Cost-aware systemwide intrusion defense via online forensics and on-demand detector deployment

Saman A. Zonouz, Kaustubh R. Joshi, William H. Sanders

Research output: Chapter in Book/Report/Conference proceedingConference contribution

7 Citations (Scopus)

Abstract

Balancing the coverage benefits of deploying multiple types of intrusion detection systems against their performance and false alarm costs is an important problem with practical ramifications for runtime security policy. In this position paper, we present an approach to "on-demand" deployment of intrusion detection systems by balancing detection coverage against cost and deploying an IDS only when it is needed. The proposed approach relies on often easy to detect symptoms of attacks, e.g., participation in a botnet or DDoS, and works backwards by iteratively deploying increasingly more localized and powerful detectors closer to the initial attack vector. We accomplish this by characterizing multiple IDS systems in a uniform framework based on their costs and detection capabilities and integrating them, for the first time, into an online system-wide forensics framework. We develop the basic elements of the framework and give an example of its envisioned operation.

Original languageEnglish
Title of host publicationProceedings of the ACM Conference on Computer and Communications Security
Pages71-74
Number of pages4
DOIs
StatePublished - Dec 20 2010
Event3rd ACM Workshop on Assurable and Usable Security Configuration, SafeConfig '10, Co-located with CCS'10 - Chicago, IL, United States
Duration: Oct 4 2010Oct 8 2010

Other

Other3rd ACM Workshop on Assurable and Usable Security Configuration, SafeConfig '10, Co-located with CCS'10
CountryUnited States
CityChicago, IL
Period10/4/1010/8/10

Fingerprint

Intrusion detection
Detectors
Costs
Online systems
Botnet

Keywords

  • intrusion detection and forensics systems

ASJC Scopus subject areas

  • Software
  • Computer Networks and Communications

Cite this

Zonouz, S. A., Joshi, K. R., & Sanders, W. H. (2010). Cost-aware systemwide intrusion defense via online forensics and on-demand detector deployment. In Proceedings of the ACM Conference on Computer and Communications Security (pp. 71-74). [1866910] https://doi.org/10.1145/1866898.1866910

Cost-aware systemwide intrusion defense via online forensics and on-demand detector deployment. / Zonouz, Saman A.; Joshi, Kaustubh R.; Sanders, William H.

Proceedings of the ACM Conference on Computer and Communications Security. 2010. p. 71-74 1866910.

Research output: Chapter in Book/Report/Conference proceedingConference contribution

Zonouz, SA, Joshi, KR & Sanders, WH 2010, Cost-aware systemwide intrusion defense via online forensics and on-demand detector deployment. in Proceedings of the ACM Conference on Computer and Communications Security., 1866910, pp. 71-74, 3rd ACM Workshop on Assurable and Usable Security Configuration, SafeConfig '10, Co-located with CCS'10, Chicago, IL, United States, 10/4/10. https://doi.org/10.1145/1866898.1866910
Zonouz SA, Joshi KR, Sanders WH. Cost-aware systemwide intrusion defense via online forensics and on-demand detector deployment. In Proceedings of the ACM Conference on Computer and Communications Security. 2010. p. 71-74. 1866910 https://doi.org/10.1145/1866898.1866910
Zonouz, Saman A. ; Joshi, Kaustubh R. ; Sanders, William H. / Cost-aware systemwide intrusion defense via online forensics and on-demand detector deployment. Proceedings of the ACM Conference on Computer and Communications Security. 2010. pp. 71-74
@inproceedings{1b45c2d205424b228ee0a8b6e6bc8087,
title = "Cost-aware systemwide intrusion defense via online forensics and on-demand detector deployment",
abstract = "Balancing the coverage benefits of deploying multiple types of intrusion detection systems against their performance and false alarm costs is an important problem with practical ramifications for runtime security policy. In this position paper, we present an approach to {"}on-demand{"} deployment of intrusion detection systems by balancing detection coverage against cost and deploying an IDS only when it is needed. The proposed approach relies on often easy to detect symptoms of attacks, e.g., participation in a botnet or DDoS, and works backwards by iteratively deploying increasingly more localized and powerful detectors closer to the initial attack vector. We accomplish this by characterizing multiple IDS systems in a uniform framework based on their costs and detection capabilities and integrating them, for the first time, into an online system-wide forensics framework. We develop the basic elements of the framework and give an example of its envisioned operation.",
keywords = "intrusion detection and forensics systems",
author = "Zonouz, {Saman A.} and Joshi, {Kaustubh R.} and Sanders, {William H.}",
year = "2010",
month = "12",
day = "20",
doi = "10.1145/1866898.1866910",
language = "English",
isbn = "9781450300933",
pages = "71--74",
booktitle = "Proceedings of the ACM Conference on Computer and Communications Security",

}

TY - GEN

T1 - Cost-aware systemwide intrusion defense via online forensics and on-demand detector deployment

AU - Zonouz, Saman A.

AU - Joshi, Kaustubh R.

AU - Sanders, William H.

PY - 2010/12/20

Y1 - 2010/12/20

N2 - Balancing the coverage benefits of deploying multiple types of intrusion detection systems against their performance and false alarm costs is an important problem with practical ramifications for runtime security policy. In this position paper, we present an approach to "on-demand" deployment of intrusion detection systems by balancing detection coverage against cost and deploying an IDS only when it is needed. The proposed approach relies on often easy to detect symptoms of attacks, e.g., participation in a botnet or DDoS, and works backwards by iteratively deploying increasingly more localized and powerful detectors closer to the initial attack vector. We accomplish this by characterizing multiple IDS systems in a uniform framework based on their costs and detection capabilities and integrating them, for the first time, into an online system-wide forensics framework. We develop the basic elements of the framework and give an example of its envisioned operation.

AB - Balancing the coverage benefits of deploying multiple types of intrusion detection systems against their performance and false alarm costs is an important problem with practical ramifications for runtime security policy. In this position paper, we present an approach to "on-demand" deployment of intrusion detection systems by balancing detection coverage against cost and deploying an IDS only when it is needed. The proposed approach relies on often easy to detect symptoms of attacks, e.g., participation in a botnet or DDoS, and works backwards by iteratively deploying increasingly more localized and powerful detectors closer to the initial attack vector. We accomplish this by characterizing multiple IDS systems in a uniform framework based on their costs and detection capabilities and integrating them, for the first time, into an online system-wide forensics framework. We develop the basic elements of the framework and give an example of its envisioned operation.

KW - intrusion detection and forensics systems

UR - http://www.scopus.com/inward/record.url?scp=78650164959&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=78650164959&partnerID=8YFLogxK

U2 - 10.1145/1866898.1866910

DO - 10.1145/1866898.1866910

M3 - Conference contribution

SN - 9781450300933

SP - 71

EP - 74

BT - Proceedings of the ACM Conference on Computer and Communications Security

ER -