Towards an Integrated Intrusion Detection Monitoring in High Speed Networks

Abstract

Problem statement: Security Management has become a critical aspect for large scale distributed systems. Particularly, recent Distributed Intrusion Detection Systems (DIDS) schemes in High Speed Networks (HSN) have raised new serious management problems and challenges. Increasing the effectiveness of IDS monitoring is primordial to satisfy the restrictive constraints in such large multi-domains environment for narrow context of HSN. Approach: We consider the intrusion detection monitoring as a two facets entity: one at local level (single domain) and another at the global one (multi-domains). Through the local level, evolution of single domain intrusion detection process (vulnerability data collection, alert generation and sensor configuration according to some improvement scenarios) can be monitored. The global level represents evolution of multi-domain intrusion detection process as well as the eventual security defending process through overall network (policy generation, load balancing operations and global alert correlation). Differentiating these two facets, leads to the design of a scalable intrusion detection management solution. Results: The effectiveness of DIDS management in HSN had been studied and an IDS scalable monitoring architecture for multi-domains had been proposed. Several scenarios of Snort IDS showed an improvement on the performance of real-time detection. An integration of a set of tools provided a convivial IDS monitoring platform. Conclusion: To satisfy the constraints of Intrusion detection process in term of real-time and efficiency in HSN we need to monitor efficiently the IDS process. In this context, the management framework outlined is more appropriate, convenient and efficient. The herein proposed architecture, the snort IDS improvement techniques and the integrated platform played a crucial role in improving of IDS real-time monitoring.