turn out to be benign false positives. The intelligent strategy consists of a network quarantine channels (NQC) technique with multiple zones for isolating and interacting with the source packets in real time. The NQC consists of various subnet zones, which examine the packets by sending intelligent responses to the source host of the packet to obtain more information on the nature of the packet. Once the source packet's intention is known, the NQC sends feedback to the IDS to modify the alerts. We propose multiple feedback methods, including message flags, to the IDS monitor and database. The effect of these innovative approaches, using NQC and feedback mechanisms, is to enhance the capability of the IDS to detect threats and benign attacks. This is accomplished by applying adaptive rules to the alert filters and policies of the IDS network sensors. We describe the NQC approach with a detailed description of its operation and technique. In addition, we propose new techniques for feeding the results of the NQC to the IDS. Furthermore, we propose new methods of communication between the IDS and firewalls for sending responses to suspect packets. These approaches demonstrate the effectiveness of using the intelligent detection and response strategy for handling benign and attack packets.
Keywords :
authorisation; feedback; large-scale systems; feedback mechanisms; firewalls; intrusion detection systems; large-scale network infrastructures; network quarantine channels; network security; network sensor information processing; security tools; Adaptive filters; Databases; Feedback; Information processing; Information security; Intelligent networks; Intelligent sensors; Intrusion detection; Large-scale systems; Monitoring; data mining; information processing; network sensor security; sensors networks;
Conference_Title :
Intelligent Sensors, Sensor Networks and Information Processing, 2008. ISSNIP 2008. International Conference on
Conference_Location :
Sydney, NSW
Print_ISBN :
978-1-4244-3822-8
Electronic_ISBN :
978-1-4244-2957-8
DOI :
10.1109/ISSNIP.2008.4762054