A Lone Wolf No More: Supporting Network Intrusion Detection with Real-Time Intelligence

Title: A Lone Wolf No More: Supporting Network Intrusion Detection with Real-Time Intelligence
Publication Type: Conference Paper
Year of Publication: 2012
Authors: Amann, J., Sommer R., Sharma A., & Hall S.
Other Numbers: 3337

For network intrusion detection systems it is becoming increasingly difficult to reliably report today's complex attacks without having external context at hand. Unfortunately, however, today's IDS cannot readily integrate intelligence, such as dynamic blacklists, into their operation. In this work, we introduce a fundamentally new capability into IDS processing that vastly broadens a system's view beyond what is visible directly on the wire. We present a novel Input Framework that integrates external information in real-time into the IDS decision process, independent of specific types of data, sources, and desired analyses. We implement our design on top of an open-source IDS, and we report initial experiences from real-world deployment in a large-scale network environment. To ensure that our system meets operational constraints, we further evaluate its technical characteristics in terms of the intelligence volume it can handle under realistic workloads, and the latency with which real-time updates become available to the IDS analysis engine. The implementation is freely available as open-source software.


We would like to thank the Lawrence Berkeley National Laboratory for their collaboration. This work was supported by the U.S. Army Research Laboratory and the U.S. Army Research Office under MURI grant No. W911NF-09-1-0553; a fellowship within the Postdoc-Programme of the German Academic Exchange Service (DAAD); by the Director, Office of Science, Office of Safety, Security, and Infrastructure, of the U.S. Department of Energy under Contract No. DE-AC02-05CH11231; and by the US National Science Foundation under grant OCI-1032889. Any opinions, findings, and conclusions or recommendations expressed in this material are those of the authors or originators and do not necessarily reflect the views of the DAAD, the ARL/ARO, the DOE, or the NSF, respectively.

Bibliographic Notes

Proceedings of the 15th International Symposium on Attacks, Intrusions, and Detections (RAID 2012), pp. 314-333, Amsterdam, the Netherlands

Abbreviated Authors

J. Amann, R. Sommer, A. Sharma, and S. Hall

ICSI Research Group

Networking and Security

ICSI Publication Type

Article in conference proceedings