Correlation and Tracking of Distributed IDS

Presented at DEF CON 10 (2002), Aug. 2, 2002, 1 p.m. (50 minutes).

Standard approaches to intrusion detection and response attempt to detect and prevent individual attacks. However, it is not the attack but rather the attacker against which our networks must be defended To do this, the information that is being provided by intrusion detect systems (IDS) must be gathered and then divided into its component parts such that the activity of individual attackers is made clear. By applying techniques from radar tracking, information warfare, and multisensor data fusion to info gathered from distributed IDS, we hope to improve the capabilities for early detection of distributed/coordinated attacks against infrastructure and the detection of the preliminary phases of distributed denial of service attacks.

Presenters:

• Daniel Burroughs - Institute for Security Technology Studies Dartmouth College
  Daniel Burroughs is a research engineer and Ph.D. candidate at the Institute for Security Technology Studies at Dartmouth College. His areas of research have included mobile agents, distributed simulation, and distributed intrusion detection. He is also the head of engineering for SignalQuest, Inc., which specializes in the development of embedded sensors.

Links:

• https://defcon.org/html/defcon-10/defcon-10-speakers.html#danielburroughs
• https://infocon.org/cons/DEF CON/DEF CON 10/DEF CON 10 video/DEF CON 10 - Dan Burroughs - IDS Correlation.mp4
• https://www.youtube.com/watch?v=vaUZjBiC6mA

Similar Presentations:

• DEF CON 9 (2001) / Applying Information Warfare theory to generate a higher level of knowledge from current IDS.
• DEF CON 9 (2001) / Distributed Intrusion Detection System Evasion
• Black Hat USA 1999 / Putting Intrusion Detection into Intrusion Detection Systems