An SNMP Agent for Intrusion Detection Based on the Monitoring of Protocol Interactions

Edgar Meneghetti, Luciano Gaspary, Liane Tarouco

This paper proposes the use of the Trace architecture as an intrusion detection system. The architecture, presented in [1, 2, 3], supports high-layer protocol, service and application management through an approach based on passive observation of protocol interactions (traces) in the network traffic. To describe the scenarios to be monitored, the network manager uses a state machine-based language. Using examples, the paper shows that this language is suitable for modeling attack signatures and proposes some extensions that allow a larger number of security management scenarios to be specified. Next, the paper describes the implementation of the monitoring agent, the key component of the Trace architecture, and its use to detect intrusions. This agent (a) captures network traffic, (b) observes the occurrence of the programmed traces and (c) stores statistics about their occurrence in a management information base (MIB). Because SNMP is used, the monitoring agent can be queried easily. The solution presented addresses three problems of intrusion detection systems: the large number of false positives, the inability to model some attacks, and packet drops (when used in high-speed networks).
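To make the abstract's idea concrete, here is an added illustration (not the paper's code or its trace language) of a scenario expressed as a state machine, matched passively against observed messages per conversation, with occurrence counters kept in a table shaped like per-trace MIB rows. The message format, host names, trace names and timeout are assumptions constructed for this example.

```python
from collections import namedtuple

# One passively observed message and one scenario (a state machine with one predicate
# per transition). Both formats are constructed for this illustration, not the paper's.
Msg = namedtuple("Msg", "ts src dst text")
Trace = namedtuple("Trace", "name steps timeout", defaults=[5.0])

def run_traces(traces, msgs):
    """Feed each observed message to every trace; return per-trace counters
    laid out like rows of a per-trace MIB table."""
    stats = {t.name: {"started": 0, "completed": 0, "expired": 0} for t in traces}
    active = {}   # (trace name, flow) -> [index of next expected step, start ts]
    for m in msgs:
        flow = frozenset((m.src, m.dst))        # direction-agnostic conversation key
        for t in traces:
            key = (t.name, flow)
            state = active.get(key)
            if state and m.ts - state[1] > t.timeout:   # idle too long: abandon the match
                stats[t.name]["expired"] += 1
                del active[key]
                state = None
            if state is None:
                if not t.steps[0](m):
                    continue
                stats[t.name]["started"] += 1         # first step seen: enter the machine
                state = active[key] = [0, m.ts]
            if t.steps[state[0]](m):
                state[0] += 1
                if state[0] == len(t.steps):          # final state reached
                    stats[t.name]["completed"] += 1
                    del active[key]
    return stats

def run_example():
    """Two traces over a constructed message stream (hypothetical hosts and text)."""
    traces = [
        Trace("http-get-ok", [lambda m: m.text.startswith("GET "),
                              lambda m: m.text.startswith("HTTP/1.0 200")]),
        Trace("ftp-3-login-failures", [lambda m: m.text.startswith("530")] * 3),
    ]
    msgs = [Msg(0.0, "c1", "srv", "GET /index.html HTTP/1.0"),
            Msg(0.2, "srv", "c1", "HTTP/1.0 200 OK"),
            Msg(1.0, "c2", "ftp", "USER bob"),
            Msg(1.1, "ftp", "c2", "530 Login incorrect."),
            Msg(1.5, "ftp", "c2", "530 Login incorrect."),
            Msg(1.9, "ftp", "c2", "530 Login incorrect."),
            Msg(3.0, "c3", "srv", "GET /a HTTP/1.0"),
            Msg(9.5, "srv", "c3", "HTTP/1.0 200 OK")]   # reply after timeout: expired
    return run_traces(traces, msgs)
```

Calling `run_example()` yields one counter row per trace; the second HTTP request is counted as expired because its reply arrives after the trace timeout, which is the kind of per-scenario statistic an SNMP manager would poll from the agent's MIB.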

