Integrated Policy-based Intrusion Detection

Funded by: Sentinels programme (Min. Economic Affairs, NWO-AB, STW)
Duration: August 2005 until September 2009
Contact: Prof. Dr. R.J. Wieringa (Roel)

Integrated Policy-Based Intrusion Detection (IPID)

Currently available intrusion detection tools monitor events at a relatively low level of abstraction. Due to the large number of events that occur at that level, and due to the low abstraction level, these tools are either ineffective (by generating a large number of false negatives) or inefficient (by generating a large number of false positives). The objective of IPID is to increase both effectiveness and efficiency of these tools by relating low-level events to a smaller number of events at a high level that are meaningful to the business.

This figure shows our current ideas about integrated, policy-based intrusion detection. At the business level, security policies are specified based on e.g. IT control frameworks such as Cobit. These policies are not formal and have to be translated into formal policies, preferably rigorously checked for consistency, before they can be deployed. The formal policies serve as configuration information for an intrusion detection system. This intrusion detection system provides a continuous stream of intrusion event descriptions, which are stated in terms of its configuration information, not in terms that have a clear meaning at the business level. Therefore, this information has to be aggregated automatically to provide information for security control at the business level. Based on this information, security policies may be adapted and the cycle starts again.
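The aggregation step described above, as an added illustration that is not IPID project code: a small Python aggregator collapses a stream of low-level sensor events into business-level policy events according to a formal policy. The policy fields (signature, threshold, window), the event layout and the sample events are assumptions constructed for this example.

```python
"""Policy-driven aggregation of low-level IDS events into business-level events.

Added example, not IPID project code. Policy format, event fields and the
sample data are assumptions chosen to illustrate the aggregation step.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    name: str        # business-level name of the control being monitored
    signature: str   # low-level event type reported by the sensor
    threshold: int   # low-level events needed to form one business event
    window: int      # time window (seconds) in which they must occur


# Constructed low-level sensor events: (timestamp, event_type, user).
LOW_LEVEL_EVENTS = [
    (100, "auth_failure", "alice"),
    (105, "auth_failure", "alice"),
    (110, "auth_failure", "alice"),
    (400, "auth_failure", "alice"),   # outside the window of the first three
    (120, "auth_failure", "bob"),
    (130, "file_read", "bob"),        # covered by no policy: never surfaced
]

# Constructed formal policy; in IPID this would be derived from a business control.
POLICIES = [
    Policy("repeated authentication failures per account", "auth_failure", 3, 60),
]


def aggregate(events, policies):
    """Return business-level events as (policy, user, count, first_ts, last_ts).

    Events matching a policy signature are grouped per user; each run of
    `threshold` events inside `window` seconds becomes one high-level event.
    """
    high_level = []
    for policy in policies:
        per_user = defaultdict(list)
        for ts, etype, user in sorted(events):
            if etype == policy.signature:
                per_user[user].append(ts)
        for user, stamps in per_user.items():
            i = 0
            while i + policy.threshold <= len(stamps):
                j = i + policy.threshold - 1
                if stamps[j] - stamps[i] <= policy.window:
                    high_level.append((policy.name, user, policy.threshold, stamps[i], stamps[j]))
                    i = j + 1          # consume the run, start a fresh one
                else:
                    i += 1
    return high_level
```

Running `aggregate(LOW_LEVEL_EVENTS, POLICIES)` turns six sensor events into a single event that names the business control, which is the reduction in volume and the gain in meaning the project aims for.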

The IPID team has previously published a paper on modeling mobility aspects of security policies. Although this paper does not address the business level to a great extent, it shows what can be obtained with the modeling approach that will be used in the IPID project. This paper deals with the left-hand side of the figure above.

The IPID project is a joint project of the Distributed and Embedded Systems and Information Systems research groups of the University of Twente, Rabobank and TNO Information and Communication Technology. The project is funded by the Sentinels programme, a joint initiative of the Dutch Ministry of Economic Affairs, the Netherlands Organization for Scientific Research Governing Board (NWO-AB), and the Technology Foundation STW.

