文章基本信息

标题：OSSEC IDS Extension to Improve Log Analysis and Override False Positive or Negative Detections
本地全文：下载
作者：Diogo Teixeira ; Leonardo Assunção ; Teresa Pereira 等
期刊名称：Journal of Sensor and Actuator Networks
电子版ISSN：2224-2708
出版年度：2019
卷号：8
期号：3
页码：46-58
DOI：10.3390/jsan8030046
出版社：MDPI Publishing
摘要：Intrusion Detection Systems (IDS) are used to prevent attacks by detecting potential harmful intrusion attempts. Currently, there are a set of available Open Source IDS with different characteristics. The Open Source Host-based Intrusion Detection System (OSSEC) supports multiple features and its implementation consists of Agents that collect and send event logs to a Manager that analyzes and tests them against specific rules. In the Manager, if certain events match a specific rule, predefined actions are triggered in the Agents such as to block or unblock a particular IP address. However, once an action is triggered, the systems administrator is not able to centrally check and obtain detailed information of the past event logs. In addition, OSSEC may assume false positive or negative detections and their triggered actions: previously harmless but blocked IP addresses by OSSEC have to be unblocked in order to reestablish normal operation or potential harmful IP addresses not previously blocked by OSSEC should be blocked in order to increase protection levels. These operations to override OSSEC actions must be manually performed in every Agent, thus requiring time and human resources. Both these limitations have a higher impact on large scale OSSEC deployments assuming tens or hundreds of Agents. This paper proposes an extension to OSSEC that improves the administrator analysis capability by maintaining, organizing and presenting Agent logs in a central point, and it allows for blocking or unblocking IP addresses in order to override actions triggered by false detections. The proposed extension aims to increase efficiency of time and human resources management, mainly considering large scale OSSEC deployments.
关键词：IDS; OSSEC; cybersecurity; information security; attack detection; security events; intrusions IDS ; OSSEC ; cybersecurity ; information security ; attack detection ; security events ; intrusions