A Framework for Cooperative Intrusion Detection


Deborah Frinke, Don Tobin, Jesse McConnell, Jamie Marconi, Dean Polla

The trend towards a strong interdependence among networks has serious security implications. Not only does the compromise of one network adversely affect resources needed by others, but the compromised network may be part of a multi-network attack targeting other systems. The task of identifying such attacks in progress can be quite difficult. Other researchers have found that data sharing is needed to detect many systemic attacks involving multiple hosts even within a single network [PN97]. Systems such as DIDS and EMERALD have been developed to gather and analyze such data network-wide and enterprise-wide, respectively. However, neither system addresses data sharing between networks that lack central administration. This paper identifies some of the issues that need to be addressed if cooperative intrusion detection using data sharing between distinct sites is to become a viable option, and provides a set of requirements for designing such a system. A substantial subset of these requirements has been modelled in a functional cooperative data-sharing system.

