Abstract:
Evidence of attacks against a network and its resources is often scattered over several hosts. Intrusion detection systems (IDS) that attempt to detect such attacks therefore have to collect and correlate information from different sources. We propose a completely decentralized system for event correlation and for fusing data gathered at multiple points within the network. Our system models an intrusion as a pattern of events that can occur at different hosts and consists of collaborating sensors deployed at various locations throughout the protected network installation. We present a specification language to define intrusions as distributed patterns and a mechanism to specify their simple building blocks. The peer-to-peer algorithm that detects these patterns and its prototype implementation, called Quicksand, are described. The problems involved in managing such a system, and their solutions, are discussed.
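The idea of an intrusion as a pattern of events spread over several hosts, illustrated with a small correlator. This is an added example, not code from the paper or from the Quicksand prototype: the event format, the pattern notation (ordered steps with attribute bindings, a cross-host constraint and a time window) and the sample sensor events are all assumptions made here, and the events are correlated at one point over a merged stream rather than with the paper's peer-to-peer algorithm.

```python
from dataclasses import dataclass

# Constructed sample events, as sensors on two hosts ("web1", "db1") might report
# them. Assumed format, not Quicksand's. Timestamps are seconds.
SAMPLE_EVENTS = [
    {"ts": 100, "host": "web1", "type": "portscan",   "src": "10.0.0.9"},
    {"ts": 130, "host": "db1",  "type": "login_fail", "src": "10.0.0.9",  "user": "admin"},
    {"ts": 131, "host": "db1",  "type": "login_fail", "src": "10.0.0.9",  "user": "admin"},
    {"ts": 140, "host": "db1",  "type": "login_ok",   "src": "10.0.0.9",  "user": "admin"},
    # second source: scans web1 and then logs in on web1 itself, so the
    # "different host" constraint of the pattern is not met
    {"ts": 150, "host": "web1", "type": "portscan",   "src": "10.0.0.77"},
    {"ts": 160, "host": "web1", "type": "login_fail", "src": "10.0.0.77", "user": "root"},
    {"ts": 170, "host": "web1", "type": "login_ok",   "src": "10.0.0.77", "user": "root"},
    # far outside the 600 s window of the earlier scan
    {"ts": 2000, "host": "db1", "type": "login_ok",   "src": "10.0.0.77", "user": "root"},
]


@dataclass
class Step:
    event_type: str
    bind: tuple              # attributes whose values must agree across steps
    new_host: bool = False   # True: event must come from a host not yet in the match


@dataclass
class Pattern:
    name: str
    steps: list
    window: int              # max seconds between the first and the last step


# Assumed distributed pattern: a port scan of one host, then a failed and a
# successful login from the same source on a different host.
SCAN_THEN_LOGIN = Pattern(
    name="scan-then-login",
    steps=[
        Step("portscan",   bind=("src",)),
        Step("login_fail", bind=("src",), new_host=True),
        Step("login_ok",   bind=("src", "user")),
    ],
    window=600,
)


def _accepts(step, event, partial):
    """Check whether `event` can extend the partial match `partial` at `step`."""
    if event["type"] != step.event_type:
        return False
    if any(attr not in event for attr in step.bind):
        return False
    for attr in step.bind:                       # bound attributes must agree
        if attr in partial["bindings"] and partial["bindings"][attr] != event[attr]:
            return False
    if step.new_host and event["host"] in {e["host"] for e in partial["events"]}:
        return False
    return True


def correlate(events, pattern):
    """Run `pattern` over the time-ordered merged stream; return completed matches."""
    partials, alerts = [], []
    first = pattern.steps[0]
    for ev in sorted(events, key=lambda e: e["ts"]):
        # discard partial matches whose time window has elapsed
        partials = [p for p in partials if ev["ts"] - p["start"] <= pattern.window]
        for p in partials:
            step = pattern.steps[p["idx"]]
            if _accepts(step, ev, p):            # first-match semantics: advance in place
                p["bindings"].update({a: ev[a] for a in step.bind})
                p["events"].append(ev)
                p["idx"] += 1
        for p in partials:
            if p["idx"] == len(pattern.steps):
                alerts.append({"pattern": pattern.name,
                               "bindings": p["bindings"],
                               "hosts": [e["host"] for e in p["events"]],
                               "span": (p["events"][0]["ts"], p["events"][-1]["ts"])})
        partials = [p for p in partials if p["idx"] < len(pattern.steps)]
        # every event matching the first step opens a new partial match
        if ev["type"] == first.event_type and all(a in ev for a in first.bind):
            partials.append({"idx": 1, "start": ev["ts"],
                             "bindings": {a: ev[a] for a in first.bind},
                             "events": [ev]})
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS, SCAN_THEN_LOGIN):
        print(alert)
```

Only the 10.0.0.9 sequence produces a match: its events come from two hosts, share the bound `src` and `user` values and fall inside the window. The 10.0.0.77 sequence fails the `new_host` constraint, and its late `login_ok` arrives after the window has expired. In a decentralized design such as the one the abstract describes, the partial-match state would have to be kept and forwarded by the sensors themselves instead of by this single loop.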