SPARTA ISSO

Intrusion Detection Intercomponent Adaptive Negotiation

DARPA Order Number: F251
Principal Investigator: Richard Feiertag
Contractor: Trusted Information Systems, Inc.
3060 Washington Road
Glenwood, Maryland 21738
Phone: (301) 854-6889
FAX: (301) 854-5363
Title of Effort: Intrusion Detection Intercomponent Adaptive Negotiation

Objective:
The Intrusion Detection System (IDS) community is developing better techniques for collecting and analyzing data in order to handle intrusions in large, distributed environments. In order to best utilize these techniques and make best use of IDS resources, IDSs should be able to dynamically adapt to new and improved components and to changes in the environment. The Intrusion Detection Inter-component Adaptive Negotiation (IDIAN) project is developing a negotiation protocol to allow a distributed collection of heterogeneous ID components to cooperatively adapt and reach agreement on the best ways to use each other's capabilities and fulfill needs -- i.e., the information that can be generated and processed. Moreover, the negotiation will be dynamic, so the information generated and processed can evolve as the IDS evolves or the environment changes.

Approach:
The IDIAN project leverages the Common Intrusion Detection Framework (CIDF), an effort by DARPA to develop a common language, protocols, and APIs that would allow intrusion detection components to interoperate and share information. The IDIAN project has extended the CIDF language CISL (Common Intrusion Specification Language) with constructs useful for dynamic negotiation. One such construct is the notion of a filter to specify sets of IDS messages. Filters are useful in negotiating, for example, what audit data will be transmitted. The IDIAN project also adopts the CIDF framework architecture that classifies ID components according to their function.

The negotiation protocol utilizes the notion of a contract -- an association between two ID components, a producer and a consumer -- that specifies one or more possible agreements between them. An agreement commits the producer to provide the consumer with a set of services. For example, a detection component (producer) might have a contract with an analysis component (consumer) to provide a specific set of audit data. At any given time, at most one of the agreements in a contract is in effect, although the ID components may elect to switch to one of the alternatives dynamically. Furthermore, two components may have multiple contracts operating at the same time.

The primary function of the protocol is to allow ID components to dynamically negotiate new contracts/agreements and to change existing ones. The protocol is designed to ensure that negotiations eventually terminate, and to handle multiway, cascading, and hierarchical negotiations.

To facilitate choosing among several options, the protocol uses the notion of cost to capture the relative cost to a producer of providing, or to a consumer of processing, a specific set of resources. Services provided by producers use up a variety of system resources. A consumer may decide to use a particular service only if the resource cost is below a certain threshold. The absolute and relative amount of resources required to supply a particular service may vary over time, and the protocol allows producers and consumers to renegotiate when necessary.
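The following is an added example, not code from the IDIAN project, that models the contract, agreement and cost notions described above: a contract between a producer and a consumer carries several alternative agreements, at most one is active, the consumer accepts an agreement only while its cost is below a threshold, and a cost change by the producer triggers renegotiation. The selection policy (richest acceptable agreement, cheaper on ties), the class and function names, and the sample costs are all assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Constructed model of the contract / agreement / cost notions in the text;
# the names and the selection policy are assumptions, not IDIAN's protocol.

@dataclass
class Agreement:
    name: str
    services: frozenset   # services the producer commits to supply
    cost: float           # producer's current resource cost of supplying them

@dataclass
class Contract:
    producer: str
    consumer: str
    alternatives: List[Agreement]
    active: Optional[Agreement] = None   # at most one agreement in effect

def negotiate(contract: Contract, required: Set[str], threshold: float) -> Optional[Agreement]:
    """Assumed consumer policy: take the richest agreement that covers the
    required services and costs less than the threshold; ties go to the
    cheaper one. Returns None when no alternative is acceptable, so the
    negotiation always terminates with a definite outcome."""
    acceptable = [a for a in contract.alternatives
                  if required <= a.services and a.cost < threshold]
    contract.active = max(acceptable, key=lambda a: (len(a.services), -a.cost), default=None)
    return contract.active

def renegotiate(contract: Contract, required: Set[str], threshold: float,
                new_costs: Dict[str, float]) -> Optional[Agreement]:
    """Producer reports changed costs (e.g. under a flood); the consumer
    re-runs the selection, which may switch or drop the active agreement."""
    for a in contract.alternatives:
        a.cost = new_costs.get(a.name, a.cost)
    return negotiate(contract, required, threshold)

def overload_scenario() -> List[Optional[str]]:
    """Constructed sample: a sensor offers three audit feeds to an analyzer
    and the producer's costs rise as the load on the sensor grows."""
    full = Agreement("full-audit", frozenset({"login", "exec", "net"}), 8.0)
    mid = Agreement("login-exec", frozenset({"login", "exec"}), 6.0)
    lite = Agreement("login-only", frozenset({"login"}), 3.0)
    c = Contract("host-sensor", "analyzer", [full, mid, lite])
    required, threshold = {"login"}, 10.0
    steps = [negotiate(c, required, threshold)]                                 # normal load
    steps.append(renegotiate(c, required, threshold, {"full-audit": 15.0}))   # flood begins
    steps.append(renegotiate(c, required, threshold, {"login-exec": 12.0}))   # load grows
    steps.append(renegotiate(c, required, threshold, {"login-only": 11.0}))   # nothing affordable
    return [a.name if a else None for a in steps]
```

The last step is the "cut off the flow of data" outcome: when every alternative exceeds the consumer's threshold, the contract ends with no agreement in effect rather than leaving the negotiation open.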

In addition to the protocol, the IDIAN project has developed several scenarios that demonstrate specific situations in which an IDS must adapt to a changing environment. The scenarios can be divided into two general classes:

  1. The acquisition (or loss) of a capability by the IDS. For example, an ID component may acquire a new attack signature. The IDS must adapt by incorporating the new signature into the overall system.
  2. An overload of the IDS caused, for example, by faults in the IDS itself or by a flooding attack. The IDS could adapt by reducing the amount of information being gathered, or by cutting off the flow of data from the flooding source.

Finally, the IDIAN project will implement the scenarios by incorporating an adaptive capability using the negotiation protocol into some existing IDS components in order to provide some experience with negotiation and demonstrate the utility of the protocol.