Abstract

We present a prototype of an Intrusion Warning System that combines the event message flows of multiple domain-specific security tools in order to detect anomalies for early warning and response. Unlike other approaches to cooperating Intrusion Detection Systems (IDS), we propose a modified star-shaped architecture for distributing attack information and feeding warning messages back to the participants. We assume that almost nothing is known in advance, neither about the underlying local security tools that provide the information nor about their local security policies. Such heterogeneous environments are typical for dynamic coalitions like NATO. We extended a well-known hierarchical distributed IDS architecture to provide Meta IDS services with feedback to the local access points. The extensions include three major items:

Early Anomaly Warning - A graph-clustering based anomaly detector for the event messages is used as an adaptive early warning module for large-scale activities, e.g. Internet worms.

Information Sanitizing - Event messages are anonymized when leaving the local domain, according to a domain-specific information sharing policy.

Message Aggregation - Additional filters for data reduction and the application of predefined correlation rules keep the data flow manageable.
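The Information Sanitizing and Message Aggregation steps above can be illustrated on a small message flow. The following Python example is added here and is not code from the paper or its prototype; the event schema (`src`, `dst`, `dst_port`, `host`, `sig`), the policy keys, the HMAC-based pseudonymization of internal addresses and the correlation threshold are all assumptions made for the example. Events are sanitized according to a (constructed) domain sharing policy before they leave the local domain, and a simple correlation rule then collapses repeated events from one source against one port into a single aggregated message.

```python
import hashlib
import hmac
import ipaddress
from collections import defaultdict

# Constructed sample events, as a local IDS might emit them
# (hypothetical schema; the paper does not specify its message format).
SAMPLE_EVENTS = [
    {"src": "10.1.2.3", "dst": "10.1.0.10", "dst_port": 445, "host": "ws-42.lab.local", "sig": "SMB probe"},
    {"src": "10.1.2.3", "dst": "10.1.0.11", "dst_port": 445, "host": "ws-42.lab.local", "sig": "SMB probe"},
    {"src": "10.1.2.3", "dst": "10.1.0.12", "dst_port": 445, "host": "ws-42.lab.local", "sig": "SMB probe"},
    {"src": "198.51.100.7", "dst": "10.1.0.20", "dst_port": 80, "host": "www.lab.local", "sig": "HTTP scan"},
    {"src": "10.1.2.3", "dst": "10.1.0.13", "dst_port": 445, "host": "ws-42.lab.local", "sig": "SMB probe"},
]

# Hypothetical domain-specific information sharing policy (an assumption for this example).
POLICY = {
    "internal_nets": ["10.0.0.0/8"],   # addresses inside the local domain
    "pseudonymize_internal": True,     # replace internal addresses with a keyed pseudonym
    "drop_fields": ["host"],           # fields that must never leave the domain
}

# Per-domain secret so pseudonyms are consistent within a domain but not reversible by others.
DOMAIN_KEY = b"constructed-secret-key"


def pseudonym(addr: str, key: bytes = DOMAIN_KEY) -> str:
    """Keyed pseudonym: the same address always maps to the same token, but the
    token cannot be inverted to the address without the domain key."""
    digest = hmac.new(key, addr.encode(), hashlib.sha256).hexdigest()
    return "anon-" + digest[:12]


def is_internal(addr: str, policy: dict = POLICY) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(net) for net in policy["internal_nets"])


def sanitize(event: dict, policy: dict = POLICY) -> dict:
    """Apply the sharing policy to one event before it leaves the local domain:
    drop forbidden fields and pseudonymize internal addresses; external
    addresses (e.g. an attacker's) are shared unchanged."""
    out = {k: v for k, v in event.items() if k not in policy["drop_fields"]}
    for field in ("src", "dst"):
        if field in out and policy["pseudonymize_internal"] and is_internal(out[field], policy):
            out[field] = pseudonym(out[field])
    return out


def aggregate(events: list, threshold: int = 3) -> list:
    """Predefined correlation rule: events with the same source, destination
    port and signature that occur at least `threshold` times are collapsed
    into one aggregated message; everything else is forwarded as-is."""
    buckets = defaultdict(list)
    for ev in events:
        buckets[(ev["src"], ev["dst_port"], ev["sig"])].append(ev)
    out = []
    for (src, port, sig), evs in buckets.items():
        if len(evs) >= threshold:
            out.append({"src": src, "dst_port": port, "sig": sig,
                        "count": len(evs),
                        "distinct_targets": len({e["dst"] for e in evs})})
        else:
            out.extend(evs)
    return out


def outbound_messages(events: list = SAMPLE_EVENTS, policy: dict = POLICY, threshold: int = 3) -> list:
    """Messages the local access point would forward to the Meta IDS:
    sanitize first, so aggregated messages never carry raw internal identifiers."""
    return aggregate([sanitize(e, policy) for e in events], threshold)


if __name__ == "__main__":
    for msg in outbound_messages():
        print(msg)
```

Sanitizing before aggregating means the correlation rule only ever sees pseudonyms, so even the aggregated summary cannot leak an internal host name or address; the keyed pseudonym still lets the Meta IDS recognise that the four probes came from one source without learning which one.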