Title :
The monitoring, detection, interpretation and response paradigm for the security of battlespace networks
Author :
Cabrera, João B D ; Popyack, Leonard J. ; Lewis, Lundy ; Ravichandran, B. ; Mehra, Raman K.
Author_Institution :
Sci. Syst. Co., Woburn, MA, USA
Abstract :
Modern battlespace networks are too complex to be defended using only the traditional shielding techniques of cryptography, authentication and static firewalls. Implicit in much of the current research devoted to applying data-based techniques to network security is the paradigm of monitoring, detection, interpretation and response (MDIR). Under MDIR, shielding technologies are still present, but the designer accepts the possibility of external attacks, insider misuse, and vulnerable application software, and constantly monitors the network to detect abnormalities. Previous work by the authors on a research testbed has shown that COTS network management systems (NMSs), combined with anomaly detection and other statistical techniques, can be used successfully for data monitoring and for automatically detecting correlations between attacker events and target events during distributed denial of service attacks launched with hacker toolkits. This paper examines the MDIR paradigm and reviews these experiments against that background.
Keywords :
correlation methods; cryptography; message authentication; military communication; telecommunication network management; telecommunication security; COTS network management systems; MDIR paradigm; anomaly detection; attacker events correlation detection; authentication; battlespace networks security; cryptography; data monitoring; distributed denial of service attacks; external attacks; hacker toolkits; insider misuse; monitoring detection interpretation response paradigm; network security; research testbed; shielding techniques; static firewalls; statistical techniques; vulnerable application software; Application software; Authentication; Automatic testing; Computer crime; Computer hacking; Computerized monitoring; Cryptography; Data security; Event detection; System testing;
Conference_Title :
Military Communications Conference, 2001. MILCOM 2001. Communications for Network-Centric Operations: Creating the Information Force. IEEE
Print_ISBN :
0-7803-7225-5
DOI :
10.1109/MILCOM.2001.985771