
Paulo Fernando da Silva (paulo@lrg.ufsc.br), Carlos Becker Westphall (westphal@lrg.ufsc.br)

An Intrusion Answer Model Compatible with the Alerts IDWG Model. The IDREF data model aims at extending the work of the IDWG group so as to implement mechanisms for sending answers (responses) to detected alerts.





Presentation Transcript


An Intrusion Answer Model Compatible with the Alerts IDWG Model

Paulo Fernando da Silva (paulo@lrg.ufsc.br), Carlos Becker Westphall (westphal@lrg.ufsc.br)
Network and Management Laboratory, Post-Graduate Program in Computer Science, Federal University of Santa Catarina - Florianópolis, Brazil

The IDREF data model aims at extending the work of the IDWG group so as to implement mechanisms for sending answers (responses) to detected alerts.

• The Response class allows information to be sent with the objective of controlling an attack or informing about it; it has three derived classes: TCP, ICMP and Notify;
• The React class is used to block or finish a resource;
• The classes Block and Shutdown respectively represent the blocking and the closing of some resource;
• A reply of the Config type allows the configuration of a specific resource to be modified in order to contain an attack;
• The Resource class represents the resource to which the reply will be sent. This class has five derived classes: Node, Process, Service, UserList and FileList.

To support the interoperability of answers, besides developing the IDREF data model, it was necessary to modify the IDS architecture proposed by the IDWG group. The components countermeasures, action and resource have been added.

• In the new architecture proposal, when the operator receives a notification from the manager, he has the option of sending a reply back to the manager;
• When the manager receives a reply, it codifies it in accordance with the IDREF model and sends it to the countermeasures component;
• The actions carry the information of the Response, React or Config classes of the IDREF model. An action can be, for example, the blocking or closing of some resource;
• The resources are specified in the reply by the Resource class of the IDREF model. A resource can be, for example, a user account or a router;
• To create an intrusion detection environment with support for sending responses, three components have been developed: IDSMan, IDSAna and IDSRes;
• The IDSMan component is an alert manager that is able to receive IDMEF messages and to send IDREF messages;
• IDSAna is a component that makes the connection between the analyzer of an IDS and the IDSMan manager;
• IDSRes is a countermeasures component that is able to receive IDREF messages and to apply actions to resources.

This architecture allows the reception of alerts from several different IDSs, using the IDMEF alert model, and also allows the transmission of answers to received alerts, using the IDREF response model. In this way the proposed architecture provides interoperability both of alerts and of replies between IDSs.
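The manager/countermeasures exchange described above, as an added example that is not the authors' code: an IDSMan-like side encodes an operator's React reply as an XML message using the class names the poster gives (Block/Shutdown, Node/Process/Service/UserList/FileList), and an IDSRes-like side parses it and applies a registered handler. The element and attribute names, the version string and the sample alert are assumptions, since the page does not give the IDREF schema.

```python
# Added example (not from the paper): a minimal IDREF-style React reply encoded as
# XML by the manager and applied by a countermeasures component. Tag/attribute
# names are assumptions; the page does not give the IDREF schema.
import xml.etree.ElementTree as ET

# Class names taken from the poster's IDREF model.
RESOURCE_KINDS = {"Node", "Process", "Service", "UserList", "FileList"}
REACT_ACTIONS = {"Block", "Shutdown"}
RESPONSE_KINDS = {"TCP", "ICMP", "Notify"}


def encode_react(alert_id, action, resource_kind, resource_name):
    """Manager side (IDSMan): codify an operator's reply as an IDREF React message.
    Rejects classes the model does not define so malformed replies never leave
    the manager."""
    if action not in REACT_ACTIONS:
        raise ValueError(f"unknown React action: {action}")
    if resource_kind not in RESOURCE_KINDS:
        raise ValueError(f"unknown Resource class: {resource_kind}")
    root = ET.Element("IDREF-Message", version="1.0")  # assumed root element
    react = ET.SubElement(root, "React", alertident=alert_id, action=action)
    res = ET.SubElement(react, "Resource", category=resource_kind)
    ET.SubElement(res, "name").text = resource_name
    return ET.tostring(root, encoding="unicode")


def apply_react(xml_text, handlers):
    """Countermeasures side (IDSRes): parse a React message and apply it.
    `handlers` maps (action, resource_kind) -> callable(resource_name) -> bool.
    Returns an audit record; unknown pairs are refused rather than guessed."""
    root = ET.fromstring(xml_text)
    react = root.find("React")
    if react is None:
        raise ValueError("no React element in message")
    action, alert = react.get("action"), react.get("alertident")
    res = react.find("Resource")
    kind, name = res.get("category"), res.findtext("name")
    handler = handlers.get((action, kind))
    if handler is None:
        return {"alert": alert, "applied": False, "reason": "no handler"}
    return {"alert": alert, "applied": handler(name), "action": action,
            "resource": f"{kind}:{name}"}


# Constructed sample: the operator asks to block a user account named in alert A-42.
_blocked = set()
HANDLERS = {("Block", "UserList"): lambda user: _blocked.add(user) or True}

if __name__ == "__main__":
    msg = encode_react("A-42", "Block", "UserList", "sample-user")
    print(apply_react(msg, HANDLERS))
```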
