Abstract

Information technologies have become part of our daily life. Contemporary society depends on the functioning of various information systems that keep the community running day to day. The aim of an attack is often to disrupt or deny a service, or at least one of the parts required for its proper functionality, or to acquire unauthorized access to information [Vokorokos (2004)]. Solid system security has therefore become one of the main priorities. The basic means of protection are specialized devices, firewalls, which make it possible to define and control permitted communications at the boundary of a computer network or between protected segments and the surrounding environment. Present firewalls often detect some unauthorized attack activities, but their functionality is limited. Systems for detecting unauthorized intrusion increase the security of information systems against attacks from the Internet or the organization's intranet, either by passively reporting an arising intrusion or by actively intervening against a detected intrusion. The existing intrusion detection approaches can be divided into two classes: anomaly detection and misuse detection [Denning (1987)]. Anomaly detection approaches the problem by attempting to find deviations from the established patterns of usage. Misuse detection, on the other hand, compares the usage patterns to known techniques of compromising computer security. Architecturally, an intrusion detection system (IDS) can be categorized into three types: host-based IDS, network-based IDS and hybrid IDS [Bace (2000)]. The host-based IDS, deployed on individual host machines, can monitor the audit data of a single host. The network-based IDS monitors the traffic data sent and received by hosts. The hybrid IDS uses both methods. Intrusion detection through multiple sources is a difficult task. Intrusion pattern matching has a non-deterministic nature, where the same intrusion or attack can be realized through various permutations of the same events.
The purpose of this paper is to present the authors' proposed intrusion detection architecture based on partially ordered events and Petri nets. The project is proposed and implemented at the Department of Computers and Informatics in Kosice, supported by VEGA 1/4071/07 (Security architecture of heterogeneous distributed and parallel computing system and dynamical computing system resistant against attacks) and APVV 0073-07 (Identification methods and analysis of safety threats in architecture of distributed computer systems and dynamical networks).
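
The following is an added illustration, not the authors' architecture or code, of why a Petri net suits partially ordered events: one net matches every permutation of the unordered steps without listing each sequence. The signature, the place names and the event labels are assumptions constructed for this example.

```python
from collections import Counter

# Constructed signature (an assumption, not taken from the paper):
# after a login, a credential-store read and an audit-log disable may occur
# in either order; an outbound transfer after BOTH completes the pattern.
# Each transition: event label -> (input places, output places).
TRANSITIONS = {
    "login":             (["start"], ["need_read", "need_disable"]),   # fork
    "cred_store_read":   (["need_read"], ["did_read"]),
    "audit_disabled":    (["need_disable"], ["did_disable"]),
    "outbound_transfer": (["did_read", "did_disable"], ["alert"]),     # join
}

def match(events, transitions=TRANSITIONS):
    """Play an audit event stream as a token game.

    Returns True as soon as the 'alert' place is marked, else False.
    """
    marking = Counter({"start": 1})          # initial marking: one token
    for ev in events:
        rule = transitions.get(ev)
        if rule is None:
            continue                         # unrelated events are ignored
        inputs, outputs = rule
        need = Counter(inputs)
        # A transition is enabled only if every input place holds a token.
        if all(marking[p] >= n for p, n in need.items()):
            marking.subtract(need)           # consume input tokens
            marking.update(outputs)          # produce output tokens
        if marking["alert"] > 0:
            return True
    return False

# Constructed audit streams for one session (sample data, not real logs).
ORDER_A = ["login", "cred_store_read", "audit_disabled", "outbound_transfer"]
ORDER_B = ["login", "file_list", "audit_disabled", "cred_store_read",
           "outbound_transfer"]
INCOMPLETE = ["login", "cred_store_read", "outbound_transfer"]

if __name__ == "__main__":
    for name, stream in [("A", ORDER_A), ("B", ORDER_B), ("incomplete", INCOMPLETE)]:
        print(name, "->", "ALERT" if match(stream) else "no match")
```

The fork after `login` puts tokens in two independent places, so the two middle events are accepted in either order, while the join on `outbound_transfer` stays disabled until both have been seen.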
