A Case for Network-wide Orchestration of Host-based Intrusion Detection and Response

Mark Timmons, Daniel Lukaszewski, Geoffrey Xie

TL;DR

The paper addresses the lack of network-wide coordination for host-based intrusion detection by proposing a central IDS orchestrator that remotely programs host IDS agents and aggregates alerts. It introduces a system concept with multi-fidelity interrogation and cross-host correlation, and implements a prototype on the Layer 4.5 framework to evaluate the approach. Two experiments, a DNS flood and a malicious root process, show that network-wide orchestration can detect threats, deploy suitable response modules, and mitigate attacks, with JIT and pre-built modules offering trade-offs in timing and adaptability. The results suggest improved situational awareness and automated defense capabilities with potential for real-time adaptive security in enterprise environments.

Abstract

Recent cyber incidents and the push for zero trust security underscore the necessity of monitoring host-level events. However, current host-level intrusion detection systems (IDS) lack the ability to correlate alerts and coordinate a network-wide response in real time. Motivated by advances in system-level extensions free of rebooting and network-wide orchestration of host actions, we propose using a central IDS orchestrator to remotely program the logic of each host IDS and collect the alerts generated in real time. In this paper, we make arguments for such a system concept and provide a high-level design of the main system components. Furthermore, we have developed a system prototype and evaluated it using two experimental scenarios rooted in real-world attacks. The evaluation results show that the host-based IDS orchestration system is able to defend against the attacks effectively.

Paper Structure

This paper contains 24 sections, 6 figures, and 1 algorithm.

Figures (6)

  • Figure 1: Illustration of main design components of proposed system.
  • Figure 2: Adapted from lukaszewski2023AgileNetOps. Modified Layer 4.5 orchestrator consists of two new components: Alert Processor method and Alert Database (in red).
  • Figure 3: Experimental testbed consisting of two physical hosts running multiple virtual machines.
  • Figure 4: Illustration of mitigation of DNS flood attack using JIT modules. Major events: initial alert from IDS module (A), orchestrator notification (B), response module built and deployed (C), and response effective (D). For brevity, we only annotate the Attacker 1 events, while using the same style of vertical markers for Attacker 2 and the Benign host.
  • Figure 5: Illustration of pre-built IDS module response to DNS flood attack. Major events: initial alert from IDS module (A), orchestrator notification (B), response module deployed (C), and response effective (D). Compared to the JIT response (Figure 4), the mitigation time was much shorter.