Paulo Fernando da Silva (paulo@lrg.ufsc.br), Carlos Becker Westphall (westphal@lrg.ufsc.br)
Network and Management Laboratory

Post-Graduate Program in Computer Science, Federal University of Santa Catarina - Florianópolis, Brazil

An Intrusion Answer Model Compatible with the Alerts IDWG

Model

The IDREF data model extends the work of the IDWG group in order to implement mechanisms for sending responses to detected alerts.

To support interoperability of responses, besides developing the IDREF data model, it was necessary to modify the IDS architecture proposed by the IDWG group.

The components countermeasures, action and resource have been added.

- The Response class allows information whose purpose is to control or to inform about an attack to be sent; it has three derived classes: TCP, ICMP and notify;

- The React class is used to Block or Finish a Resource;

- The Block and Shutdown classes respectively represent the blocking and the closing of some resource;

- A reply of the Config type allows the configuration of a specific resource to be modified in order to contain an attack;

- The Resource class represents the resource to which the reply will be sent. This class has five derived classes: Node, Process, Service, UserList and FileList;

- In the proposed architecture, when the operator receives a notification from the manager, he has the option of sending a reply back to the manager;

- When the manager receives a reply, it encodes it according to the IDREF model and sends it to the countermeasures component;

- The actions contain information from the Response, React or Config classes of the IDREF model. An action can be, for example, the blocking or closing of some resource;

- The resources are specified in the reply by the Resource class of the IDREF model. A resource can be, for example, a user account or a router;

- To create an intrusion detection environment with support for sending responses, three components have been developed: IDSMan, IDSAna and IDSRes;

- The IDSMan component is an alert manager able to receive IDMEF messages and to send IDREF messages;

- IDSAna is a component that connects the analyzer of an IDS to the IDSMan manager;

- IDSRes is a countermeasures component able to receive IDREF messages and to apply actions to resources;
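As an added example, not code from the authors' IDSMan or IDSRes implementation, the following Python models the IDREF reply classes listed above (Response/React/Config over a Resource) and the two steps the page describes: the manager encoding a reply and the countermeasures component decoding it before acting. The XML element layout, the attribute names and the `alert_ident` field are assumptions of this example, since the page does not give the wire format.

```python
from dataclasses import dataclass, field
import xml.etree.ElementTree as ET

# Derived classes named on the page; anything else is rejected by validate().
RESOURCE_KINDS = {"Node", "Process", "Service", "UserList", "FileList"}
ACTION_KINDS = {"Response": {"TCP", "ICMP", "notify"},   # control/inform on an attack
                "React": {"Block", "Shutdown"},            # block or close a resource
                "Config": {""}}                            # reconfigure a resource

@dataclass
class Resource:
    kind: str   # one of RESOURCE_KINDS
    name: str   # host name, PID, service or account name (constructed values)

@dataclass
class Reply:
    category: str                    # "Response", "React" or "Config"
    resource: Resource               # target the reply is sent to
    kind: str = ""                   # derived class for Response/React; empty for Config
    params: dict = field(default_factory=dict)  # Config settings or Response details
    alert_ident: str = ""            # IDMEF alert being answered (assumed attribute)

def validate(reply: Reply) -> None:
    """Reject replies that use classes the IDREF model does not define."""
    if reply.kind not in ACTION_KINDS.get(reply.category, ()):
        raise ValueError(f"invalid {reply.category}/{reply.kind} reply")
    if reply.resource.kind not in RESOURCE_KINDS:
        raise ValueError(f"unknown Resource class {reply.resource.kind!r}")

def encode(reply: Reply) -> str:
    """IDSMan side: validate, then serialise the reply (element layout is assumed)."""
    validate(reply)
    root = ET.Element("IDREF-Message")
    action = ET.SubElement(root, reply.category,
                           {"alert_ident": reply.alert_ident, "kind": reply.kind})
    for key, value in reply.params.items():
        ET.SubElement(action, "param", {"name": key, "value": str(value)})
    ET.SubElement(root, "Resource", {"class": reply.resource.kind, "name": reply.resource.name})
    return ET.tostring(root, encoding="unicode")

def decode(xml_text: str) -> Reply:
    """IDSRes side: parse a message and re-validate it before acting on the resource."""
    root = ET.fromstring(xml_text)
    action, res = root[0], root.find("Resource")
    reply = Reply(action.tag, Resource(res.get("class"), res.get("name")), action.get("kind", ""),
                  {p.get("name"): p.get("value") for p in action.findall("param")},
                  action.get("alert_ident", ""))
    validate(reply)
    return reply
```

Validating again on the IDSRes side matters because that component is the one that actually blocks or shuts down resources, so a malformed or tampered message is rejected before any action is applied.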

This architecture allows alerts from several different IDSs to be received, using the IDMEF alert model, and also allows responses to the received alerts to be transmitted, using the IDREF response model.

In this way, the proposed architecture provides interoperability between IDSs both for alerts and for replies.
