BjOG – Bjou’s Blog, that is!

My study thesis is finally completed. It deals with different Intrusion Detection approaches consisting mainly of sniffers and honeypots and their implementation in the University’s campus network. Basically, I have deployed several heterogenous sensors in different subnets/VLANs and enabled all of them to report to one centralized console for further investigations and automated incident forwarding to the appropriate persons in charge. This is the abstract:

Computer systems and -networks connected to the Internet are exposed to a large array of malicious activities. Computers throughout the world are continuously being scanned for vulnerabilities, exploited and finally compromised by humans or by autonomously spreading malicious software, called malware. To stem this thread, the University of Karlsruhe has deployed an Intrusion Detection System (IDS) consisting of the Intrusion Prevention module ”IntruShield” and some other quarantine automation modules. The purpose of this study thesis is to ensure deeper security by extending this IDS according to the ”Defense in Depth” strategy. Therefore, several sensors have been deployed into the core- and user network to extend the current setup to a distributed Intrusion Detection System. The heterogeneity of these sensors aid to cover different kinds of attacks: Sniffers for network traffic examination, honeypots for network-host specific operations and host-based IDSs (HIDS) for hostspecific activities. As this heterogeneity leads to a large amount of different data to be analyzed, it has been decided to implement a hybrid Intrusion Detection framework, which enables all the different security applications, i.e. sensors, to report to a centralized console which performs automatic aggregation of the distributed data and correlation between the various events, presented to the security analyst through a web interface.
This work gives an introduction to the basic principles, approaches and securityrelated software technologies used throughout this study thesis. Moreover, it describes the current security concept of the University of Karlsruhe as well its proposed enhancements. In detail, this thesis evinces the campus-wide implementation of the previously mentioned distributed Intrusion Detection architecture and concludes with its evaluation and a future outlook. The thesis shows that the commissioning of this approach results not only in a better automated, but also in a more structured, more unified and a more accelerated security process.

Link: Intrusion Detection with Heterogenous Sensors, 86 pages, 3.5 MB.