DECIDUOUS: decentralized source identification for network-based intrusions

DECIDUOUS is a security management framework for identifying the sources of network-based intrusions. The first key concept in DECIDUOUS is dynamic security associations, which efficiently and collectively provide location information for attack sources. DECIDUOUS is built on top of the IETF´s IPSEC/ISAKMP infrastructure, and it does not introduce any new network protocol for source identification in a single administrative domain. It defines a collaborative protocol for inter-domain attack source identification. The second key concept in DECIDUOUS is the management information integration of the intrusion detection system (IDS) and attack source identification system (ASIS) across different protocol layers. For example, in DECIDUOUS, it is possible for a network-layer security control protocol (e.g., IPSEC) to collaborate with an application-layer intrusion detection system module (e.g., IDS for the SNMP engine). In this paper, we present the motivations, design, and prototype implementation of the DECIDUOUS framework