A new model for creating distributed intrusion detection systems is presented in this paper. The model uses three concepts: system views, signatures, and view definitions. A system view provides an abstract representation of a specific kind of information about events and of the relationships among components of a system. A signature represents a distributed event pattern over an instantiation of a system view. A view definition derives useful information from signatures presented through a system view (an extension of earlier work).
The authors’ model uses abstraction to hide heterogeneity and irrelevant details. It also uses hierarchical concepts to embody distributed attack and event abstraction. The signatures represent known misuse attacks, and not anomalies. The goal is to analyze events locally, that is, in a distributed manner, and to build a hierarchy of views and signatures that result in the identification of a known misuse pattern.
This paper describes a research effort to build intrusion detection systems that can be effectively deployed in large networks. The authors indicate that abstraction, hierarchical modeling based on local analysis, and the use of view definitions make their model unique. They have built a small system as proof of concept for signature decomposition, and for the distribution and execution of detection tasks. Hopefully, their next paper will reveal whether or not this model works in the real world.