KBAM: Data Model of a Knowledge Base for Monitoring Attacks

Giani Petri, Raul C. Nunes, Victor L. O. Lopez, Tarcisio C. Junior, Osmar M. dos Santos
Computer Science Graduate Program (PPGI), Federal University of Santa Maria (UFSM)
{gpetri,ceretta,vlopez,ceolin,osmar}@inf.ufsm.br

Abstract—This work proposes the data model of a knowledge base called KBAM. It represents different aspects of computer networks, focused on events related to intrusion detection. A case study conducted in a real network infrastructure demonstrates the applicability of the model and identifies the advantages of its use.

I. INTRODUCTION

The level of information confidentiality and the constant increase in the number of attacks have turned computer networks into a critical infrastructure [1]. Therefore, to increase the level of information security, companies have invested in tools for monitoring computer networks. To design an effective attack monitoring system it is necessary to have access to a knowledge base that contains a history of different aspects of the monitored network and that supports the decisions of the security team. These aspects correspond to data about the network behavior, information about threat signatures, incidents and countermeasures [2].

In this paper we propose the data model of a knowledge base called KBAM (Knowledge Base Attack Monitoring) [3], which encompasses different aspects of network attack monitoring. The data model of KBAM consists of the following aspects: alert data generated by Intrusion Detection Systems (IDSs), information about the countermeasures applied to alerts, statistics of network traffic, and signatures of known attacks. As a proof of concept we integrate the KBAM knowledge base into a real monitoring environment to demonstrate its applicability.

This paper is structured as follows. Section II presents the proposed KBAM data model and the proof of concept conducted in a real monitoring environment. Section III presents our conclusions.

II. KBAM KNOWLEDGE BASE

The data model of KBAM represents the aspects of a knowledge base focused on security incidents specific to the field of intrusion detection. The model consists of 50 entities that represent data from intrusion detection alerts. It uses the Intrusion Detection Message Exchange Format (IDMEF) [4] for intrusion detection messages and the Intrusion Detection Response Exchange Format (IDREF) [5] for response messages. The behavior of the network traffic is represented by the parameters highlighted in [6].

In this work it is assumed that the representation of threat signatures is obtained entirely from the Snort IDS [7]. Thus, the monitored environment that uses KBAM must also be equipped with Snort, which is responsible for detecting malicious events from its previously defined rules. The intrusion detection alerts are represented by the attributes of the IDMEF format. Figure 1 presents the main entities that represent the data from the alert messages.

Figure 1. Entities that represent the detection alerts.

As shown in Figure 1, the entity that records information related to the alerts generated by detectors is the entity Alert, which is related to the entities Assessment, Analyzer, Target, Source, ToolAlert, Classification, OverflowAlert and AdditionalData. The entity AdditionalData stores information that does not fit into the IDMEF format. The entity OverflowAlert represents information specific to overflow-type alerts. The entity Assessment stores information that allows an assessment of the event causing the alert. The entity Analyzer stores information identifying the analyzer that originated the alert. The entities Source and Target correspond, respectively, to the possible origin and target of the event, and the entity Classification records a possible classification of the type of alert.

The alert responses are modeled by the entities of Figure 2, where an event response is modeled as an IDREF-Message entity. This entity is related to the entities Response, Config and React, which represent the reply types supported by the IDREF format. The entity Response carries the information, to be sent, that controls or reports an attack. The entity Config allows modification of the configuration of a specific resource in order to halt an attack. The last entity, React, represents the reaction of the environment against an attack and is related to the entities Block and Shutdown, which allow a resource to be blocked or shut down.

A resource can be a node or network service, a list of users, a list of files or an operating system process.

Figure 2. Entities that represent alert response events.
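The Figure 1 and Figure 2 entities described above, as an added example that is not code from the paper: a SQLite schema for Alert, Classification, Source, Target, IDREF-Message and React, a loader that maps an IDMEF alert message onto those entities, and a query that returns the reaction history of one alert. The column names, the IDREF_Message.alert_id link and the sample alert are assumptions of this illustration.

```python
import sqlite3
import xml.etree.ElementTree as ET
# Column names beyond the paper's entity names, the IDREF_Message.alert_id link
# and SAMPLE_ALERT below are assumptions/constructed for this illustration.
NS = {"i": "http://iana.org/idmef"}  # IDMEF v1 XML namespace (RFC 4765)
SCHEMA = """
CREATE TABLE Classification (id INTEGER PRIMARY KEY, text TEXT UNIQUE);
CREATE TABLE Alert (id INTEGER PRIMARY KEY, messageid TEXT UNIQUE, create_time TEXT,
  classification_id INTEGER REFERENCES Classification(id));
CREATE TABLE Source (id INTEGER PRIMARY KEY, alert_id INTEGER REFERENCES Alert(id), address TEXT);
CREATE TABLE Target (id INTEGER PRIMARY KEY, alert_id INTEGER REFERENCES Alert(id), address TEXT);
CREATE TABLE IDREF_Message (id INTEGER PRIMARY KEY, alert_id INTEGER REFERENCES Alert(id));
CREATE TABLE React (id INTEGER PRIMARY KEY, message_id INTEGER REFERENCES IDREF_Message(id),
  kind TEXT CHECK (kind IN ('Block', 'Shutdown')), resource TEXT);
"""

def open_kb():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn

def store_alert(conn, idmef_xml):
    """Map one IDMEF <Alert> onto Alert, Classification, Source and Target rows; return the Alert id."""
    alert = ET.fromstring(idmef_xml).find("i:Alert", NS)
    text = alert.find("i:Classification", NS).get("text")
    conn.execute("INSERT OR IGNORE INTO Classification(text) VALUES (?)", (text,))
    cls_id = conn.execute("SELECT id FROM Classification WHERE text = ?", (text,)).fetchone()[0]
    cur = conn.execute("INSERT INTO Alert(messageid, create_time, classification_id) VALUES (?, ?, ?)",
                       (alert.get("messageid"), alert.findtext("i:CreateTime", namespaces=NS), cls_id))
    for table in ("Source", "Target"):  # table name comes from this fixed tuple, never from the input
        for node in alert.findall("i:" + table, NS):
            addr = node.findtext("i:Node/i:Address/i:address", namespaces=NS)
            conn.execute("INSERT INTO %s(alert_id, address) VALUES (?, ?)" % table, (cur.lastrowid, addr))
    return cur.lastrowid

def add_reaction(conn, messageid, kind, resource):
    """Attach one IDREF reaction (Block or Shutdown of a resource) to an already stored alert."""
    alert_id = conn.execute("SELECT id FROM Alert WHERE messageid = ?", (messageid,)).fetchone()[0]
    msg = conn.execute("INSERT INTO IDREF_Message(alert_id) VALUES (?)", (alert_id,))
    conn.execute("INSERT INTO React(message_id, kind, resource) VALUES (?, ?, ?)", (msg.lastrowid, kind, resource))

def reactions_for(conn, messageid):
    """Reaction history of one alert, oldest first: the alert-response refinement loop of the paper."""
    rows = conn.execute("""SELECT r.kind, r.resource FROM React r JOIN IDREF_Message m ON m.id = r.message_id
                           JOIN Alert a ON a.id = m.alert_id WHERE a.messageid = ? ORDER BY m.id""", (messageid,))
    return [tuple(r) for r in rows]
SAMPLE_ALERT = """<IDMEF-Message xmlns="http://iana.org/idmef" version="1.0"><Alert messageid="kbam-0001">
<CreateTime>2012-07-11T10:01:25Z</CreateTime><Source><Node><Address><address>192.0.2.50</address></Address></Node></Source>
<Target><Node><Address><address>198.51.100.7</address></Address></Node></Target>
<Classification text="Teardrop denial of service"/></Alert></IDMEF-Message>"""
```

Each call to add_reaction adds a new IDREF-Message row linked to the same Alert, so reactions_for returns the successive countermeasures in the order the team issued them.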

The quantification of the parameters is obtained by a sniffer that collects the behavior of the network traffic and stores it in the entities shown in Figure 3.

Figure 3. Entities that represent the quantification of network traffic.
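The traffic-quantification entities of Figure 3 as an added SQLite example that is not code from the paper: the Parameters and Counter_mod tables carry the attributes the paper names (parameter, descriptor_start, descriptor_end, tsmp, value), and a query totals the captured packets per parameter over a capture window. The column types, the parameter_id foreign key and the SAMPLES rows are assumptions/constructed.

```python
import sqlite3
# Column types, the Counter_mod.parameter_id foreign key and SAMPLES below are
# assumptions/constructed; only the entity and attribute names come from the paper.
SCHEMA = """
CREATE TABLE Parameters (id INTEGER PRIMARY KEY, parameter TEXT UNIQUE,
  descriptor_start INTEGER, descriptor_end INTEGER);
CREATE TABLE Counter_mod (id INTEGER PRIMARY KEY, tsmp TEXT NOT NULL, value INTEGER NOT NULL,
  parameter_id INTEGER NOT NULL REFERENCES Parameters(id));
"""

def open_kb():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn

def register_parameter(conn, name, descriptor_start, descriptor_end):
    """Declare one traffic parameter the sniffer quantifies, with its descriptor interval."""
    conn.execute("INSERT INTO Parameters(parameter, descriptor_start, descriptor_end) VALUES (?, ?, ?)",
                 (name, descriptor_start, descriptor_end))

def record_counter(conn, tsmp, parameter, value):
    """Store one sniffer sample: the packet count of one parameter at capture time tsmp."""
    row = conn.execute("SELECT id FROM Parameters WHERE parameter = ?", (parameter,)).fetchone()
    if row is None:  # refuse counters for parameters the knowledge base does not know
        raise ValueError("unknown parameter: %s" % parameter)
    conn.execute("INSERT INTO Counter_mod(tsmp, value, parameter_id) VALUES (?, ?, ?)", (tsmp, value, row[0]))

def totals_between(conn, start, end):
    """Packet totals per parameter for captures in [start, end]; ISO-8601 UTC stamps sort as text."""
    rows = conn.execute("""SELECT p.parameter, SUM(c.value) FROM Counter_mod c
        JOIN Parameters p ON p.id = c.parameter_id WHERE c.tsmp BETWEEN ? AND ?
        GROUP BY p.parameter ORDER BY p.parameter""", (start, end))
    return {name: total for name, total in rows}

SAMPLES = [  # constructed sniffer output: (tsmp, parameter, packets captured)
    ("2012-07-11T10:00:00Z", "tcp_syn", 120), ("2012-07-11T10:00:00Z", "icmp_echo", 8),
    ("2012-07-11T10:01:00Z", "tcp_syn", 4900), ("2012-07-11T10:01:00Z", "icmp_echo", 9),
    ("2012-07-11T10:02:00Z", "tcp_syn", 130),
]

def load_samples(conn):
    """Register the two constructed parameters and store every sample row."""
    register_parameter(conn, "tcp_syn", 1, 8)
    register_parameter(conn, "icmp_echo", 9, 12)
    for tsmp, name, count in SAMPLES:
        record_counter(conn, tsmp, name, count)
```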

According to Figure 3, the entity Parameters contains all parameters that are captured from the network traffic. The attribute parameter stores the description of the parameter used, and the attributes descriptor_start and descriptor_end contain the interval of descriptors for each parameter. The entity Counter_mod is responsible for storing counters of the packets captured from the network. The moment of capture is stored in the attribute tsmp, the quantification of the packets in the attribute value, and the parameter identification is recorded through the relationship with the entity Parameters.

As a proof of concept, the data model was implemented and integrated into the computer network infrastructure of the Federal University of Santa Maria (UFSM). This case study involved two monitoring points for data acquisition: the network of the admission exam department (Coperves) and the Data Center network of UFSM. In both networks we installed signature-based Intrusion Detection Systems (IDSs) (Snort and Suricata), a sniffer responsible for collecting network traffic, and a component responsible for generating countermeasures in the IDREF format (the IDREF Component). The integration of the alert data generated by the IDSs is accomplished through the Prelude framework, which unifies various types of applications and sensors by expressing the alert information in the IDMEF format. The sniffer quantifies the network packets and stores them directly in KBAM, making the collected data available for analysis by the security team. A software component implements the IDREF requirements for the creation of countermeasures and is connected directly to the KBAM database.

Generated by the sensors and stored in KBAM, the alerts in IDMEF format are listed in the IDREF Component, allowing the security team to select the alert they will respond to and to generate response messages. In this way, the process of creating a response to an alert is cyclic and allows human interaction; the response can thus be refined in each alert-response interaction. As a result, instead of only storing data from the alert messages generated by the IDSs, the proposed data model also stores knowledge about the countermeasures. In addition, KBAM allows this knowledge to be continuously refined through the interactions of the security team.

III. CONCLUSION

By representing intrusion alerts and alert responses in standard formats (IDMEF and IDREF) and by allowing the continuous refinement of alert responses, the data model of KBAM is adequate for modeling data for attack monitoring tools. A case study has demonstrated its applicability. The advantages of its use in a real monitoring environment include: (i) the possibility of storing data collected from different intrusion detection tools or sniffers; (ii) the ability to represent information about intrusion detection events through standards; and (iii) the refinement of knowledge permitted when creating countermeasures to malicious events. Thus, KBAM data modeling can help security teams in monitoring attacks on computer networks.

REFERENCES

[1] M. Hesse and N. Pohlmann, “Internet situation awareness,” in eCrime Researchers Summit, Atlanta, GA, Oct. 2008, pp. 1–9.
[2] S. Bastke, M. Deml, and S. Schmidt, “Internet early warning systems - overview and architecture,” in European Workshop on Internet Early Warning and Network Intelligence, Hamburg, Germany, Jan. 2010.
[3] G. Petri, R. C. Nunes, T. C. Junior, and O. M. Santos, “Modeling of a knowledge base to attacks monitoring,” in X Regional School of Computer Networks, Pelotas, Brasil, 2012 (in Portuguese).
[4] H. Debar, D. Curry, and B. Feinstein, “The intrusion detection message exchange format (IDMEF),” RFC 4765, Mar. 2007.
[5] P. F. Silva and C. B. Westphall, “An intrusion answer model compatible with the alerts IDWG model,” in Network Operations and Management Symposium (NOMS), Apr. 2006, pp. 1–4.
[6] G. Ricci, “Evaluation of the relevance for the detection of abnormalities and attacks of the communication parameters collected by the internet analysis system,” Master’s thesis, University of Applied Sciences, Gelsenkirchen, Germany, 2008 (in German).
[7] SNORT, “Snort home page,” 2012. [Online]. Available: . Accessed: 11 Jul. 2012.
