An Efficient Intrusion Detection System Design

Intrusion detection systems have proved to be an effective instrument for protecting computer and network resources. In addition to preventive security mechanisms (e.g. authentication, encryption, or access control) they provide an automatic detection of security violations. Some systems are able to reduce arising damage by the automatic execution of intrusion response actions. For host-based systems, the most effective detection approach is audit data analysis with signature detection methods. Because of the character of audit records, these approaches are post-mortem techniques. Thus, the success of an intrusion response activity essentially depends on the time difference between the real appearance and the detection of the particular security violation. At the Brandenburg University of Technology Cottbus we are currently working on HEIDI (High-Efficient Intrusion Detection Infrastructure), which is a new approach for solving this intrusion detection efficiency problem. HEIDI consists of modules and mechanisms, which are aimed to maximize the detection speed in distributed environments. The main types of modules are sensors for fast local audit record capturing and preprocessing, and agents for performing the detection of local and distributed attacks. Unlike any other known system, HEIDI applies a combined signature evaluation scheme with maximal local concentration of analysis functionality. This leads to a minimal need for inter-agent network traffic and delay. Additionally, for assuring a continuous operation, HEIDI uses an adaptive mechanism to compensate temporary overload situations, e.g. audit bursts. To avoid a stop of execution, the affected agents are able to delegate their analysis functionality to other agents temporarily. By combining sensors and agents, it is possible to get tailored hierarchical intrusion detection architectures for given target environments. The HEIDI prototype implementation is currently in progress.