Wednesday, July 20, 2011

Some existing intrusion response systems

Bro: http://www.bro-ids.org/
Developed by Vern Paxson, a researcher at UC Berkeley, it is a network-based, misuse intrusion detection system. Packets are passively captured from the network and processed into an event stream. The event stream is then fed to a policy script interpreter, which checks it against the site's policy to detect intrusions. Reports are generated in the form of connection summaries and real-time alerts. Approximately 40 Mb of connection summaries and 20 real-time notifications are produced each day. Automatic intrusion response beyond reporting and alerts is discussed as future research, but it is currently not implemented.
Besides, I have seen a good paper, "Cyber-Critical Infrastructure Protection Using Real-time Payload-based Anomaly Detection", written by Patrick. It uses the transport-layer packets captured by Bro and then extracts features from those TCP payloads.
I am thinking that if you want to do intrusion response, you may have to get some output/alerts from some kind of intrusion detection system. Right now I am getting myself familiar with this great tool.
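The Bro pipeline described above, reduced to a toy model as an added example (not Bro's own code or scripting language): a constructed event stream is handed to policy handlers that emit both connection summaries and a real-time notice, here for a burst of distinct destination ports from one source. Event names, field names and the scan threshold are my own assumptions.

```python
from collections import defaultdict

# Constructed event stream, in the order a packet decoder would raise the
# events; the field layout is assumed and is not Bro's real record format.
EVENTS = [
    (10.0, "connection_established", {"id": 1, "src": "10.0.0.7", "dst": "10.0.0.5", "dport": 22}),
    (10.4, "connection_established", {"id": 2, "src": "10.0.0.7", "dst": "10.0.0.5", "dport": 23}),
    (10.9, "connection_established", {"id": 3, "src": "10.0.0.7", "dst": "10.0.0.5", "dport": 80}),
    (11.3, "connection_established", {"id": 4, "src": "10.0.0.7", "dst": "10.0.0.5", "dport": 443}),
    (12.0, "connection_finished", {"id": 1, "src": "10.0.0.7", "dst": "10.0.0.5", "dport": 22, "bytes": 0}),
    (15.0, "connection_established", {"id": 5, "src": "10.0.0.9", "dst": "10.0.0.5", "dport": 80}),
    (16.0, "connection_finished", {"id": 5, "src": "10.0.0.9", "dst": "10.0.0.5", "dport": 80, "bytes": 4096}),
]

SCAN_PORTS = 4     # distinct ports from one source that trigger a notice (assumed)
SCAN_WINDOW = 5.0  # sliding window in seconds (assumed)


class Policy:
    """Stands in for the policy script interpreter: one method per event type."""

    def __init__(self):
        self.seen = defaultdict(list)  # src -> [(ts, dport)] inside the window
        self.summaries = []            # connection summaries (the bulk daily report)
        self.notices = []              # real-time alerts

    def connection_established(self, ts, ev):
        hist = self.seen[ev["src"]]
        hist.append((ts, ev["dport"]))
        # Drop entries that fell out of the sliding window.
        hist[:] = [(t, p) for t, p in hist if ts - t <= SCAN_WINDOW]
        ports = {p for _, p in hist}
        if len(ports) >= SCAN_PORTS:
            self.notices.append((ts, "PortScan", ev["src"], sorted(ports)))
            hist.clear()  # report each burst once

    def connection_finished(self, ts, ev):
        self.summaries.append(f'{ts:.1f} {ev["src"]} -> {ev["dst"]}:{ev["dport"]} {ev["bytes"]}B')


def run(events):
    """Dispatch each event to its handler; events without a handler are ignored."""
    policy = Policy()
    for ts, name, fields in events:
        handler = getattr(policy, name, None)
        if handler:
            handler(ts, fields)
    return policy.summaries, policy.notices
```

With the constructed stream, the four-port burst from 10.0.0.7 raises one notice while both finished connections still land in the summary report.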

It is also a well-known network misuse intrusion detection system that consists of three components: a packet decoder, a rule-based detection system, and an alert system. Intrusion response is limited to reports and alarms. Little of the existing work is based on such a detection system.

The ultimate goal:
Extend all these network tools to cyber-physical systems and come up with my own detection and response system. The theoretical part would be how to define abnormal behavior and how to build a model that quantitatively denotes or rates the security level.
