**5.3 Design of data exchange format based on XML**

In a distributed intrusion prevention system, the data filter module is composed of a firewall and other components, and the network data processing module generally refers to the IDS. In this paper, the data transmitted between the firewall and the IDS are classified into four categories: event data, rule data, analysis result data and action response data, corresponding to the function units of the CIDF framework [11].

The relationship among these data is as follows. The data generated by the firewall from filtered network packets is called event data. Whether the described event is an intrusion event depends on the IDS matching or analyzing it against the rule data. If it is a real intrusion event, analysis result data is generated. The firewall then responds to the analysis result data according to the corresponding strategies and generates action response data.

#### **Design of event data**

Event data is the original network packet data filtered by the firewall according to the security strategy. Therefore, this kind of data must contain a complete description of the original network data, so that the IDS can detect or analyze it using the matching information in its rules. In addition, it needs to contain the firewall name and the time at which the event happened. The firewall name is included because several firewalls may be deployed in the network; when detecting network data, more than one firewall may find the same event, so the events need to be distinguished and analyzed. In some cases, the IDS needs to examine what happened during certain phases in order to determine whether any intrusion occurred, so the data type also contains the time at which the event happened. Finally, to support data expansion, additional data is needed to carry further descriptions in the event data, and it can be used as a reserved interface. The illustration of event data is as follows:

Intrusion Detection and Prevention in High Speed Network 81

Fig. 18. The design of event data

The XML DTD of event data is provided in detail as follows; the DTDs of the other types are omitted.

#### **Design of rule data**

80 Security Enhanced Applications for Information Systems


According to Snort rules, the rule data is divided into two logical parts: the rule header and the rule options. The rule header contains the rule action, the protocol, the source and destination IP address and mask, the source and destination ports and the direction operator. The rule options contain the alert message and the main parts of the packet to be checked; they include the characteristics and the priority, and the characteristics are described by one or more keywords. As with the event data, the rule data also needs a reserved interface for the expansion of rule data, which is placed in the rule options. The design of rule data is shown in Figure.3.

Fig. 19. The design of rule data
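As an added worked example (not the chapter's code), the following Python splits a Snort rule into exactly the two parts described above, the header (action, protocol, addresses with masks, ports, direction) and the options (message, priority, characteristic keywords, reserved extension), serialises the result as an XML rule data record and reads it back. The sample rule and the XML element names (`RuleData`, `RuleHeader`, `RuleOptions`, `extension`) are this example's assumptions, not the chapter's DTD.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample rule (not from the chapter); the options use ordinary
# Snort keyword syntax, with ';' separating options and ':' separating a
# keyword from its value.
SAMPLE_RULE = (
    'alert tcp any any -> 192.168.1.0/24 80 '
    '(msg:"WEB suspicious request"; content:"/cgi-bin/"; nocase; '
    'priority:2; sid:1000001; rev:1;)'
)

# Rule header: action, protocol, source address/port, direction operator,
# destination address/port, followed by the parenthesised option list.
HEADER_RE = re.compile(
    r'^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+'
    r'(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$'
)


def split_addr(addr):
    """'192.168.1.0/24' -> ('192.168.1.0', '24'); 'any' -> ('any', '')."""
    ip, _, mask = addr.partition("/")
    return ip, mask


def parse_options(opts):
    """Split the option list into (keyword, value) pairs. A ';' inside a
    quoted value (e.g. content:"a;b") does not end the option."""
    pairs = []
    for raw in re.findall(r'(?:"[^"]*"|[^;])+', opts):
        item = raw.strip()
        if not item:
            continue
        key, _, value = item.partition(":")
        pairs.append((key.strip(), value.strip().strip('"')))
    return pairs


def parse_snort_rule(rule):
    """Parse one Snort rule into the header/options structure of rule data."""
    m = HEADER_RE.match(rule.strip())
    if m is None:
        raise ValueError("not a Snort rule: " + rule)
    src_ip, src_mask = split_addr(m.group("src"))
    dst_ip, dst_mask = split_addr(m.group("dst"))
    options = parse_options(m.group("opts"))
    known = dict(options)
    return {
        "header": {
            "action": m.group("action"), "protocol": m.group("proto"),
            "src_ip": src_ip, "src_mask": src_mask, "src_port": m.group("sport"),
            "direction": m.group("dir"),
            "dst_ip": dst_ip, "dst_mask": dst_mask, "dst_port": m.group("dport"),
        },
        "options": {
            "msg": known.get("msg", ""),
            "priority": int(known.get("priority") or 0),
            # every other option is a keyword describing the packet characteristics
            "characteristics": [(k, v) for k, v in options if k not in ("msg", "priority")],
        },
    }


def rule_to_xml(parsed):
    """Serialise to the rule data record: <RuleHeader>, then <RuleOptions> with
    the alert message, priority, characteristic keywords and the reserved
    <extension> element. Element names are this example's assumption."""
    root = ET.Element("RuleData")
    hdr = ET.SubElement(root, "RuleHeader")
    for name, value in parsed["header"].items():
        ET.SubElement(hdr, name).text = value
    opt = ET.SubElement(root, "RuleOptions")
    ET.SubElement(opt, "msg").text = parsed["options"]["msg"]
    ET.SubElement(opt, "priority").text = str(parsed["options"]["priority"])
    chars = ET.SubElement(opt, "characteristics")
    for key, value in parsed["options"]["characteristics"]:
        ET.SubElement(chars, "keyword", name=key).text = value
    ET.SubElement(opt, "extension")  # reserved interface for rule expansion
    return ET.tostring(root, encoding="unicode")


def rule_from_xml(xml_text):
    """Receiver side: rebuild the structure from the XML record."""
    root = ET.fromstring(xml_text)
    header = {child.tag: (child.text or "") for child in root.find("RuleHeader")}
    opt = root.find("RuleOptions")
    return {
        "header": header,
        "options": {
            "msg": opt.findtext("msg") or "",
            "priority": int(opt.findtext("priority") or 0),
            "characteristics": [(kw.get("name"), kw.text or "")
                                for kw in opt.iterfind("characteristics/keyword")],
        },
    }


if __name__ == "__main__":
    print(rule_to_xml(parse_snort_rule(SAMPLE_RULE)))
```

The option splitter keeps quoted values intact, so a `content` pattern containing `;` survives the split; a rule that does not match the header grammar is rejected with `ValueError` rather than being serialised half-parsed.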

#### **Design of analysis results data**

The analysis result data is obtained by analyzing the data delivered to the IDS against the rule data of the IDS. After detection and analysis by the IDS, an event can be classified into three categories: a malicious attack event, a suspected but unconfirmed security event, and normal network traffic. For a malicious attack event, we use obstructive response methods and record the event; a suspected but unconfirmed security event needs alert response methods; for normal network traffic, recording the key information is enough. However, none of these responses are carried out directly in the IDS. The IDS passes the analysis result data through the central control module, which matches it and, if it is allowed, feeds it back to the firewall, and the firewall handles it according to the response actions. So the analysis result data should describe the event type, the event processing action, the time of the event, which IDS dealt with the event and so on. If it is a malicious or suspected event, we also need to describe the name of the event, its source, its target, when the attack happened and how it affected the system. As with the first two data structures, the analysis result data also has a reserved interface, called expansion data. The design of analysis result data is shown in Figure.20.

Fig. 20. The design of analysis results data

#### **Design of action response data**

According to the response actions, the firewall processes the result data detected by the IDS and produces the action response data. In this process, normal network traffic does not need to be recorded, whereas the malicious or suspected events and their corresponding processing actions are put into the record; thus the action response data is defined only in relation to the IDS. So the action response data should state which firewall responded to the analysis data, what the attack event is called, what its source is, what its target is, when it happened and how it compromised the system. All of these correspond to the attack events in the analysis result data, and these records are used to keep the response data complete. The action response data should also record the final processing result that the firewall applied to the result data, which is called the response action. In addition, the receiver should also be provided. Finally, it includes the extended data and the implementation of the data extension. The design of action response data is shown in Figure.21.

Fig. 21. The design drawing of action response data
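As an added worked example (not the chapter's code) covering the two records just described, the following Python lets the IDS classify a matched event into the three categories (malicious, suspected, normal) and emit the analysis result record, then lets the firewall answer with an action response record that carries the firewall name, the receiver, the response action and the same attack descriptors, and finally checks that a response really refers to the result it answers. The priority-to-category mapping, the element names, the sample event and the sample rule match are all assumptions made for this example.

```python
import xml.etree.ElementTree as ET

# Descriptors that an action response must copy from the analysis result.
ATTACK_FIELDS = ("name", "source", "target", "attack_time", "impact")


def classify(priority):
    """Assumed mapping from the matched rule's priority to the chapter's three
    event categories and the response each gets: block and record a malicious
    attack, alert on a suspected event, only log normal traffic."""
    if priority is None:       # no rule matched
        return "normal", "log"
    if priority <= 1:
        return "malicious", "block"
    return "suspected", "alert"


def analyze(event, match, ids_name="ids-1"):
    """IDS side: build the analysis result record for one event.
    `event` holds the event data fields, `match` the matched rule's msg,
    priority and impact description, or None when nothing matched."""
    event_type, action = classify(None if match is None else match["priority"])
    result = {"ids": ids_name, "event_type": event_type,
              "action": action, "time": event["time"]}
    if event_type != "normal":   # attack descriptors only for malicious/suspected
        result.update({
            "name": match["msg"],
            "source": f'{event["src_ip"]}:{event["src_port"]}',
            "target": f'{event["dst_ip"]}:{event["dst_port"]}',
            "attack_time": event["time"],
            "impact": match.get("impact", "unknown"),
        })
    return result


def result_to_xml(result):
    root = ET.Element("AnalysisResultData")
    for key, value in result.items():
        ET.SubElement(root, key).text = str(value)
    ET.SubElement(root, "expansion")   # reserved interface
    return ET.tostring(root, encoding="unicode")


def respond(result_xml, firewall, receiver):
    """Firewall side. Normal traffic yields no record (returns None); a
    malicious or suspected event yields an action response naming the
    firewall, the receiver, the response action taken and the same attack
    descriptors as the result it answers."""
    root = ET.fromstring(result_xml)
    if root.findtext("event_type") == "normal":
        return None
    resp = ET.Element("ActionResponseData")
    ET.SubElement(resp, "firewall").text = firewall
    ET.SubElement(resp, "receiver").text = receiver
    ET.SubElement(resp, "response_action").text = root.findtext("action")
    for tag in ATTACK_FIELDS:
        ET.SubElement(resp, tag).text = root.findtext(tag)
    ET.SubElement(resp, "extension")   # reserved interface
    return ET.tostring(resp, encoding="unicode")


def consistent(result_xml, response_xml):
    """Check the receiver can run: the response must describe the same attack
    event, and carry the same action, as the analysis result it answers."""
    r, a = ET.fromstring(result_xml), ET.fromstring(response_xml)
    same_event = all(r.findtext(t) == a.findtext(t) for t in ATTACK_FIELDS)
    return same_event and r.findtext("action") == a.findtext("response_action")


# Constructed sample event and rule match (not from the chapter).
SAMPLE_EVENT = {"firewall": "fw-edge-1", "time": "2012-01-15T10:22:31Z",
                "protocol": "tcp", "src_ip": "203.0.113.7", "src_port": 51234,
                "dst_ip": "192.0.2.10", "dst_port": 80}
SAMPLE_MATCH = {"msg": "WEB suspicious request", "priority": 1,
                "impact": "web server"}

if __name__ == "__main__":
    result_xml = result_to_xml(analyze(SAMPLE_EVENT, SAMPLE_MATCH))
    print(result_xml)
    print(respond(result_xml, "fw-edge-1", "ids-1"))
```

`consistent` is the check the chapter's "keep the response data complete" requirement suggests: because the action response repeats the result's attack descriptors, the receiving side can verify that a response has not been detached from, or altered relative to, the analysis result it claims to answer.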


### **5.4 Related works**

IDXP (Intrusion Detection Exchange Protocol) is an application layer protocol applied to data exchange among intrusion detection entities (Feinstein & Matthews, 2007), and it supports the transfer of IDMEF (Intrusion Detection Message Exchange Format) messages, unstructured text and binary data (Debar et al., 2007). It also has the security characteristics of bidirectional authentication, integrity and confidentiality, based on connection-oriented protocols. However, IDXP and IDMEF are simply data exchange protocols, and they are not adaptable to other correlation schemes.

IAP (Intrusion Alert Protocol) [9] is a transport protocol for the alert data of intrusion detection, based on TCP and on the TLS protocol for secure data transmission (Gupta et al., 2001). The alert data is described in XML and conforms to the IDMEF format specification.


IPIEP (Intrusion Protection Interaction Exchange Protocol) is an application layer protocol that defines the exchange rules for correlation messages, while IPIMEF (Intrusion Protection Interaction Message Exchange Format) defines the data format of the messages; the two have no corresponding dependency relationship.

In summary, none of these related works supports trusted communication between the data filter module and the network data processing module in a distributed intrusion prevention system.

#### **5.5 Summary**

The main contribution of this subsection is a trusted communication protocol between the data filter module and the network data processing module in a distributed IPS. The transmitted data are classified into four categories, each defined with XML technology, and the XML DTD description language is applied to the definition of these four data formats. A trusted data communication mechanism is then provided, divided into three layers: the application layer, the XML parsing layer and the message transaction layer. CORBA technology is applied to solve the heterogeneous platform and load-balancing problems. The TLS security protocol standard ensures the integrity and security of data during transmission. The trusted communication protocol can also be adapted to network security products and network management equipment, and it contributes to security data fusion and to detecting sophisticated distributed network attacks.

## **6. Conclusion**

With the rapid development and comprehensive application of network technology, the Internet contributes significantly to the development of human society. Meanwhile, network security problems are gradually becoming serious. Traditional firewall technologies cannot provide sufficient protection against various attacks and intrusions, while intrusion detection systems (IDS) face a compromise between false alarms and false positives, so the intrusion prevention system (IPS) came into being. Rather than simply generating intrusion alarms, an IPS may block malicious attack traffic before the corresponding intrusions cause more severe damage.

In this chapter, we investigate intrusion detection and intrusion prevention in high speed networks, and the main research work is as follows:

1. Based on an investigation of recent trends in network security techniques, such as firewalls and IDS, we propose an intrusion prevention scheme based on the correlation between IDS and firewall. This scheme complements the fundamental flaws of IDS and firewall, and it may provide real-time, active prevention that attempts to stop attacks, which contributes to the normal transmission of legitimate network traffic. In this paper, we present the design and implementation of a prototype network IPS, DXIPS, based on the correlation between Snort_inline and Netfilter configured by iptables. The hierarchical architecture of this system includes the intrusion prevention layer, the server layer and the control layer: the intrusion prevention layer monitors the traversing traffic and conducts intrusion detection and prevention; the server layer collects log data and translates it into readable formats; the control layer is the administrative console and performs data display. The system is designed in a modular fashion, with an intrusion prevention module, a log recording module, a central control module and a communication module, and the concrete implementations of these modules are presented. Deployment policies are discussed for various application environments. Netfilter is the built-in firewall of the Linux kernel, which belongs to the latest fifth-generation firewalls. It can directly filter malicious packets in the TCP/IP stack in the kernel, which improves response performance. Moreover, DXIPS provides better scalability across various application environments.

2. The data collection mechanism is a key factor affecting the performance of IDS/IPS. Most current products perform per-packet detection. However, with the development and spread of high speed networking techniques, the application of IDS/IPS faces serious challenges. In this paper, the sampling technique from statistics is introduced into the data collection procedure of IDS/IPS, and a new data collection module based on sampling is proposed. Three typical sampling strategies, namely systematic sampling, Poisson sampling and stratified sampling, are applied to network traffic collection. Packet length and type serve as the measures for anomaly detection, and simulation results show that the sampled traffic still has the characteristics of the whole network traffic, and it may provide an efficient data source for anomaly detection with lower overhead. In short, this method greatly strengthens the processing performance of IDS/IPS by replacing passive packet dropping with active packet sampling, with only a minor degradation of detection rates, and it may improve resistance to Denial of Service attacks.

3. With the ever increasing deployment and usage of gigabit networks, traditional network Intrusion Detection/Prevention Systems (IDS/IPS) have not scaled accordingly. More recently, researchers have been looking at hardware based solutions that use FPGAs to assist network IDSs/IPSs, and some proposed systems can be scaled to achieve speeds over 10 Gbps. However, the available solutions have inherent limitations and cannot be applied to future high speed (Tbps) networks. In this paper, we present a scalable traffic sampling platform for intrusion detection/prevention on FPGA, called STAMP. The methodology is that when the proposed platform is unable to capture the whole network traffic, it initiates elephant flow sampling rather than merely dropping packets randomly. Meanwhile, the sampling rate adapts to the traffic load of the elephant flows. All captured packets are forwarded from STAMP to the IDS via the PCI bus. The noteworthy features of STAMP include: it takes the self-similarity of network traffic into account in attempting to collect malicious traffic, and improves the efficiency of network traffic sampling for IDS/IPS; it employs adaptive elephant flow sampling (AEFS) to retain the inherent characteristics of network traffic, which contributes to anomaly detection; and it provides a flexible and scalable platform for network IDSs/IPSs that will face the challenge of future high-speed networks.

4. To achieve secure and reliable transmission of the interactive data between IDS and firewall, the concept of trusted communication is introduced in this paper. We give the design and implementation of a trusted communication protocol based on XML. The design and implementation of the trusted communication mechanism between firewall and IDS is presented with respect to each functional unit of the common intrusion detection framework. CORBA middleware is applied to data transmission, and the TLS security protocol is applied to trusted transmission between IDS and firewall. The hierarchical architecture of this protocol includes the application layer, the XML resolution layer and the message transaction layer: the application layer consists of the client and server used to capture and analyze packets; the XML resolution layer translates the data into a uniform XML format and provides the basis for data exchange; the message transaction layer employs the TLS security protocol to achieve secure and trusted communication. The data types between IDS and firewall in the proposed prototype system are event data, rule data, analysis result data and response action data, and concrete descriptions of these data based on XML DTD are also provided. The proposed trusted communication protocol has the scalability to support various network security products (such as firewalls, IDS, IPS, etc.) and management facilities, and may contribute to the data fusion of these facilities and to detecting sophisticated distributed network attacks.
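As an added worked example (not the chapter's code) of the three sampling strategies named in item 2, the following Python applies systematic, Poisson and stratified sampling to a constructed packet trace and measures how well the two anomaly-detection measures the item names, packet length and packet type, are preserved in the sample. The trace, the sampling parameters and the random seeds are assumptions made for this example; "Poisson sampling" is used in its statistical sense of independent per-unit inclusion.

```python
import random
from collections import Counter


def make_trace(n=2000, seed=1):
    """Constructed trace (not measured data): mostly TCP/UDP packets of a few
    common sizes plus a small share of fixed-size ICMP packets."""
    rng = random.Random(seed)
    trace = []
    for i in range(n):
        ptype = rng.choices(["tcp", "udp", "icmp"], weights=[70, 25, 5])[0]
        length = rng.choice([64, 128, 576, 1500]) if ptype != "icmp" else 84
        trace.append({"id": i, "type": ptype, "len": length})
    return trace


def systematic_sample(trace, k, start=0):
    """Every k-th packet from a fixed start: cheapest to implement, but the
    fixed stride can be anticipated by a sender that times its traffic."""
    return trace[start::k]


def poisson_sample(trace, p, seed=2):
    """Poisson sampling: each packet is included independently with
    probability p, so inclusion cannot be predicted from packet position."""
    rng = random.Random(seed)
    return [pkt for pkt in trace if rng.random() < p]


def stratified_sample(trace, fraction, seed=3):
    """Stratify by packet type and take the same fraction of every stratum,
    so rare types (here ICMP) are kept even in a small sample."""
    rng = random.Random(seed)
    strata = {}
    for pkt in trace:
        strata.setdefault(pkt["type"], []).append(pkt)
    out = []
    for pkts in strata.values():
        k = max(1, round(len(pkts) * fraction))
        out.extend(rng.sample(pkts, k))
    return sorted(out, key=lambda pkt: pkt["id"])


def profile(packets):
    """The two measures: mean packet length and the packet-type mix."""
    n = len(packets)
    if n == 0:
        return 0.0, {}
    mean_len = sum(pkt["len"] for pkt in packets) / n
    mix = {t: c / n for t, c in Counter(pkt["type"] for pkt in packets).items()}
    return mean_len, mix


def compare(trace, sample):
    """Relative error of the mean length and the largest absolute error of any
    type share, sample versus full trace: small values mean the sample still
    characterises the whole traffic."""
    full_len, full_mix = profile(trace)
    samp_len, samp_mix = profile(sample)
    type_err = max(abs(full_mix.get(t, 0.0) - samp_mix.get(t, 0.0)) for t in full_mix)
    return abs(full_len - samp_len) / full_len, type_err


if __name__ == "__main__":
    trace = make_trace()
    for name, sample in (("systematic", systematic_sample(trace, 10)),
                         ("poisson", poisson_sample(trace, 0.1)),
                         ("stratified", stratified_sample(trace, 0.1))):
        len_err, type_err = compare(trace, sample)
        print(f"{name:10s} n={len(sample):4d} len_err={len_err:.3f} type_err={type_err:.3f}")
```

All three strategies keep roughly one packet in ten; the difference that matters for an IDS is in what each one guarantees: systematic sampling gives a predictable stride, Poisson sampling gives unpredictable inclusion at the cost of a variable sample size, and stratified sampling is the only one that guarantees the rare packet type is represented.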


#### **7. Acknowledgment**

The authors would like to thank the editors and anonymous reviewers for their valuable comments. This work was supported in part by the National Grand Fundamental Research 973 Program of China under Grant No. 2009CB320706, the National High Technology Research and Development Program of China under Grant No. 2011AA010101, the National Natural Science Foundation of China under Grant No. 61103197 and 61073009, the Program of New Century Excellent Talents in University of the Ministry of Education of China under Grant No. NCET-06-0300, the Youth Foundation of Jilin Province of China under Grant No. 201101035, and the Fundamental Research Funds for the Central Universities of China under Grant No. 200903179.

#### **8. References**

**5**

**Challenges in Building Trusted Information Systems<sup>1</sup>**

Serena Chan and Gregory N. Larsen

*Institute for Defense Analyses, USA*

**1. Introduction**

Globalization is a phenomenon that is bringing the world closer together through the exchange of raw goods, products, services, information, knowledge, and culture. Unprecedented advancements in technology, communications, science, transport, and industry have quickened the pace of global integration. The globalization process is creating and accelerating the emergence of transnational markets. Due to the presence of a worldwide market, there is a wider range of options to choose from among the products and services for building information systems.

The global supply chain and system complexity obscure "what's in the system." Systems are vulnerable to counterfeits, malicious inserts, or negligent design flaws. In today's global environment, one cannot afford to manage risks by simply seeking to avoid risks. The traditional discourse is that of risk avoidance. However, risk avoidance is untenable in an economic environment that operates globally with great variation in performance and with rapidly changing processes and technologies of consumption and production. Risks must be actively managed. Risk reduction comes at an expense, with cost, schedule, and performance impacts to building trusted information systems. It may cost less to build robustness below some threshold of concern than to eliminate the risks, but it costs more than ignoring the risks. To find the right balance between the benefits, costs, and risks associated with globalization, one needs to understand how globalization works, the issues and challenges, and the subsequent system design and policy choices.

This book chapter discusses several research areas that address the effects of globalization coupled with the increasing complexity of building trusted information systems. The growing trend of globalization demands a more inclusive and persistent approach for actively managing risks in building trusted information systems. For example, the multifaceted, transitory, and global nature of the commercial information and communications technology (ICT) marketplace is limiting visibility into the supply and suppliers. One of the main challenges is verification of trustworthy components and services in the design, development, test, production, deployment, operation, and maintenance of trusted information systems.

<sup>1</sup> The publication of this book chapter does not indicate endorsement by the Department of Defense (DoD) or the Institute for Defense Analyses (IDA), nor should the contents be construed as reflecting the official position of those organizations.

