GIDRE: Grid-based detection intrusion and response environment


Abstract

This paper describes a new method to improve the efficiency and speed of incident detection by network protection systems. The principal element of this method is the ADSH (Hybrid ADS, i.e. an integrated ADS and IDS solution, an upgrade of traditional IDS, ADS, NIDS, etc.). The method is called GIDRE, and proposes an innovative mechanism for early detection of and response to attacks, as well as distribution of information about their characteristics, allowing the optimisation of resources and of the response to them in the goal of protecting computer systems connected to the network. To reach this goal, GIDRE has standardised mechanisms for exchanging information between clusters of intrusion and anomalous user behaviour detection systems (ADSH), which are distributed through the network using a GRID architecture. These ADSHs perform a constant capture of the suspicious attack packets and anomalous packets circulating through the network. Thus the ADSHs share information about the anomalies detected in the network and can discriminate almost immediately whether an attack is taking place globally or whether it is an accidental deviation in the behaviour of some particular user. When an ADSH detects anomalous traffic it triggers a Local Alarm (LA) about the protocols used in the attack, and this analysis is sent to the Console of the corresponding protocol (the ADSH assigned to that protocol) for integration with potential LAs coming from other sites. When the Console of the protocol analyses the received LAs, it determines whether a General Alarm (GA) has taken place and, if necessary, generates new configuration rules to apply in the perimeter protection systems of the affected local networks. The GIDRE topology elements are as follows: several ADSHs distributed over different networks, several firewalls, and a Central Console in an HD redundant architecture.
Some experiments have demonstrated the advantage of distributed ADSHs over a single ADSH. To demonstrate it, we analyse the behaviour of SPAM that is sent directly to the users' address book, whose contacts will in turn be contaminated, and detect the node contamination processes using distributed ADSHs and a single ADSH. © 2009 Vieweg+Teubner | GWV Fachverlage GmbH, Wiesbaden.
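The abstract describes the LA-to-GA correlation step but not how a protocol Console decides that scattered Local Alarms amount to a General Alarm. The toy model below is an added example, not code from the paper or the GIDRE project: it assumes that a Console for one protocol keeps the LAs received from every site within a time window, declares a GA once a minimum number of distinct sites report, and then emits one perimeter rule per affected network (the rule syntax, the site names, the addresses and the alarm trace are all constructed for the example). Replaying the same trace against a single-site deployment shows why a lone ADSH cannot tell a global spam campaign from a local deviation.

```python
"""Toy model of GIDRE-style LA/GA correlation (added example, not the paper's code).

Assumed abstractions: a LocalAlarm raised by an ADSH at one site, a ProtocolConsole
that correlates LAs for a single protocol, and a GeneralAlarm carrying firewall rules.
All sample data below is constructed for the example.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set, Tuple


@dataclass(frozen=True)
class LocalAlarm:
    ts: float       # seconds from the start of the trace (constructed)
    site: str       # local network whose ADSH raised the alarm
    protocol: str   # protocol carried by the anomalous traffic
    src: str        # offending source address (constructed sample value)


@dataclass(frozen=True)
class GeneralAlarm:
    ts: float
    protocol: str
    sites: Tuple[str, ...]
    rules: Tuple[str, ...]


class ProtocolConsole:
    """Console assigned to one protocol: keeps the recent LAs from every site and
    declares a GA once at least `min_sites` distinct sites report within `window_s`."""

    def __init__(self, protocol: str, window_s: float = 300.0, min_sites: int = 2):
        self.protocol = protocol
        self.window_s = window_s
        self.min_sites = min_sites
        self._alarms: List[LocalAlarm] = []

    def receive(self, la: LocalAlarm) -> Optional[GeneralAlarm]:
        # A dispatcher routes each LA to the Console of its protocol; mixing
        # protocols here would corrupt the correlation, so reject it loudly.
        if la.protocol != self.protocol:
            raise ValueError(f"LA for {la.protocol} routed to {self.protocol} console")
        self._alarms.append(la)
        # Drop alarms that have fallen out of the correlation window.
        self._alarms = [a for a in self._alarms if la.ts - a.ts <= self.window_s]
        sites = tuple(sorted({a.site for a in self._alarms}))
        if len(sites) < self.min_sites:
            return None  # may still be an accidental deviation at one site
        sources = sorted({a.src for a in self._alarms})
        # One new perimeter rule per affected network (hypothetical rule syntax).
        rules = tuple(f"deny {self.protocol} from {src} to {site}"
                      for site in sites for src in sources)
        return GeneralAlarm(la.ts, self.protocol, sites, rules)


def time_to_general_alarm(alarms: Iterable[LocalAlarm], monitored_sites: Set[str],
                          min_sites: int = 2, window_s: float = 300.0) -> Optional[GeneralAlarm]:
    """Replay LAs in time order, keeping only those from sites where an ADSH is
    deployed, and return the first GA declared (None if none is ever declared)."""
    consoles: Dict[str, ProtocolConsole] = {}
    for la in sorted(alarms, key=lambda a: a.ts):
        if la.site not in monitored_sites:
            continue  # no ADSH at that site, so nobody raises the LA
        console = consoles.setdefault(
            la.protocol, ProtocolConsole(la.protocol, window_s, min_sites))
        ga = console.receive(la)
        if ga is not None:
            return ga
    return None


# Constructed trace: spam from one source reaches siteA, then siteB, then siteC;
# an unrelated DNS anomaly at siteA must not be mixed into the SMTP correlation.
SAMPLE_ALARMS = [
    LocalAlarm(0.0, "siteA", "smtp", "203.0.113.7"),
    LocalAlarm(60.0, "siteA", "smtp", "203.0.113.7"),
    LocalAlarm(120.0, "siteB", "smtp", "203.0.113.7"),
    LocalAlarm(300.0, "siteC", "smtp", "198.51.100.9"),
    LocalAlarm(700.0, "siteA", "dns", "203.0.113.7"),
]

if __name__ == "__main__":
    print("distributed ADSHs:", time_to_general_alarm(SAMPLE_ALARMS, {"siteA", "siteB", "siteC"}))
    print("single ADSH at siteC:", time_to_general_alarm(SAMPLE_ALARMS, {"siteC"}))
```

With ADSHs at all three sites the SMTP Console declares the GA at t=120, as soon as a second site corroborates the first, and the rules cover both affected networks. A single ADSH at siteC only sees its own LA at t=300; with the corroboration threshold kept it never reaches a GA, and with the threshold lowered to one site it fires on local evidence alone, which is exactly the case the abstract says cannot be discriminated from an accidental deviation.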

Citation (APA)

Olguin, O., & Medina, M. (2009). GIDRE: Grid-based detection intrusion and response environment. In ISSE 2008 - Securing Electronic Business Processes: Highlights of the Information Security Solutions Europe 2008 Conference (pp. 172–180). https://doi.org/10.1007/978-3-8348-9283-6_18
