Supporting interoperability to heterogeneous IDS in secure networking framework

Sang-Kil Park, Kiyoung Kim, Jong-Su Jang, Bongnam Noh
DOI: 10.1109/APCC.2003.1274479 (https://doi.org/10.1109/APCC.2003.1274479)
Published in: 9th Asia-Pacific Conference on Communications (IEEE Cat. No.03EX732)
Publication date: 2003-09-21
Record source: Semantic Scholar
Citations: 9

Abstract

On 22 October 2002, ICANN, the Internet's main governing body, acknowledged that a massive distributed denial-of-service attack briefly shut down seven of the 13 central Domain Name Service servers that manage Internet traffic worldwide. Prompt action by DNS server operators minimized the duration and impact of the attack, which had little effect on overall Internet performance. Intrusion detection systems have been researched and developed since 1980 to detect attacks from the outside world. An intrusion detection system creates alert data or log data when it detects an intrusion. But many IDSs use heterogeneous data sets, so this data must be mapped to another format. The IDWG in the IETF proposed IDMEF. This paper designs an alert data format compatible with IDMEF. The secure networking framework consists of an SGS and a CPCS. The SGS acts as an intrusion detection system at the edge of the network ingress point, and the CPCS acts as a higher-level server. The SGS makes IDMEF-compatible alert data and sends it to the CPCS. The CPCS parses the IDMEF alert data and makes an alert object for use in correlation analysis. An SGS can see only its own area, but the CPCS can see a wide network area. The CPCS can detect more complex attacks as well as support integrated management through cooperation between the two. In the view of alert processing, we converted raw alert data to Ladon-alert data to support interoperability. We use an IDMEF-compatible alert data structure. We have designed and developed an integrated IDS on the gateway and a security control server at the higher level. This framework then offers cooperative intrusion detection and policy-based control.
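The exchange the abstract describes (an SGS emits an IDMEF-compatible alert, the CPCS parses it into an alert object and correlates across gateways), as an added example that is not code from the paper or its authors. The element and attribute names follow the IDMEF data model produced by the IETF IDWG (published as RFC 4765); the `Alert` dataclass, the analyzer ids and the addresses are constructed stand-ins, since the paper's own Ladon-alert structure is not on this page.

```python
"""Added example: IDMEF alert round trip between a gateway sensor (SGS role)
and a higher-level correlation server (CPCS role).

Element names follow the IDMEF data model (IETF IDWG, RFC 4765). The Alert
dataclass is a constructed stand-in for the paper's Ladon-alert object.
"""
from dataclasses import dataclass, field
import xml.etree.ElementTree as ET

IDMEF_NS = "http://iana.org/idmef"      # namespace used by IDMEF messages
NS = {"idmef": IDMEF_NS}


def _q(tag):
    """Qualify a tag name with the IDMEF namespace."""
    return f"{{{IDMEF_NS}}}{tag}"


@dataclass
class Alert:
    """Normalized alert object (constructed stand-in for a Ladon-alert)."""
    message_id: str
    analyzer_id: str
    create_time: str
    classification: str
    sources: list = field(default_factory=list)
    targets: list = field(default_factory=list)


def build_idmef_alert(message_id, analyzer_id, create_time, classification,
                      source_ip, target_ip):
    """Sensor side: serialize one raw detection as an IDMEF-Message document.
    Child order (Analyzer, CreateTime, Source, Target, Classification) is the
    order the IDMEF schema prescribes."""
    ET.register_namespace("idmef", IDMEF_NS)
    root = ET.Element(_q("IDMEF-Message"), version="1.0")
    alert = ET.SubElement(root, _q("Alert"), messageid=message_id)
    ET.SubElement(alert, _q("Analyzer"), analyzerid=analyzer_id)
    ET.SubElement(alert, _q("CreateTime")).text = create_time
    for parent_tag, ip in (("Source", source_ip), ("Target", target_ip)):
        node = ET.SubElement(ET.SubElement(alert, _q(parent_tag)), _q("Node"))
        addr = ET.SubElement(node, _q("Address"), category="ipv4-addr")
        ET.SubElement(addr, _q("address")).text = ip
    ET.SubElement(alert, _q("Classification"), text=classification)
    return ET.tostring(root, encoding="unicode")


def parse_idmef_alert(xml_text):
    """Server side: parse an IDMEF-Message into an Alert object.
    Raises ValueError when the document is not an IDMEF Alert or lacks a
    mandatory child, so a malformed message from a sensor is dropped rather
    than silently fed into correlation."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        raise ValueError(f"not well-formed XML: {exc}") from exc
    if root.tag != _q("IDMEF-Message"):
        raise ValueError(f"unexpected root element {root.tag!r}")
    alert = root.find("idmef:Alert", NS)
    if alert is None:
        raise ValueError("no Alert element (Heartbeat messages are not handled here)")
    analyzer = alert.find("idmef:Analyzer", NS)
    create_time = alert.find("idmef:CreateTime", NS)
    classification = alert.find("idmef:Classification", NS)
    if analyzer is None or create_time is None or classification is None:
        raise ValueError("Alert is missing a mandatory child element")

    def addresses(parent_tag):
        path = f"idmef:{parent_tag}/idmef:Node/idmef:Address/idmef:address"
        return [a.text.strip() for a in alert.findall(path, NS) if a.text]

    return Alert(
        message_id=alert.get("messageid", ""),
        analyzer_id=analyzer.get("analyzerid", ""),
        create_time=(create_time.text or "").strip(),
        classification=classification.get("text", ""),
        sources=addresses("Source"),
        targets=addresses("Target"),
    )


def correlate_by_target(alerts):
    """Server-side view: map each target address to the set of analyzers that
    reported it. A target reported by several gateways is exactly what one
    gateway cannot see from its own vantage point."""
    seen = {}
    for a in alerts:
        for target in a.targets:
            seen.setdefault(target, set()).add(a.analyzer_id)
    return seen


def demo():
    """Two gateways (constructed ids/addresses) report the same target."""
    msgs = [
        build_idmef_alert("sgs-1-0001", "sgs-gw-1", "2002-10-22T10:01:25Z",
                          "DDoS flood", "192.0.2.50", "198.51.100.10"),
        build_idmef_alert("sgs-2-0007", "sgs-gw-2", "2002-10-22T10:01:27Z",
                          "DDoS flood", "192.0.2.77", "198.51.100.10"),
    ]
    return correlate_by_target(parse_idmef_alert(m) for m in msgs)


if __name__ == "__main__":
    print(demo())
```

The parser validates the root element and the mandatory `Alert` children before building the object, so the correlation stage only ever receives well-formed alerts; when the XML arrives from sensors you do not fully control, parsing it with `defusedxml` instead of the standard `xml.etree` module is the usual precaution against entity-expansion input.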