Designing a Web of Highly-Configurable Intrusion Detection Sensors
August 20, 2003
Intrusion detection relies on the information provided by a number of sensors deployed throughout the monitored network infrastructure. Sensors provide information at different abstraction levels and with different semantics. In addition, sensors range from lightweight probes and simple log parsers to complex software artifacts that perform sophisticated analysis. Managing a configuration of heterogeneous sensors can be a very time-consuming task. Management tasks include planning, deployment, initial configuration, and run-time modifications. This paper describes a new approach that builds on the STAT model to support a highly configurable sensing infrastructure. The approach relies on a common sensor model, an explicit representation of sensor component characteristics and dependencies, and a shared communication and control infrastructure. The model allows an Intrusion Detection Administrator to express high-level configuration requirements that are mapped automatically to a detailed deployment and/or reconfiguration plan. This approach automates the administrator's tasks and gives better assurance of the effectiveness and consistency of the deployed sensing infrastructure.
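To make the planning step concrete, here is an added illustration (not code from the paper or from the STAT framework) of how explicit component dependencies let a high-level request be mapped to an ordered deployment plan, and how a run-time removal can be refused when it would leave a dependent analyzer without its input. The component names, kinds and catalog format are constructed for the example.

```python
from dataclasses import dataclass

# Constructed sensor component descriptors (illustrative only, not the STAT
# framework's real module format): each component lists what it requires.
@dataclass(frozen=True)
class Component:
    name: str
    kind: str                  # "probe", "parser", "analyzer", "response"
    requires: tuple = ()       # names of components that must be active first

CATALOG = {
    "net_probe": Component("net_probe", "probe"),
    "syslog_parser": Component("syslog_parser", "parser"),
    "portscan_scenario": Component("portscan_scenario", "analyzer", ("net_probe",)),
    "http_scenario": Component("http_scenario", "analyzer", ("net_probe", "syslog_parser")),
    "alert_forwarder": Component("alert_forwarder", "response", ("portscan_scenario",)),
}

def plan_deployment(requested, catalog=CATALOG, already_deployed=()):
    """Map an administrator's high-level request (the analyzers wanted) to an
    ordered activation plan. Dependencies are resolved transitively, components
    that are already running are skipped, and a missing or cyclic dependency is
    reported instead of producing a plan that leaves a sensor half-configured."""
    plan, visiting, done = [], set(), set(already_deployed)

    def visit(name):
        if name in done:
            return
        if name in visiting:
            raise ValueError(f"dependency cycle through {name}")
        if name not in catalog:
            raise KeyError(f"unknown component {name}")
        visiting.add(name)
        for dep in catalog[name].requires:   # activate prerequisites first
            visit(dep)
        visiting.remove(name)
        done.add(name)
        plan.append(name)

    for name in requested:
        visit(name)
    return plan

def plan_removal(to_remove, deployed, catalog=CATALOG):
    """Run-time reconfiguration in the other direction: a component may only be
    stopped if no still-deployed component depends on it; otherwise the
    dependents are named so the administrator sees what the change would break."""
    dependents = [c for c in deployed if c != to_remove and to_remove in catalog[c].requires]
    if dependents:
        raise ValueError(f"{to_remove} is still required by {dependents}")
    return [c for c in deployed if c != to_remove]
```

The cycle and unknown-component checks are what keep an automatically generated plan consistent; without them a mistyped requirement would silently yield a sensor that never receives its events.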
About Giovanni Vigna
Giovanni Vigna is an Assistant Professor in the Department of Computer Science at the University of California, Santa Barbara. His current research interests include network and computer security, intrusion detection, security of mobile code systems, penetration testing, and distributed systems. In particular, in recent years he has worked on STAT, a framework for the modular development of intrusion detection systems. He has also published a book on Security and Mobile Agents and is the Program Chair of the International Symposium on Recent Advances in Intrusion Detection (RAID 2003). Giovanni Vigna received his M.S. with honors and Ph.D. from Politecnico di Milano, Italy, in 1994 and 1998, respectively.