High-efficient intrusion detection infrastructure

Abstract

In recent years research activities in computer network security focus more actively on the development of effective methods in intrusion detection. The reason for this development is the rapidly increasing potential of threats to social, economical, and military information stored in information technology (IT) systems. Powerful and practically applicable mechanisms are required to protect critical infrastructures. Intrusion detection systems have been proven as a powerful means for the detection of IT security violations. They provide protection of computer and network resources by automatic detection of security violations. Some of these systems are able to initiate appropriate intrusion response actions. The crucial point for realtime applications, especially for host-based audit analysis, is the detection speed. In the paper we present the distributed intrusion detection infrastructure HEIDI which tackles this problem. HEIDI provides a module system based on sensors and agents to set up tailored intrusion detection systems for real-time applications. The basic features of the HEIDI approach are a distributed analysis functionality, the handling of overload situations, and a dynamic configurability. Furthermore, the problem of time-consuming audit analysis is compensated by integration of StraFER, a new signature match algorithm.