TY - GEN
T1 - Cost-aware systemwide intrusion defense via online forensics and on-demand detector deployment
AU - Zonouz, Saman A.
AU - Joshi, Kaustubh R.
AU - Sanders, William H.
N1 - Copyright:
Copyright 2011 Elsevier B.V., All rights reserved.
PY - 2010
Y1 - 2010
N2 - Balancing the coverage benefits of deploying multiple types of intrusion detection systems against their performance and false alarm costs is an important problem with practical ramifications for runtime security policy. In this position paper, we present an approach to "on-demand" deployment of intrusion detection systems by balancing detection coverage against cost and deploying an IDS only when it is needed. The proposed approach relies on often easy-to-detect symptoms of attacks, e.g., participation in a botnet or DDoS, and works backwards by iteratively deploying increasingly more localized and powerful detectors closer to the initial attack vector. We accomplish this by characterizing multiple IDS systems in a uniform framework based on their costs and detection capabilities and integrating them, for the first time, into an online system-wide forensics framework. We develop the basic elements of the framework and give an example of its envisioned operation.
AB - Balancing the coverage benefits of deploying multiple types of intrusion detection systems against their performance and false alarm costs is an important problem with practical ramifications for runtime security policy. In this position paper, we present an approach to "on-demand" deployment of intrusion detection systems by balancing detection coverage against cost and deploying an IDS only when it is needed. The proposed approach relies on often easy-to-detect symptoms of attacks, e.g., participation in a botnet or DDoS, and works backwards by iteratively deploying increasingly more localized and powerful detectors closer to the initial attack vector. We accomplish this by characterizing multiple IDS systems in a uniform framework based on their costs and detection capabilities and integrating them, for the first time, into an online system-wide forensics framework. We develop the basic elements of the framework and give an example of its envisioned operation.
KW - intrusion detection and forensics systems
UR - http://www.scopus.com/inward/record.url?scp=78650164959&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=78650164959&partnerID=8YFLogxK
U2 - 10.1145/1866898.1866910
DO - 10.1145/1866898.1866910
M3 - Conference contribution
AN - SCOPUS:78650164959
SN - 9781450300933
T3 - Proceedings of the ACM Conference on Computer and Communications Security
SP - 71
EP - 74
BT - Proceedings of the 3rd ACM Workshop on Assurable and Usable Security Configuration, SafeConfig '10, Co-located with CCS'10
T2 - 3rd ACM Workshop on Assurable and Usable Security Configuration, SafeConfig '10, Co-located with CCS'10
Y2 - 4 October 2010 through 8 October 2010
ER -