CARDS: A distributed system for detecting coordinated attacks
Another paper on a distributed data collection and analysis platform. Because worm outbreaks move so quickly and often semi-randomly, a distributed system makes sense: if you can aggregate the information from various disparate sensors, you may be able to detect the worm before it infects all networks.

A major research problem in intrusion detection is the efficient detection of coordinated attacks over large networks. Issues to be resolved include determining what data should be collected, which portion of the data should be analyzed, where the analysis of the data should take place, and how to correlate multi-source information. This paper proposes the architecture of a Coordinated Attack Response & Detection System (CARDS). CARDS uses a signature-based model for resolving these issues. It consists of signature managers, monitors, and directory services. The system collects data in a flexible, distributed manner, and the detection process is decentralized among various monitors and is event-driven. The paper also discusses related implementation issues.

Source: CARDS: A distributed system for detecting coordinated attacks, Jiahai Yang, Peng Ning, X. Sean Wang, and Sushil Jajodia.
July 21, 2005 in detection, ids, papers