
Modeling and Performance Analysis on the Response Capacity against Alert Information in an Intrusion Detection System

Modeling and Performance Analysis on the Response Capacity against Alert Information in an Intrusion Detection System

  • 전용희 (School of Computer and Information Communication Engineering, Daegu Catholic University) ;
  • 장정숙 (School of Computer and Information Communication Engineering, Daegu Catholic University) ;
  • 장종수 (Information Security Research Division, Electronics and Telecommunications Research Institute)
  • Published: 2005.10.01

Abstract

In this paper, we propose an intrusion detection system (IDS) architecture that can detect and respond to the generation of abnormal traffic such as malicious code and Internet worms. We model the system and design and implement a simulator using OPNET Modeler for the performance analysis of the response capacity against alert information in the proposed system. First, we model the arrival process of alert information resulting from abnormal traffic. In order to model the situation in which alert information is produced intensively, we apply the IBP (Interrupted Bernoulli Process), which represents the burstiness of traffic well. Then we perform the simulation in order to gain a quantitative understanding of the system with respect to our performance parameters. Based on the results of the performance analysis, we analyze the factors that may hinder speeding up the security node, and present some methods to enhance performance.

In this paper, we propose an intrusion detection system architecture that detects and responds to the generation of abnormal traffic such as malicious code and Internet worms. To analyze the performance of the proposed system's capacity to respond to alert information, we model the system and design and implement a simulator using OPNET. First, we model the arrival process of alert information resulting from abnormal traffic. To model the situation in which alert information is generated intensively, we apply the IBP (Interrupted Bernoulli Process), which represents the burstiness of traffic well. Next, we perform simulation experiments to gain a quantitative understanding of the system with respect to the performance parameters. Based on the results of the performance analysis, we analyze the factors that hinder speeding up the security node and derive methods to improve performance.
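The IBP alert source and the security node described in the abstract, as an added example that is not the paper's OPNET simulator: a two-state Interrupted Bernoulli Process feeds a discrete-time single-server queue, and the same mean alert rate is also run as a smooth Bernoulli source so the effect of burstiness on queueing delay can be seen. The state-transition probabilities, the service probability mu and the buffer size are assumed parameters, not values from the paper.

```python
import random
from collections import deque
from dataclasses import dataclass

@dataclass
class NodeStats:
    alerts: int        # alerts generated by the source
    dropped: int       # alerts refused because the buffer was full
    mean_queue: float  # mean queue length, sampled at the end of each slot
    max_queue: int
    mean_delay: float  # mean slots from arrival to processing; None if nothing was processed

def ibp_mean_rate(alpha, beta, p):
    # P(ON) of the two-state chain is (1-beta)/((1-alpha)+(1-beta)); alerts arrive at rate p while ON
    return p * (1 - beta) / ((1 - alpha) + (1 - beta))

def ibp_arrivals(alpha, beta, p, n_slots, rng):
    # IBP source: alpha = P(stay ON), beta = P(stay OFF), p = P(alert | ON) (assumed parameters).
    # Yields 1 when an alert arrives in the slot; alpha=1 gives a plain Bernoulli source.
    on = True
    for _ in range(n_slots):
        yield 1 if on and rng.random() < p else 0
        on = rng.random() < alpha if on else rng.random() >= beta

def simulate_node(arrivals, mu, rng, buffer=None):
    # Security node as a discrete-time FIFO queue: an arriving alert joins the queue (dropped if
    # the buffer is full); then, with probability mu, one queued alert is processed this slot.
    queue, delays = deque(), []
    alerts = dropped = max_q = slots = queue_sum = 0
    for t, arrived in enumerate(arrivals):
        slots += 1
        if arrived:
            alerts += 1
            if buffer is not None and len(queue) >= buffer:
                dropped += 1
            else:
                queue.append(t)
        if queue and rng.random() < mu:
            delays.append(t - queue.popleft())
        queue_sum += len(queue)
        max_q = max(max_q, len(queue))
    mean_delay = sum(delays) / len(delays) if delays else None
    return NodeStats(alerts, dropped, queue_sum / max(slots, 1), max_q, mean_delay)

def run(alpha, beta, p, mu, n_slots, seed=1, buffer=None):
    rng = random.Random(seed)  # one seeded generator drives both source and node
    return simulate_node(ibp_arrivals(alpha, beta, p, n_slots, rng), mu, rng, buffer)

if __name__ == "__main__":  # same mean rate (1/3 per slot), same node (mu=0.4): bursty vs smooth
    print(run(0.9, 0.95, 1.0, 0.4, 100_000), run(1.0, 0.0, 1 / 3, 0.4, 100_000))
```

With the bursty source the mean delay and the peak queue length are markedly higher than with the Bernoulli source at the same load, which is the effect the paper's simulation sets out to quantify.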

