Paper 445 US-M-E
Impact of Sanitized Message Flows in a Cooperative Intrusion Warning System
Jahnke, Marko (FGAN/FKIE)
gentschen Felde, Nils (Ludwig-Maximilians University, Munich)
Toelle, Jens (FGAN/FKIE)
Martini, Peter (University of Bonn)
This paper discusses the side effects of sanitizing IT security event messages in a cooperative multi-domain intrusion warning system (IWS). To enhance the detection capabilities of conventional IT security tools like IDS, virus scanners and packet filters, a centralized, so-called intrusion warning system can be deployed, which collects and analyzes event messages from the different domains. Additionally, the IWS informs the domains about potentially critical situations which might not be covered by the existing tools due to technical limitations, heterogeneous security policies or differences in configuration. Thus, it can be deployed as an early warning system and for decision support. In cooperation scenarios like military coalition environments (CEs, e.g. NATO, KFOR, SFOR), potentially confidential or sensitive information still needs to be concealed from the CE partners, as defined by existing information sharing policies. This also holds for information contained within IDS event messages: they might include specifications of network addresses and topologies, of products or vendors, and of both applications and security systems. Thus, to enable CE-wide cooperation of IT security systems, appropriate information sanitizing techniques need to be applied to enforce the policy. This might have a negative impact on the centralized analysis capabilities, since potentially important information might be dropped from the messages. In this paper, the impact of sanitizing event message flows in a cooperative IWS is studied by examining the behaviour of an IWS when it is fed with real-life event messages combined with artificial events from an internet worm spreading simulation. The worm detection capabilities of the analysis components are determined in a multi-domain setup for both situations, with and without applying information sanitizing mechanisms to the event message flow.
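As an added illustration that is not part of the paper, the following constructed Python sketch shows the trade-off the abstract describes: a policy that withholds addresses entirely versus one that replaces them with keyed, consistent pseudonyms, each run against a simplified fan-out worm indicator of the kind an IWS might apply. The sample events, the per-domain key, the field names and the detector threshold are all assumptions made for this example.

```python
import hmac
import hashlib
from collections import defaultdict

SECRET = b"constructed-per-domain-key"  # hypothetical key kept inside the domain, never shared with the IWS

def make_events():
    """Constructed sample IDS events: a worm-like scanner 10.1.1.5 probing
    12 hosts with the same signature, plus a few unrelated alerts."""
    events = [{"ts": i, "src": "10.1.1.5", "dst": f"10.1.2.{i}", "sig": "SMB probe",
               "product": "VendorX IDS 3.1"} for i in range(1, 13)]
    events += [{"ts": 20, "src": "10.1.1.9", "dst": "10.1.2.1", "sig": "SMB probe",
                "product": "VendorX IDS 3.1"},
               {"ts": 21, "src": "10.1.1.9", "dst": "10.1.2.2", "sig": "web scan",
                "product": "VendorY IDS 8"}]
    return events

def pseudonymize(value, key=SECRET):
    """Keyed, consistent pseudonym: equal inputs map to equal tokens, so the IWS can
    still correlate events, but cannot recover the address without the key."""
    return "pseudo-" + hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:12]

def sanitize(event, policy):
    """Apply an information-sharing policy to one event before it leaves the domain."""
    out = dict(event)
    out["product"] = "<withheld>"          # vendor/product names are concealed under every policy
    if policy == "pseudonym":              # addresses replaced by consistent pseudonyms
        out["src"], out["dst"] = pseudonymize(event["src"]), pseudonymize(event["dst"])
    elif policy == "suppress":             # addresses dropped entirely
        out["src"] = out["dst"] = "<withheld>"
    elif policy != "none":
        raise ValueError(f"unknown policy {policy!r}")
    return out

def fanout_detector(events, threshold=10):
    """Simplified IWS worm indicator: flag a source that contacts at least
    `threshold` distinct destinations with the same signature."""
    targets = defaultdict(set)
    for e in events:
        targets[(e["src"], e["sig"])].add(e["dst"])
    return {src for (src, _), dsts in targets.items() if len(dsts) >= threshold}

def detect_under_policy(policy, threshold=10):
    """Run the detector on the event flow as the IWS would receive it under `policy`."""
    return fanout_detector([sanitize(e, policy) for e in make_events()], threshold)
```

Under the pseudonym policy the scanner is still flagged (as a pseudonym the domain can resolve locally), whereas suppressing addresses collapses all destinations into one token and the fan-out indicator never fires.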

[Speaker] Jens Toelle is a senior researcher at the computer networks department of the Research Establishment for Applied Sciences (FGAN) in Wachtberg, Germany. He holds a Dipl.-Inform. degree (~ MSc.) from the University of Paderborn, Germany and a Ph.D. from the University of Bonn (2002), Germany. He worked as a researcher and senior researcher at the University of Bonn until Dec. 2004. In Jan. 2005, he joined the network security group of the FGAN computer networks department. His research interests include intrusion detection and application layer security. Marko Jahnke is a senior researcher at the computer networks department of the Research Establishment for Applied Sciences (FGAN) in Wachtberg, Germany. Nils gentschen Felde is a research assistant at the Ludwig-Maximilians-University of Munich, Germany. Peter Martini is a professor of computer science and holds the computer networks chair at the Institute of Computer Science IV at the University of Bonn, Germany.