we may need to store all the “interesting events” that happened during its
lifetime. The challenging issue here is to decide what information or events to
store so that the record represents the connection as succinctly as possible while
still capturing all relevant events. Clearly there is a trade-off between
space and accuracy that needs to be made. The problem becomes more
difficult when dealing with connectionless traffic, as there is no binding glue
of a connection that imposes some structure on the nature of the traffic. Here
we basically have to decide which packets to keep a record of and what type
of record to keep. For example, histograms can be used to keep track of frequencies
of certain network traffic characteristics, like connections to a specific port
within a time window. Also, each synopsis technique in itself may not be
able to satisfy the desired space-accuracy requirements. The challenge then is
how to cascade synopsis techniques so that they work together to record certain
network events. What combinations of techniques are suitable for recording
various types of network events efficiently? What are the implications of this
cascading on false positive or false negative analysis?
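The following is an added illustration of the two ideas above, a time-windowed port histogram and a cascade of two synopsis techniques; it is example code written for this page, not ForNet's own SynApp implementation. The connection records, the 60-second window, the Bloom filter sizing and all class and function names are assumptions made for the example. The histogram answers "how many connections to port P in window W" exactly, while the cascaded Bloom filter answers "did host S connect to port P in window W" in fixed space at the cost of a bounded false-positive rate, which is exactly the space-accuracy trade-off and its false-positive implication the text raises.

```python
"""Added example: a per-window port histogram cascaded with a Bloom-style
membership synopsis. Illustrative code, not ForNet's implementation."""
import hashlib
import math
from collections import defaultdict

# Constructed sample of connection records: (timestamp_seconds, src_ip, dst_port)
SAMPLE_CONNECTIONS = [
    (0, "10.0.0.5", 445), (3, "10.0.0.5", 445), (7, "10.0.0.9", 445),
    (12, "10.0.0.5", 80), (61, "10.0.0.7", 445), (65, "10.0.0.7", 445),
    (70, "10.0.0.8", 445), (75, "10.0.0.9", 22), (130, "10.0.0.5", 445),
]

WINDOW = 60  # assumed histogram bucket width in seconds


class BloomFilter:
    """Fixed-size bit array with k hash positions: 'no' is exact, 'yes' is probabilistic."""

    def __init__(self, num_bits=256, num_hashes=3):
        self.num_bits = num_bits
        self.num_hashes = num_hashes
        self.bits = 0  # Python int used as a bit array

    def _positions(self, item):
        # Derive k independent positions from salted SHA-256 digests.
        for i in range(self.num_hashes):
            digest = hashlib.sha256(f"{i}:{item}".encode()).digest()
            yield int.from_bytes(digest[:4], "big") % self.num_bits

    def add(self, item):
        for pos in self._positions(item):
            self.bits |= 1 << pos

    def __contains__(self, item):
        return all((self.bits >> pos) & 1 for pos in self._positions(item))

    def estimated_false_positive_rate(self, items_inserted):
        """Standard Bloom estimate (1 - e^(-kn/m))^k for n inserted items."""
        k, m, n = self.num_hashes, self.num_bits, items_inserted
        return (1.0 - math.exp(-k * n / m)) ** k


class PortHistogramSynopsis:
    """Histogram of connections per destination port per time window, cascaded
    with a Bloom filter that records which (window, port, src) triples were seen."""

    def __init__(self, window=WINDOW):
        self.window = window
        self.counts = defaultdict(lambda: defaultdict(int))  # window -> port -> count
        self.members = BloomFilter()
        self.inserted = 0

    def record(self, ts, src, port):
        w = ts // self.window
        self.counts[w][port] += 1          # exact frequency
        self.members.add((w, port, src))   # compact, lossy membership record
        self.inserted += 1

    def connections_to_port(self, port, window_index):
        """Exact count of connections to `port` in the given window."""
        return self.counts.get(window_index, {}).get(port, 0)

    def maybe_connected(self, src, port, window_index):
        """False is definite; True means 'possibly' (Bloom false positives)."""
        return (window_index, port, src) in self.members

    def spike_windows(self, port, threshold):
        """Windows in which connections to `port` reached `threshold`."""
        return sorted(w for w, ports in self.counts.items()
                      if ports.get(port, 0) >= threshold)


def build_synopsis(records=SAMPLE_CONNECTIONS):
    syn = PortHistogramSynopsis()
    for ts, src, port in records:
        syn.record(ts, src, port)
    return syn


if __name__ == "__main__":
    s = build_synopsis()
    print("port 445 per window:", {w: s.connections_to_port(445, w) for w in sorted(s.counts)})
    print("windows with >=3 connections to 445:", s.spike_windows(445, 3))
    print("est. Bloom false-positive rate:", s.members.estimated_false_positive_rate(s.inserted))
```

Only the negative answer from the cascaded filter is trustworthy; any positive answer should be confirmed against fuller evidence, and the estimate function shows how the false-positive rate climbs as more events are packed into the same fixed space.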
- Integration of Information from Synopses Across Multiple Networks: A single SynApp will only be able to answer queries about the events
within its vicinity. While this could be of tremendous use by itself, the real
power of a logging mechanism would be realized when multiple SynApps are
networked together to answer queries about events in the larger network
they span. For example, whereas a single SynApp may say when a worm
appeared in a given network, together they can potentially help locate the
origin of the worm by finding out where it appeared first. This would then set
us on the right track to finding the culprit who created the worm. So the ben-
efit of networking the individual appliances is compelling, but its realization
brings out new challenges. How do we connect them so that they can jointly
respond to queries? How do we propagate queries to other (known) peers? Is
there a minimal yet complete protocol that could facilitate the cooperation
among synopsis appliances? How could such a collaborative system provide
guarantees about the privacy of the data handled?
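As an added sketch of the "where did it appear first" query described above, the code below simulates several SynApp peers, each holding only the first-seen time of an event signature in its own network, and propagates a query through the known-peer graph with a visited set so each appliance is asked once. This is example code written for this page, not ForNet's protocol; the peer topology, the first-seen timestamps, the signature names and the hop limit are constructed assumptions.

```python
"""Added example: propagating a first-seen query across networked SynApp peers
to locate where an event was observed earliest. Illustrative, not ForNet's protocol."""
from collections import deque


class SynApp:
    """One appliance: first-seen timestamp per event signature plus its known peers."""

    def __init__(self, name, first_seen):
        self.name = name
        self.first_seen = dict(first_seen)  # signature -> earliest local timestamp
        self.peers = []

    def connect(self, other):
        # Peer links are symmetric in this model.
        self.peers.append(other)
        other.peers.append(self)

    def local_answer(self, signature):
        """(timestamp, appliance name) if this network saw the signature, else None."""
        ts = self.first_seen.get(signature)
        return None if ts is None else (ts, self.name)


def federated_first_seen(origin, signature, max_hops=None):
    """Breadth-first query propagation; each peer is visited at most once.
    Returns the (timestamp, name) pair with the earliest timestamp, or None."""
    visited = {origin.name}
    queue = deque([(origin, 0)])
    answers = []
    while queue:
        node, hops = queue.popleft()
        ans = node.local_answer(signature)
        if ans is not None:
            answers.append(ans)
        if max_hops is not None and hops >= max_hops:
            continue  # do not forward beyond the hop budget
        for peer in node.peers:
            if peer.name not in visited:
                visited.add(peer.name)
                queue.append((peer, hops + 1))
    return min(answers) if answers else None


def build_demo_network():
    """Constructed topology: A-B, B-C, C-D, A-D with hypothetical first-seen data."""
    a = SynApp("net-A", {"worm-X": 1700})
    b = SynApp("net-B", {"worm-X": 1250})
    c = SynApp("net-C", {"worm-X": 1420, "scan-Y": 900})
    d = SynApp("net-D", {})
    a.connect(b)
    b.connect(c)
    c.connect(d)
    a.connect(d)
    return a, b, c, d


if __name__ == "__main__":
    a, _, _, _ = build_demo_network()
    print("earliest sighting of worm-X:", federated_first_seen(a, "worm-X"))
    print("with no forwarding:", federated_first_seen(a, "worm-X", max_hops=0))
```

The hop budget is one crude answer to the propagation question raised above; the privacy question is untouched here, since every peer returns its raw timestamp and name to whoever asks.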
- Security of ForNet: As we discussed in Section 5, various components of
ForNet itself are targets for attack by an adversary. Besides the attacks
described in that section, we need to explore further to identify attacks on
various synopsis techniques and countermeasures for these attacks. Finally,
these countermeasures must be incorporated into SynApps so that evidence gathered
by them remains valid.