Network attack detection and defense

Manifesto of the Dagstuhl Perspective Workshop, March 2nd-6th, 2008

Georg Carle, Falko Dressler, Richard A. Kemmerer, Hartmut Koenig, Christopher Kruegel, Pavel Laskov

Published online: 24 February 2009. © The Author(s) 2009. This article is published with open access at S

G. Carle, TU Muenchen, Munich, Germany
F. Dressler, University Erlangen-Nuremberg, Erlangen, Germany
R. A. Kemmerer, University of California, Santa Barbara, CA, USA
H. Koenig (corresponding author), BTU Cottbus, LS RNKS, PF 101344, 03013 Cottbus, Germany; e-mail: koenig@informatik.tu-cottbus.de
C. Kruegel, Technical University of Vienna, Vienna, Austria
P. Laskov, Fraunhofer Institute Berlin, Berlin, Germany

Abstract

This manifesto is the result of the Perspective Workshop "Network Attack Detection and Defense" held in Schloss Dagstuhl (Germany) from March 2nd to 6th, 2008. The participants of the workshop represent researchers from Austria, France, Norway, Switzerland, the United States, and Germany who work actively in the field of intrusion detection and network monitoring. The workshop attendees' opinion was that intrusion detection and flow analysis, which have been developed as complementary approaches for the detection of network attacks, should more strongly combine event detection and correlation techniques to better meet future challenges in reactive security. The workshop participants considered various perspectives to envision future network attack detection and defense. The following topics are seen as important in the future: the development of early warning systems, the introduction of situation awareness, the improvement of measurement technology, taxonomy of attacks, the application of intrusion and fraud detection for web services, and anomaly detection. In order to realize those visions, the state of the art, the challenges, and research priorities were identified for each topic by working groups. The outcome of the discussion is summarized in working group papers which are published in the workshop proceedings. The papers were compiled by the editors into this manifesto.

Keywords: Intrusion detection, Network monitoring, Early warning systems, Situation awareness, Measurement requirements

1 Rationale

The increasing dependence of human society on information technology (IT) systems requires appropriate measures to cope with their misuse. The growing potential of threats, which makes these systems more and more vulnerable, is caused by the complexity of the technologies themselves and by the growing number of individuals that are able to abuse the systems. Subversive insiders, hackers, and terrorists get better and better opportunities for attacks. In industrial countries this concerns both numerous companies and the critical infrastructures, e.g. the health care system, the traffic system, power supply, trade (in particular e-commerce), or military protection.

Reactive measures comprise, besides the classical virus scanner, intrusion detection and flow analysis. The development of intrusion detection systems began as early as the eighties. Intrusion detection systems are of prime importance as reactive measures. A wide range of commercial intrusion detection products has since been offered, especially for misuse detection. The deployment of intrusion detection technology still evokes a lot of unsolved problems. These concern, among others, the still high false positive rate in practical use, the scalability of the supervised domains, and the explanatory power of anomaly-based intrusion indications.

In recent years network monitoring and flow analysis has been developed as a complementary approach for the detection of network attacks. Flow analysis aims at the detection of network anomalies based on traffic measurements. Its importance arose with the increasing appearance of denial of service attacks and worm evasions, which are less efficient to detect with intrusion detection systems.

The flow analysis community developed two approaches for high speed data collection: flow monitoring and packet sampling. Flow monitoring aims to collect statistical information about specific portions of the overall network traffic, e.g. information about end-to-end transport layer connections. On the other hand, packet sampling reduces the traffic using explicit filters or statistical sampling algorithms.

2 Objectives

The objective of the Perspective Workshop "Network Attack Detection and Defense" was to discuss future challenges in reactive security, in particular in intrusion detection and flow analysis. New challenges arise as the functionality of network monitoring, attack detection and mitigation must be suitable for a large variety of attacks, and has to be scalable for high data rates and numbers of flows. Event correlation techniques can be used to combine results from both worlds. The workshop was the first one devoted to this topic in Dagstuhl. A particular objective of this workshop was to bring together both the intrusion detection and network monitoring communities, which still do their research relatively separated and are organized in different communities (e.g. WGs SIDAR and KUVS in the German Society of Informatics (GI) for reactive security and communication systems, respectively). The seminar was supposed to foster the coordination of the research activities in both communities.

3 Deliverables

The outcome of the workshop is a written manifesto, detailing the open issues and possible research perspectives for the coming 5-10 years according to the objectives given above. The manifesto was compiled by the editors listed on the front page based on the working group papers. Pavel Laskov kindly added a section on anomaly detection. The seminar participants and the composition of the working groups are listed in the appendix.

4 Scoping

4.1 Intrusion detection

The security function intrusion detection deals with the monitoring of IT systems to detect security violations. The decision which activities have to be considered as security violations in a given context is defined by the applied security policy. Two main complementary approaches are applied: anomaly and misuse detection. Anomaly detection aims at the exposure of abnormal system and/or network behavior. It requires a comprehensive set of data describing the normal system and network behavior. Although much research has been done in this area, this is difficult to achieve, so anomaly detection currently still has a limited practical importance. Misuse detection focuses on the (automated) detection of known attacks described by patterns, called signatures. These patterns are used to identify an attack in an audit data stream. This approach is applied by the majority of the systems used in practice. Their effectiveness, however, is also still limited. Intrusion detection systems are further classified in network- and host-based systems. Network intrusion detection systems analyze the network traffic to find suspicious attack patterns. They have proven to be robust and are preferably applied in today's commercial products. The development of field-proven host-based systems seems to be more difficult. Today's solutions are mostly only able to capture simple attacks, especially by matching single-step signatures in audit data streams, which have to be generated by special audit functions after a security relevant event took place.

The successful deployment of intrusion detection systems in practice still has to cope with a number of challenges. One problem is the accuracy of the detection models (such as signatures or specifications). When detection models are overly restrictive, false negatives are possible. This is particularly problematic for misuse detection systems that specify the properties of a particular attack. Here, care must be taken that the properties are not too specific and only valid for a very narrow set of instances of the complete class of attacks. When attack models are overly permissive, on the other hand, they will also match benign traffic. This is often the case with anomaly-based systems. A result of matching benign traffic is a large number of false positives. False positives undermine the trust in the intrusion detection system as they often cause lengthy investigations of valid network traffic. A second problem faced by intrusion detection systems is the large number of alerts that they produce. Network packets are at a very low level, and a single attack scenario run by an adversary (which includes scans, brute-force attacks against multiple services, etc.) can quickly generate hundreds or even thousands of individual packets that match an attack specification. The result is hundreds or thousands of very similar alerts that actually refer to a single root cause. Alert correlation was proposed to infer high-level attack scenarios from a stream of low-level alerts. Unfortunately, the different alert formats and the difficulty of inferring strategies from low-level events make this problem challenging.

The main merit of anomaly-based intrusion detection techniques is their ability to detect previously unknown attacks. One might think that the collective expertise amassed in the computer security community and a sophisticated infrastructure for dissemination of security-related advice (e.g. vulnerability tracking systems and signature databases) rule out major outbreaks of “genuinely novel” exploits. Unfortunately, signs are appearing that a wide-scale deployment of efficient tools for obfuscation, mutation, and simple encryption of attacks generates a huge variability of, strictly speaking, only “marginally novel”
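The two high-speed data collection approaches named in section 1, flow monitoring and packet sampling, as an added example that is not part of the manifesto: flow_monitor aggregates constructed packet records into per-connection flow records with an inactivity timeout, while sample_packets applies an explicit destination-port filter or systematic 1-in-n sampling, and estimate_bytes shows the error the sampling introduces. Record layout, addresses, the 15 s timeout and the 1-in-10 rate are all assumptions.

```python
# Constructed packet records: (ts, src, dst, proto, sport, dport, length). Flow key = 5-tuple.
def key_of(pkt):
    return pkt[1:6]

def flow_monitor(packets, inactive_timeout=15.0):
    # Aggregate packets into per-connection flow records (packets, bytes, start, end).
    # A flow is exported once the connection has been silent for `inactive_timeout` s.
    active, exported = {}, []
    for pkt in packets:
        ts, length = pkt[0], pkt[6]
        k = key_of(pkt)
        rec = active.get(k)
        if rec is not None and ts - rec["end"] > inactive_timeout:
            exported.append((k, rec))  # silent too long: export and start a new flow
            rec = None
        if rec is None:
            active[k] = {"packets": 1, "bytes": length, "start": ts, "end": ts}
        else:
            rec["packets"] += 1
            rec["bytes"] += length
            rec["end"] = ts
    exported.extend(active.items())  # flush flows still active at end of capture
    return exported

def sample_packets(packets, n, dport_filter=None):
    # Systematic 1-in-n packet sampling, optionally behind an explicit destination-port filter.
    kept = [p for p in packets if dport_filter is None or p[5] == dport_filter]
    return kept[::n]

def estimate_bytes(sampled, n):
    # Scale the sampled byte volume back up to estimate the unsampled total.
    return n * sum(p[6] for p in sampled)

# Constructed capture: a 40 s web connection, one DNS exchange, and the same web
# 5-tuple reused after a 60 s gap, which the monitor must report as a second flow.
WEB = ("10.0.0.2", "198.51.100.7", "tcp", 51000, 80)
DNS = ("10.0.0.2", "10.0.0.53", "udp", 40000, 53)
PACKETS = [(float(t),) + WEB + (1000,) for t in range(40)]
PACKETS += [(2.0,) + DNS + (70,), (2.1,) + DNS + (120,)]
PACKETS += [(float(t),) + WEB + (1000,) for t in range(100, 110)]
PACKETS.sort()
```

With 1-in-10 sampling the 52 packets shrink to 6 and the scaled byte estimate (60000) overshoots the true 50190 bytes, which is the accuracy cost the manifesto's measurement-technology topic is concerned with.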
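Alert correlation as described in section 4.1 above (hundreds of low-level alerts that refer to a single root cause), as an added example that is not part of the manifesto: aggregate fuses constructed low-level alerts by source and signature within a time window into meta-alerts, and infer_scenarios lifts them to one scenario per source. The alert tuple layout, the signature names PORTSCAN and BRUTE_FORCE, the addresses and the 60 s window are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass, field
@dataclass
class MetaAlert:
    src: str
    signature: str
    first_seen: float
    last_seen: float
    count: int = 1
    targets: set = field(default_factory=set)  # (dst, dst_port) pairs hit by the group

def aggregate(alerts, window=60.0):
    # Fuse low-level alerts (ts, signature, src, dst, dst_port), sorted by ts, into
    # meta-alerts: same source and signature, each alert within `window` s of the last.
    open_groups, finished = {}, []
    for ts, sig, src, dst, port in alerts:
        meta = open_groups.get((src, sig))
        if meta is not None and ts - meta.last_seen <= window:
            meta.count += 1
            meta.last_seen = ts
            meta.targets.add((dst, port))
        else:
            if meta is not None:  # group went quiet: emit it, start a fresh one
                finished.append(meta)
            open_groups[(src, sig)] = MetaAlert(src, sig, ts, ts, 1, {(dst, port)})
    finished.extend(open_groups.values())
    return sorted(finished, key=lambda m: m.first_seen)

def infer_scenarios(metas):
    # One scenario per source: a scan preceding brute force on >1 service is one root cause.
    by_src = defaultdict(list)
    for m in metas:
        by_src[m.src].append(m)
    scenarios = {}
    for src, ms in by_src.items():
        scans = [m for m in ms if m.signature == "PORTSCAN"]
        brute = [m for m in ms if m.signature == "BRUTE_FORCE"]
        services = {port for m in brute for _, port in m.targets}
        if scans and len(services) > 1 and min(m.first_seen for m in scans) < min(m.first_seen for m in brute):
            scenarios[src] = "scan then brute force against %d services" % len(services)
        else:
            scenarios[src] = "isolated: " + ", ".join(sorted({m.signature for m in ms}))
    return scenarios

# Constructed sample: 10.0.0.5 scans 200 ports then hammers SSH and FTP; 10.0.0.9 is a lone scan.
SAMPLE = [(t, "PORTSCAN", "10.0.0.5", "192.168.1.10", 1 + t) for t in range(200)]
SAMPLE += [(300 + i + d, "BRUTE_FORCE", "10.0.0.5", host, port)
           for i in range(150) for d, host, port in ((0, "192.168.1.10", 22), (0.5, "192.168.1.11", 21))]
SAMPLE += [(500.0, "PORTSCAN", "10.0.0.9", "192.168.1.12", 80)]
```

The 501 constructed alerts collapse to three meta-alerts and two scenarios; a real correlator additionally has to normalize the differing alert formats the text mentions before grouping.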