Network and Topology Models to Support IDS Event Processing

Jörg Kippe, Steffen Pfrang

Abstract

This paper describes our work on network models that provide context to the correlation of network security alerts and support the asset assessment step within the security analysis of IT infrastructures. Various discovery methods, mostly known from network management, are used to discover nodes, their properties, and the links that connect the nodes into a network. Our implementation is based on existing open source components that have been integrated with each other and use an information model that follows proposed open standards.

Paper Citation


in Harvard Style

Kippe J. and Pfrang S. (2017). Network and Topology Models to Support IDS Event Processing. In Proceedings of the 3rd International Conference on Information Systems Security and Privacy - Volume 1: ICISSP, ISBN 978-989-758-209-7, pages 372-379. DOI: 10.5220/0006189403720379


in Bibtex Style

@conference{icissp17,
author={Jörg Kippe and Steffen Pfrang},
title={Network and Topology Models to Support IDS Event Processing},
booktitle={Proceedings of the 3rd International Conference on Information Systems Security and Privacy - Volume 1: ICISSP},
year={2017},
pages={372-379},
publisher={SciTePress},
organization={INSTICC},
doi={10.5220/0006189403720379},
isbn={978-989-758-209-7},
}


in EndNote Style

TY - CONF
JO - Proceedings of the 3rd International Conference on Information Systems Security and Privacy - Volume 1: ICISSP
TI - Network and Topology Models to Support IDS Event Processing
SN - 978-989-758-209-7
AU - Kippe J.
AU - Pfrang S.
PY - 2017
SP - 372
EP - 379
DO - 10.5220/0006189403720379