Fig. 6. The graph model of the HTTP-header analysis module of the finite state machine A_HTTP
The described intrusion detection model can also be used to protect other network protocols such as SMTP, FTP, SNMP, SOAP, etc. Because it checks traffic against a specification of legitimate protocol behaviour rather than against attack signatures, the model can detect both known and previously unseen network attacks on computer systems. It is also easily extended by adding new parameters.
The developed model belongs to the class of specification-based (policy-based) intrusion detection techniques. In contrast to existing models of this class, the behavioural intrusion detection model uses state machine-based formal grammars as its basic mathematical tool for attack detection. Such formal grammars allow a more precise definition of the parameters that are used for intrusion detection.
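To make the specification-based idea concrete, the following is an added example, not code from the paper or from the Forpost IPS. It is a small hypothetical automaton in the spirit of the HTTP-header analysis module A_HTTP of Fig. 6: the automaton walks the states REQUEST_LINE, HEADERS and END, and every input that the specification does not describe (unknown method, oversized URI or header field, control characters in a field value, too many fields, unterminated header block) sends it to REJECT. The state names, the numeric limits, the allowed-method set and the sample requests are all assumptions made for this example; the paper gives no such values.

```python
import re
from dataclasses import dataclass, field

# Specification parameters. The values are assumptions for this example; the paper
# states that the model is extended by adding parameters but does not list them.
ALLOWED_METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS"}
ALLOWED_VERSIONS = {"HTTP/1.0", "HTTP/1.1"}
MAX_URI_LEN = 2048
MAX_NAME_LEN = 64
MAX_VALUE_LEN = 1024
MAX_HEADERS = 50

TOKEN = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")    # RFC 7230 'token': header names
FIELD_VALUE = re.compile(r"[\t\x20-\x7e\x80-\xff]*")   # printable bytes only: no CR, LF or other CTLs


@dataclass
class Verdict:
    state: str                                   # final automaton state: ACCEPT or REJECT
    violations: list = field(default_factory=list)


def check_request_line(line: str) -> list:
    """Violations of the specification in the request line (method, URI, version)."""
    parts = line.split(" ")
    if len(parts) != 3:
        return [f"malformed request line {line!r}"]
    method, uri, version = parts
    found = []
    if method not in ALLOWED_METHODS:
        found.append(f"unknown method {method!r}")
    if len(uri) > MAX_URI_LEN:
        found.append(f"URI length {len(uri)} exceeds {MAX_URI_LEN}")
    if version not in ALLOWED_VERSIONS:
        found.append(f"unsupported version {version!r}")
    return found


def check_header_line(line: str) -> list:
    """Violations of the specification in one header field line."""
    name, sep, value = line.partition(":")
    if not sep:
        return [f"header line without ':' {line!r}"]
    value = value.strip(" \t")
    found = []
    if not TOKEN.fullmatch(name):
        found.append(f"invalid header name {name!r}")
    elif len(name) > MAX_NAME_LEN:
        found.append(f"header name length {len(name)} exceeds {MAX_NAME_LEN}")
    if len(value) > MAX_VALUE_LEN:
        found.append(f"value of {name!r} has length {len(value)}, exceeds {MAX_VALUE_LEN}")
    if not FIELD_VALUE.fullmatch(value):
        found.append(f"control characters in value of {name!r}")
    return found


def analyze_http_request(raw: bytes) -> Verdict:
    """Drive the automaton REQUEST_LINE -> HEADERS -> END over one request.

    Any input the specification does not describe is recorded as a violation and
    sends the automaton to REJECT. No attack signature is consulted, so a request
    that has never been seen before is still caught if it steps outside the spec.
    """
    lines = raw.decode("latin-1").split("\r\n")
    state, violations, nheaders = "REQUEST_LINE", [], 0
    for line in lines:
        if state == "REQUEST_LINE":
            violations += check_request_line(line)
            state = "HEADERS"
        elif state == "HEADERS":
            if line == "":                       # empty line closes the header block
                state = "END"
                break
            nheaders += 1
            if nheaders > MAX_HEADERS:
                violations.append(f"more than {MAX_HEADERS} header fields")
                state = "REJECT"
                break
            violations += check_header_line(line)
    if state == "HEADERS":                       # input ended inside the header block
        violations.append("header block not terminated by an empty line")
    return Verdict("REJECT" if violations else "ACCEPT", violations)


if __name__ == "__main__":
    # Constructed sample requests for illustration (not captured traffic)
    samples = {
        "benign": b"GET /index.html HTTP/1.1\r\nHost: example.com\r\nUser-Agent: t\r\n\r\n",
        "oversized header": b"GET / HTTP/1.1\r\nHost: " + b"A" * 2000 + b"\r\n\r\n",
        "control char in value": b"GET / HTTP/1.1\r\nX-Test: abc\x00def\r\n\r\n",
        "unknown method": b"HACK / HTTP/1.1\r\nHost: x\r\n\r\n",
    }
    for label, req in samples.items():
        verdict = analyze_http_request(req)
        print(f"{label:22s} {verdict.state:6s} {verdict.violations}")
```

The point of the structure is that adding a new detection parameter (say, a limit on the number of Cookie fields) is a matter of adding one check to the relevant state, which is the extensibility the paper claims for its model; the automaton itself does not change.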
4 Practical Implementation of the Developed Behavior-Based Intrusion Detection Model
The developed behavior-based intrusion detection model was implemented in the Intrusion Detection and Prevention System (IPS) named "Forpost". IPS "Forpost" consists of the following components:
- network and server sensors, designed to collect and analyse information about the network packets transmitted in the computer system;
- a response module, which performs different types of response depending on the type of detected attack and on the administrator's settings;
- an information database, designed for centralized storage of configuration data and of the results of the IPS's work;
- a management module, which provides centralized remote management of the IPS components over the network;
- a coordination center, which provides the interaction between all other components of the IPS;
- software agents, which transmit data between the sensors and the coordination center.
The network sensors of IPS "Forpost" are implemented as appliances that detect attacks in particular network segments. They are installed in the computer system by connecting them to hubs or to SPAN ports of switches, so that the sensor receives a copy of the segment's traffic. For security reasons each network sensor is equipped with two network adapters: one is used as the management interface, the other only collects data packets [8, 1]. Keeping the monitoring adapter separate from the management adapter means that the interface exposed to the monitored (and possibly hostile) traffic carries no management service.