• DocumentCode
    2415783
  • Title

    Attack signature matching and discovery in systems employing heterogeneous IDS

  • Author

    Carey, Nathan ; Mohay, George ; Clark, Andrew

  • Author_Institution
    Queensland Univ. of Technol., Brisbane, Qld., Australia
  • fYear
    2003
  • fDate
    8-12 Dec. 2003
  • Firstpage
    245
  • Lastpage
    254
  • Abstract
    Over the past decade, intrusion detection systems (IDS) have improved steadily in the efficiency and effectiveness with which they detect intrusive activity. This is particularly true with signature-based IDS due to progress with intrusion analysis and intrusion signature specification. At the same time, system complexity, overall numbers of bugs and security vulnerabilities have been on the increase. This has led to the recognition that in order to operate over the entire attack space, multiple heterogeneous IDS must be used, which need to interoperate with one another, and possibly also with other components of system security. We describe our research into developing algorithms for attack signature matching for detecting multistage attacks manifested by alerts from heterogeneous IDS. It also describes the testing and preliminary results of that research, and the administrator interface used to analyze the alerts produced by the tests and the results of signature matching.
  • Keywords
    message authentication; pattern matching; administrator interface; attack signature matching; intrusion signature specification; multiple heterogeneous intrusion detection system; multistage attacks; Computer bugs; Data analysis; Dynamic compiler; Genetic expression; Intrusion detection; Java; Logic; Performance analysis; Security; Testing;
  • fLanguage
    English
  • Publisher
    ieee
  • Conference_Titel
    Computer Security Applications Conference, 2003. Proceedings. 19th Annual
  • Print_ISBN
    0-7695-2041-3
  • Type

    conf

  • DOI
    10.1109/CSAC.2003.1254329
  • Filename
    1254329