Abstract
Intrusion Detection Systems (IDS) are used to prevent attacks by detecting potential harmful intrusion attempts. Currently, there are a set of available Open Source IDS with different characteristics. The Open Source Host-based Intrusion Detection System (OSSEC) supports multiple features and its implementation consists of Agents that collect and send event logs to a Manager that analyzes and tests them against specific rules. In the Manager, if certain events match a specific rule, predefined actions are triggered in the Agents such as to block or unblock a particular IP address. However, once an action is triggered, the systems administrator is not able to centrally check and obtain detailed information of the past event logs. In addition, OSSEC may assume false positive or negative detections and their triggered actions: previously harmless but blocked IP addresses by OSSEC have to be unblocked in order to reestablish normal operation or potential harmful IP addresses not previously blocked by OSSEC should be blocked in order to increase protection levels. These operations to override OSSEC actions must be manually performed in every Agent, thus requiring time and human resources. Both these limitations have a higher impact on large scale OSSEC deployments assuming tens or hundreds of Agents. This paper proposes an extension to OSSEC that improves the administrator analysis capability by maintaining, organizing and presenting Agent logs in a central point, and it allows for blocking or unblocking IP addresses in order to override actions triggered by false detections. The proposed extension aims to increase efficiency of time and human resources management, mainly considering large scale OSSEC deployments.
Highlights
Networks and systems connected to the Internet are exposed daily to world wide cyber threats
This paper focuses on two particular Open Source Host-based Intrusion Detection System (OSSEC) limitations with impacts on its scalability, namely the complexity of log analysis that are distributed by each Agent, and the inability to centrally block IP addresses not previously detected or unblock previously blocked IP addresses
The system administrator can use a combination of security mechanisms, such as firewalls, Intrusion Detection Systems (IDS), and Security Information and Event Management (SIEM), to prevent and mitigate the security attacks
Summary
Networks and systems connected to the Internet are exposed daily to world wide cyber threats. The proposed extension simplifies the SysAdmin task by preserving and organizing Agent logs at the Manager, allowing to check them centrally using filters, even after they are processed This extension allows for overriding specific false positive and negative detections and respective triggered actions, centrally in the Manager, in particular for actions involving blocking and unblocking IP addresses in one or multiple Agents. In this scenario, a set of events were triggered and the time elapsed for the Manager to analyze logs and revert actions was accounted. The use of the proposed extension allowed to shorten the time to override particular OSSEC actions, to block or unblock specific IP addresses in the Agents The impact of this elapsed time would be proportionally higher when multiple Agents are deployed.
Sign-in/Register to view highlights & summary Sign-in/Register to access full text options 
Free) 
Talk to us
Join us for a 30 min session where you can share your feedback and ask us any queries you have
Schedule a call
