Performance Adaptation in Real-Time Intrusion Detection Systems

  • Conference paper
Recent Advances in Intrusion Detection (RAID 2002)

Part of the book series: Lecture Notes in Computer Science (LNCS, volume 2516)

Abstract

A real-time intrusion detection system (IDS) has several performance objectives: good detection coverage, economy in resource usage, resilience to stress, and resistance to attacks upon itself. In this paper, we argue that these objectives are trade-offs that must be considered not only in IDS design and implementation, but also in deployment and in an adaptive manner. We show that IDS performance trade-offs can be studied as classical optimization problems. We describe an IDS architecture with multiple dynamically configured front-end and back-end detection modules and a monitor. The IDS run-time performance is measured periodically, and detection strategies and workload are configured among the detection modules according to resource constraints and cost-benefit analysis. The back-end performs scenario (or trend) analysis to recognize on-going attack sequences, so that the predictions of the likely forthcoming attacks can be used to pro-actively and optimally configure the IDS.
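The abstract describes a monitor that measures run-time load and reconfigures which detection modules run "according to resource constraints and cost-benefit analysis". The following Python sketch is an added illustration of that control loop and is not code from the paper or its prototype: it treats module selection as a 0/1 knapsack problem (maximize expected detection benefit subject to a CPU budget), sheds lower-value modules as the measured baseline load rises, and re-weights a module's benefit when the back-end's scenario analysis predicts a matching attack class. Module names, CPU costs, benefit values and the substring-based attack matching are all constructed assumptions for the example.

```python
"""Added illustration of adaptive IDS module selection (not the paper's code).

A monitor cycle computes the CPU budget left after the measured baseline load,
optionally boosts modules relevant to a predicted attack class, and solves a
0/1 knapsack to pick the module subset with the highest expected benefit.
All module data below is constructed for the example.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class DetectionModule:
    name: str
    cpu_cost: int      # CPU units consumed per measurement interval (constructed)
    benefit: float     # expected detection value from cost-benefit analysis (constructed)


# Constructed module catalogue; a real deployment would measure these.
MODULES = [
    DetectionModule("portscan", 2, 3.0),
    DetectionModule("http_signatures", 4, 6.0),
    DetectionModule("dns_anomaly", 3, 4.0),
    DetectionModule("full_payload_inspection", 6, 7.5),
]


def select_modules(modules, budget):
    """0/1 knapsack by dynamic programming.

    Returns (total_benefit, [chosen module names]) for the subset of modules
    whose combined cpu_cost fits in `budget` and whose benefit sum is maximal.
    """
    n = len(modules)
    # best[i][b]: max benefit using only the first i modules within budget b
    best = [[0.0] * (budget + 1) for _ in range(n + 1)]
    for i, m in enumerate(modules, start=1):
        for b in range(budget + 1):
            best[i][b] = best[i - 1][b]              # skip module i
            if m.cpu_cost <= b:                       # or take it, if it fits
                candidate = best[i - 1][b - m.cpu_cost] + m.benefit
                if candidate > best[i][b]:
                    best[i][b] = candidate
    # Backtrack to recover which modules produced the optimum.
    chosen, b = [], budget
    for i in range(n, 0, -1):
        if best[i][b] != best[i - 1][b]:
            chosen.append(modules[i - 1].name)
            b -= modules[i - 1].cpu_cost
    chosen.reverse()
    return best[n][budget], chosen


def adapt(modules, capacity, measured_load, predicted_attack=None):
    """One monitor cycle.

    capacity:         total CPU units available to the sensor (constructed)
    measured_load:    CPU units already consumed by traffic capture/baseline work
    predicted_attack: attack class the back-end trend analysis expects next, if any
    Modules whose name contains the predicted class get their benefit doubled
    (a simplistic stand-in for the paper's scenario analysis, assumed here).
    """
    budget = max(0, capacity - measured_load)
    weighted = []
    for m in modules:
        benefit = m.benefit
        if predicted_attack and predicted_attack in m.name:
            benefit *= 2.0
        weighted.append(DetectionModule(m.name, m.cpu_cost, benefit))
    return select_modules(weighted, budget)


if __name__ == "__main__":
    # Idle sensor: expensive high-value modules are affordable.
    print(adapt(MODULES, capacity=10, measured_load=0))
    # Under stress: the monitor sheds modules to stay within budget.
    print(adapt(MODULES, capacity=10, measured_load=6))
    # Back-end predicts DNS-related activity: DNS detection is prioritised.
    print(adapt(MODULES, capacity=10, measured_load=0, predicted_attack="dns"))
```

Running the three cycles shows the three behaviours the abstract names: full coverage when resources allow, graceful load shedding under stress, and proactive reconfiguration when the back-end predicts what is likely coming. A production monitor would also cap how often it reconfigures, since an attacker who can drive the measured load up and down can otherwise make the sensor oscillate.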

Copyright information

© 2002 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Lee, W., Cabrera, J.B.D., Thomas, A., Balwalli, N., Saluja, S., Zhang, Y. (2002). Performance Adaptation in Real-Time Intrusion Detection Systems. In: Wespi, A., Vigna, G., Deri, L. (eds) Recent Advances in Intrusion Detection. RAID 2002. Lecture Notes in Computer Science, vol 2516. Springer, Berlin, Heidelberg. https://doi.org/10.1007/3-540-36084-0_14

  • DOI: https://doi.org/10.1007/3-540-36084-0_14

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-540-00020-4

  • Online ISBN: 978-3-540-36084-1
