RECLAMO

The right performance of a Collaborative Intrusion Detection Network (CIDN) can only be ensured if all its Intrusion Detection Systems (IDS) are capable of maintaining a good communication among them. To this end, all these elements are required to use the same format to depict the events, i.e. incidents, happening in the underlying system. Some formats were defined for exchanging messages that represent events detected by analyzing the network traffic as well as other ways of knowledge related to the detection of threats or intrusions. Among them, the format chosen for the RECLAMO system is IDMEF (Intrusion Detection Message Exchange Format), defined by the IETF in RFC 4765, as it fits in a right way with the requirements of the system in terms of information that must be shared among the elements of a CIDN.

Despite the foregoing, IDMEF does not allow including information related to the confidence that the system has on the (meta-)alerts' issuers; that is, if IDSs expose a good behavior when sharing their (meta-)alerts. This fact entails that IDMEF fails in determining whether the (meta-)alerts comes from well-reputable IDSs to accept such (meta-)alerts as true events that actually happened. In this sense, an XML extension to the data model of IDMEF, called IntrusionTrust, has been defined in RECLAMO with the aim of including in a (meta-)alert the confidence (trust) about its issuers; that is, about the IDSs which generated it. This extension is highly detailed below.

This extension is developed as part of the section in the IDMEF data model dedicated to extend it. The information included in IntrusionTrust includes, apart from the trust value itself, the information about the algorithm used to compute the issuers' trust score and the information about the CIDN: its identification as well as information about the node acting as the leader of the CIDN. In this extension, besides defining the trust score of a given IDS which generated a single alert, is also possible to define the trust score of any meta-alert built by the global detection system. The trust value on a (meta-)alert is computed by the Trust and Reputation module proposed in RECLAMO.

The next figure depicts the IntrusionTrust extension from a graphical point of view.

The first high-level element in this extension is AttackPercentage, which represents the percentage (between 0 and 1) about the ongoing attack carried out so far. This value is optional, only being required for a meta-alert to indicate the percentage of a multi-step attack. The second one is the AssessmentTrust complex type, which includes the issuer(s)' trust score for a (meta-)alert computed by the trust and reputation management system proposed in RECLAMO (see the Trust and Reputation module). This is composed by the following complex types:

AssessmentSource: information about the source(s) which issued the assessment, i.e. the nodes computing the trust scores, about the IDSs which generated the (meta-)alert, namely:
- CIDNId: CIDN identifier to which the IDSs belong.
- LeaderId: leader identifier of the CIDN.
- AlertId: identifiers of the alerts that were assessed, especially useful for a meta-alert with possibly multiple single alerts.
Assessment: information about the assessment itself, which is composed by three optional subclasses.
- Creator: entity identifier that ultimately created the assessment.
- Timestamp: date and time in which the assessment was generated.
- Algorithm: algorithm that was used by the trust and reputation management system to compute the final trust score of the (meta-)alert, such as RepCIDN, PeerTrust, FIRE, PowerTrust or REGRET.
- Trust: final trust score for the (meta-)alert.

software download

You can download from the below links all the software material needed to reproduce the Parser module. Note that one link is a reference to download all the single alerts belonging to the Phase 1 (IPsweep) defined by the MIT in its DARPA 2000 dataset.

Please don't hesitate to contact us for any enquiries you might have.